iOS IPA Architecture and Jailbreaking iOS 13.4.1


iOS application security is one of the most discussed topics in mobile security today. Apple claims to build the best products on the market, from its own silicon and the iPhone hardware up to how apps are handled, with data protection built on AES-256, and it puts a lot of emphasis on the security of consumers' personal data. This post does not go into the details of the iPhone hardware architecture. It focuses on iOS apps and how an iOS application is put together, from a pentester's point of view.

There are three types of iOS applications:

  • Native applications are written in Objective-C or Swift.
  • Hybrid applications use frameworks such as Xamarin or Cordova alongside Objective-C/Swift.
  • Web-based applications are responsive versions of websites built to work on a mobile device.

We will focus on native iOS applications. A native iOS application is written in Objective-C or Swift and can use any of the native libraries and frameworks available to iOS apps.

So let's divide the application architecture into chunks:


iOS apps are distributed as IPA (iOS App Store Package) archives. An IPA file is a ZIP archive that contains all the code and resources required to run the app, laid out in a fixed directory structure.

  • /Payload/ contains the application bundle. We will come back to the contents of this folder in more detail.
  • /Payload/Application.app is the application bundle itself: the ARM-compiled executable and its associated static resources.
  • /iTunesArtwork is a 512×512 pixel PNG image used as the application's icon.
  • /iTunesMetadata.plist contains various bits of information, including the developer's name and ID, the bundle identifier, copyright information, genre, the name of the app, release date, purchase date, etc.
  • /WatchKitSupport/WK is an example of an extension bundle. This particular bundle contains the extension delegate and the controllers that manage the interfaces and respond to user interactions on an Apple Watch.

/Payload Folder In Detail

Let's take a closer look at the different files in the IPA container. Apple uses a relatively flat structure with few extraneous directories, to save disk space and simplify file access. The top-level bundle directory contains the application's executable file and all the resources the application uses (for example, the application icon, other images, and localized content).

  • MyApp: The executable file, a Mach-O binary containing the compiled application code (no readable source).
  • Application icons: The icon image files.
  • Info.plist: Configuration information, such as the bundle ID, version number and application display name. It can be viewed with a text editor. If it is stored in binary format, convert it with plistutil (from libplist):
plistutil -i|--infile FILE [-o|--outfile FILE] [-d|--debug]  converts a plist FILE from binary to XML format or vice versa. On macOS, plutil -convert xml1 Info.plist does the same job.
  • Launch images: Images showing the initial application interface in a specific orientation. The system uses one of the provided launch images as a temporary background until the application is fully loaded.
  • MainWindow.nib: Default interface objects that are loaded when the application is launched. Other interface objects are then either loaded from other nib files or created programmatically by the application.
  • Settings.bundle: Application-specific preferences to be displayed in the Settings app.
  • Custom resource files: Non-localized resources are placed in the top-level directory and localized resources are placed in language-specific subdirectories of the application bundle. Resources include nib files, images, sound files, configuration files, strings files, and any other custom data files the application uses.
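The following script pulls the pieces described above out of an IPA: it checks that there is exactly one .app bundle under Payload/, reads Info.plist whether it is binary or XML (plistlib detects the format, the same way plistutil does), confirms the executable named in CFBundleExecutable starts with a Mach-O magic number, lists the .lproj folders and reads iTunesMetadata.plist if present. This is an added example, not code from the original post; the IPA it inspects is constructed in memory from made-up values (bundle ID com.example.myapp, a stub executable that is only a header) so it runs offline, and the NSAppTransportSecurity check at the end is one Info.plist setting a pentester typically flags.

```python
"""Inspect an IPA the way the directory layout above describes it.

The IPA used here is constructed in memory (not a real app) so the script
runs offline; every bundle name and plist value is made up for illustration.
"""
import io
import plistlib
import zipfile

# Mach-O magic numbers as they appear in the file (little-endian on disk).
MACH_O_MAGICS = (
    b"\xcf\xfa\xed\xfe",  # MH_MAGIC_64 (arm64)
    b"\xce\xfa\xed\xfe",  # MH_MAGIC (armv7)
    b"\xca\xfe\xba\xbe",  # FAT_MAGIC (multi-architecture)
)


def build_sample_ipa() -> bytes:
    """Build a constructed sample IPA: one .app bundle, a *binary* Info.plist,
    a stub executable with a Mach-O header, one .lproj folder and an
    XML iTunesMetadata.plist."""
    info = {
        "CFBundleIdentifier": "com.example.myapp",
        "CFBundleExecutable": "MyApp",
        "CFBundleShortVersionString": "1.2.0",
        "CFBundleDisplayName": "MyApp",
        "NSAppTransportSecurity": {"NSAllowsArbitraryLoads": True},
    }
    meta = {"artistName": "Example Developer", "softwareVersionBundleId": "com.example.myapp"}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("Payload/MyApp.app/Info.plist", plistlib.dumps(info, fmt=plistlib.FMT_BINARY))
        z.writestr("Payload/MyApp.app/MyApp", MACH_O_MAGICS[0] + b"\x00" * 28)  # header stub only
        z.writestr("Payload/MyApp.app/en.lproj/Localizable.strings", b'"hello" = "Hello";\n')
        z.writestr("iTunesMetadata.plist", plistlib.dumps(meta))  # XML by default
    return buf.getvalue()


def inspect_ipa(ipa_bytes: bytes) -> dict:
    """Return the facts a pentester pulls from an IPA before touching the binary."""
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as z:
        names = z.namelist()
        parts = [n.split("/") for n in names]
        # Exactly one .app bundle is expected directly under Payload/.
        apps = sorted({p[1] for p in parts if len(p) >= 3 and p[0] == "Payload" and p[1].endswith(".app")})
        if len(apps) != 1:
            raise ValueError(f"expected one .app bundle under Payload/, found {apps}")
        app = apps[0]
        # plistlib.loads detects 'bplist00' (binary) vs XML on its own, like plistutil.
        info = plistlib.loads(z.read(f"Payload/{app}/Info.plist"))
        executable = info["CFBundleExecutable"]
        magic = z.read(f"Payload/{app}/{executable}")[:4]
        lprojs = sorted({p[2] for p in parts if len(p) >= 4 and p[:2] == ["Payload", app] and p[2].endswith(".lproj")})
        meta = plistlib.loads(z.read("iTunesMetadata.plist")) if "iTunesMetadata.plist" in names else {}
        ats = info.get("NSAppTransportSecurity", {})
        return {
            "app": app,
            "bundle_id": info.get("CFBundleIdentifier"),
            "executable": executable,
            "version": info.get("CFBundleShortVersionString"),
            "executable_is_mach_o": magic in MACH_O_MAGICS,
            "localizations": lprojs,
            "developer": meta.get("artistName"),
            # Info.plist setting worth flagging: disables ATS, allowing plaintext HTTP.
            "allows_arbitrary_loads": bool(ats.get("NSAllowsArbitraryLoads", False)),
        }


if __name__ == "__main__":
    for key, value in inspect_ipa(build_sample_ipa()).items():
        print(f"{key:>22}: {value}")
```

To run it against a real IPA, replace build_sample_ipa() with the bytes of the file; a decrypted App Store binary will still pass the Mach-O check, while an encrypted one is only detectable by looking at the LC_ENCRYPTION_INFO load command, which this script does not parse.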

On a jailbroken device you can install an IPA file with IPA Installer, iFunbox or Cydia Impactor from a computer, or with the IPA Installer Console command-line tool (ipainstaller) on the phone itself.

During mobile security assessments, developers often give you the IPA directly. They can send you the actual file or provide access to the development-specific distribution platform they use, e.g., HockeyApp or TestFlight.


A language.lproj folder exists for each language that the application supports. It contains a storyboard and a strings file.

A storyboard is a visual representation of the iOS application’s user interface. It shows screens and the connections between those screens.

The strings file format consists of one or more key-value pairs and optional comments.
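The parser below handles the old-style .strings format just described: block and line comments, "key" = "value"; pairs, and backslash escapes inside the quotes (a naive line-by-line split breaks on escaped quotes and on values containing \n). It also rejects duplicate keys, which the runtime silently resolves by letting the last one win. This is an added example written for this post, not code from the original; the sample file it parses is constructed here and belongs to no real app.

```python
"""Parse an old-style .strings file: C-style comments followed by
"key" = "value"; pairs, with backslash escapes inside the quotes.

The sample file below is constructed for this example; it is not taken from
any real app bundle.
"""
import re

SAMPLE_STRINGS = r'''
/* Login screen */
"login.title" = "Sign in";
"login.error" = "Wrong password for \"%@\"\nTry again";   // shown after a failed attempt
"support.url" = "https://support.example.com/help";
'''

_TOKEN = re.compile(r'''
    \s+                          # whitespace
  | /\*.*?\*/                    # block comment
  | //[^\n]*                     # line comment
  | "((?:[^"\\]|\\.)*)"          # quoted string; group 1 keeps the escapes
  | (=|;)                        # punctuation; group 2
''', re.S | re.X)

_ESCAPES = {"n": "\n", "t": "\t", "r": "\r", '"': '"', "\\": "\\"}


def _unescape(raw: str) -> str:
    return re.sub(r"\\(.)", lambda m: _ESCAPES.get(m.group(1), m.group(1)), raw, flags=re.S)


def parse_strings(text: str) -> dict:
    """Return {key: value}. Raise ValueError on syntax errors or duplicate keys
    (at runtime the last duplicate silently wins, which hides mistakes)."""
    tokens = []
    pos = 0
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if m is None:
            raise ValueError(f"unexpected character {text[pos]!r} at offset {pos}")
        pos = m.end()
        if m.group(1) is not None:
            tokens.append(("str", _unescape(m.group(1))))
        elif m.group(2) is not None:
            tokens.append(("punct", m.group(2)))
        # whitespace and comments yield no token
    result = {}
    i = 0
    while i < len(tokens):
        entry = tokens[i:i + 4]
        if (len(entry) == 4 and entry[0][0] == "str" and entry[1] == ("punct", "=")
                and entry[2][0] == "str" and entry[3] == ("punct", ";")):
            key, value = entry[0][1], entry[2][1]
            if key in result:
                raise ValueError(f"duplicate key {key!r}")
            result[key] = value
            i += 4
        else:
            raise ValueError(f"malformed entry starting at token {i}: {entry}")
    return result


if __name__ == "__main__":
    for key, value in parse_strings(SAMPLE_STRINGS).items():
        print(f"{key} = {value!r}")
```

Strings files inside a bundle are often stored as binary plists rather than in this text form; in that case load them with plistlib (or convert with plistutil) instead, and feed the resulting dictionary to whatever keyword search you run for hard-coded URLs or credentials.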

On a jailbroken device, you can recover the IPA of an installed iOS app with tools such as frida-ios-dump or iNalyzer, which decrypt the main app binary (App Store binaries are FairPlay-encrypted on disk) and rebuild the IPA file.

Let's jailbreak the device running iOS 13.4.1

Download the checkra1n tool. It is a semi-tethered jailbreak built on the checkm8 bootrom exploit, so it works on A7 to A11 devices (the iPhone SE used here is A9) regardless of the iOS version, including iOS 13 and later; the device must be re-jailbroken from the computer after every reboot.

Here is my iPhone:

My iPhone SE with iOS 13.4.1, used for testing

Let's open the checkra1n tool

checkra1n tool

Putting the device into DFU mode

Once you click Next, the tool walks you through putting the iPhone into DFU mode. Follow its instructions; after about a minute checkra1n is installed on iOS 13.4.1 and you can continue with the screenshots below.

Now all you need to do is configure Cydia with the various repos:


Once you have configured the repos, install OpenSSH and Filza from Cydia for the initial work.

The default SSH credentials on a jailbroken iOS device are username root, password alpine (the mobile user has the same default password). Change both with passwd as soon as you first log in: the default is public knowledge, and the SSH server installed from Cydia listens on the Wi-Fi interface, so anyone on the same network can otherwise log in as root. If you prefer not to expose SSH over Wi-Fi at all, tunnel it over USB with iproxy (for example iproxy 2222 22, then ssh -p 2222 root@localhost).

That's all for this post. In the next one we will look at how to extract the IPA from the device and how to analyze it with various methods.

Learn iOS exploitation and security pentesting with our advanced iOS Security Course.
