macOS Setup
It helps to have a Mac when performing mobile app testing. Many of the tools that run on the iOS device itself also run on a Mac, which makes app analysis faster, and a number of other useful analysis tools are macOS-only.
You will also want Xcode on the Mac. Even if you never build an app, Xcode ships a wealth of tools you will use during an assessment. Make sure you install the Xcode Command Line Tools along with it.
Gatekeeper
macOS Gatekeeper refuses to open an application from an "unidentified developer" (one that is not signed and notarized), and for anything downloaded from the internet it asks you to confirm that you really want to open the file. Most of the applications below are properly signed and will not trigger a Gatekeeper alert. If one does, you can remove the quarantine attribute from Terminal:
sudo xattr -rd com.apple.quarantine /Applications/AppName.app
With the quarantine attribute removed, the application opens normally. The change is permanent, so you only need to do this once per application. Be aware that this bypasses Gatekeeper's check entirely: only do it for software you obtained from a reliable source and, where the publisher provides a checksum or signature, have verified before installing.
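As an added example (not part of this guide), a small shell helper that decodes the quarantine attribute so you can see which application downloaded the file and when, and that refuses to clear the attribute unless the bundle's code signature verifies. The function names and report format are this example's own; xattr, codesign and spctl are the standard macOS commands, so the two functions that call them only run on a Mac. The quarantine value used in the comment is constructed.

```shell
#!/bin/sh
# Added example (not from the original guide): inspect a downloaded app's
# quarantine attribute and clear it only after the code signature verifies.
# Function names and the report format are this example's own choices.

# Parse the value of com.apple.quarantine. macOS writes it as
#   <flags-hex>;<download-time-hex-epoch>;<downloading-agent>;<uuid>
# (agent and uuid may be empty), e.g. the constructed value
#   0083;5f8d3a2c;Safari;1B2C3D4E-5F60-7182-93A4-B5C6D7E8F901
# Prints "agent=<name> flags=<hex> downloaded=<unix epoch>".
parse_quarantine_attr() {
    attr=$1
    case $attr in
        *";"*";"*) ;;                       # need at least flags;time;agent
        *) echo "not a quarantine value: $attr" >&2; return 1 ;;
    esac
    flags=${attr%%;*}
    rest=${attr#*;}
    stamp=${rest%%;*}
    rest=${rest#*;}
    agent=${rest%%;*}
    case $stamp in
        '') epoch=0 ;;                      # no timestamp recorded
        *[!0-9a-fA-F]*) echo "bad timestamp field: $stamp" >&2; return 1 ;;
        *) epoch=$((0x$stamp)) ;;           # hex seconds since the epoch
    esac
    printf 'agent=%s flags=%s downloaded=%s\n' "$agent" "$flags" "$epoch"
}

# Show the quarantine state of a path (macOS only; relies on xattr).
quarantine_info() {
    if ! val=$(xattr -p com.apple.quarantine "$1" 2>/dev/null); then
        echo "not quarantined: $1"
        return 0
    fi
    parse_quarantine_attr "$val"
}

# Remove the quarantine attribute only if the bundle carries a signature that
# verifies. Prints the signing chain and Gatekeeper's own verdict first so you
# can see who signed it; refuses unsigned or tampered bundles (macOS only).
unquarantine_if_signed() {
    app=$1
    if ! codesign --verify --deep --strict "$app" 2>/dev/null; then
        echo "refusing: $app is unsigned or its signature does not verify" >&2
        echo "check the download against the publisher's checksum before overriding by hand" >&2
        return 1
    fi
    echo "signed by:"
    codesign -dv --verbose=2 "$app" 2>&1 | grep -E '^(Authority|TeamIdentifier)='
    echo "gatekeeper verdict:"
    spctl --assess --type execute --verbose "$app" 2>&1 || true
    xattr -rd com.apple.quarantine "$app"
}

# Usage on the Mac:
#   quarantine_info /Applications/AppName.app
#   unquarantine_if_signed /Applications/AppName.app
```

The signature check is deliberately separate from Gatekeeper's verdict: an app signed with a valid Developer ID but never notarized fails spctl yet still verifies with codesign, which is exactly the case where clearing the attribute is a reasonable, informed decision. An app that fails codesign has no identity to reason about, so the helper refuses and leaves the override to you.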
Software Installations
There are several software packages you can use, but you will likely want at least the following. Tested on macOS versions up to and including macOS Monterey.
- Xcode (with Command Line Tools -- Apple App Store)
Xcode provides many of the utilities required for static analysis, such as otool, lipo and codesign. It also makes app installation easy and pulls crash logs from the iOS device. Xcode is a very large download and slow to install, but it is required.
Xcode Command Line Tools:
xcode-select --install
- Homebrew (https://brew.sh)
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install.sh)"
Note: Homebrew installs under /usr/local (binaries in /usr/local/bin) on Intel Macs, and under /opt/homebrew (binaries in /opt/homebrew/bin) on Apple Silicon (arm64) Macs. Set your $PATH accordingly, and remember the two prefixes whenever a later step hard-codes a path such as /usr/local/bin/iproxy. As with any installer piped from curl into bash, read the script first if your environment requires it.
- libimobiledevice (http://www.libimobiledevice.org)
An open-source library and set of command-line tools (idevice_id, ideviceinfo, idevicesyslog and others) that talk to the device over the USB cable to gather information. Installing it also pulls in libusbmuxd, which provides the iproxy command used later for SSH over USB.
brew install libimobiledevice
- Burp Suite Pro (https://portswigger.net)
Used to intercept and modify the HTTP(S) traffic between the mobile app and its back end.
- Hex Editor (your choice -- both of these are good)
Hex Fiend (http://ridiculousfish.com/hexfiend/)
Hex Fiend is a simple hex editor. Use it to patch bytes in a decrypted binary, for example to neutralise validation routines such as jailbreak detection checks.
brew install hex-fiend
REHex (https://github.com/solemnwarning/rehex/releases)
A cross-platform (Windows, Linux, macOS) hex editor for reverse engineering, and everything else. Includes many additional tools that Hex Fiend does not have.
- Radare2 (https://github.com/radare/radare2.git)
Radare2 is a reverse-engineering framework with a full disassembler for ARM binaries, and it can also patch the assembly. Not strictly required.
brew install radare2
- XMachOView (https://github.com/horsicq/XMachOViewer)
An updated MachOView with enhanced capabilities. Download it from the releases on GitHub.
- DB Browser for SQLite (http://sqlitebrowser.org)
Opens SQLite databases pulled from the iOS device in a graphical view. It also supports SQLCipher-encrypted databases, which makes it more useful.
brew install db-browser-for-sqlite
- Python3 Virtual Environment
Create a Python3 virtual environment for the mobile testing tools. This keeps them isolated from the system's externally managed Python, where pip would otherwise refuse to install them.
Install and activate the environment:
python3 -m venv mobile
cd mobile
. bin/activate
Tip: remember to activate the environment whenever you need the tools. When finished, deactivate it by running:
deactivate
Tools to install:
Frida (https://pypi.python.org/pypi/frida) (MUST match the frida-server version on the device)
Frida is a dynamic instrumentation toolkit that gives deep access to the running iOS application. Installing "frida-tools" pulls in the "frida" Python bindings as a dependency; frida-server itself is installed separately on the device, and its version must match the host bindings (compare frida --version on the host with the server build on the device).
pip3 install frida-tools
Frida Scripts (Corporate GitHub!)
Various Frida scripts used throughout this testing guide.
Fridump (https://github.com/Nightbringer21/fridump)
A Frida-based tool that dumps the memory of a running iOS process. It also has a built-in strings option for post-dump analysis.
git clone https://github.com/Nightbringer21/fridump
frida-ios-dump (https://github.com/AloneMonkey/frida-ios-dump)
Frida script that dumps the decrypted app binary from the device and packages it as an IPA on the host.
git clone https://github.com/AloneMonkey/frida-ios-dump
Objection (https://github.com/sensepost/objection)
Objection is a runtime mobile exploration toolkit powered by Frida. It automates many dynamic-analysis tasks such as browsing the app sandbox, dumping classes and hooking methods. Relies on Frida and Python3.
pip install objection
KTool (https://github.com/cxnder/ktool)
A recent class-dump tool that supports both Objective-C and Swift apps. The PyPI package is named k2l.
pip3 install k2l
Mobile Security Framework (MobSF) (https://github.com/MobSF/Mobile-Security-Framework-MobSF)
To install (one-time setup):
- Install wkhtmltopdf (https://wkhtmltopdf.org) so scan output can be saved as a PDF. On macOS, download the installer package from the wkhtmltopdf site; the apt command below only applies to Debian/Ubuntu hosts.
sudo apt install wkhtmltopdf
- Clone the MobSF Git repository
git clone https://github.com/MobSF/Mobile-Security-Framework-MobSF.git
cd Mobile-Security-Framework-MobSF
- Run the setup script
./setup.sh
To run the application:
- Launch the app by executing the run.sh script
- Open a web browser to http://localhost:8000
- The default login credentials are mobsf:mobsf. Authentication can also be disabled by setting the MOBSF_DISABLE_AUTHENTICATION=1 environment variable; because MobSF holds the uploaded apps and their reports, only do that while it is bound to localhost.
- SQLite Parser (https://github.com/mdegrazia/SQLite-Deleted-Records-Parser)
SQLite does not overwrite deleted records right away, so SQLite Parser can often recover "deleted" records from an SQLite database file.
git clone https://github.com/mdegrazia/SQLite-Deleted-Records-Parser.git
- disarm (https://newosxbook.com/tools/disarm.tar)
Jtool2 is deprecated; its functionality now lives in disarm. Extract the tarball after downloading and place the binary on your $PATH.
curl https://newosxbook.com/tools/disarm.tar --output disarm.tar
- ideviceinstaller
A small utility that simplifies installing an IPA onto the device.
brew install ideviceinstaller
- SQLCipher (https://www.zetetic.net/sqlcipher/)
SQLCipher extends SQLite with transparent encryption of the database file, and apps are encouraged to use it for sensitive local storage. You need it on your computer (it provides the sqlcipher command-line shell) to open such a database once you have recovered its key.
brew install sqlcipher
- iOS App Signer (https://github.com/DanTheMan827/ios-app-signer)
Easily re-sign an IPA file with your own certificate and provisioning profile for installation onto the device.
- Download the zip file from GitHub
- Extract the zip file and drag the application to the /Applications folder
- android-platform-tools
A brew package that installs tools such as adb and fastboot.
brew install android-platform-tools
- apktool
Decodes an APK file into its resources and smali, and can rebuild it.
brew install apktool
- jadx
Jadx and its GUI (jadx-gui) decompile an APK back to near-Java source.
brew install jadx
- SUPER Analyzer (https://github.com/SUPERAndroidAnalyzer/super/releases)
No longer actively maintained. Analyzes an APK file for misconfigurations.
- dex2jar
Converts .dex files to .class files (packaged as a JAR) for use with Java decompilers.
brew install dex2jar
- Android Build Tools (https://dl.google.com/android/repository/build-tools_r28.0.2-macosx.zip)
Contains several command-line tools, such as aapt, zipalign and apksigner, that you will need during testing.
- Drozer
Drozer is a vulnerability and attack framework for Android. It received a much-needed Python3 update in 2024 from WithSecureLabs.
(Server: https://github.com/WithSecureLabs/drozer/releases)
Install the Drozer server (using pipx):
# install pipx:
brew install pipx
pipx ensurepath
# now install drozer:
pipx install drozer
(Agent: https://github.com/WithSecureLabs/drozer-agent)
Install the Drozer agent on your device:
adb install drozer-agent-3.1.0.apk
- Corellium - usbfluxd (when working with Corellium)
Redirects the standard usbmuxd socket so that connections reach both local and remote usbmuxd instances, making remote (virtual) devices appear as if they were attached locally. Building it requires autoconf, automake and libtool from Homebrew.
git clone https://github.com/corellium/usbfluxd.git
cd usbfluxd
./autogen.sh
make
sudo make install
This installs usbfluxd into /usr/local/sbin and usbfluxctl into /usr/local/bin. Ensure both directories are in your $PATH.
Launch the daemon:
sudo /usr/local/sbin/usbfluxd
Once the virtual device is running, get its IP address from the Connect tab in the left menu, then add an entry for usbfluxd:
/usr/local/bin/usbfluxctl add <ip-address>:5000
# run this to see what is set up:
/usr/local/bin/usbfluxctl list
Once this is set up correctly, you can use the libimobiledevice commands and Frida exactly as you would with a physical device attached by USB cable.
SSH Configuration - For iOS Devices
Many tasks during a test require a shell on the iOS device over SSH. Rather than SSHing to the device's Wi-Fi IP address, tunnel the connection over the USB cable: it is faster and far more reliable. This uses the iproxy command from libusbmuxd, which Homebrew installs as a dependency of libimobiledevice. (When using Corellium, click Connect in the left menu and copy the SSH string provided there instead.)
iproxy listens on a local TCP port and forwards each incoming connection over the cable to a port on the device. By convention the local port is 2222.
For an ad-hoc setup, just run:
iproxy 2222 22 &
This forwards any traffic sent to local port 2222 over the cable to port 22 on the device. Once it is running, connect with the built-in SSH client:
ssh -p 2222 -l root localhost
Jailbreaks ship with a well-known default root password (alpine); change it with passwd before the device joins any shared network.
If you perform many iOS tests, it is easier to run iproxy as a Launch Agent so that it is always available. To set this up:
OpenSSH
If your jailbreak uses the OpenSSH package:
- Change to the ~/Library/LaunchAgents directory.
- Create a file called com.usbmuxd.iproxy-ssh.plist in that directory.
- Add the following to com.usbmuxd.iproxy-ssh.plist. The path below is the Intel Homebrew location; on Apple Silicon, iproxy lives at /opt/homebrew/bin/iproxy, so adjust it or the agent will fail silently:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.usbmuxd.iproxy-ssh</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/local/bin/iproxy</string>
        <string>2222</string>
        <string>22</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>KeepAlive</key>
    <true/>
</dict>
</plist>
- Once the file is in place, load it manually the first time (it loads automatically at every subsequent login):
launchctl load com.usbmuxd.iproxy-ssh.plist
- Finally, create (or modify) the ~/.ssh/config file and add the following entry:
Host ios
    User root
    Hostname 127.0.0.1
    Port 2222
    IdentityFile ~/.ssh/id_rsa
    StrictHostKeyChecking no
    UserKnownHostsFile /dev/null
Once this is in place, you can simply run ssh ios to connect through port 2222. The last two lines disable host-key checking; that is acceptable here because the connection never leaves the USB cable and every test device presents a different host key, but do not copy them into entries for network hosts.
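The Launch Agent and ~/.ssh/config steps above, together with the Homebrew prefix note in the Software Installations list, as one added shell example that is not part of this guide: it picks the iproxy path from the Mac's CPU architecture instead of hard-coding /usr/local, validates the ports, and emits both the plist and the SSH stanza. Function names are this example's own; the label com.usbmuxd.iproxy-ssh and the 2222/22 ports follow the guide.

```shell
#!/bin/sh
# Added example (not from the original guide): generate the iproxy Launch Agent
# and ~/.ssh/config entry with the Homebrew prefix that matches the Mac's CPU.
# Function names are this example's own; the plist label and ports follow the guide.

# Homebrew prefix by CPU architecture (as reported by uname -m):
# /opt/homebrew on Apple Silicon, /usr/local on Intel. Anything else is refused.
brew_prefix_for_arch() {
    case $1 in
        arm64|aarch64) echo /opt/homebrew ;;
        x86_64|i386)   echo /usr/local ;;
        *) echo "unknown architecture: $1" >&2; return 1 ;;
    esac
}

# True if the directory is already a component of $PATH (exact match).
path_contains() {
    case ":$PATH:" in
        *":$1:"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Emit a Launch Agent that keeps "iproxy LOCAL_PORT DEVICE_PORT" running.
# Usage: iproxy_agent_plist PREFIX LOCAL_PORT DEVICE_PORT
iproxy_agent_plist() {
    prefix=$1 local_port=$2 device_port=$3
    for p in "$local_port" "$device_port"; do
        case $p in
            ''|*[!0-9]*) echo "ports must be decimal numbers, got '$p'" >&2; return 1 ;;
        esac
    done
    # A per-user agent cannot bind privileged ports; 2222 is the convention.
    if [ "$local_port" -lt 1024 ]; then
        echo "local port must be >= 1024 for a per-user Launch Agent" >&2
        return 1
    fi
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.usbmuxd.iproxy-ssh</string>
    <key>ProgramArguments</key>
    <array>
        <string>$prefix/bin/iproxy</string>
        <string>$local_port</string>
        <string>$device_port</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>KeepAlive</key>
    <true/>
</dict>
</plist>
EOF
}

# ~/.ssh/config stanza matching the agent. Host-key checking is disabled only
# because the tunnel terminates on the loopback interface and every test device
# presents a different key; never reuse these two lines for network hosts.
ssh_config_stanza() {
    cat <<EOF
Host ios
    User root
    Hostname 127.0.0.1
    Port $1
    IdentityFile ~/.ssh/id_rsa
    StrictHostKeyChecking no
    UserKnownHostsFile /dev/null
EOF
}

# Glue for the Mac itself (macOS only): pick the prefix from uname -m, insist
# iproxy is really there, write and load the agent, add the SSH stanza once.
install_iproxy_agent() {
    prefix=$(brew_prefix_for_arch "$(uname -m)") || return 1
    if [ ! -x "$prefix/bin/iproxy" ]; then
        echo "iproxy not found at $prefix/bin/iproxy; brew install libimobiledevice first" >&2
        return 1
    fi
    path_contains "$prefix/bin" || echo "warning: $prefix/bin is not on PATH" >&2
    mkdir -p "$HOME/Library/LaunchAgents" "$HOME/.ssh"
    iproxy_agent_plist "$prefix" 2222 22 > "$HOME/Library/LaunchAgents/com.usbmuxd.iproxy-ssh.plist"
    launchctl load "$HOME/Library/LaunchAgents/com.usbmuxd.iproxy-ssh.plist"
    grep -qs '^Host ios$' "$HOME/.ssh/config" || ssh_config_stanza 2222 >> "$HOME/.ssh/config"
}
```

Run install_iproxy_agent once on the Mac; afterwards ssh ios works whenever a device is on the cable. The existence check on $prefix/bin/iproxy matters because launchd reports nothing useful when ProgramArguments points at a missing binary, which is the usual symptom of copying the Intel path onto an Apple Silicon machine.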
ADB Configuration - For Android Devices
For Android apps, it is simplest to use the ADB utility to connect to the physical device. With USB debugging enabled and the computer authorized on the device, all you should need is:
adb shell
su
The su step only works on a rooted device (or a rooted emulator image) with a su binary installed.