Step by Step Complete Beginners guide of iOS penetration testing with corellium


Sandeep Vishwakarma

Greetings fellow hackers, my name is Sandy, Security Analyst and Bug bounty hunter.

As I’m presently engaged in iOS penetration testing, I’d like to share my experiences with you, as they may help answer some of the questions I struggled with when getting started. So, without any further introduction, let’s begin.

Jailbreaking, the process of removing software restrictions on iOS devices, has intrigued countless tech enthusiasts and researchers. However, it also raises security concerns for app developers and organizations keen on safeguarding their software from potential vulnerabilities. To address this, various methods have been devised to detect jailbroken devices and prevent certain apps from functioning on them. One notable approach to testing those methods involves Corellium, a powerful mobile device virtualization platform. In this blog post, we look at how Corellium can be used to circumvent jailbreak detection mechanisms and what that means for app security.

Table of contents:

- Understanding Jailbreak Detection
- Things to Consider Before Embarking on Jailbreaking
- Why Opt for Jailbreaking?
- Benefits of Jailbreaking
- Types of Jailbreak
- Introducing Corellium
- Breaking Jailbreak Detection with Corellium
- Setup a Corellium Instance and Install IPA
- Proxy Setup for Traffic Analysis with Corellium
- Bypassing Jailbreak Detection Using Liberty
- Conclusion

Understanding Jailbreak Detection:

Before delving into specifics, let’s briefly discuss jailbreak detection. Many mobile apps use jailbreak detection methods to check whether a user’s device has been jailbroken. These mechanisms typically look for telltale signs of a compromised device, such as the presence of specific files or modifications to the system. Upon detecting a jailbreak, the app might refuse to run or curtail its functionality to mitigate potential security risks.
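As an added illustration (not code from this article), here is what such a check typically looks like on the app side in Swift; the JailbreakCheck type and the path list are my own constructed examples. A hooking tweak such as Liberty Lite works by answering exactly these kinds of queries with “not found”, which is why checks like these are a speed bump for developers to layer with server-side controls, not a security boundary.

```swift
import UIKit

/// Hypothetical helper illustrating common jailbreak-detection signals.
/// Each signal is weak on its own; the app acts on the combined verdict.
enum JailbreakCheck {
    // Constructed list of artifacts left behind by common jailbreaks
    // and package managers. Real apps keep a longer, obfuscated list.
    static let suspiciousPaths = [
        "/Applications/Cydia.app",
        "/Library/MobileSubstrate/MobileSubstrate.dylib",
        "/bin/bash",
        "/usr/sbin/sshd",
        "/etc/apt",
        "/private/var/lib/apt/",
    ]

    /// Signal 1: files that only exist on a jailbroken device are present.
    static func hasSuspiciousFiles() -> Bool {
        suspiciousPaths.contains { FileManager.default.fileExists(atPath: $0) }
    }

    /// Signal 2: the app can write outside its own sandbox, which a
    /// sandboxed App Store app must never be able to do.
    static func canWriteOutsideSandbox() -> Bool {
        let probe = "/private/jb_probe_\(UUID().uuidString)"
        do {
            try "probe".write(toFile: probe, atomically: true, encoding: .utf8)
            try FileManager.default.removeItem(atPath: probe)
            return true
        } catch {
            return false
        }
    }

    /// Signal 3: a URL scheme registered by a package manager resolves.
    /// Requires "cydia" to be listed in LSApplicationQueriesSchemes.
    static func canOpenPackageManager() -> Bool {
        guard let url = URL(string: "cydia://package/com.example.package") else { return false }
        return UIApplication.shared.canOpenURL(url)
    }

    /// Combined verdict: any single signal is enough to report a jailbreak.
    static func isJailbroken() -> Bool {
        #if targetEnvironment(simulator)
        return false // the Simulator has some of these paths but is not a jailbroken device
        #else
        return hasSuspiciousFiles() || canWriteOutsideSandbox() || canOpenPackageManager()
        #endif
    }
}
```

Call JailbreakCheck.isJailbroken() on the main thread (canOpenURL requires it), and treat the result as one risk signal among several rather than as a hard gate.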

Things to Consider Before Embarking on Jailbreaking:

Jailbreaking bears resemblance to the rooting process in Android, wherein we unlock root permissions for Android devices, enabling alterations to system configuration files. Similarly, in iOS, this process, known as “Jailbreak,” grants access to root permissions, empowering users to leverage the device’s full potential and utilize tweaks inaccessible without jailbreaking.

Why Opt for Jailbreaking?

Jailbreaking facilitates the installation of tweaks via Cydia and grants users control over iPhone processes, easing testing endeavors, primarily dynamic analysis.

Benefits of Jailbreaking:

- Extracting IPA from iOS

- Accessing internal files

- Installing third-party tools

- Accessing process memory

- Performing TLS bypass

- Real-time debugging capabilities

Types of Jailbreak:

1. Untethered Jailbreak:

An untethered jailbreak allows users to permanently modify their iOS device’s software, granting them the freedom to reboot their device without needing to connect it to a computer. This type of jailbreak remains effective even after restarting the device.

2. Tethered Jailbreak:

A tethered jailbreak requires users to connect their iOS device to a computer whenever they wish to boot it up after a restart. Without this connection, the device remains in a non-functional state. Tethered jailbreaks are less convenient as they rely on external devices for functionality.

3. Semi-Tethered Jailbreak:

A semi-tethered jailbreak offers a compromise between untethered and tethered jailbreaking. Users can boot their iOS device without connecting it to a computer, but certain functionalities, such as accessing jailbroken apps, may be temporarily unavailable until the device is connected to a computer and rebooted with the assistance of jailbreak tools.

4. Semi-Untethered Jailbreak:

A semi-untethered jailbreak combines aspects of untethered and tethered jailbreaking. Users can reboot their iOS device without needing a computer, similar to untethered jailbreaks. However, certain jailbreak functionalities may be disabled after a reboot and require the device to be re-jailbroken using dedicated tools or applications.

Introducing Corellium:

Corellium is a tool made by a company of the same name. It lets your computer run a virtual iPhone, so you can test iPhone apps without owning a physical iPhone. It’s super useful for anyone who wants to check how secure iPhone apps are.

Breaking Jailbreak Detection with Corellium:
Corellium is also helpful for working out how an app detects a jailbroken (“hacked”) iPhone. Here’s the general approach:
1. Get Corellium: First, sign up for Corellium and create a virtual iPhone on your computer.
2. Get the app: Next, install the app that checks for a jailbreak onto your virtual iPhone.
3. Watch the app: Open the app and see what it does. Look out for any messages saying it found a jailbreak on your phone.
4. Look inside: Examine the app’s internals to see how it checks for a jailbreak. You might find clues in its files and in how it talks to the phone.
5. Beat the system: Now that you know how the app checks for a jailbreak, come up with ways to fool it. You might need to change something in the app or in how it talks to the phone.
6. Check your work: Test your ideas on the app using Corellium. Make sure the app can no longer tell that your phone is jailbroken.
7. Share what you learned: Write down what you found out and tell others about it. Sharing helps everyone keep their iPhones safe.

Setup a Corellium Instance and Install IPA:

Next, let’s create a virtual iPhone and install the app (IPA) on it.

Go to https://app.corellium.com/ and log in to your account.

Sign in

Once logged in go and create a new device

Create device
Select project

Choose the device that’s closest to your real one, if not exactly the same. In my case, I tested this flow on an iPhone 11 Pro.

Select device

Pick the iOS version that matches yours and make sure your device is jailbroken. In my case, I tested this on iOS 14.8.

Select iOS Version along with Jailbroken

You can name your device whatever you like and adjust advanced boot settings as needed. In my case, I selected the advanced boot options and clicked “Create Device”.

Create device

Again click on the “Create Device” option.

Create device

Please wait for a bit while your virtual device is being set up in the background. This might take some time.

Virtual device creating

Done and running!

Download OVPN File

Now the virtual device is all set up and ready for the IPA file to be installed on it. Corellium provides an option in the web interface to install IPA files.

First, click on the OVPN FILE button under the Connect tab and download the file, because we will be using it on Windows.

OVPN File Downloaded

Go to https://openvpn.net and download/install the client for Windows. Now, double-click the OVPN file to import it.

OVPN File imported successfully

We have VPN access into Corellium, yay!

OVPN File is now connected

We’re now connected to the Corellium VPN service, which means we can access our emulated device through the SSH service at the IP address 10.11.3.2.

Note: The default password is alpine.

SSH login
Command to extract IPA

Before using ipatool to download an .ipa file from the App Store, you need an Apple ID and must authenticate with it. This step is required to access the App Store and download the app package for analysis and testing.

ipatool auth login

Before downloading, we need to find the app package we want to analyze. This is done with the ipatool search command, which lets us search by app name or by developer name. For example, say we want to download the Twitter app. Once you’ve found the desired app, use its bundle ID as the identifier to download the .ipa file. The bundle ID is a unique identifier assigned to every iOS app, and ipatool uses it to locate and download the package from the App Store.

login successful
Successfully extracted IPA

Installing IPA through Web UI, Click on “Install app”

Install IPA

Select the IPA file. I used DVIA-V2 to demonstrate.

Select IPA

We have successfully installed the DVIA-v2 IPA.

IPA Installed

Proxy Setup for Traffic Analysis with Corellium:

Before we integrate Burp Suite into this process, it’s worth noting that Corellium has a useful traffic viewer. In the “Network” tab, if you click on “Start Monitoring,” you get a clear view of some of the HTTPS traffic that the app sends at launch:

Launch IPA

Now that we have the app installed, let’s route its traffic through Burp Suite. We’ll follow steps similar to those outlined in the previous section titled “Setting up your physical iOS Device through Burp.” First off, you’ll need OpenVPN for Windows installed. Once OpenVPN is running, head to the taskbar, right-click on the OpenVPN icon, and select “Import File…”

Import OVPN File

Remember the OVPN file we downloaded earlier? Now, navigate to and import the file into OpenVPN. After that, return to the OpenVPN icon and click on “Connect.”

Connect with OVPN

Once a connection is made, OpenVPN will have assigned you an IP address, and your virtual device can then interact with your Burp Suite session. In my case, the IP address assigned to me is 10.11.3.4.

Connected

At this stage, the steps for setting up Burp Suite are similar to the ones mentioned earlier, namely:

1) Start Burp Suite

2) Click on the “Proxy” tab

3) Click on “Intercept is on” button

4) Click on “Options” tab

5) Under Proxy Listeners click on “10.11.3.4:8080” and click edit

6) Select the “Specific address” radio button and then click “OK.”

Proxy setup

7) Click on “Yes” to the listen on Specific address warning dialog

8) Click on the “HTTP History” tab

9) Open the “Settings” app on your Corellium iOS device.

10) Tap on “Wi-Fi”

11) Tap on the “i” button next to the “Corellium” Wi-Fi network.

12) Tap on “Configure Proxy”

13) Tap on “Manual”

14) Tap on “Server” and enter the IP address given to you by OpenVPN, in my case “10.11.3.4”

15) Touch “Port,” input “8080,” and then tap “Save.”

16) Tap the home button to return to the main screen.

Proxy configuration in device

Proxy Setup

When you open the DVIA app, you’ll notice that all of its traffic is routed through Burp Suite on your Windows machine via the VPN. Installing the SSLBypass tweak or the Burp CA certificate appears unnecessary here: Corellium handles certificate validation in the background when you start the Network Monitor, which makes visibility easier for researchers. However, if this doesn’t work in your case, you can follow the SSLBypass tweak installation steps mentioned earlier and target the Corellium device IP instead of your physical device. SSLBypass should be installable on Corellium devices as well.

Capture traffic
Capture IPA traffic

Sweet, Sweet Traffic

Bypassing Jailbreak Detection Using Liberty:

Bypassing jailbreak detection using Liberty involves installing the Liberty tweak on your jailbroken device. This tweak hides the jailbreak status from apps that check for it, so those apps run without restrictions. I demonstrate this below on the Jailbreak Detection challenge in DVIA-v2.

Device Jailbroken

After jailbreaking your device, you can follow these steps to bypass jailbreak detection using Liberty:
1. Launch Cydia on your jailbroken device.

Cydia

2. Tap on the “Sources” tab at the bottom.

cydia source

3. Tap on “Edit” in the top-right corner, then tap “Add” in the top-left corner.

source add

4. Enter the following repository URL: https://ryleyangus.com/repo/

Enter APT repo URL

5. Tap on “Add Source” and wait for Cydia to refresh sources.

6. Once the repository is added, go to the “Search” tab and search for “Liberty Lite” or “Liberty Lite (Beta)”.

7. Tap on the tweak from the search results, then tap on “Install” and confirm to install it.

Libertylite

8. After the installation is complete, restart your device.

9. Once your device has restarted, open Liberty Lite from the Settings app.

10. In Liberty Lite, you’ll find a list of installed apps. Switch on the toggle next to the app you want to bypass jailbreak detection for.

11. Close the Liberty Lite app and launch the app you want to use without jailbreak detection.

12. You should now be able to use the app without encountering jailbreak detection issues.

bypass jailbroken

OR

For manual installation of Liberty Lite:

After connecting over SSH, run the command shown below:

Command to install Liberty Lite

I spent a few days scratching my head to figure all this out. This document is like my cheat sheet for the future because I know I’ll forget all these little steps. I’m happy to share it with everyone! It helps you set up an iOS testing place for people who test security and find bugs.

Libertylite: https://ryleyangus.com/repo/deb_files/com.ryleyangus.libertylite.beta_0.2.12_iphoneos-arm.deb

For personalized training, contact: sv110040@gmail.com

References:

https://www.corellium.com/
