A cheat sheet to debug third-party iOS applications quickly.
Since everyone loves a good cheat sheet, and there is not one readily available for debugging third-party iOS applications using a jailbroken device, here it is! Whether you are a seasoned security researcher, or a not so experienced hacker wanting to learn more about reverse engineering, this blog will outline the necessary steps to enable you to perform dynamic analysis on iOS applications, that you did not develop, successfully.

Environment Setup

Several devices and tools are required to start debugging iOS applications.

Mac Computer

A Mac computer streamlines the process of debugging iOS applications. As a part of Xcode, LLDB, Apple’s debugger, is fully functional and external libraries, and SDKs, are readily available on a Mac. Without a Mac, you will be limited to a beta build of LLDB, and have to go through the hassle of obtaining Apple’s SDK’s for iOS to perform various actions, such as remotely debugging iOS applications.
Further, it is necessary to obtain the debugserver application — in order to remotely debug applications on iOS devices. This application is readily available on a Mac.

LLDB

LLDB is an Apple-developed debugger, provided to perform dynamic analysis efficiently among other tasks. LLDB supports debugging C, Objective-C, and C++ applications.
To install LLDB, Enter ‘lldb’ within a terminal on the Mac host. If you do not have LLDB already installed, you will be prompted to install additional tools for Xcode. Select ‘Yes’; LLDB will be installed automatically, along with various other tools.

Jailbroken iOS Device

Jailbreaking a device provides root access to the filesystem as well as allows its user to install applications not authorized by Apple and unavailable via the App Store. Because applications downloaded from the App Store are protected using FairPlay DRM, it is necessary to jailbreak the device so that you can install third-party applications to bypass Apple’s FairPlay DRM.

Sign up to get our latest blogs

You will need to install third-party apps to follow this guide, therefore having access to a Jailbroken device is a must. As of June 26, 2017, the latest version of iOS with a publicly available jailbreak is iOS 10.1.1 for iPhone 7(+) and iOS 10.2 for all other devices.
To SSH into an iOS device, decrypt and extract application binaries, you will need to install OpenSSH and Clutch via Cydia. Don’t worry, Cydia is installed during the jailbreak process.

SSH Access

If you have a jailbroken 10.2 device, it is not required to install OpenSSH; however, it is necessary to configure the Dropbear SSH server to accept connections over WiFi by modifying the dropbear.plist.
To edit Dropbear’s plist file:
  1. Install Filza File Manager via Cydia. Open Cydia, search for “Filza,” then select install.
  2. Use Filza to navigate to: /private/var/containers/Bundle/Application/yalu102/yalu102.app .
  3. Edit dropbear.plist (Press hold on it > click more> click open with > click Text Editor).
  4. Replace <string>127.0.0.1:22<string> with <string>22</string>.
  5. Power off phone and re-jailbreak.


Searching and installing Filza via Cydia.

If you have a jailbroken device running 10.1.1 or lower, you have to install OpenSSH. OpenSSH for iOS enables a remote computer to establish a secure shell with an iOS device to browse the filesystem, to execute command-line programs, and to transfer files to and from the device.
To install OpenSSH:
  1. Open Cydia on the iOS device.
  2. Select “Search” to use the search functionality.
  3. Enter “OpenSSH” into the search bar.
  4. Select OpenSSH -> Install -> Confirm.

Clutch

When you download an application from the App Store, Apple uses your public key, which is generated when you create an AppleID, to encrypt the application before transferring the application to your device.
Due to that fact, to perform static analysis on an iOS application, the binary needs to be decrypted before a disassembler, e.g., IDA Pro or Hopper, can analyze it. While static analysis is not needed to perform dynamic analysis, static analysis will make setting breakpoints on methods of interest simpler. Good for us, Clutch has the capability to decrypt applications installed via the App Store.
To install Clutch:
  1. Open Cydia on a device running iOS 8+.
  2. Select “Sources”.
  3. Select Edit -> Add.
  4. Enter cydia.iphonecake.com into the prompt.
  5. Click Add Source.
  6. Select “Search”.
  7. Select Clutch -> Install -> Confirm.


Adding iphonecake source to Cydia.

