iOS App Testing Through Burp on Corellium


Introduction

Jailbreak

The output screen of a successful checkra1n jailbreak
Checkra1n Jailbreak

Setting up iOS device for SSH/Tweaks

1) Once you’ve successfully jailbroken your device and have Cydia installed, go ahead and open “Cydia”
2) Cydia may ask you to upgrade; go ahead and select “Complete Upgrade”, “Confirm” and “Return to Cydia” when complete
3) Tap on the search tool and search for “openssh”, tap on it and then tap on “install” and “confirm”
4) Tap on “Return to Cydia”
5) Next thing to install/update is mobilesubstrate for supporting tweaks, go to the search tool again
6) Search for “cydia substrate”, tap on it
7) Tap on install (or modify then tap on update)
8) Tap on “Restart Springboard”
9) If for whatever reason your respring fails in an infinite loop, re-jailbreak your device in safe mode and reinstall “cydia substrate”
Cydia App

Setting up a Linux Development Environment

Setting up our iOS development environment on EC2
1) ssh <Instance IP> -R 2222:192.168.1.100:22 
2) sudo apt update
3) sudo apt-get install git zstd perl clang-6.0 build-essential libz3-dev zip unzip openvpn -y
4) nano ~/.profile
a) append the following lines in nano and save:
b) export THEOS=~/theos
c) export PATH=$THEOS/bin:$PATH
d) export THEOS_DEVICE_IP=127.0.0.1
e) export THEOS_DEVICE_PORT=2222
f) alias theos="nic.pl"
Exit the instance and ssh back to sync the settings
5) exit -> ssh <Instance IP> -R 2222:192.168.1.100:22
6) git clone --recursive https://github.com/theos/theos.git $THEOS
7) curl -LO https://github.com/theos/sdks/archive/master.zip
8) TMP=$(mktemp -d)
9) unzip master.zip -d $TMP
10) mv $TMP/sdks-master/*.sdk $THEOS/sdks
11) rm -r master.zip $TMP
12) wget https://github.com/CRKatri/llvm-project/releases/download/swift-5.3.2-RELEASE/swift-5.3.2-RELEASE-ubuntu20.04.tar.zst
13) tar -I zstd -xvf swift-5.3.2-RELEASE-ubuntu20.04.tar.zst
14) mkdir -p $THEOS/toolchain/linux/iphone
15) mv ./swift-5.3.2-RELEASE-ubuntu20.04/* $THEOS/toolchain/linux/iphone/
16) rm -rf swift-5.3.2-RELEASE-ubuntu20.04*
17) run command "theos"
18) <select iphone/tweak>
19) <name project "test">
20) <press enter for the remaining questions>
21) cd test
22) make
compilation of example tweak
a) make package # this creates a deb package to deploy
b) make install # this connects via SSH to install deb package
c) make GO_EASY_ON_ME=1 # to turn off warnings as errors
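Before running `theos` and `make`, it helps to confirm that the tree built in steps 6 to 15 is complete and to see which device `make install` will SSH to. The shell helper below is an added example, not part of the original post or of Theos; it assumes the paths used above (THEOS=~/theos, SDKs in $THEOS/sdks, toolchain in $THEOS/toolchain/linux/iphone) and the THEOS_DEVICE_IP/THEOS_DEVICE_PORT variables from ~/.profile.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the Theos tree built
# in the steps above and show which device Theos will deploy to. Paths follow
# the post: THEOS=~/theos, SDKs under $THEOS/sdks, and the Linux toolchain
# unpacked into $THEOS/toolchain/linux/iphone.

# Return 0 when the Theos checkout, at least one *.sdk and the toolchain are all
# present; otherwise print each missing piece on stderr and return 1.
check_theos_tree() {
  theos="$1"
  missing=0
  # step 6: git clone --recursive ... $THEOS (nic.pl is what the `theos` alias runs)
  if [ ! -x "$theos/bin/nic.pl" ]; then
    echo "missing: $theos/bin/nic.pl (clone in step 6 incomplete?)" >&2
    missing=1
  fi
  # step 10: mv $TMP/sdks-master/*.sdk $THEOS/sdks
  if ! ls -d "$theos"/sdks/*.sdk >/dev/null 2>&1; then
    echo "missing: no *.sdk in $theos/sdks (steps 7-10 not run?)" >&2
    missing=1
  fi
  # step 15: toolchain contents moved into $THEOS/toolchain/linux/iphone
  if [ ! -d "$theos/toolchain/linux/iphone/bin" ]; then
    echo "missing: $theos/toolchain/linux/iphone/bin (steps 12-15 not run?)" >&2
    missing=1
  fi
  return $missing
}

# Print the host:port that `make install` will SSH to, read from the same
# variables the post exports; the defaults match the reverse tunnel (127.0.0.1:2222).
theos_target() {
  echo "${THEOS_DEVICE_IP:-127.0.0.1}:${THEOS_DEVICE_PORT:-2222}"
}

# Stand-alone use: sh check_theos.sh --run
if [ "${1:-}" = "--run" ]; then
  check_theos_tree "${THEOS:-$HOME/theos}" && echo "Theos tree OK"
  echo "make install will deploy to $(theos_target)"
fi
```

The same `theos_target` output changes to 10.11.1.1:22 once the Corellium variables from the later section are exported, which is a quick way to confirm you are not about to push a tweak to the wrong device.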

Setting up your physical iOS Device through Burp

Burp Suite Community Edition
1) Download and install Burp Suite Community Edition from https://portswigger.net/
2) Start Burp Suite
3) Click on the “Proxy” tab
4) Click on “Intercept is on” button
5) Click on “Options” tab
6) Under Proxy Listeners click on “127.0.0.1:8080” and click edit
7) Click on the “All Interfaces” radio button and click “OK”
8) Click on “Yes” to the listen on all interfaces warning dialog
9) Click on the “HTTP History” tab
10) On your physical iOS device open the “Settings” app
11) tap on “Wi-Fi”
12) tap on the “i” button on your connected Wi-Fi network
13) tap on “Configure Proxy”
14) tap on “Manual”
15) tap on “Server” and enter the internal IP address of the machine running Burp Suite (assuming it's on the same network)
16) tap on “Port” and enter “8080” and tap on “Save”
17) tap on home button to go back to main screen
1) Go into Safari
2) Navigate to https://www.google.com
3) At this point you should have a “This Connection is Not Private” warning

Using SSLBypass to Bypass All Certificate Checks

1) Go back to your EC2 instance at your home directory: cd ~
2) git clone https://github.com/evilpenguin/SSLBypass
3) cd SSLBypass
4) make package
5) make install # use 'alpine' when asked for a password
Compile and Install of SSLBypass
Mobile Safari Burp Traffic
We’ve intercepted Google (Just a stock image)

Decrypt Apps for Reversing and Sideloading

Prep the device
1) On your physical device go back to settings and turn off the proxy settings in order to remove Burp out of the loop.
2) On your physical device download/install Twitter from the AppStore (account and login required)
3) SSH into your physical device: ssh root@127.0.0.1 -p 2222
Install flexdecrypt by John Coates on your device
4) wget https://github.com/JohnCoates/flexdecrypt/releases/download/1.1/flexdecrypt.deb
5) dpkg -i flexdecrypt.deb
6) rm flexdecrypt.deb
First, let's install some dependencies:
1) apt update # make sure manual proxy is not configured
2) apt install zip unzip
Next we install flexdump by running this exact command:
3) wget https://gist.githubusercontent.com/defparam/71d67ee738341559c35c684d659d40ac/raw/30c7612262f1faf7871ba8e32fbe29c0f3ef9e27/flexdump -P /usr/local/bin; chmod +x /usr/local/bin/flexdump
scp -P 2222 root@127.0.0.1:/var/mobile/Documents/Flexdump/Twitter_8.69.2_fd.ipa ~

Setup a Corellium Instance and Install IPA

sudo openvpn --config ~/device.ovpn &
We have VPN access into Corellium, yay!
First, let's clone the repo for AppSync/Appinst:
1) git clone https://github.com/akemin-dayo/AppSync
2) cd AppSync
Next we need to patch the Makefile real quick for THEOS to work
3) sed -i 's/clang::5.0/clang::6.0/g' ./Makefile
4) sed -i 's/clang::5.0/clang::6.0/g' ./appinst/Makefile
Next, set up the THEOS variables for installing onto Corellium. The Corellium web UI shows the device's IP address
5) export THEOS_DEVICE_IP=10.11.1.1 # The IP shown in webui
6) export THEOS_DEVICE_PORT=22
Next, let's build/install AppSync onto Corellium
7) make package GO_EASY_ON_ME=1
8) make install # enter password 'alpine' each time it asks
Next, let's build/install Appinst onto Corellium
9) cd ./appinst
10) make package GO_EASY_ON_ME=1
11) make install # enter password 'alpine' each time it asks
Installing AppSync
Installing Appinst
1) scp ~/Twitter_8.69.2_fd.ipa root@10.11.1.1:~
2) ssh root@10.11.1.1 # password 'alpine'
Once you are in the device:
3) appinst ~/Twitter_8.69.2_fd.ipa

Setup Burp Suite for Analysis with Corellium

1) Start Burp Suite
2) Click on the “Proxy” tab
3) Click on “Intercept is on” button
4) Click on “Options” tab
5) Under Proxy Listeners click on “127.0.0.1:8080” and click edit
6) Click on the “All Interfaces” radio button and click “OK”
7) Click on “Yes” to the listen on all interfaces warning dialog
8) Click on the “HTTP History” tab
9) On your Corellium iOS device open the “Settings” app
10) tap on “Wi-Fi”
11) tap on the “i” button on the "Corellium" Wi-Fi network
12) tap on “Configure Proxy”
13) tap on “Manual”
14) tap on “Server” and enter the IP address given to you from OpenVPN, in my case this is "10.11.3.3"
15) tap on “Port” and enter “8080” and tap on “Save”
16) tap on home button to go back to main screen
Proxy Setup
Sweet, Sweet Traffic

Conclusion

Byte Fuzzer, Web Security Researcher, Hardware Tinkerer.