iOS Pentesting Cheatsheet

Jailbreaking

At the time of this writing, only up to version 12.1.2 of iOS can be jailbroken. While it is theoretically possible to downgrade the version, it is a giant hassle and I was not able to find a fully working solution over the span of several hours of research. Save yourself some time and just get a phone with an older version of iOS.

Jailbreak using Chimera

Following the instructions here: https://cydia-app.com/chimera/

  1. Download http://www.cydiaimpactor.com/ onto your laptop
  2. Download the Chimera IPA file from here: https://cydia-app.com/files/chimera_1.0.8.ipa or here: https://chimera.sh/downloads/ios/1.0.8.ipa. Newer links can most likely be found here: https://cydia-app.com/chimera/ or https://chimera.sh/
  3. Click Device on the top menu
  4. Click Install Package
  5. Select the Chimera IPA file
  6. Click Open
  7. Once it's finished installing, open Chimera and hit the Jailbreak button
  8. Once it reboots, open Chimera and hit the Jailbreak button again
  9. At this point, Sileo should be installed and the device should be jailbroken

To verify that the jailbreak is working as you expect, connect the phone to a trusted Wi-Fi network and SSH into it as root. The default credentials are root/alpine; change that password with passwd before leaving the device on any shared network, since every jailbroken device ships with the same one.

I have noticed that the jailbreak undoes itself every so often. Simply follow steps 7-9 to redo it.

Setup Burp

  1. Open Burp on laptop -> Proxy -> Options
  2. Under Proxy Listeners, click Edit, change to All interfaces
  3. On phone go to Settings -> Wi-Fi -> click the i next to the current connected network (the laptop needs to be on this network as well)
  4. Tap Configure Proxy -> Manual
  5. Set the Server to your laptop's IP address and the Port to Burp Suite's listener port (8080 by default)
  6. Open Safari on the phone and navigate to http://burp
  7. Click CA Certificate
  8. Click Allow
  9. Click Install -> Install -> Install -> Done

Install an IPA

  1. Plug iPhone into your computer
  2. Open Xcode
  3. Click on Window -> Devices and Simulators
  4. Drag the .ipa file into the Installed Apps area

If, when you try to run the app, you get a message titled "Untrusted Enterprise Developer", do the following:

  1. Tap Settings > General > Profiles or Profiles & Device Management
  2. Locate the developer associated with the app, tap it
  3. Tap Trust "Developer"
  4. Tap Trust

Resources:
https://docs.monaca.io/en/products_guide/monaca_ide/deploy/non_market_deploy/
https://support.apple.com/en-us/HT204460

Filesystem layout

  • /Applications - built-in apps
  • /var/containers/Bundle/Application - 3rd party apps
  • /var/mobile/Containers/Data/Application - 3rd party app data
  • /private/var/mobile/Library/Voicemail - voicemails
  • /private/var/mobile/Library/SMS - SMS messages
  • /private/var/mobile/Media/DCIM - photos
  • /private/var/mobile/Media/Videos - videos
  • /var/mobile/Library/AddressBook/AddressBook.sqlitedb - address book

Useful Tools

Sqlite3

  1. Add this to sources: http://cydia.radare.org/
  2. Find sqlite and install it using Sileo
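Once you have copied a third-party app's data container (from /var/mobile/Containers/Data/Application, see the filesystem layout above) off the device, the next step is usually to see what the app stores in SQLite. The script below is an added example, not part of the original cheatsheet: it finds SQLite files by their header rather than by extension, opens each one read-only, and lists tables with row counts so you can spot caches, session or token tables worth reviewing. The demo() container, its cache.db and notes.sqlitedb file are constructed sample data, not taken from any real app.

```python
import os
import sqlite3
import tempfile
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"  # 16-byte header of every SQLite 3 file

def is_sqlite_file(path):
    """Detect SQLite files by header; apps do not always use .db/.sqlitedb names."""
    try:
        with open(path, "rb") as f:
            return f.read(16) == SQLITE_MAGIC
    except OSError:
        return False

def inventory_sqlite(container_dir):
    """Map every SQLite file under container_dir to {table_name: row_count}."""
    results = {}
    for root, _dirs, files in os.walk(container_dir):
        for name in files:
            path = os.path.join(root, name)
            if not is_sqlite_file(path):
                continue
            # Read-only URI open so the review never alters the copied evidence.
            uri = Path(path).resolve().as_uri() + "?mode=ro"
            tables = {}
            try:
                conn = sqlite3.connect(uri, uri=True)
                rows = conn.execute("SELECT name FROM sqlite_master WHERE type='table'")
                for (table,) in rows.fetchall():
                    # Table names come from an untrusted db, so quote the identifier.
                    quoted = '"' + table.replace('"', '""') + '"'
                    tables[table] = conn.execute("SELECT COUNT(*) FROM " + quoted).fetchone()[0]
                conn.close()
            except sqlite3.Error:
                tables = {}
            results[os.path.relpath(path, container_dir).replace(os.sep, "/")] = tables
    return results

def demo():
    """Constructed sample container (not a real app): one real db plus one decoy file."""
    base = tempfile.mkdtemp()
    lib = os.path.join(base, "Library")
    os.makedirs(lib)
    with sqlite3.connect(os.path.join(lib, "cache.db")) as conn:
        conn.execute("CREATE TABLE session (token TEXT)")
        conn.executemany("INSERT INTO session VALUES (?)", [("a",), ("b",)])
    conn.close()
    Path(lib, "notes.sqlitedb").write_text("not really a database")  # decoy: wrong extension
    return inventory_sqlite(base)
```

Run it against a real container with inventory_sqlite("/path/to/copied/container") and follow up on interesting tables with the sqlite3 CLI installed above.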