Linux Setup
When testing iOS, it is helpful to have a macOS system available. However, if you do not have a macOS system, a Linux system can be used for the majority of the testing. In this case, we will use Kali Linux since we have dedicated laptops for this distribution.
Nearly everything works the same for Android testing regardless of whether you use Linux or macOS, so few changes are needed there.
Software Installations
There are several software packages that you can use, but you will likely want to have these at a minimum.
-
libimobiledevice (http://www.libimobiledevice.org)
This is an open-source package that connects to the device over the USB cable which allows you to gather information.
sudo apt install libimobiledevice libimobiledevice-glue libimobiledevice-utils libplist++ libplist-utils python3-imobiledevice python3-plist ideviceinstaller usbmuxd libusbmuxd-tools
-
Burp Suite Pro (https://portswigger.net)
This is used for the interception and modification of HTTP communications from the mobile app.
-
Hex Editor
Linux has the xxd command built-in. However, if you want a GUI application, you can try wxHexEditor:
sudo apt install wxhexeditor
-
Radare2 (https://github.com/radare/radare2.git)
Radare2 is a full disassembler for ARM binaries and can be used to manipulate the assembly code. Not strictly required.
sudo apt install radare2
-
XMachOViewer (https://github.com/horsicq/XMachOViewer)
XMachOViewer is a Mach-O viewer for Windows, Linux, and macOS.
-
Go to the release page and download the appropriate file:
-
Install the package file
sudo dpkg -i xmachoviewer_0.04_Debian_11_amd64.deb
-
-
Sqlitebrowser (http://sqlitebrowser.org)
This tool allows you to open SQLite databases from the iOS device in a graphical view. It also supports encrypted databases, which makes it more useful.
sudo apt install sqlitebrowser
-
LLVM (https://llvm.org)
The LLVM project contains a lot of tools for Mach-O analysis, similar to the native macOS tools. By installing this package, and creating some symbolic links, we can mimic the same commands on Linux as macOS.
sudo apt install llvm
The binaries will be installed in /usr/lib/llvm-19/bin, with symbolic links created in /usr/bin. You can add the real path to your $PATH variable, or create the links in /usr/bin. It is up to you!
Note: Update the version number as needed. This example is version 19.
sudo ln -s /usr/bin/llvm-otool-19 /usr/bin/otool
sudo ln -s /usr/bin/llvm-lipo-19 /usr/bin/lipo
The nm binary is a bit more complicated. Linux has a native nm binary already, but it does not support Mach-O formats. One way to solve this is to set a temporary alias for nm to run llvm-nm when performing iOS testing.
alias nm='/usr/bin/llvm-nm'
This alias will disappear when you close the terminal, restoring the native nm usage. Additionally, you could just remove the alias without closing the terminal:
unalias nm
-
plistutil
Linux utility to read and convert Apple Property List (plist) files.
sudo apt-get install libplist-utils
This will install an ELF binary in /usr/bin/plistutil. You can set a symbolic link to plutil to make for a smooth transition between Linux and macOS.
sudo ln -s /usr/bin/plistutil /usr/bin/plutil
-
Python3 Virtual Environment
It is recommended to create a Python3 virtual environment to install the mobile testing tools into. This keeps the tools isolated from the externally managed environment.
Install and activate the environment
python3 -m venv mobile
cd mobile
. bin/activate
Tip: Remember to activate the environment when you need to use it. When finished, you can deactivate it by running the command deactivate!
Tools to install:
Frida (https://pypi.python.org/pypi/frida) (MUST match the version on the device)
Frida is a dynamic instrumentation toolkit to allow deep access to the running iOS application. If you install "frida-tools", it will also install the Frida server since it is a requirement.
pip3 install frida-tools
Frida Scripts (Corporate GitHub!)
Various Frida scripts that are used throughout this testing guide!
Fridump (https://github.com/Nightbringer21/fridump)
This tool, based on Frida, allows you to dump the memory from a running iOS process. It also has built-in strings capabilities for post-dump memory analysis.
git clone https://github.com/Nightbringer21/fridump
frida-ios-dump (https://github.com/AloneMonkey/frida-ios-dump)
Frida dump script to decrypt a binary and dump the app to an IPA on the host.
git clone https://github.com/AloneMonkey/frida-ios-dump
Objection (https://github.com/sensepost/objection)
Objection is a runtime mobile exploration toolkit, powered by Frida. Objection can automate many of the tasks of dynamic analysis of the app. Relies on Frida, and Python3.
pip install objection
KTool (https://github.com/cxnder/ktool)
A recent class dump script that supports Objective-C and Swift apps.
pip3 install k2l
Mobile Security Framework (MobSF) (https://github.com/MobSF/Mobile-Security-Framework-MobSF)
To install (one time setup):
-
Install wkhtmltopdf (https://wkhtmltopdf.org) to save scan output as a PDF file
sudo apt install wkhtmltopdf
-
Clone the MobSF Git repository
git clone https://github.com/MobSF/Mobile-Security-Framework-MobSF.git
cd Mobile-Security-Framework-MobSF
-
Run the setup script
./setup.sh
To run the application:
-
To launch the app, execute the run.sh script
-
Open a web browser to http://localhost:8000
-
The default login credentials are mobsf:mobsf. Authentication can also be disabled by setting the MOBSF_DISABLE_AUTHENTICATION=1 environment variable.
-
-
SQL Cipher (https://www.zetetic.net/sqlcipher/)
SQLCipher extends the SQLite database to include encrypted local data storage. On mobile devices, it is recommended to encrypt any local database using this package. This software is needed on your computer to be able to access the encrypted database.
sudo apt install sqlcipher
-
apktool
Decodes an APK file.
sudo apt install apktool
-
jadx
Jadx & Jadx-GUI will decompile the APK file back to near Java code. This command will install both jadx & jadx-gui.
sudo apt install jadx
-
SUPER Analyzer (https://github.com/SUPERAndroidAnalyzer/super/releases)
No longer actively maintained! Analyzes an APK file for misconfigurations.
-
Download the package from the release page!
-
Install the package:
sudo dpkg -i super-analyzer_0.5.0_debian_amd64.deb
-
-
dex2jar
Converts .dex files to .class files. Commands start with d2j-
sudo apt install dex2jar
-
Android Build Tools
Contains several command-line tools that will be needed during testing, for example aapt/aapt2, apksigner, dexdump, zipalign, etc.
sudo apt install google-android-build-tools-35.0.0-installer
-
Drozer
Drozer is a vulnerability and attack framework for Android. It received a much needed update for Python3 in 2024 by WithSecureLabs.
(Server: https://github.com/WithSecureLabs/drozer/releases)
Install Drozer server (using pipx)
sudo apt install pipx # if needed
pipx ensurepath
# install drozer:
pipx install drozer
(Agent: https://github.com/WithSecureLabs/drozer-agent)
Install the Drozer agent to your device:
adb install drozer-agent-3.1.0.apk
-
Corellium - usbfluxd (When working with Corellium)
Redirects the standard usbmuxd socket to allow connections to local and remote usbmuxd instances so remote devices appear connected locally.
-
Open a browser and go to https://github.com/corellium/usbfluxd/releases.
-
Download the appropriate release file.
-
Copy it to the Linux system (if needed).
-
Extract the archive file.
-
Copy the files to where you want to place them.
sudo cp -p usbfluxd /usr/local/sbin
sudo cp -p usbfluxctl /usr/local/bin
-
Ensure that these two paths are in your $PATH variable.
-
Launch the daemon:
sudo /usr/local/sbin/usbfluxd
-
Once you have the virtual device running, get the IP address from the Connect tab in the left menu. Then add an entry for usbfluxd:
/usr/local/bin/usbfluxctl add <ip-address>:5000
# run this to see what is setup:
/usr/local/bin/usbfluxctl list
Once this is set up correctly, you can use the libimobiledevice commands and Frida as you would with a physical device attached with a USB cable.
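For the nm conflict described in the LLVM entry above, an alternative to the temporary alias is a wrapper that reads the file's magic bytes and calls llvm-nm only for Mach-O input. This is an added example, not part of the original guide; the nmx function name and the LLVM_NM override variable are assumptions.

```shell
#!/bin/sh
# Added example (not from the original guide): use llvm-nm only for Mach-O files.

# Print the first four bytes of a file as lowercase hex, e.g. "cffaedfe".
magic_of() {
    od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n'
}

# Return 0 when the file starts with a Mach-O or fat (universal) magic number.
is_macho() {
    case "$(magic_of "$1")" in
        feedface|cefaedfe) return 0 ;;   # 32-bit Mach-O, big/little-endian on disk
        feedfacf|cffaedfe) return 0 ;;   # 64-bit Mach-O, big/little-endian on disk
        cafebabe|cafebabf) return 0 ;;   # fat header (cafebabe is also Java .class)
        *) return 1 ;;
    esac
}

# Print the nm binary to use for one file.
# LLVM_NM is an assumed override for systems where llvm-nm lives elsewhere.
nm_tool_for() {
    if is_macho "$1"; then
        printf '%s\n' "${LLVM_NM:-/usr/bin/llvm-nm}"
    else
        printf '%s\n' "nm"
    fi
}

# Wrapper to call instead of nm: the last argument is treated as the file.
nmx() {
    last=""
    for last in "$@"; do :; done
    tool=$(nm_tool_for "$last")
    command "$tool" "$@"
}

# Usage after sourcing this file: nmx -u ./AppBinary   (AppBinary is a placeholder)
```

Because the native nm stays untouched, there is no alias to remember to remove when switching back to ELF work.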
SSH Configuration - For iOS Devices
When using Corellium, click on Connect in the left menu, and copy the ssh string that is provided.
To perform many of the tasks during a test, you will connect to the iOS device over the USB cable using the Secure Shell (SSH). This is a quicker, more reliable way to connect than just trying to SSH to the device IP address. You will still use SSH, but instead of going over the network, it will go over the USB cable. To perform this, you will need the usbmuxd package installed, which includes the iproxy command.
The iproxy tool allows you to set up a port that listens for incoming connections, and then forwards them over the cable to the target device. To do this, we will set up a non-standard SSH port on the laptop that we will connect to. The generally accepted port is 2222.
To perform this setup on an ad-hoc basis, just run the following command:
iproxy 2222 22 &
This tells the system to forward any traffic to port 2222 over the cable to port 22 on the device. Once that is running, you can use the built-in SSH client to connect to it:
ssh -p 2222 -l root localhost
If you perform many iOS tests, it may be easier to have the iproxy setup as a Launch Agent, so that it is running all the time. To set this up:
SSH Config
Finally, create (or modify) the ~/.ssh/config file and add the following entries into it:
Host ios
    User root
    Hostname 127.0.0.1
    Port 2222
    IdentityFile ~/.ssh/id_rsa
    # Host key checking is off for this alias only: port 2222 reaches whichever
    # test device is attached, so the key changes. Do not copy these to Host *.
    StrictHostKeyChecking no
    UserKnownHostsFile /dev/null
Once this is set up, you can simply run ssh ios to connect to port 2222.
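With the ios alias in place, the requirement that the host Frida version match the one on the device can be checked before each test. This is an added example, not part of the original guide; it assumes frida-server is on the device's PATH, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original guide): check host and device Frida versions.

# Reduce tool output to a bare MAJOR.MINOR.PATCH string; fail on anything else.
clean_version() {
    v=$(printf '%s' "$1" | tr -d ' \t\r\n')
    if printf '%s\n' "$v" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+$'; then
        printf '%s\n' "$v"
    else
        return 1
    fi
}

# Compare two version strings and print a verdict.
# Returns 0 on match, 1 on mismatch, 2 when either value cannot be parsed.
frida_versions_match() {
    host=$(clean_version "$1") || { echo "cannot parse host version: '$1'"; return 2; }
    dev=$(clean_version "$2") || { echo "cannot parse device version: '$2'"; return 2; }
    if [ "$host" = "$dev" ]; then
        echo "match: $host"
        return 0
    fi
    # Pinning the host package is one option; updating the device is the other.
    echo "mismatch: host $host, device $dev; run: pip3 install frida==$dev"
    return 1
}

# Live check, run only with --live so the functions can be sourced offline.
# Assumes the "ios" alias from ~/.ssh/config and an active iproxy on port 2222.
if [ "${1:-}" = "--live" ]; then
    frida_versions_match "$(frida --version)" "$(ssh ios frida-server --version)"
fi
```

Run it with --live inside the activated virtual environment so that frida resolves to the copy installed there.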
ADB Configuration - For Android Devices
For Android apps, it is best to just use the ADB utility to connect to the physical device. All you should need to do is:
adb shell
su