Introduction
In this post I will explain how to configure objection for iOS runtime analysis on a non-jailbroken device.
objection is a powerful framework built on top of Frida that allows you to perform various tasks on Android and iOS.
Some of these tasks include dumping memory / credentials, inspecting the view hierarchy, browsing the filesystem, bypassing security features, and much more.
Install Frida CLI tools
Frida CLI tools is a set of tools used to interact with Frida from the command-line interface.
Install Frida CLI tools
pip install frida-tools
Verify installation
frida-ps --version
# 16.3.3
Install objection
objection is a runtime analysis framework built on top of Frida.
Install objection
pip3 install objection
Verify installation
objection version
# objection: 1.11.0
Setup Frida iOS Gadget
Since you are not using a jailbroken device, you will rely on the Frida iOS Gadget to interact with your application.
Frida is able to instrument debuggable apps, and will inject Gadget automatically as of Frida 12.7.12.
There are only a few requirements to be aware of:
- The iOS device must be running iOS 13 or newer
- The latest Frida iOS Gadget must be present in the user’s cache directory. On macOS this is ~/.cache/frida/gadget-ios.dylib
- The Developer Disk Image must be mounted
Download the Gadget
Create the required cache directory
mkdir -p ~/.cache/frida
Download the latest universal iOS Gadget, decompress it, and move it to the cache directory
curl -L https://github.com/frida/frida/releases/download/16.4.4/frida-gadget-16.4.4-ios-universal.dylib.gz | gzip -d > ~/.cache/frida/gadget-ios.dylib
Verify the download
ls -la ~/.cache/frida
# drwxr-xr-x 3 <snip> <snip> 96 Jul 5 00:30 .
# drwxr-xr-x 3 <snip> <snip> 96 Jul 5 00:29 ..
# -rw-r--r--@ 1 <snip> <snip> 40640656 Jul 5 00:30 gadget-ios.dylib
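The `ls -la` listing only shows that a file of some size exists. As an added example (not part of the original post), this script reads the file's leading magic bytes to confirm that the download really decompressed to a Mach-O image rather than a still-gzipped file or an HTML error page; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: sanity-check a downloaded Frida Gadget by its magic bytes.

# Print the first four bytes of a file as lowercase hex, e.g. "cafebabe".
magic_of() {
    od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n'
}

# Classify a file as macho-fat, macho-thin, gzip, missing, empty or unknown.
classify_gadget() {
    [ -e "$1" ] || { echo missing; return; }
    [ -s "$1" ] || { echo empty; return; }
    m=$(magic_of "$1")
    case "$m" in
        cafebabe|cafebabf) echo macho-fat ;;   # universal (multi-arch) binary
        cffaedfe|cefaedfe) echo macho-thin ;;  # single-arch, little-endian
        1f8b*)             echo gzip ;;        # gzip -d step was skipped
        *)                 echo unknown ;;     # e.g. HTML error page from a bad URL
    esac
}

# Return 0 only when the file is a Mach-O image; explain the failure otherwise.
check_gadget() {
    kind=$(classify_gadget "$1")
    case "$kind" in
        macho-fat|macho-thin) echo "OK: $1 is $kind"; return 0 ;;
        gzip)    echo "FAIL: $1 is still gzip-compressed" ;;
        missing) echo "FAIL: $1 does not exist" ;;
        empty)   echo "FAIL: $1 is empty (download or gzip failed)" ;;
        *)       echo "FAIL: $1 is not a Mach-O file" ;;
    esac
    return 1
}

# When a path is given on the command line, check it.
if [ "$#" -gt 0 ]; then
    check_gadget "$1"
fi
```

Save it to a file and pass the cache path from the requirements list as the argument; a non-zero exit status means the Gadget should be downloaded again.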
Install pymobiledevice3 and mount the Developer Disk Image
To mount the Developer Disk Image required to inject the Frida iOS Gadget, you will use pymobiledevice3.
Install pymobiledevice3
python3 -m pip install -U pymobiledevice3
Verify the installation
pymobiledevice3 version
# 4.11.3
Mount the Developer Disk Image
pymobiledevice3 mounter auto-mount
# 2024-07-16 21:55:38 <snip> pymobiledevice3.restore.tss[5412] INFO Sending TSS request...
# 2024-07-16 21:55:39 <snip> pymobiledevice3.restore.tss[5412] INFO response successfully received
# 2024-07-16 21:55:39 <snip> pymobiledevice3.cli.mounter[5412] INFO DeveloperDiskImage mounted successfully
If the Developer Disk Image was already mounted, you will see this error message. It is fine to ignore it.
pymobiledevice3 mounter auto-mount
# 2024-07-16 21:51:56 <snip> pymobiledevice3.cli.mounter[5360] ERROR DeveloperDiskImage already mounted
Deploy debug IPA to device
To verify your setup, you will need to interact with a debug application on a device.
In a previous post I demonstrated how to create a debug IPA from an existing application and deploy it to a device.
If you already have an application and know the bundle identifier, you can skip this section and continue with the verification steps below.
Verify Frida
Launch your application using frida
The switches for this command:
- -U - USB device
- -f - Bundle identifier of your application
frida -U -f "nel.willie.HelloWorld"
# ____
# / _ | frida 16.3.3 - A world-class dynamic instrumentation toolkit
# | (_| |
# > _ | Commands:
# /_/ |_| help -> Displays the help system
# . . . . object? -> Display information about 'object'
# . . . . exit/quit -> Exit
# . . . .
# . . . . More info at https://frida.re/docs/home/
# . . . .
# . . . . Connected to iPhone (id=00008110-001819DC2160401E)
# Spawned `nel.willie.HelloWorld`. Resuming main thread!
# [iPhone::nel.willie.HelloWorld ]->
The application should launch and allow you to interact with it using Frida commands.
Verify objection
Launch your application using objection
The switches for this command:
- -g - Bundle identifier of the gadget (the Gadget is injected into the application process, so use the application's bundle identifier)
objection -g "nel.willie.HelloWorld" explore
# Using USB device `iPhone`
# Agent injected and responds ok!
# _ _ _ _
# ___| |_|_|___ ___| |_|_|___ ___
# | . | . | | -_| _| _| | . | |
# |___|___| |___|___|_| |_|___|_|_|
# |___|(object)inject(ion) v1.11.0
# Runtime Mobile Exploration
# by: @leonjza from @sensepost
# [tab] for command suggestions
# nel.willie.HelloWorld on (iPhone: 17.5.1) [usb] # ls
# NSFileType Perms NSFileProtection Read Write Owner Group Size Creation Name
# ---------- ----- ---------------- ---- ----- -------------- -------------- --------- ------------------------- ------------------------------------
# Regular 420 None True False _installd (33) _installd (33) 24.5 KiB 2017-01-29 06:43:02 +0000 [email protected]
The application should launch and allow you to interact with it using objection commands.
Final thoughts
Getting Frida and objection to work on a non-jailbroken device might seem like a lot of effort, but it is actually quite easy compared to finding a reliable jailbreak for modern, up-to-date iOS devices.
In a future post I will demonstrate how to perform the actual runtime analysis by solving challenges from the OWASP MAS Crackmes and MobileHackingLab.