Preface

This article is a technical write-up of some scenarios encountered in iOS SDK development and maintenance, for example:

  1. The customer wants to know in advance whether integrating our SDK into their production app will cause compatibility problems, such as crashes or symbol conflicts

  2. The customer's production app has integrated our SDK and a problem appears; how do we troubleshoot it

  3. We want to test whether the SDK works properly inside a given app

In all of these cases we generally cannot get the app's source code. To handle them you need to obtain the customer's app binary and inject code into it. The rest of this article explains how to do that with an iOS jailbreak, Frida shell cracking (dumping the decrypted binary), and MonkeyDev.

iOS jailbreak

Why jailbreak? Under normal circumstances we cannot get an app's package file off the phone, so the only way to obtain the IPA is to dump the decrypted binary dynamically on a jailbroken device. The currently mainstream unc0ver is used for the jailbreak.

unc0ver

unc0ver is used here to jailbreak iOS. Its latest version supports imperfect jailbreaks of iOS 11 through iOS 14.3. An iPhone 5S running iOS 12.4.9 is used as the example for an imperfect jailbreak.

There are “perfect” and “imperfect” jailbreaks (roughly, untethered versus tethered or semi-untethered). A perfect jailbreak is a thorough one: it cracks the operating system's read and write permissions, and once completed the device can be used freely, rebooted, and have software downloaded as before, which is why it is called perfect. An imperfect jailbreak means the iPhone or iPad can no longer be shut down at any time as it could before: after a shutdown and restart the jailbreak becomes invalid and the device must be jailbroken again.

For unc0ver, Xcode plus iOS App Signer is used to install the unc0ver app.

The unc0ver IPA is Apple-compliant and can also be installed quickly via i4 Assistant (Ace Assistant).

Open unc0ver and tap Jailbreak to start the jailbreak. A prompt pops up; leave it alone and continue. After it finishes, opening unc0ver shows “Cydia” and “Substitute” as installed and the button changes to “Re-Jailbreak”.

Configure Cydia

  1. Open Cydia -> Software Sources -> Edit -> Add, add the sources build.frida.re and apt.cydiami.com, and refresh.

  2. Search for SSH and install OpenSSH.

  3. Search for frida; since the device is a 5S, select Frida for pre-A12 devices.

  4. Search for AFC and install AFC2 (Apple File Conduit 2) for iOS 12 system file access.

At this point, the jailbreak is complete and you can access system files.

Frida shell cracking

The purpose of cracking is to obtain the IPA package. Apps from the App Store are encrypted (“shelled”) by default, and we do not know which encryption method is used, so we first need to crack the shell, that is, obtain the decrypted files. You can download the app to be cracked from the App Store or from i4 Assistant; once it is installed on the phone we can crack the shell dynamically.

Dynamic shell cracking: start from the executable image of the running process in memory and dump the memory contents to obtain the decrypted binary. This method is relatively simple and does not depend on the encryption technology the application uses.

Of the various shell-cracking schemes, Frida-based cracking is used here:

  • Pull frida-ios-dump

    git clone github.com/AloneMonkey…

  • Install Python

    brew install python

  • Install wget

    brew install wget

  • Install pip

    wget bootstrap.pypa.io/get-pip.py
    sudo python get-pip.py

  • Install frida

    sudo pip install frida --upgrade --ignore-installed six

  • Install the script's dependencies

    cd frida-ios-dump
    sudo pip install -r requirements.txt --upgrade

  • Install usbmuxd to communicate with the phone over USB

    brew install usbmuxd

  • Connect the device over USB with SSH by mapping the device's port 22 to port 2222 on the computer

    iproxy 2222 22

  • In another terminal, log in over the forwarded port; the password is the device's login password (default alpine). Keep this connection open

    ssh -p 2222 root@localhost

  • Since this is dynamic cracking, open the app to be cracked on the phone, then list the running applications with frida-ps -Ua and note the bundle identifier

    PID   Name            Identifier
    4621  Rn.notes.Best
    4650  tomato novels   com.dragon.read
    4720  Set             com.apple.Preferences
    4547  Mail            com.apple.mobilemail

  • Then go to the frida-ios-dump directory and run dump.py with that identifier

    dump.py com.dragon.read

  1. If the first run gets stuck at 0.00B [00:00,?B/s], press Ctrl + C to cancel and run dump.py again

  2. You end up with the cracked (decrypted) IPA file in the frida-ios-dump directory
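Before handing a dumped IPA on, confirm it is really decrypted. The added Python example below (not part of the original article or of frida-ios-dump) walks the Mach-O load commands, finds LC_ENCRYPTION_INFO(_64) and reports its cryptid: 0 means decrypted, 1 means still FairPlay-encrypted, and no such command at all is reported separately rather than treated as decrypted. It also handles fat (universal) binaries, which the article does not mention; the Mach-O bytes it parses are constructed inline, and on a real dump you would run it against Payload/App.app/App (otool -l shows the same cryptid field).

```python
import struct

MH_MAGIC, MH_MAGIC_64, FAT_MAGIC = 0xFEEDFACE, 0xFEEDFACF, 0xCAFEBABE
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C
CPU_TYPE_ARM64 = 0x0100000C


def encryption_state(data):
    """Return [(cryptoff, cryptsize, cryptid), ...], one tuple per architecture slice.
    An empty list means no LC_ENCRYPTION_INFO at all, which is not the same as decrypted."""
    if struct.unpack_from(">I", data, 0)[0] == FAT_MAGIC:
        # Universal binary: the fat header and fat_arch entries are big-endian.
        nfat = struct.unpack_from(">I", data, 4)[0]
        found = []
        for i in range(nfat):
            _, _, offset, size, _ = struct.unpack_from(">5I", data, 8 + 20 * i)
            found.extend(encryption_state(data[offset:offset + size]))
        return found
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == MH_MAGIC_64:
        off = 32  # mach_header_64 carries an extra 'reserved' field
    elif magic == MH_MAGIC:
        off = 28
    else:
        raise ValueError("not a Mach-O image: magic 0x%08x" % magic)
    ncmds = struct.unpack_from("<I", data, 16)[0]
    found = []
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8:
            raise ValueError("malformed load command at offset %d" % off)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            found.append(struct.unpack_from("<III", data, off + 8))  # cryptoff, cryptsize, cryptid
        off += cmdsize
    return found


def is_decrypted(data):
    """True only if every slice has an encryption command whose cryptid is 0."""
    states = encryption_state(data)
    return bool(states) and all(cryptid == 0 for _, _, cryptid in states)


def build_sample(cryptid, fat=False):
    """Constructed minimal arm64 Mach-O (LC_UUID + LC_ENCRYPTION_INFO_64); sample data, not a real app."""
    header = struct.pack("<8I", MH_MAGIC_64, CPU_TYPE_ARM64, 0, 2, 2, 48, 0, 0)
    lc_uuid = struct.pack("<II", 0x1B, 24) + b"\x00" * 16
    lc_enc = struct.pack("<6I", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x8000, cryptid, 0)
    thin = header + lc_uuid + lc_enc
    if not fat:
        return thin
    fat_arch = struct.pack(">5I", CPU_TYPE_ARM64, 0, 28, len(thin), 14)  # slice starts right after the headers
    return struct.pack(">2I", FAT_MAGIC, 1) + fat_arch + thin
```

To check a real dump, read the main executable's bytes from the unpacked IPA and pass them to is_decrypted.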

MonkeyDev

MonkeyDev is the upgraded successor of iOSOpenDev, an integrated toolkit for non-jailbreak plug-in development. Only part of its functionality is used here; see the MonkeyDev installation guide for the installation steps.

Usage

  • Take an IPA package obtained with Frida (for example a shopping, search, or music app) and create a MonkeyDev project. PlayTheApp is used as the example.

  • Put the cracked IPA under PlayTheApp/TargetApp/ and drag it into the project.

  • Set the signing certificate on the main project only; do not set one on the dylib target.

    If Xcode reports “Signing for “PlayTheAppDylib” requires a development team. Select a development team in the Signing & Capabilities editor.”, go to PlayTheAppDylib -> Build Settings -> Add User-Defined Setting, add CODE_SIGNING_ALLOWED = NO, and build again.

  • If you get “file not found: /usr/lib/libstdc++.dylib”: libstdc++ is not available in Xcode; the libstdc++ libraries were removed from Xcode 10, 11 and 12 (directory permission problems are not covered here).

Inject the SDK

  • Once it runs, initialize CocoaPods in the project and edit the Podfile, commenting out use_frameworks!:

    platform :ios, '9.0'

    target 'PlayTheApp' do
      # Comment the next line if you don't want to use dynamic frameworks
      # use_frameworks!

      # Pods for PlayTheApp
      pod 'GrowingAnalytics-cdp/Autotracker'
    end

    target 'PlayTheAppDylib' do
      # Comment the next line if you don't want to use dynamic frameworks
      # use_frameworks!

      # Pods for PlayTheAppDylib
      pod 'GrowingAnalytics-cdp/Autotracker'
    end

  • Find the app's AppDelegate class with class-dump

    class-dump -H xxx.app -o yourDir/Headers

Here the AppDelegate class is called XXXXAppDelegate.

  • Then inject the SDK initialization code with a Logos hook; see the Logos page on the iPhone Dev Wiki for the syntax

    // See <http://iphonedevwiki.net/index.php/Logos>
    #import <UIKit/UIKit.h>
    #import "GrowingAutotracker.h"

    static NSString *const kGrowingProjectId = @"91eaf9b283361032";

    %hook XXXXAppDelegate

    // Run the original didFinishLaunching first, then start the SDK
    - (BOOL)application:(UIApplication *)application didFinishLaunchingWithOptions:(NSDictionary *)launchOptions {
        BOOL result = %orig;
        GrowingTrackConfiguration *configuration = [GrowingTrackConfiguration configurationWithProjectId:kGrowingProjectId];
        configuration.debugEnabled = YES;
        configuration.impressionScale = 1.0;
        configuration.dataCollectionServerHost = @"https://run.mocky.io/v3/08999138-a180-431d-a136-051f3c6bd306";
        [GrowingAutotracker startWithConfiguration:configuration launchOptions:launchOptions];
        return result;
    }

    %end

Then build and run: you can debug the SDK inside the app and see its log output.

So far we have solved the first and third scenarios from the preface. For the second, troubleshooting SDK problems in a customer's production app, we observe the log output after running under MonkeyDev, match it against the injected code, find the appropriate entry method or function, swizzle it, test a modification, and in that way determine where the problem is and how to fix it.

Limitations

This scheme still has shortcomings:

  1. Some apps cannot be used normally even after the shell has been cracked.

  2. If the app already integrates an older version of the SDK and you want to inject a newer version, you need to replace or rename the original SDK files.

The solution has its limits, but it is sufficient for most cases; we will address these deficiencies and develop it into an automated platform.