Saved from https://gist.github.com/milo2012/a69f803472d5ecf3f161ff02c9d19cb2

pentesting_ios_apps_on_electra.txt

#Burp SSL Certificate on IOS 11
On iOS 11 you can't just install your MITM root cert, you also need to explicitly trust it.
You can do this by:
Settings -> General -> About -> Certificate Trust Settings -> Flip the switch on your cert
----------------------------------------------------------------------------------------------------------------
#GDB on IOS 11
Source: https://shmoo419.github.io/
gdb
ps -ax | grep -i appName
attach [processNo]
----------------------------------------------------------------------------------------------------------------
#Decrypting IOS Applications 
Option 1
$ wget https://github.com/BishopFox/bfinject/raw/master/bfinject.tar
$ scp bfinject.tar [email protected]:/pentest
$ tar xvf bfinject.tar
$ ps -ax 
$ bash bfinject -P XXX.app -l /pentest/bfdecrypt.dylib 
$ nc 192.168.100.120  31336 > /tmp/XXX-decrypted.ipa

Option 2
$ frida-ps -U -a

PID  Name           Identifier                            
---  -------------  --------------------------------------
513  Electra        org.coolstar.electra                                 
533  iFAST HK       com.xxx.xxxx

$ git clone https://github.com/AloneMonkey/frida-ios-dump
$ iproxy 2222 22 &
#modify dump.py #line 33: "password = alpine"

$ python dump.py com.xxx.xxxx
Start the target app com.xxx.xxxx
Dumping XXXX to /var/folders/cz/k032xxcx2y1f_vwf1tyfc3fr0000gn/T



----------------------------------------------------------------------------------------------------------------
#SSL Pinning
$ wget https://github.com/nabla-c0d3/ssl-kill-switch2/releases/download/0.12/com.nablac0d3.sslkillswitch2_0.12.deb
$ dpkg -i com.nablac0d3.sslkillswitch2_0.12.deb 
$ killall -HUP SpringBoard

or use one of the below 2 Frida codeshare
$ frida --codeshare lichao890427/ios-ssl-bypass -f YOUR_BINARY
$ frida --codeshare dki/ios10-ssl-bypass -f YOUR_BINARY
----------------------------------------------------------------------------------------------------------------
#Fixing Needle on Electra
#Install Darwin CC Tools via Cydia on iOS device
$ wget http://newosxbook.com/tools/jtool.tar
#Upload jtool.tar to iPhone /pentest folder
$ tar xvf jtool.tar
$ cd /Applications/NeedleAgent.app
$ /pentest/jtool.liberios -arch arm64 --ent ./NeedleAgent > ./NeedleAgent.ent
$ /pentest/jtool.liberios -e arch -arch arm64 NeedleAgent
$ /pentest/jtool.liberios --sign --ent NeedleAgent.ent --inplace ./NeedleAgent.arch_arm64
$ mv /Applications/NeedleAgent.app/NeedleAgent /Applications/NeedleAgent.app/NeedleAgent.backup
$ rm -R /Applications/NeedleAgent.app/NeedleAgent
$ cp /Applications/NeedleAgent.app/NeedleAgent.arch_arm64 /Applications/NeedleAgent.app/NeedleAgent
$ reboot
----------------------------------------------------------------------------------------------------------------
#Memory Dumping broken in Needle on Electra
$ git clone https://github.com/Nightbringer21/fridump
$ python fridump.py  -U [appname]
$ cd dump
$ cat * | grep -i [keyword]
----------------------------------------------------------------------------------------------------------------
#React Native
#If you see main.jsbundle in the application folder, this means that is it using React Native. The source code is in Javascript
$ ps -ax | grep -i [appname]
3012 ??         0:19.62 /var/containers/Bundle/Application/2E4444A3-C408-4BFE-92F7-193AB76D91F9/[appname].app/[appname]
$ ls /var/containers/Bundle/Application/2E4444A3-C408-4BFE-92F7-193AB76D91F9/[appname].app/
main.jsbundle

