Update 2025-09-25-iOS-All-The-Things-Part-II.md

Mr-R19HT · web-flow · commit 73622adc63f2 · 2025-09-25T03:44:29.000+03:00
diff --git a/_posts/2025-09-25-iOS-All-The-Things-Part-II.md b/_posts/2025-09-25-iOS-All-The-Things-Part-II.md
@@ -1,5 +1,5 @@
 ---
-date: 2025-09-25 00:41:15
+date: 2025-09-25 00:43:15
 layout: post
 title: iOS All The Things - Part II
 
@@ -81,3 +81,106 @@ d. **Semi-Untethered:** if reboot the device , the ios is return to normal statu
 Using that [website](https://canijailbreak.com/) to know what’s that tool compatible with version of ios device to make jailbreak.
 
 
+## Pull & Push IPA Packages
+
+Once your iOS device is successfully jailbroken, the next step is to install a package manager like Sileo, Cydia, or Zebra. Think of this as an "alternative App Store" specifically for jailbroken devices, where you can find powerful tools and tweaks that Apple doesn't allow.
+
+One of the most important tools you can install is Filza File Manager. This is a powerful file explorer that gives you full access to the entire iOS filesystem. something that is normally restricted on a non-jailbroken device.
+
+**Filza Uses:**
+* Browse System Files: View and edit files across the entire operating system.
+* Access App Containers: Open the sandboxed directories of installed applications.
+* Extract IPA Files: This is a critical function for penetration testers.
+
+#### How to Extract an IPA using Filza
+
+Another meaning pull any installed app from your device for analysis:
+
+a. Open Filza and navigate to the applications directory: '/var/containers/Bundle/Application/'
+
+![image](/assets/img/ios-pentesting/Part-II/installed-apps-directories.jpg)
+
+b. Find the App: You'll see folders with random names. Open each one to find the '.app' bundle for your target application (e.g., Facetime.app).
+
+![image](/assets/img/ios-pentesting/Part-II/face-app-extension.jpg)
+
+c. Go to any directory, such as /var/mobile/Downloads. Create a new folder named Payload. Paste the copied '.app' bundle into this Payload folder.
+
+d. Compress the Payload folder into a ZIP file. Long-press on the Payload folder and select the "Compress" option. This will create a Payload.zip file.
+
+![image](/assets/img/ios-pentesting/Part-II/zip-payload2.png)
+
+e. Rename the Payload.zip file to YourAppName.ipa. An IPA file is essentially a standard ZIP archive with a specific structure and a different file extension.
+
+![image](/assets/img/ios-pentesting/Part-II/ipa-extension.jpg)
+
+f. The '.ipa' file is now ready for analysis. You can transfer it to your own machine (e.g., Kali Linux system) using a secure transfer tool like scp (Secure Copy).
+
+![image](/assets/img/ios-pentesting/Part-II/shape-ipa.jpg)
+
+To move the extracted IPA file from your iOS device to your computer, you need a connection between the two devices. This is typically done using SSH (Secure Shell).
+
+
+* **Method 1:** Using SSH from Your Computer
+  
+  Ensure SSH is enabled on your jailbroken iOS device and that both devices are on the same network.
+
+  ```bash
+  scp mobile@[device_ip]:/var/mobile/Downloads/YourAppName.ipa /path/on/your/kali/
+  ```
+ 
+* **Method 2:** Using NewTerm on Your iOS Device
+
+  Alternatively, you can use NewTerm (available in Sileo/Zebra) a terminal emulator for iOS. to push the file to your computer:
+
+  a.  Install NewTerm from your package manager.
+
+  b. Open NewTerm and use scp in reverse:
+
+  ```bash
+  scp /var/mobile/Downloads/YourAppName.ipa kali@[KALI_IP]:/home/kali/Downloads/
+
+  # The same scp command can also be used to transfer an IPA package from your computer to your jailbroken device (Push)
+  scp /home/kali/Downloads/YourAppName.ipa mobile@[device_ip]:/var/mobile/Downloads/  
+  ```
+
+This ability to extract IPAs directly from a jailbroken device is a game-changer for security testing. It allows you to:
+
+* Perform static analysis on real applications using tools like Ghidra or Hopper.
+* Study the app’s compiled code, configuration files, and resources.
+* Identify potential vulnerabilities without needing the original source code.
+
+#### Analyzing Decrypted Executables with Hopper or Ghidra
+
+After transferring an IPA package to your computer, the next step is to analyze the application's main executable file. You can extract this file by unzipping the IPA package and navigating to the 'Payload/YourApp.app' folder.
+
+When you try to analyze an App Store application using reverse engineering tools like Hopper or Ghidra, you'll encounter a significant obstacle: the main executable file is encrypted. Apple encrypts applications from the App Store to protect intellectual property, which means static analysis tools will show garbled or meaningless code.
+
+![image](/assets/img/ios-pentesting/Part-II/hopper-encrypted-content2.png)
+
+When an iOS application runs, the system must decrypt it in memory to execute the code.
+
+To overcome this encryption barrier, we use 'frida-ios-dump' a powerful tool that captures a running application directly from the device's memory. Here's how it works:
+
+a. Install frida-server from sileo.
+
+b. Run the target application on your jailbroken device.
+
+c. Execute [frida-ios-dump](https://github.com/AloneMonkey/frida-ios-dump/) from your computer while the app is active.
+
+```bash
+# to forward ssh connection
+iproxy 2222 22
+# run frida-ios-dump 
+./dump.py -H device-ip -u user -P password -p 2222 (bundle/name)
+```
+
+d. The tool dumps the decrypted version of the application from memory.
+
+e. You now have a decrypted IPA that can be properly analyzed.
+
+![image](/assets/img/ios-pentesting/Part-II/hopper-decrypted-content.png)
+
+## Setup BurpSuite
+
+
