NOWSECURE NOW AVAILABLE IN THE MICROSOFT AZURE MARKETPLACE

Microsoft Azure customers gain access to NowSecure Mobile App Security and Privacy Testing for scalability, reliability, and agility of Azure to drive mobile appdev and shape business strategies.

Read More
Media Announcement
NOWSECURE NOW AVAILABLE IN THE MICROSOFT AZURE MARKETPLACE NOWSECURE NOW AVAILABLE IN THE MICROSOFT AZURE MARKETPLACE Show More
magnifying glass icon

How to Conduct Jailed Testing with Frida

Posted by

Dawn Isabel

Security Research Engineer
Dawn is a security research engineer at NowSecure with an extensive background in penetration testing. She enjoys hacking on iOS and watchOS, and has constructed several jailbreaks for Apple Watch. Her prior roles include building and running a university penetration testing service, leading a mobile tools development team, and several years in consulting. Dawn strives to make deep technical topics accessible to diverse audiences, and has delivered talks and workshops at OWASP AppSec, WiCyS, Converge, DefendCon, SUMIT, and the Women’s Society of Cyberjutsu.
Best Practices,  Industry News

Recent enhancements to the Frida open-source dynamic instrumentation toolkit greatly ease the process of conducting jailed testing. You no longer have to manually package the Frida Gadget in your target app. As long as the app is debuggable, Frida does that for you. This post will walk you through the process of using Frida on a jailed device.

Frida version 12.7.12 and above include this improvement. Frida 12.8 is the most current version as of late December 2019.

Prerequisites

These instructions were written using macOS and assume access to Xcode for re-signing applications. You will need to install Frida 12.7.12 or above and target a device running iOS 13.

Preparing the Application

If you wish to use Frida with an app you have built and deployed to your device via Xcode, no further preparations are needed. If you are working with an application from the Apple® App Store® that has been decrypted, you must re-sign it prior to installing it to your device. To produce a debuggable application, you must re-sign it with a development certificate and include an appropriate provisioning profile.

To re-sign your.ipa file, install node-applesign and follow the instructions in the wiki to set up your re-signing environment, sign the file, and install it.

Cracking Fun with Frida & Radare: Mobile App & IoT Edition

Read More

Preparing the Frida Gadget

Download the Frida Gadget for iOS from https://github.com/frida/frida/releases. If you are not using the latest version of Frida, make sure you download a matching Gadget version >= 12.7.12. Unzip the archive and move it to Frida’s cache directory:

$ gunzip frida-gadget-xx.y.zz-ios-universal.dylib.gz
$ mkdir -p ~/.cache/frida
$ cp frida-gadget-xx.y.zz-ios-universal.dylib ~/.cache/frida/gadget-ios.dylib

If you are using a platform other than macOS and are not sure where the Frida cache directory resides, try attaching to the application — the resulting error message will specify where Frida expects the Gadget to be.

Injecting the Gadget

To quickly test if the Gadget can be injected, connect your jailed device to your computer via USB, launch your re-signed app, and try to attach:

$ frida -U MyAppName

That’s it! You are now ready to explore your application with Frida.

Security analysts looking to speed mobile app vulnerability assessments and penetration testing should also consider NowSecure Workstation, a preconfigured hardware and software kit. Workstation can perform jailed testing on iOS apps while operating within the iOS sandbox on a standard device.

Related Content

5 Common OWASP-MASVS Secure Coding Mistakes
Mobile App Privacy Testing Checklist
Checklist
Clothing Company Sews Up Mobile AppSec
Case Study