macOS Setup
It helps to have a Mac when performing mobile app testing. A lot of the "tools" that can be run on the iOS device can also be run on a Mac. This allows for faster app analysis, plus there are many other tools that run on a Mac to speed up this analysis.
Additionally, you will want to have Xcode running on a Mac. Even if you do not plan on developing any apps, Xcode comes with a wealth of tools that you will use during an assessment. Make sure you install the Command Line tools of Xcode when you install it.
Gatekeeper
Recent versions of macOS include Gatekeeper, which prevents the system from opening a file from an "Unidentified Developer". It will also alert you that the file was downloaded from the internet, and you must confirm that you want to open it. For the most part, the applications below are properly signed and will not trigger the Gatekeeper alert. However, if you do run into this issue, you can use Terminal to manually remove the quarantine bit:
sudo xattr -rd com.apple.quarantine /Applications/AppName.app
With the quarantine bit removed, the application will open fine. This is also a permanent change, so you only need to do this once per application. Of course, you want to ensure that you obtained the app from a reliable source.
Software Installations
There are several software packages that you can use, but you will likely want to have these at a minimum. Tested on macOS versions up to, and including, macOS Monterey.
- Xcode (with Command Line Tools -- Apple App Store)
  Xcode provides many of the utilities required for static analysis, such as otool, lipo, etc. It also allows for easy app installation and will pull crash dumps from the iOS device. Xcode takes a ridiculously long time to install, and overall sucks. But we need it...
  Xcode Command Line Tools:
    xcode-select --install
- Homebrew (https://brew.sh)
    /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install.sh)"
  Note: Homebrew installs applications in /usr/local/bin on Intel-powered macOS systems. On newer Apple Silicon (arm64) macOS systems, Homebrew installs them in /opt/homebrew/bin. Set your $PATH variable accordingly!
- libimobiledevice (http://www.libimobiledevice.org)
  This is an open-source package that connects to the device over the USB cable and allows you to gather information about it.
    brew install libimobiledevice
- Burp Suite Pro (https://portswigger.net)
  This is used for the interception and modification of HTTP communications from the mobile app.
- Hex Editor (Your choice -- Both of these are good)
  Hex Fiend (http://ridiculousfish.com/hexfiend/)
  Hex Fiend is a simple hex editor. This can be used to bypass many of the validation routines such as jailbreak detection.
    brew install hex-fiend
  REHex (https://github.com/solemnwarning/rehex/releases)
  A cross-platform (Windows, Linux, Mac) hex editor for reverse engineering, and everything else. Includes many additional tools that Hex Fiend does not have.
- Radare2 (https://github.com/radare/radare2.git)
  Radare2 is a full disassembler for ARM binaries and can be used to manipulate the assembly code. Not strictly required.
    brew install radare2
- MachOView (https://sourceforge.net/projects/machoview/)
  This provides a nice graphical interface to the load commands of an iOS binary. (Note: This package will be from an unidentified developer. Follow the instructions for Gatekeeper to run the application.)
    brew install machoview
  XMachOView (https://github.com/horsicq/XMachOViewer)
  An updated MachOView with enhanced capabilities! Download from the releases available on GitHub. (Recommend giving this a try!)
- Sqlitebrowser (http://sqlitebrowser.org)
  This tool allows you to open SQLite databases from the iOS device in a graphical view. It also supports encrypted databases, which makes it more useful.
    brew install db-browser-for-sqlite
- Python3 (macOS ships with python3, but you will need a newer version):
    brew install python3
  Create a python3 virtual environment, and install the following tools there (call it whatever you want):
    python3 -m venv DynamicAnalysis
    cd DynamicAnalysis
    . bin/activate
- Frida (https://pypi.python.org/pypi/frida) (MUST match the version on the device)
  Frida is a dynamic instrumentation toolkit that allows deep access to the running iOS application. If you install "frida-tools", it will also install the Frida server since it is a requirement.
    pip3 install frida-tools
- Frida Scripts (Updating links soon!)
  Various Frida scripts that are used throughout this testing guide!
- Fridump (https://github.com/Nightbringer21/fridump)
  This tool, based on Frida, allows you to dump the memory of a running iOS process. It also has a built-in strings capability for post-dump analysis.
    git clone https://github.com/Nightbringer21/fridump
- frida-ios-dump (https://github.com/AloneMonkey/frida-ios-dump)
  Frida dump script to decrypt a binary and dump the app to an IPA on the Mac.
    git clone https://github.com/AloneMonkey/frida-ios-dump
- Objection (https://github.com/sensepost/objection)
  Objection is a runtime mobile exploration toolkit, powered by Frida. Objection can automate many of the tasks of dynamic analysis of the app. Relies on Frida and Python3.
    pip install objection
- SQLite Parser (https://github.com/mdegrazia/SQLite-Deleted-Records-Parser)
  SQLite does not delete records right away, so SQLiteParser can be used to recover "deleted" records from an SQLite database.
    git clone https://github.com/mdegrazia/SQLite-Deleted-Records-Parser.git
- Jtool2 -- a better otool replacement, and much more. (http://newosxbook.com/tools/jtool2.tgz)
    curl http://newosxbook.com/tools/jtool2.tgz --output jtool2.tgz
    tar -zxf jtool2.tgz
    chmod +x jtool2
    mv jtool2 /usr/local/bin
- KTool (https://github.com/cxnder/ktool)
  A recent class dump script that supports Objective-C and Swift apps.
    pip3 install k2l
- ideviceinstaller
  A small utility to simplify the IPA installation.
    brew install ideviceinstaller
- SQL Cipher (https://www.zetetic.net/sqlcipher/)
  SQLCipher extends the SQLite database to include encrypted local data storage. On mobile devices, it is recommended to encrypt any local database using this package. This software is needed on your computer to be able to access the encrypted database.
    brew install sqlcipher
- iOS App Signer (https://github.com/DanTheMan827/ios-app-signer)
  Easily code-sign an IPA file for installation on to the device.
  - Download the zip file from GitHub
  - Extract the zip file, and drag the application to the /Applications folder
- android-platform-tools
  This is a brew package that installs tools such as adb and fastboot.
    brew install android-platform-tools
- apktool
  Decodes an APK file.
    brew install apktool
- jadx
  Jadx & Jadx-GUI will decompile the APK file back to near-Java code.
    brew install jadx
- SUPER Analyzer (https://github.com/SUPERAndroidAnalyzer/super/releases)
  Analyzes an APK file for misconfigurations.
- dex2jar
    brew install dex2jar
  Many tools look for a dex2jar executable in your $PATH. The brew package installs it as d2j-dex2jar, so we need to create a symbolic link to handle these situations:
    # If on an Intel macOS system:
    cd /usr/local/bin
    # If on an Apple Silicon macOS system:
    cd /opt/homebrew/bin
    # Create the link so that "dex2jar" resolves to d2j-dex2jar:
    ln -s d2j-dex2jar dex2jar
- Build Tools (https://dl.google.com/android/repository/build-tools_r28.0.2-macosx.zip)
  Contains several command-line tools that will be needed during testing.
- Mobile Security Framework (MobSF) (https://github.com/MobSF/Mobile-Security-Framework-MobSF)
  To install (one time setup):
  - Install the latest Python3 version with Brew (brew install python3) or, if it is already installed, update it (brew upgrade python3)
  - Ensure that the Brew python3 is in the $PATH before the system python3:
    - For Intel systems: Make sure /usr/local/bin is first in the $PATH
    - For Apple Silicon: Make sure /opt/homebrew/bin is first in the $PATH
  - Install wkhtmltopdf (https://wkhtmltopdf.org/downloads.html) to save scan output as a PDF file
  - Install Java (brew install java). Make sure to run the recommended link command for the system wrappers; this will be in the brew output!
  - Clone the MobSF Git repository
  - Run setup.sh
  To run the application:
  - To launch the app, execute the run.sh script
  - Open a web browser to http://localhost:8000
- Docker / Drozer
  Drozer is a vulnerability and attack framework for Android. It requires Python2, which is not available on recent macOS versions (> 12.2), so we will use a Docker container to run the Drozer tool.
  Once Docker is installed and running, get the container image and start it up:
    # Pull the container (one time task):
    docker pull fsecurelabs/drozer
    # Start the container and open a terminal prompt:
    docker run -it fsecurelabs/drozer
    drozer console connect --server <phone IP address>
  Download the latest Drozer Agent here. Install it to your test device:
    adb install drozer-agent-2.3.4.apk
SSH Configuration - For iOS Devices
To perform many of the tasks during a test, you will connect to the iOS device over the USB cable using the Secure SHell (SSH). This is a quicker, more reliable way to connect than just trying to SSH to the device IP address. You will still use SSH, but instead of going over the network, it will go over the USB cable. To perform this, you will need the usbmuxd package installed, which includes the iproxy command.
The iproxy tool allows you to set up a port on the Mac that listens for incoming connections and forwards them over the cable to the target device. To do this, we will set up a non-standard SSH port on the laptop that we will connect to. The generally accepted port is 2222.
To perform this setup on an ad-hoc basis, just run the following command:
iproxy 2222 22 &
This tells the system to forward any traffic to port 2222 over the cable to port 22 on the device. Once that is running, you can use the built-in SSH client on the Mac to connect to it:
ssh -p 2222 -l root localhost
If you perform many iOS tests, it may be easier to have the iproxy setup as a Launch Agent, so that it is running all the time. To set this up:
OpenSSH
If your jailbreak is using the OpenSSH package (unc0ver, Taurine, etc.), then use this section:
- Change to the ~/Library/LaunchAgents directory.
- Create a file called com.usbmuxd.iproxy-ssh.plist in that directory.
- Add the following information to the com.usbmuxd.iproxy-ssh.plist file:
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>Label</key>
        <string>com.usbmuxd.iproxy-ssh</string>
        <key>ProgramArguments</key>
        <array>
            <string>/usr/local/bin/iproxy</string>
            <string>2222</string>
            <string>22</string>
        </array>
        <key>RunAtLoad</key>
        <true/>
        <key>KeepAlive</key>
        <true/>
    </dict>
    </plist>
- Once the file is in place, you can load it manually the first time:
    launchctl load com.usbmuxd.iproxy-ssh.plist
DropBear SSH
If your jailbreak is using the DropBear SSH package (checkra1n), then use this section:
- Change to the ~/Library/LaunchAgents directory.
- Create a file called com.usbmuxd.iproxy-dropbear.plist in that directory.
- Add the following information to the com.usbmuxd.iproxy-dropbear.plist file:
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>Label</key>
        <string>com.usbmuxd.iproxy-dropbear</string>
        <key>ProgramArguments</key>
        <array>
            <string>/usr/local/bin/iproxy</string>
            <string>4444</string>
            <string>44</string>
        </array>
        <key>RunAtLoad</key>
        <true/>
        <key>KeepAlive</key>
        <true/>
    </dict>
    </plist>
- Once the file is in place, you can load it manually the first time:
    launchctl load com.usbmuxd.iproxy-dropbear.plist
If you use multiple devices, you can set both up since they use different ports. This way, it is always running regardless of the jailbreak in use. On Apple Silicon systems, where Homebrew installs into /opt/homebrew/bin, change the iproxy path in the ProgramArguments of both plists to /opt/homebrew/bin/iproxy, or launchd will fail to find the binary.
Finally, create (or modify) the ~/.ssh/config file and add the following entries into it:
    Host ios
        User root
        Hostname 127.0.0.1
        Port 2222
        IdentityFile /Users/yourname/.ssh/id_rsa
        StrictHostKeyChecking no
        UserKnownHostsFile /dev/null
    Host device
        User root
        Hostname 127.0.0.1
        Port 4444
        IdentityFile /Users/yourname/.ssh/id_rsa
        StrictHostKeyChecking no
Once this is set up, you can simply run ssh ios to connect to port 2222 or ssh device to connect to port 4444.
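The whole SSH-over-USB setup above (both LaunchAgents and the ~/.ssh/config stanzas) as one added example, not code from the original guide: it builds the plists with Python's plistlib so the XML is always well-formed, refuses two agents on the same local port, and writes everything under whichever home directory you pass in. The tunnel table and the /usr/local/bin/iproxy path are assumptions taken from the guide; the function names are mine.

```python
import plistlib
from pathlib import Path

# Assumed tunnels (launchd label, ssh alias, local port, device port); OpenSSH
# jailbreaks listen on 22 and checkra1n's Dropbear on 44, as in the guide.
TUNNELS = [
    ("com.usbmuxd.iproxy-ssh", "ios", 2222, 22),
    ("com.usbmuxd.iproxy-dropbear", "device", 4444, 44),
]
IPROXY = "/usr/local/bin/iproxy"  # /opt/homebrew/bin/iproxy on Apple Silicon

def iproxy_launch_agent(label, local_port, device_port, iproxy=IPROXY):
    """Well-formed LaunchAgent plist; plistlib does the XML escaping."""
    return plistlib.dumps({
        "Label": label,
        "ProgramArguments": [iproxy, str(local_port), str(device_port)],
        "RunAtLoad": True,
        "KeepAlive": True,
    })

def ssh_config_entry(alias, local_port, identity):
    """Host stanza so `ssh <alias>` reaches the forwarded port on localhost.
    Host-key checking is off only because the tunnel ends on 127.0.0.1 over
    USB; do not reuse this stanza for hosts reached over the network."""
    return (f"Host {alias}\n    User root\n    Hostname 127.0.0.1\n"
            f"    Port {local_port}\n    IdentityFile {identity}\n"
            "    StrictHostKeyChecking no\n    UserKnownHostsFile /dev/null\n")

def write_all(home, tunnels=TUNNELS):
    """Write plists to <home>/Library/LaunchAgents and ssh stanzas; return plist paths."""
    ports = [t[2] for t in tunnels]
    if len(set(ports)) != len(ports):  # two agents on one port would collide
        raise ValueError(f"duplicate local port in {ports}")
    agents = home / "Library" / "LaunchAgents"
    agents.mkdir(parents=True, exist_ok=True)
    (home / ".ssh").mkdir(parents=True, exist_ok=True)
    identity = str(home / ".ssh" / "id_rsa")
    written = []
    with (home / ".ssh" / "config").open("a") as cfg:
        for label, alias, local_port, device_port in tunnels:
            path = agents / f"{label}.plist"
            path.write_bytes(iproxy_launch_agent(label, local_port, device_port))
            cfg.write(ssh_config_entry(alias, local_port, identity) + "\n")
            written.append(path)
    return written

if __name__ == "__main__":
    for p in write_all(Path.home()):
        print(f"wrote {p}; first-time load: launchctl load {p}")
```

Run it once, then `launchctl load` each printed plist as the guide describes; `ssh ios` and `ssh device` work from the next shell on.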
ADB Configuration - For Android Devices
For Android apps, it is best to just use the ADB utility to connect to the physical device. All you should need to do is:
    adb shell
    su