Debugserver

The console application debugserver is required to debug iOS applications installed on iOS devices remotely. Debugserver attaches to a process then listens for connections, from remote devices, for remote debugging.
To install Debugserver:
  1. Open a terminal on the Mac host.
  2. Mount an iOS Developer Image.
hdiutil attach /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/DeviceSupport/{iOS version of device}/DeveloperDiskImage.dmg
3. Extract debugserver from the image to the current directory.
cp /Volumes/DeveloperDiskImage/usr/bin/debugserver ./
4. Sign debugserver.
codesign -s - --entitlements entitlements.plist -f debugserver
Entitlements.plist is a property list file that should contain the following:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/ PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.springboard.debugapplications</key> <true/>
    <key>run-unsigned-code</key> <true/>
    <key>get-task-allow</key> <true/>
    <key>task_for_pid-allow</key> <true/>
</dict> 
</plist>


Sample output from steps 1–4.

5. Transfer the signed binary to the /usr/bin/ directory within the iOS device’s filesystem via scp or a different file transfer application, e.g., FileZilla, from the Mac host.
The default password for the root account is ‘alpine’. It is recommended to change this password after jailbreaking a device. Steps to change the password can be found here.
scp debugserver root@{IP address of iOS device}:/usr/bin
You may have to change debugserver’s permissions to allow the binary to be executed. While ssh’d into the device, use chmod to change the binary’s permissions to make it executable. More information about *nix file permissions can be found here.
ssh root@{IP address of iOS device}
cd /usr/bin/
chomd +x debugserver

The Fun Part

Now that setup is out of the way, and you have a target in mind, in this case, Damn Vulnerable iOS App (DVIA) — let’s start debugging!
  1. Using your Mac, open a terminal and ssh into the jailbroken device using the root account’s username and password.
ssh root@{IP address of iOS device}
2. Run Clutch to decrypt the application so a disassembler can decompile it.
clutch -i  // To display applications installed using the App Store
clutch -b {target's application numerical representation for Clutch}

Using Clutch to decrypt TestFlight.

Since DVIA is not installed via the App Store, it will not be recognized by Clutch. In the example above, Clutch is used to decrypt the TestFlight application.
3. After Clutch decrypts the binary, extract the binary using SCP, or another file transfer application such as FileZilla, then load the binary into a disassembler, e.g., IDA Pro or Hopper, to identify methods of interest. The Mac’s firewall may need reconfiguration to allow incoming SSH connections to permit this transfer.
scp {target's binary} {Mac user account}@{IP address of Mac}:/Users/{Mac user account}/Desktop

Using scp to transfer the unencrypted version of TestFlight from the iOS device to host machine.

4. While ssh’d into the device, determine the process id (PID) of the target application using the PS application within the terminal. This application will display information about active processes on the device. To make discovering the PID easier, grep could be used to filter the processes PS displays. Make sure the application is running :).
ps aux | grep -i {target application's name}

DVIA’s PID.

5. After determining the PID of your target, attach debugserver to the application and instruct it to listen on a port of your choice.
debugserver {IP address of Mac}:{port} -a {PID}

Debugserver connecting to DVIA’s process using PID and listening for connects from any IP on port 1234.

6. After debugserver attaches to the process, connect the Mac to the remote debug server. Within a new terminal on the Mac host enter the following:
lldb
platform select remote-ios
process connect connect://{IP address of iOS device}:{port} 
// Where {port} is the port number entered in step 5.

Sample output of LLDB successfully connecting to Debugserver.

If you see output similar to the output above, LLDB has successfully attached to the debug server and is ready to start debugging. From here you can set breakpoints on the methods identified in step 3, display data stored in registers, and read sections of memory. As you become more familiar with LLDB, you can execute more advanced actions such as, e.g., examining threads and evaluating expressions. A quick reference guide for LLDB commands can be found here.

Caveat

Some developers implement jailbreak detection within iOS applications. This mechanism checks for common artifacts of jailbroken devices. These artifacts include the presence of Cydia, Cydia Substrate, sshd, or apt. Depending on the implement, once a jailbroken device is detected, the application will force close its self on load, or notify the user that the application cannot run on a jailbroken device then run in a disabled state, preventing dynamic analysis. Luckily for us, there is a tool to circumvent such detections, tsProtector 8+ — which is available via Cydia. It should be noted that tsProctector 8+ will not work in all cases; however, tsProtector 8+ is capable of bypassing jailbreak detection implemented within most applications.
HAPPY DEBUGGING!!!

SOURCE LINK