Linux Setup

When testing iOS, it is helpful to have a macOS system available. However, if you do not have a macOS system, a Linux system can be used for the majority of the testing. In this case, we will use Kali Linux since we have dedicated laptops for this distribution.

Android testing works nearly the same whether you use Linux or macOS, so very few changes are needed for that.

Software Installations

There are several software packages that you can use, but you will likely want to have these at a minimum.

  1. libimobiledevice (http://www.libimobiledevice.org)

    This is an open-source package that communicates with the device over the USB cable, which allows you to gather information from it.

    Compile and install these in this order!

    # install build dependencies
    sudo apt-get install -y build-essential checkinstall git autoconf automake libtool-bin libtool m4 libcurl4-openssl-dev cython3

    # compile libplist (each build runs in a subshell so we return to the parent
    # directory afterwards, and && stops the chain if a step fails)
    git clone https://github.com/libimobiledevice/libplist.git
    (cd libplist && ./autogen.sh && make && sudo make install)

    # compile libimobiledevice-glue
    git clone https://github.com/libimobiledevice/libimobiledevice-glue.git
    (cd libimobiledevice-glue && ./autogen.sh && make && sudo make install)

    # compile libusbmuxd
    git clone https://github.com/libimobiledevice/libusbmuxd.git
    (cd libusbmuxd && ./autogen.sh && make && sudo make install)

    # compile libtatsu
    git clone https://github.com/libimobiledevice/libtatsu.git
    (cd libtatsu && ./autogen.sh && make && sudo make install)

    # compile libimobiledevice
    git clone https://github.com/libimobiledevice/libimobiledevice.git
    (cd libimobiledevice && ./autogen.sh && make && sudo make install)

    # refresh the shared library cache so the libraries installed under /usr/local/lib are found
    sudo ldconfig

  2. Burp Suite Pro (https://portswigger.net)

    This is used for the interception and modification of HTTP communications from the mobile app.

    (Use the corporate license for Professional edition, or download Community edition if that is not available.)

  3. Hex Editor

    Linux has the xxd command built-in. However, if you want a GUI application, you can try wxHexEditor:

    sudo apt install -y wxhexeditor

  4. Radare2 (https://github.com/radare/radare2.git)

    Radare2 is a full disassembler for ARM binaries and can be used to manipulate the assembly code. (Note: this is likely already installed on Kali)

    sudo apt install -y radare2

  5. XMachOViewer (https://github.com/horsicq/XMachOViewer)

    Note: This is for x86_64 architecture only. No ARM64 version available!

    XMachOViewer is a Mach-O viewer for Windows, Linux, and macOS.

  6. Sqlitebrowser (http://sqlitebrowser.org)

    This tool allows you to open SQLite databases from the iOS device in a graphical view. It also supports encrypted databases, which makes it more useful.

    sudo apt install -y sqlitebrowser

  7. LLVM (https://llvm.org)

    The LLVM project contains a lot of tools for Mach-O analysis, similar to the native macOS tools. By installing this package and creating a few symbolic links, we can use the same command names on Linux as on macOS.

    sudo apt install -y llvm

    The binaries are installed in /usr/lib/llvm-19/bin, with llvm-prefixed symbolic links created in /usr/bin. You can either add the real path to your $PATH variable or create links with the macOS names in /usr/bin. It is up to you!

    Note: Update the version number as needed. This example uses version 19.

    sudo ln -s /usr/lib/llvm-19/bin/llvm-otool /usr/bin/otool
    sudo ln -s /usr/lib/llvm-19/bin/llvm-lipo /usr/bin/lipo

    The nm binary is a bit more complicated. Linux already has a native nm binary, but it does not understand Mach-O files. One way to solve this is to set a temporary alias so that nm runs llvm-nm while performing iOS testing:

    alias nm='/usr/bin/llvm-nm'

    This alias disappears when you close the terminal, restoring the native nm. You can also remove the alias without closing the terminal:

    unalias nm
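    The alias above sends every nm invocation to llvm-nm. As an added example that is not part of the original page, the following POSIX shell wrapper instead inspects the file's magic number and only hands Mach-O or fat (universal) binaries to llvm-nm, leaving ELF files to the native nm. It assumes llvm-nm is at /usr/bin/llvm-nm (as created by the llvm package) and the native nm at /usr/bin/nm; both can be overridden through the LLVM_NM and GNU_NM variables.

```shell
#!/bin/sh
# Added example (not from the original page): an nm wrapper that dispatches to
# llvm-nm only for Mach-O inputs, so the native GNU nm keeps working for ELF.
# Assumed paths; override with LLVM_NM=... / GNU_NM=... in the environment.
LLVM_NM="${LLVM_NM:-/usr/bin/llvm-nm}"
GNU_NM="${GNU_NM:-/usr/bin/nm}"

# Print the first four bytes of a file as lowercase hex, e.g. "cffaedfe".
magic4() {
    dd if="$1" bs=4 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# Return 0 if the file starts with a Mach-O or fat (universal) magic number.
# Thin Mach-O: feedface (32-bit) / feedfacf (64-bit), plus the byte-swapped
# forms written by little-endian hosts. Fat binaries: cafebabe / bebafeca.
is_macho() {
    case "$(magic4 "$1")" in
        feedface|feedfacf|cefaedfe|cffaedfe|cafebabe|bebafeca) return 0 ;;
        *) return 1 ;;
    esac
}

# Pick the right nm for the last argument (the input file) and run it with
# all of the original arguments.
nm_wrapper() {
    for last in "$@"; do :; done
    if [ -f "$last" ] && is_macho "$last"; then
        "$LLVM_NM" "$@"
    else
        "$GNU_NM" "$@"
    fi
}
```

    Source the file in your shell and run nm_wrapper <file>, or define alias nm=nm_wrapper for the duration of the session.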

  1. plutil

    Python 3 script that clones the macOS plutil functionality for cross-platform scripting purposes.

    wget https://URL-NEEDED/plutil
    chmod +x plutil
    sudo cp -p plutil /usr/bin

  2. Python3 Virtual Environment

    It is recommended to create a Python3 virtual environment to install the mobile testing tools into. This keeps the tools isolated from the externally managed environment.

    Install and activate the environment:

    python3 -m venv mobile
    cd mobile
    . bin/activate

    Tip: Remember to activate the environment when you need to use it. When finished, you can deactivate it by running the command deactivate!

    Tools to install:

    Frida (https://pypi.python.org/pypi/frida) (MUST match the version on the device)

    Frida is a dynamic instrumentation toolkit to allow deep access to the running iOS application. If you install "frida-tools", it will also install the Frida server since it is a requirement.

    pip3 install frida-tools

    Frida Scripts (Corporate GitHub!)

    Various frida scripts that are used throughout this testing guide!

    Fridump (https://github.com/Nightbringer21/fridump)

    This Frida-based tool allows you to dump the memory of a running iOS process. It also has built-in strings capabilities for analysing the dump afterwards.

    git clone https://github.com/Nightbringer21/fridump

    frida-ios-dump (https://github.com/AloneMonkey/frida-ios-dump)

    A Frida script that decrypts the app binary and dumps the app to an IPA file on the host.

    git clone https://github.com/AloneMonkey/frida-ios-dump

    Objection (https://github.com/sensepost/objection)

    Objection is a runtime mobile exploration toolkit, powered by Frida. Objection can automate many of the tasks of dynamic analysis of the app. It relies on Frida and Python 3.

    pip install objection

    KTool (https://github.com/cxnder/ktool)

    A recent class-dump tool that supports both Objective-C and Swift apps.

    pip3 install k2l

    Mobile Security Framework (MobSF) (https://github.com/MobSF/Mobile-Security-Framework-MobSF)

    To install (one time setup):

    • Install wkhtmltopdf (https://wkhtmltopdf.org) to save scan output as a PDF file

      sudo apt install -y wkhtmltopdf

    • Clone the MobSF Git repository

      git clone https://github.com/MobSF/Mobile-Security-Framework-MobSF.git
      cd Mobile-Security-Framework-MobSF

    • Run the setup script

      ./setup.sh

    To run the application:

    • To launch the app, execute the run.sh script

    • Open a web browser to http://localhost:8000

    • The default login credentials are mobsf:mobsf. Authentication can also be disabled by setting the MOBSF_DISABLE_AUTHENTICATION=1 environment variable.

  3. SQLCipher (https://www.zetetic.net/sqlcipher/)

    SQLCipher extends the SQLite database to include encrypted local data storage. On mobile devices, it is recommended to encrypt any local database using this package. This software is needed on your computer to be able to access the encrypted database.

    sudo apt install -y sqlcipher

  4. apktool

    Decodes an APK file.

    sudo apt install -y apktool

  5. jadx

    Jadx and Jadx-GUI decompile an APK file back to near-Java source code. This command installs both jadx and jadx-gui.

    sudo apt install -y jadx

  6. SUPER Analyzer (https://github.com/SUPERAndroidAnalyzer/super/releases)

    No longer actively maintained! Analyzes an APK file for misconfigurations.

    Note: This is for x86_64 architecture only. No ARM64 version available!

    • Download the package from the release page!

    • Install the package:

      sudo dpkg -i super-analyzer_0.5.0_debian_amd64.deb

  7. dex2jar

    Converts a .dex file to .class files. The commands start with d2j-.

    sudo apt install -y dex2jar

  8. Android Build Tools

    Contains several command-line tools that will be needed during testing, for example aapt/aapt2, apksigner, dexdump, zipalign, etc.

    sudo apt install -y adb fastboot

  9. Drozer

    Drozer is a vulnerability and attack framework for Android. It received a much-needed update for Python 3 in 2024 by WithSecureLabs.

    (Server: https://github.com/WithSecureLabs/drozer/releases)

    Install the Drozer server (using pipx):

    sudo apt install -y pipx # if needed
    pipx ensurepath --force

    # install drozer:
    pipx install drozer

    (Agent: https://github.com/WithSecureLabs/drozer-agent)

    Install the Drozer agent to your device:

    adb install drozer-agent-3.1.0.apk

  10. Corellium - usbfluxd (When working with Corellium)

    Redirects the standard usbmuxd socket to allow connections to local and remote usbmuxd instances so remote devices appear connected locally.

    • Open a browser and go to https://github.com/corellium/usbfluxd/releases.

    • Download the appropriate release file.

    • Copy it to the Linux system (if needed).

    • Extract the archive file.

    • Copy the files to where you want to place them.

      sudo cp -p usbfluxd /usr/local/sbin
      sudo cp -p usbfluxctl /usr/local/bin
    • Ensure that these two paths are in your $PATH variable.

    • Launch the daemon:

      sudo /usr/local/sbin/usbfluxd
    • Once you have the virtual device running, get the IP address from the Connect tab in the left menu. Then add an entry for usbfluxd:

      /usr/local/bin/usbfluxctl add <ip-address>:5000

      # run this to see what is setup:
      /usr/local/bin/usbfluxctl list

    Once this is set up correctly, you can use the libimobiledevice commands and Frida just as you would with a physical device attached by a USB cable.


ADB Configuration - For Android Devices

For Android apps, it is best to just use the ADB utility to connect to the physical device. All you should need to do is:

adb shell
su