Recent enhancements to the Frida open-source dynamic instrumentation toolkit greatly ease the process of conducting jailed testing. You no longer have to manually package the Frida Gadget in your target app. As long as the app is debuggable, Frida does that for you. This post will walk you through the process of using Frida on a jailed device.
Frida version 12.7.12 and above include this improvement. Frida 12.8 is the most current version as of late December 2019.
Prerequisites
These instructions were written using macOS and assume access to Xcode for re-signing applications. You will need to install Frida 12.7.12 or above and target a device running iOS 13.
Preparing the Application
If you wish to use Frida with an app you have built and deployed to your device via Xcode, no further preparations are needed. If you are working with an application from the Apple® App Store® that has been decrypted, you must re-sign it prior to installing it to your device. To produce a debuggable application, you must re-sign it with a development certificate and include an appropriate provisioning profile.
To re-sign your .ipa file, install node-applesign and follow the instructions in its wiki to set up your re-signing environment, sign the file, and install it on the device.
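Before moving on, it is worth confirming that the re-signed bundle is actually debuggable: a development-signed app carries the get-task-allow entitlement set to true, and that is what Frida's automatic Gadget injection relies on. The following is an added example written for this post, not code from the original article or from the Frida or node-applesign projects. It assumes the XML plist form that `codesign -d --entitlements :- Payload/MyApp.app` prints on macOS (exact codesign flags vary by macOS version); the sample entitlements embedded below are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): verify that a re-signed iOS app
# is debuggable by checking its entitlements for get-task-allow = true.
# The check itself reads plist XML on stdin, so it can be exercised without a
# Mac; the wrapper below shells out to codesign, which is macOS only.

# Return 0 if the entitlements plist on stdin contains
# <key>get-task-allow</key> immediately followed by <true/>.
is_debuggable_entitlements() {
    # Strip all whitespace so key and value are adjacent regardless of the
    # indentation codesign used when printing the plist.
    tr -d ' \t\r\n' | grep -q '<key>get-task-allow</key><true/>'
}

# Convenience wrapper for a .app bundle directory (macOS only; needs codesign).
check_app_debuggable() {
    app=$1
    if codesign -d --entitlements :- "$app" 2>/dev/null | is_debuggable_entitlements; then
        echo "$app: debuggable (get-task-allow = true)"
    else
        echo "$app: not debuggable; re-sign with a development certificate and profile" >&2
        return 1
    fi
}

# Constructed sample: entitlements of an app signed with a development profile.
SAMPLE_DEV_ENTITLEMENTS='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
	<key>application-identifier</key>
	<string>TEAMID.com.example.myapp</string>
	<key>get-task-allow</key>
	<true/>
</dict>
</plist>'

# Constructed sample: the same app with a distribution profile, where the
# entitlement is false (it may also be absent entirely).
SAMPLE_DIST_ENTITLEMENTS='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
	<key>application-identifier</key>
	<string>TEAMID.com.example.myapp</string>
	<key>get-task-allow</key>
	<false/>
</dict>
</plist>'

# Usage: sh check_debuggable.sh Payload/MyApp.app
if [ $# -gt 0 ]; then
    check_app_debuggable "$1"
fi
```

If the check fails after re-signing, the usual cause is a distribution certificate or a provisioning profile that does not grant get-task-allow; re-sign with a development identity and retry before touching the Gadget at all.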
Preparing the Frida Gadget
Download the Frida Gadget for iOS from https://github.com/frida/frida/releases. If you are not using the latest version of Frida, make sure you download a matching Gadget version >= 12.7.12. Unzip the archive and move it to Frida’s cache directory:
$ gunzip frida-gadget-xx.y.zz-ios-universal.dylib.gz
$ mkdir -p ~/.cache/frida
$ cp frida-gadget-xx.y.zz-ios-universal.dylib ~/.cache/frida/gadget-ios.dylib
If you are using a platform other than macOS and are not sure where the Frida cache directory resides, try attaching to the application — the resulting error message will specify where Frida expects the Gadget to be.
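The three commands above are easy to get subtly wrong: a Gadget older than 12.7.12 will not be picked up automatically, and a truncated download copied into the cache produces a confusing load failure later. The script below is an added example for this post, not code from the original article or from the Frida project. It stages a downloaded Gadget into the cache, refusing versions below 12.7.12 and files that do not begin with a Mach-O magic number. The FRIDA_CACHE_DIR override is an assumption of this example (Frida itself reads ~/.cache/frida), added so the script can be tested against a temporary directory; the version comparison and magic-number constants are standard.

```shell
#!/bin/sh
# Added example (not from the original post): stage a downloaded Frida Gadget
# into the directory Frida reads it from, with two sanity checks:
#   1. the version in the file name is >= 12.7.12 (first release with
#      automatic injection into debuggable apps)
#   2. the staged file starts with a Mach-O magic number, so a truncated or
#      HTML-error download is caught here rather than at attach time
# Assumptions: POSIX sh with gunzip, od and sed available. FRIDA_CACHE_DIR is a
# hypothetical override used only by this script; Frida reads ~/.cache/frida.

MIN_VERSION="12.7.12"

# Print the x.y.z version embedded in a Gadget file name such as
# frida-gadget-12.8.0-ios-universal.dylib.gz; print nothing if it does not match.
gadget_version_from_name() {
    printf '%s\n' "$1" |
        sed -n 's/^.*frida-gadget-\([0-9][0-9.]*\)-ios-universal\.dylib\(\.gz\)\{0,1\}$/\1/p'
}

# Return 0 if version $1 >= version $2, comparing up to three numeric components.
# Missing components count as 0, so "13" compares as 13.0.0.
version_ge() {
    i=1
    while [ "$i" -le 3 ]; do
        p=$(printf '%s.0.0.0' "$1" | cut -d. -f"$i")
        q=$(printf '%s.0.0.0' "$2" | cut -d. -f"$i")
        p=${p:-0}; q=${q:-0}
        if [ "$p" -gt "$q" ]; then return 0; fi
        if [ "$p" -lt "$q" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# Stage the Gadget at $1 (gzipped or not) as <cache>/gadget-ios.dylib.
# Prints the destination path on success.
install_gadget() {
    src=$1
    cache_dir=${FRIDA_CACHE_DIR:-"$HOME/.cache/frida"}
    dest="$cache_dir/gadget-ios.dylib"

    ver=$(gadget_version_from_name "$src")
    if [ -z "$ver" ]; then
        echo "unrecognised Gadget file name: $src" >&2
        return 1
    fi
    if ! version_ge "$ver" "$MIN_VERSION"; then
        echo "Gadget $ver is older than $MIN_VERSION; automatic injection needs a newer Gadget" >&2
        return 1
    fi

    mkdir -p "$cache_dir"
    case $src in
        *.gz) gunzip -c "$src" > "$dest" ;;
        *)    cp "$src" "$dest" ;;
    esac

    # First four bytes on disk: ca fe ba be is FAT_MAGIC (the universal binary
    # the iOS Gadget ships as); cf fa ed fe is MH_MAGIC_64 stored little-endian.
    magic=$(od -An -tx1 -N4 "$dest" | tr -d ' \n')
    case $magic in
        cafebabe|cffaedfe) ;;
        *)
            echo "$dest does not start with a Mach-O magic (got '$magic'); removing it" >&2
            rm -f "$dest"
            return 1 ;;
    esac
    echo "$dest"
}

# Usage: sh stage_gadget.sh ~/Downloads/frida-gadget-12.8.0-ios-universal.dylib.gz
if [ $# -gt 0 ]; then
    install_gadget "$1"
fi
```

The destination name gadget-ios.dylib is fixed by Frida, not by the version you downloaded, which is why the script renames on copy; if you later upgrade Frida, re-run it with the matching Gadget so the cached file does not fall behind the client.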
Injecting the Gadget
To quickly test if the Gadget can be injected, connect your jailed device to your computer via USB, launch your re-signed app, and try to attach:
$ frida -U MyAppName
That’s it! You are now ready to explore your application with Frida.
Security analysts looking to speed mobile app vulnerability assessments and penetration testing should also consider NowSecure Workstation, a preconfigured hardware and software kit. Workstation can perform jailed testing on iOS apps while operating within the iOS sandbox on a standard device.