💻
Application Security Cheat Sheet
  • Application Security Cheat Sheet
  • Android Application
    • Overview
      • Application Data & Files
      • Application Package
      • Application Sandbox
      • Application Signing
      • Deployment
      • Package Manager
    • Intent Vulnerabilities
      • Deep Linking Vulnerabilities
    • WebView Vulnerabilities
      • WebResourceResponse Vulnerabilities
      • WebSettings Vulnerabilities
  • CI/CD
    • Dependency
      • Dependency Confusion
      • Dependency Hijaking
      • Typosquatting
    • GitHub
      • GitHub Actions
      • Code owners
      • Dependabot
      • Redirect
      • Releases
  • Cloud
    • AWS
      • Amazon API Gateway
      • Amazon Cognito
      • Amazon S3
  • Container
    • Overview
      • Container Basics
      • Docker Engine
    • Escaping
      • CVE List
      • Exposed Docker Socket
      • Excessive Capabilities
      • Host Networking Driver
      • PID Namespace Sharing
      • Sensitive Mounts
    • Container Analysis Tools
  • Framework
    • Spring
      • Overview
      • Mass Assignment
      • Routing Abuse
      • SpEL Injection
      • Spring Boot Actuators
      • Spring Data Redis Insecure Deserialization
      • Spring View Manipulation
    • React
      • Overview
      • Security Issues
  • Linux
    • Overview
      • Philosophy
      • File
      • File Descriptor
      • I/O Redirection
      • Process
      • Inter Process Communication
      • Shell
      • Signals
      • Socket
      • User Space vs Kernel Space
    • Bash Tips
  • iOS Application
    • Overview
      • Application Data & Files
      • Application Package
      • Application Sandbox
      • Application Signing
      • Deployment
    • Getting Started
      • IPA Patching
      • Source Code Patching
      • Testing with Objection
  • Resources
    • Lists
      • Payloads
      • Wordlists
    • Researching
      • Web Application
      • Write-ups
    • Software
      • AWS Tools
      • Azure Tools
      • Component Analysis
      • Docker Analysis
      • Dynamic Analysis
      • Fuzzing
      • GCP Tools
      • Reverse Engineering
      • Static Analysis
      • Vulnerability Scanning
    • Training
      • Secure Development
  • Web Application
    • Abusing HTTP hop-by-hop Request Headers
    • Broken Authentication
      • Two-Factor Authentication Vulnerabilities
    • Command Injection
      • Argument Injection
    • Content Security Policy
    • Cookie Security
      • Cookie Bomb
      • Cookie Jar Overflow
      • Cookie Tossing
    • CORS Misconfiguration
    • File Upload Vulnerabilities
    • GraphQL Vulnerabilities
    • HTML Injection
      • base
      • iframe
      • link
      • meta
      • target attribute
    • HTTP Header Security
    • HTTP Request Smuggling
    • Improper Rate Limits
    • JavaScript Prototype Pollution
    • JSON Web Token Vulnerabilities
    • OAuth 2.0 Vulnerabilities
      • OpenID Connect Vulnerabilities
    • Race Condition
    • Server Side Request Forgery
      • Post Exploitation
    • SVG Abuse
    • Weak Random Generation
    • Web Cache Poisoning
Powered by GitBook
On this page
  • Preparation
  • Apple Developer account
  • mobileprovision file
  • Dependencies
  • Patching
  1. iOS Application
  2. Getting Started

IPA Patching

PreviousGetting StartedNextSource Code Patching

Last updated 3 years ago

In order to start analyzing and managing the iOS app without jailbreak, the app's IPA itself needs to be patched and code signed to load the FridaGadget.dylib on start. This can be done using the following script:

To patch an IPA though, a few things need to be done in preparation: installing dependencies, obtaining the embedded.mobileprovision file and a code signing certificate from Apple.

Preparation

Apple Developer account

First and foremost, you need to register for an Apple Developer account. A free one works fine, but you need to keep in mind that you will only be allowed to run patched applications for 7 days, before repeating the patching/signing/installation process again.

To register:

  • Sign in with your AppleID in XCode by browsing to XCode > Preferences > Accounts and clicking on the + at the bottom left.

  • Click on Manage Certificates and click on the + drop down, selecting iOS Development. XCode will generate a new code signing certificate for you to use.

  • Click Done.

Once you have a developer account signed in to in XCode, you will now be able to sideload applications and run them on iOS devices. You can also check for code signing certificates that are now available in a terminal:

$ security find-identity -p codesigning -v
1) 11AA22BB*** "Apple Development: *****@icloud.com (ABCDEF1234)"
     1 valid identities found

11AA22BB*** is code sign identity.

mobileprovision file

The .mobileprovison file contains some certificate information as well as the entitlements groups for the application. To generate the .mobileprovision file, all you need to do is build and deploy a blank iOS application to a device.

So, to build and deploy a blank iOS application using XCode to get the updated embedded.mobileprovision file you need:

  • Start XCode and select Create a new Xcode project.

  • Select iOS > App and click Next.

  • Fill in a Product Name and an Organization Identifier, click Next.

  • Choose where to save the project and finally click on Create.

  • In the projects root, under the Signing & Capabilities tab, ensure that there are no errors with the signing certificate. Most of the time, XCode is pretty verbose with what needs to be done to fix any errors you may encounter, so just take a moment to read.

  • When done, ensure your iOS device is plugged in. Select it as the target device in the top left corner, and hit the big play button. This process will compile the blank app for the target device, and update embedded.mobileprovision file.

  • In the projects root, under the Signing & Capabilities tab pick up the updated embedded.mobileprovision by dragging it behind the file with the gear icon.

Running your blank application for the first time on an iOS device will most probably result in a error that reads something like:

Verify the Developer App certificate for your account is trusted on your device.
Open Settings on your device and navigate to General > Device Management,
then select your Developer App certificate to trust it.

What this means is that you need to also trust the iTunes account you used to run code on the iOS device you have. Simply navigate to your iOS devices:

Settings > General > Device Management > iTunes account from the "Developer App" section > Select "Trust"

Dependencies

ipa-patching.sh

The main script that loads the FridaGadget.dylib, signs the code and deploys the IPA to the device.

$ git clone https://github.com/0xn3va/ipa-patching.git

brew

$ /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install.sh)"

Patching

With all of the above dependencies solved, you can finally patch an IPA. To do this, simply run the script:

$ cd ipa-patching
$ ./ipa-patching.sh

This script will extract the IPA, locate the app binary, patch it to load the FridaGadget.dylib, sign code and deploy it to device.

Visit and agree to the license agreement.

The ipa-patching.sh script to patching an IPA requires

Before patching IPA, you need to set a number of variables in ipa-patching.sh, more .

https://developer.apple.com/register/
brew
here
LogoGitHub - 0xn3va/ipa-patching: Simple script for IPA patching and deploying to device without jailbreakGitHub