iOS: Configure objection for runtime analysis

Updated: at 05:25 PM

Introduction

In this post I will explain how to configure objection for iOS runtime analysis on a non-jailbroken device.

objection is a powerful framework built on top of Frida that allows you to perform various tasks on Android and iOS.

These tasks include dumping memory and credentials, inspecting the view hierarchy, browsing the filesystem, bypassing security features, and much more.

Install Frida CLI tools

The Frida CLI tools are a set of tools used to interact with Frida from the command-line interface.

Install Frida CLI tools

pip install frida-tools

Verify installation

frida-ps --v
# 16.3.3


Install objection

objection is a runtime analysis framework built on top of Frida.

Install objection

pip3 install objection

Verify installation

objection version
# objection: 1.11.0


Setup Frida iOS Gadget

Since you are not using a jailbroken device, you will rely on the Frida iOS Gadget to interact with your application.

Frida is able to instrument debuggable apps, and will inject Gadget automatically as of Frida 12.7.12.

Only a few requirements to be aware of:

Download the Gadget

Create the required cache directory

mkdir -p ~/.cache/frida

Download the latest universal iOS Gadget, decompress it, and move it to the cache directory

curl -L https://github.com/frida/frida/releases/download/16.4.4/frida-gadget-16.4.4-ios-universal.dylib.gz | gzip -d > ~/.cache/frida/gadget-ios.dylib

Verify the download

ls -la ~/.cache/frida
# drwxr-xr-x  3 <snip>  <snip>        96 Jul  5 00:30 .
# drwxr-xr-x  3 <snip>  <snip>        96 Jul  5 00:29 ..
# -rw-r--r--@ 1 <snip>  <snip>  40640656 Jul  5 00:30 gadget-ios.dylib
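
An added example, not part of the original post: the one-line download above written as a function that verifies the archive before replacing the cached Gadget, so a truncated transfer or an HTML error page never ends up at ~/.cache/frida/gadget-ios.dylib. The function names are hypothetical, and taking the version from `frida --version` by default is an assumption of this example.

```shell
#!/bin/sh
# Added example: fetch the Frida iOS Gadget with basic integrity checks.

# Build the release URL for a Frida version (URL pattern taken from the post).
gadget_url() {
    case "$1" in
        ''|*[!0-9.]*) echo "invalid version: $1" >&2; return 1 ;;
    esac
    echo "https://github.com/frida/frida/releases/download/$1/frida-gadget-$1-ios-universal.dylib.gz"
}

# Succeed only if the file starts with a thin or fat (universal) Mach-O magic.
is_macho() {
    magic=$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')
    case "$magic" in
        cafebabe|cafebabf|feedface|feedfacf|cefaedfe|cffaedfe) return 0 ;;
        *) return 1 ;;
    esac
}

# Download to a temp dir, verify, and only then move the file into the cache.
# Assumption: with no argument, use the version of the installed Frida CLI.
fetch_gadget() {
    version=${1:-$(frida --version)} || return 1
    url=$(gadget_url "$version") || return 1
    dest="$HOME/.cache/frida/gadget-ios.dylib"
    tmp=$(mktemp -d) || return 1
    mkdir -p "$HOME/.cache/frida"
    if curl -fsSL -o "$tmp/gadget.gz" "$url" &&
       gzip -t "$tmp/gadget.gz" &&
       gzip -dc "$tmp/gadget.gz" > "$tmp/gadget.dylib" &&
       is_macho "$tmp/gadget.dylib"; then
        mv "$tmp/gadget.dylib" "$dest"
        shasum -a 256 "$dest"   # record the hash of what was installed
        rc=0
    else
        echo "gadget failed verification; $dest left untouched" >&2
        rc=1
    fi
    rm -rf "$tmp"
    return $rc
}
```

Source the file and run `fetch_gadget 16.4.4` to reproduce the download from the post, or `fetch_gadget` to use the version of the installed Frida CLI.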

Install pymobiledevice3 and mount the Developer Disk Image

To mount the Developer Disk Image required to inject the Frida iOS Gadget, you will use pymobiledevice3.

Install pymobiledevice3

python3 -m pip install -U pymobiledevice3

Verify the installation

pymobiledevice3 version
# 4.11.3

Mount the Developer Disk Image

pymobiledevice3 mounter auto-mount
# 2024-07-16 21:55:38 <snip> pymobiledevice3.restore.tss[5412] INFO Sending TSS request...
# 2024-07-16 21:55:39 <snip> pymobiledevice3.restore.tss[5412] INFO response successfully received
# 2024-07-16 21:55:39 <snip> pymobiledevice3.cli.mounter[5412] INFO DeveloperDiskImage mounted successfully

If the Developer Disk Image was already mounted, you will see the error message below. It is fine to ignore it.

pymobiledevice3 mounter auto-mount
# 2024-07-16 21:51:56 <snip> pymobiledevice3.cli.mounter[5360] ERROR DeveloperDiskImage already mounted


Deploy debug IPA to device

To verify your setup, you will need to interact with a debug application on a device.

In a previous post I demonstrated how to create a debug IPA from an existing application and deploy it to a device.

If you already have an application and know the bundle identifier, you can skip this section and continue with the verification steps below.


Verify Frida

Launch your application using frida

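The switches for this command: -U connects to the device over USB, and -f spawns the application with the given bundle identifier.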

frida -U -f "nel.willie.HelloWorld"
#      ____
#     / _  |   frida 16.3.3 - A world-class dynamic instrumentation toolkit
#    | (_| |
#     > _  |   Commands:
#    /_/ |_|       help      -> Displays the help system
#    . . . .       object?   -> Display information about 'object'
#    . . . .       exit/quit -> Exit
#    . . . .
#    . . . .   More info at https://frida.re/docs/home/
#    . . . .
#    . . . .   Connected to iPhone (id=00008110-001819DC2160401E)
# Spawned `nel.willie.HelloWorld`. Resuming main thread!
# [iPhone::nel.willie.HelloWorld ]->

The application should launch and allow you to interact with it using Frida commands.


Verify objection

Launch your application using objection

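The switches for this command: -g names the gadget or process to connect to (here the bundle identifier), and explore starts the objection REPL.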

objection -g "nel.willie.HelloWorld" explore
# Using USB device `iPhone`
# Agent injected and responds ok!

#      _   _         _   _
#  ___| |_|_|___ ___| |_|_|___ ___
# | . | . | | -_|  _|  _| | . |   |
# |___|___| |___|___|_| |_|___|_|_|
#       |___|(object)inject(ion) v1.11.0

#      Runtime Mobile Exploration
#         by: @leonjza from @sensepost

# [tab] for command suggestions
# nel.willie.HelloWorld on (iPhone: 17.5.1) [usb] # ls
# NSFileType  Perms  NSFileProtection  Read  Write  Owner           Group           Size       Creation                   Name
# ----------  -----  ----------------  ----  -----  --------------  --------------  ---------  -------------------------  ------------------------------------
# Regular       420  None              True  False  _installd (33)  _installd (33)  24.5 KiB   2017-01-29 06:43:02 +0000  [email protected]

The application should launch and allow you to interact with it using objection commands.


Final thoughts

Getting Frida and objection to work on a non-jailbroken device might seem like a lot of effort, but it is actually quite easy compared to finding a reliable jailbreak for modern, up-to-date iOS devices.

In a future post I will demonstrate how to perform the actual runtime analysis by solving challenges from the OWASP MAS Crackmes and MobileHackingLab.