Recent enhancements to the Frida open-source dynamic instrumentation toolkit greatly ease the process of conducting jailed testing. You no longer have to manually package the Frida Gadget in your target app. As long as the app is debuggable, Frida does that for you. This post will walk you through the process of using Frida on a jailed device.

Frida version 12.7.12 and above include this improvement. Frida 12.8 is the most current version as of late December 2019.

Prerequisites

These instructions were written using macOS and assume access to Xcode for re-signing applications. You will need to install Frida 12.7.12 or above and target a device running iOS 13.

Preparing the Application

If you wish to use Frida with an app you have built and deployed to your device via Xcode, no further preparations are needed. If you are working with an application from the Apple® App Store® that has been decrypted, you must re-sign it prior to installing it to your device. To produce a debuggable application, you must re-sign it with a development certificate and include an appropriate provisioning profile.

To re-sign your.ipa file, install node-applesign and follow the instructions in the wiki to set up your re-signing environment, sign the file, and install it.

Preparing the Frida Gadget

Download the Frida Gadget for iOS from https://github.com/frida/frida/releases. If you are not using the latest version of Frida, make sure you download a matching Gadget version >= 12.7.12. Unzip the archive and move it to Frida’s cache directory:

$ gunzip frida-gadget-xx.y.zz-ios-universal.dylib.gz
$ mkdir -p ~/.cache/frida
$ cp frida-gadget-xx.y.zz-ios-universal.dylib ~/.cache/frida/gadget-ios.dylib

If you are using a platform other than macOS and are not sure where the Frida cache directory resides, try attaching to the application — the resulting error message will specify where Frida expects the Gadget to be.

 

 

Injecting the Gadget

To quickly test if the Gadget can be injected, connect your jailed device to your computer via USB, launch your re-signed app, and try to attach:

$ frida -U MyAppName

That’s it! You are now ready to explore your application with Frida.

Security analysts looking to speed mobile app vulnerability assessments and penetration testing should also consider NowSecure Workstation, a preconfigured hardware and software kit. Workstation can perform jailed testing on iOS apps while operating within the iOS sandbox on a standard device.

What to read next:

Dawn Isabel

linkedin icon twitter icon

Security Research Engineer

Dawn is a security research engineer at NowSecure with an extensive background in penetration testing. She enjoys hacking on iOS and watchOS, and has constructed several jailbreaks for Apple Watch. Her prior roles include building and running a university penetration testing service, leading a mobile tools development team, and several years in consulting. Dawn strives to make deep technical topics accessible to diverse audiences, and has delivered talks and workshops at OWASP AppSec, WiCyS, Converge, DefendCon, SUMIT, and the Women’s Society of Cyberjutsu.