Ipa installation by @NVISOSecurity #3100
Conversation
There was a problem hiding this comment.
Great content @TheDauntless! Also the warnings/tips for AppSync and libimobiledevice are spot on! I've reviewed the tools, planning to do the rest today or tomorrow.
| @@ -8,3 +8,6 @@ source: https://sideloadly.io/ | |||
| --- | |||
|
|
|||
| [Sideloadly](https://sideloadly.io/ "Sideloadly") allows you to obtain a valid signature for a given IPA file and then install it to a connected iOS device. In addition to signing and installing an IPA file, Sideloadly also allows you to inject tweaks, change the App or Bundle name or make other limited modifications to the IPA metadata. Sideloadly is available on both macOS and Windows. | |||
|
|
|||
| !!! warning "Do not use your personal Apple account" | |||
| To sign an IPA file, you will need a valid iOS developer account, either free or paid. Both types come with certain restrictions, as explained on the Sideloadly website. We recommend creating a dedicated developer account for signing test applications, and **not** using your personal Apple account. | |||
There was a problem hiding this comment.
What would be the restrictions when using a paid developer account?
There was a problem hiding this comment.
Not sure I understand this comment.
There was a problem hiding this comment.
You are writing:
To sign an IPA file, you will need a valid iOS developer account, either free or paid. Both types come with certain restrictions, as explained on the Sideloadly website.
I don't understand what the restrictions would be for a paid developer account. I also couldn't find anything on the sideloadly website.
A free account has a of course restrictions (7 days valid etc.)
There was a problem hiding this comment.
Oh, right. I've linked to the technique now which explains it. The paid account still has restrictions (365 days), so I think the text still makes sense.
Co-authored-by: Sven <sven@bsddaemon.org>
Co-authored-by: Sven <sven@bsddaemon.org>
Co-authored-by: Sven <sven@bsddaemon.org>
Co-authored-by: Sven <sven@bsddaemon.org>
|
Thanks for the review so far! |
There was a problem hiding this comment.
@TheDauntless reviewed more techniques, but not done yet. Thanks for the nice summary!
| After the app has been installed on the device, it needs to be launched in debug mode. This is not the case when launching the app via springboard (the application will crash), but it is possible with various tools as explained in @MASTG-TECH-0056. When the application is running in debug mode, Frida can be injected into the process with name `Gadget`: | ||
| If you've repackaged an application with a Frida Gadget, or if you want to attach @MASTG-TOOL-0057 to the application, you have to launch the application in debug mode. When you launch the application via SpringBoard, it will not launch in debug mode and the application will crash. | ||
|
|
||
| After the application has been installed using @MASTG-TECH-TOOL-0056, you can launch it in debug mode using the following commands: |
There was a problem hiding this comment.
| After the application has been installed using @MASTG-TECH-TOOL-0056, you can launch it in debug mode using the following commands: | |
| After the application has been installed using @MASTG-TECH-0056, you can launch it in debug mode using the following commands. | |
| > Note that the commands that are part of @MASTG-TOOL-0126 refer to the latest version available from Github. If you installed them via brew or other package managers, you may have an older version with different command line flags. |
| @@ -8,3 +8,6 @@ source: https://sideloadly.io/ | |||
| --- | |||
|
|
|||
| [Sideloadly](https://sideloadly.io/ "Sideloadly") allows you to obtain a valid signature for a given IPA file and then install it to a connected iOS device. In addition to signing and installing an IPA file, Sideloadly also allows you to inject tweaks, change the App or Bundle name or make other limited modifications to the IPA metadata. Sideloadly is available on both macOS and Windows. | |||
|
|
|||
| !!! warning "Do not use your personal Apple account" | |||
| To sign an IPA file, you will need a valid iOS developer account, either free or paid. Both types come with certain restrictions, as explained on the Sideloadly website. We recommend creating a dedicated developer account for signing test applications, and **not** using your personal Apple account. | |||
There was a problem hiding this comment.
You are writing:
To sign an IPA file, you will need a valid iOS developer account, either free or paid. Both types come with certain restrictions, as explained on the Sideloadly website.
I don't understand what the restrictions would be for a paid developer account. I also couldn't find anything on the sideloadly website.
A free account has a of course restrictions (7 days valid etc.)
| com.google.Maps, "24.50.0", "Google Maps" | ||
|
|
||
| # Run in debug mode | ||
| $ idevicedebug -d run sg.vp.UnCrackable1.QH868V5764 |
There was a problem hiding this comment.
Unfortunately this always failed for my iOS 15.8.3 device (jailbroken). I couldn't find a DeveloperDiskImage for 15.8.3, but one for 15.7 but couldn't mount it. Were you testing this on macOS? I am using macOS sequoia 15.1.1 and Xcode 16.2
07:42:10 lockdown.c:278 lockdownd_stop_session(): success
07:42:10 idevice.c:1193 idevice_connection_disable_bypass_ssl(): Skipping bidirectional SSL shutdown. SSL error code: 5
07:42:10 idevice.c:1208 idevice_connection_disable_bypass_ssl(): SSL mode disabled
07:42:10 service.c:98 service_client_factory_start_service(): Could not start service com.apple.debugserver!
Could not start com.apple.debugserver!
Please make sure to mount the developer disk image first:
1) Get the iOS version from `ideviceinfo -k ProductVersion`.
2) Find the matching iPhoneOS DeveloperDiskImage.dmg files.
3) Run `ideviceimagemounter` with the above path.
There was a problem hiding this comment.
It works on my machine / device:
- macOS 15.2 (24C101)
- XCode 16.2 (16C5032a)
- iOS 15.8.3 (non-jb)
- idevicedebug 1.3.0-260-gc8cdf20
In installed via Sideloadly
idevicedebug -d run sg.vp.UnCrackable12
working_directory: /private/var/mobile/Containers/Data/Application/9C89C011-33D7-421B-9934-B92488F49486
Setting logging bitmask...
Setting maximum packet size...
Setting working directory...
Setting argv...
app_argv[0] = /private/var/containers/Bundle/Application/F7FDC3A7-2055-46B8-A88B-2764BF84ACD2/UnCrackable Level 1.app/UnCrackable Level 1
Checking if launch succeeded...
Setting thread...
Continue running process...Co-authored-by: Sven <sven@bsddaemon.org>
Co-authored-by: Sven <sven@bsddaemon.org>
Co-authored-by: Sven <sven@bsddaemon.org>
Co-authored-by: Sven <sven@bsddaemon.org>
Co-authored-by: Sven <sven@bsddaemon.org>
Co-authored-by: Sven <sven@bsddaemon.org>
Co-authored-by: Sven <sven@bsddaemon.org>
Co-authored-by: Sven <sven@bsddaemon.org>
Co-authored-by: Sven <sven@bsddaemon.org>
A cleanup of all the iOS signing / installing / running in debug mode.
I tried to be pragmatic, focussing on different techniques that work (I tested all of them, it was not a fun day) and also focussing on modern solutions rather than keep holding on to outdated ones.
This fixes #3090