-- Taken from https://agostini.tech/2018/05/06/ios-application-security-part-6-reverse-engineering-and-tampering-re-sign-patching/ ---
#Use JStillery to beautify and deobfuscate the content of the temporary file.
#Identify where the code should be patched in the temporary file and implement the changes.
#Put the patched code on a single line and copy it in the original Payload/[APP].app/main.jsbundle file.
#Close and restart the application
----------------------------------------------------------------------------------------------------------------
#Issues using Cycript on MacOS High Sierra 
##On OSX
$ wget https://cache.saurik.com/cycript/mac/cycript_0.9.594.zip
$ unzip cycript_0.9.594.zip
$ sudo install_name_tool -change /System/Library/Frameworks/Ruby.framework/Versions/2.0/usr/lib/libruby.2.0.0.dylib /System/Library/Frameworks/Ruby.framework/Versions/2.3/usr/lib/libruby.2.3.0.dylib Cycript.lib/cycript-apl 
$ sudo install_name_tool -change /System/Library/Frameworks/Ruby.framework/Versions/2.0/usr/lib/libruby.2.0.0.dylib /System/Library/Frameworks/Ruby.framework/Versions/2.3/usr/lib/libruby.2.3.0.dylib Cycript.lib/libcycript.dylib 

##On iOS
$ bash bfinject -P [APPname] -L cycript

##On OSX
$ ./cycript -r [x.x.x.x]:1337
cy# alert = [[UIAlertView alloc] initWithTitle:@"Cycript" message:@"UIAlertView injected into application"  delegate:nil  cancelButtonTitle:@"OK"  otherButtonTitles:nil];
cy# [alert show];
cy# [alertView release]
----------------------------------------------------------------------------------------------------------------
#Data Protection Class on Files Containing Sensitive Data
$ frida --codeshare ay-kay/ios-dataprotection -f com.xxx.xxxx -U 
$ -> getDataProtectionKeysForAllPaths()
{
        "fileProtectionKey": "NSFileProtectionCompleteUntilFirstUserAuthentication",
        "path": "/private/var/mobile/Containers/Data/Application/XXXXXX-2E55-459F-98AC-XXXXXXX/Documents/Token.plist"
},
----------------------------------------------------------------------------------------------------------------
#Fuzzing URL Schemes - WIP (Doesn't seem to work)
$ frida-ps -U -a
#Open Info.plist, look under CFBundleURLTypes -> CFBundleURLSchemes, replace somescheme with the actual url scheme below.
$ frida -U --codeshare dki/ios-url-scheme-fuzzing -f com.xxx.xxxx
%resume
dumpSchemes();
openURL("somescheme://test");
fuzzStrings.push("somefancyfuzzstring");
fuzz("somescheme://test/{0}");
----------------------------------------------------------------------------------------------------------------
#Listing all methods in iOS application
$ wget https://raw.githubusercontent.com/0xdea/frida-scripts/master/raptor_frida_ios_enum.js
$ frida -U -f com.xxx.xxxx -l raptor_frida_ios_enum.js --no-pause
[iPad 4::com.xxx.xxxx]-> enumAllMethods()
----------------------------------------------------------------------------------------------------------------
#Checking App Transport Security
$ unzip XXXX\ HK.ipa 
Archive:  XXXX.ipa
   creating: Payload/
   
$ cd Payload/XXXX.app/
$ plutil -convert xml1 Info.plist
$ cat Info.plist
        <key>NSAppTransportSecurity</key>
        <dict>
                <key>NSExceptionDomains</key>
                <dict>
                        <key>localhost</key>
                        <dict>
                                <key>NSExceptionAllowsInsecureHTTPLoads</key>
                                <true/>
                        </dict>
                        <key>XXX.com</key>
                        <dict>
                                <key>NSExceptionAllowsInsecureHTTPLoads</key>
                                <true/>
                        </dict>
                </dict>
        </dict>

----------------------------------------------------------------------------------------------------------------
#Dumping iOS Keychain

$ objection -g "XXXX" explore
$ ios keychain dump
Class         Account    Service    Generic    Data
------------  ---------  ---------  ---------  ------
kSecClassKey