Setting up an iOS hacking lab on only Linux
babbys first ios notes
This is going to be a living blog post, as the iOS landscape keeps changing, and I have a few related tools I may be working on.
Apple is such an interesting topic that I’ve wanted to dig deeper into for a while.
Despite this blog being bloated due to Astro, I am, deep inside, a fan of minimalism and KISS. While I initially intended to base my testing environment on OWASP MASTG, I quickly realized that a lot of bloated software that “just works” was recommended in the iOS section. For example, Sideloadly, no good Xcode alternatives, horrifyingly broken Python code à la 2012, and just, a kind of dead landscape altogether.
What I wanted to achieve
- 70% Bug hunting (aka, hacky fun times). Finding vulnerabilities in iOS applications.
- 20% Understanding Apple’s ecosystem. Studying the walled garden: exploring XNU, kernel exploits, and low-level communication. I think this is a really exciting topic I want to spend more time on. The kernel exploits previously found are so elegant, and require a chain. It’s really cool. So I want to understand the kernel to fully appreciate those exploits :)
- 10% Apple developer perspective. Just iOS development. This helps with learning Swift / Objective-C and improves reversing ability.
And primarily, I’m just uselessly stubborn sometimes.
I want to keep pushing for free and open source when feasible to do so.
Specific software should not be the thing determining what OS you use, and I love the Unix community for providing so many alternatives.
Interestingly, I did ask two certain big competing agents this question (newest models, Sonnet 4.6 and GPT 5.3): “What’s in an Apple developer’s/researcher’s toolkit? If I don’t have a MacBook, what can I use?” The answers: “Want serious iOS/macOS development/research -> get a Mac (used Mac Mini is cost-effective).” and “Honestly, Apple’s ecosystem is heavily locked to macOS, but here are your options. …(Hackintosh, Mac VMs)…”
I respectfully disagree :D
Constraints
- I’m a poorfag. I do not have a macbook.
- I have self respect. I do not have a windows computer.
- I do not have Corellium.
Setup
- iPad A11 (~300 USD). palera1n jailbreak, since the A11 supports it. iOS 18.1.
- iPhone 5, iOS 10. (~50 USD). Jailbreakable, but version makes it more suitable in my personal museum. (Polite word for, useless purchase. :D)
Development
Building Apps Without Xcode
If you don’t want to use Xcode, a useful tool is:
https://github.com/xtool-org/xtool
This allows building iOS applications from Linux and Windows.
Unfortunately you still need an Apple Developer account, because xtool needs you to download an Xcode package.
This is required anyway if you want to deploy apps to devices, so go ahead and register for a free account.
Disk Space Note
xtool can consume a lot of /tmp space (sometimes 15 GB+).
If your /tmp partition is small, see:
https://askubuntu.com/questions/199565/not-enough-space-on-tmp
Alternative: Docker-OSX
Another option is running macOS inside Docker:
https://github.com/sickcodes/Docker-OSX
Reference video: https://www.youtube.com/watch?v=kTk5fGjK_PM
I haven’t needed it yet since xtool works well enough, but it is a thing.
Hacking tools (insert anonymous mask here)
My (noob) iOS hacking is something like this:
0. Jailbreak the device
1. Obtain the app
2. Proxy network traffic
3. Reverse the app statically
4. Identify interesting hooks for Frida. (Frida may be needed on all steps. Sometimes for SSL, root identification, etc.)
Obtaining the app
iproxy 2222 22   # forward local port 2222 to the device's SSH port (22) over USB
scp -P 2222 mobile@localhost:/path/to/ipa .   # -P must come before the source path, or scp treats it as a file
There are other ways to get it, via ugly Python scripts or Frida, but IMO scp is solid and has never failed me (jinx)
Proxying traffic
I use Caido (btw). A same-ish method works for Burp.
There’s documentation from Caido here: https://docs.caido.io/app/tutorials/ios_configuration
The only thing I do differently is that I don’t listen on all interfaces; since iproxy is already running, I just use that SSH connection to tunnel:
ssh -D <local-socks-port> -p 2222 mobile@localhost
Bluetooth
The Bluetooth SPECIAL INTEREST GROUP (aka, autists) has a page just for intercepting on iOS: https://www.bluetooth.com/blog/a-new-way-to-debug-iosbluetooth-applications/
Sadly, they then recommend Xcode’s PacketLogger.
Fear not, there’s a general Unix-to-iOS lifesaver library: libimobiledevice. It provides a lot of ways to communicate with a USB-tethered device. For Bluetooth, we can use idevicebtlogger. It has a lot of other cool tools that I’ll cover at a later date, because I’m tired of writing and wanna go hack.
Reversing
To convert a plist (binary to XML and back; plistutil ships with libplist):
plistutil -i source.plist -o dest.plist
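As an added example (my code, not from the post or from libplist), here is the same step without plistutil: Python’s stdlib plistlib reads binary and XML plists directly, so you can pull Info.plist out of an IPA and list what to look at first, namely ATS exceptions and custom URL schemes. The IPA is constructed in-code for the demo; the keys checked are standard Info.plist keys.

```python
import io
import plistlib
import zipfile


def info_plist_from_ipa(ipa_bytes: bytes) -> dict:
    """Find Payload/<App>.app/Info.plist in the IPA (a zip); plistlib autodetects binary vs XML."""
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as z:
        for name in z.namelist():
            parts = name.split("/")
            if (len(parts) == 3 and parts[0] == "Payload"
                    and parts[1].endswith(".app") and parts[2] == "Info.plist"):
                return plistlib.loads(z.read(name))
    raise FileNotFoundError("no Payload/*.app/Info.plist in IPA")


def review_info_plist(info: dict) -> dict:
    """Pull out the keys worth checking first: ATS exceptions and URL schemes."""
    ats = info.get("NSAppTransportSecurity", {})
    domains = ats.get("NSExceptionDomains", {})
    return {
        "bundle_id": info.get("CFBundleIdentifier"),
        # True = app-wide opt-out of ATS: plain HTTP / weak TLS allowed everywhere
        "arbitrary_loads": bool(ats.get("NSAllowsArbitraryLoads", False)),
        # per-domain opt-outs from ATS
        "insecure_domains": sorted(
            d for d, cfg in domains.items()
            if cfg.get("NSExceptionAllowsInsecureHTTPLoads")),
        # custom URL schemes: externally reachable entry points to review
        "url_schemes": sorted(
            s for t in info.get("CFBundleURLTypes", [])
            for s in t.get("CFBundleURLSchemes", [])),
    }


def build_sample_ipa() -> bytes:
    """Constructed sample IPA (not a real app) with a *binary* Info.plist."""
    info = {
        "CFBundleIdentifier": "com.example.demo",
        "NSAppTransportSecurity": {
            "NSAllowsArbitraryLoads": True,
            "NSExceptionDomains": {"legacy.example.com": {"NSExceptionAllowsInsecureHTTPLoads": True}},
        },
        "CFBundleURLTypes": [{"CFBundleURLSchemes": ["demoapp"]}],
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/Demo.app/Info.plist", plistlib.dumps(info, fmt=plistlib.FMT_BINARY))
    return buf.getvalue()
```

On a real IPA pulled with scp, pass `open("app.ipa", "rb").read()` to `info_plist_from_ipa` instead of the constructed sample.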
The main reversing tool is up to you.
- r2 + r2frida. r2 is cool and I like pancake (the dev).
- Hopper. This seems quite popular for iOS reversing. I have only done a brief overview.
- Ghidra. Before I had IDA Pro, I did find Ghidra the best for being free. LaurieWired made some utils for it regarding iOS reversing: https://github.com/LaurieWired/iOS_Reverse_Engineering and https://github.com/LaurieWired/Malimite (I haven’t really tried them)
Frida
Frida, aside from the schizo releases, is such a cool tool.
There are many cases where Frida messes up in different ways. It was kind of black magic to me which Frida versions worked with which phone.
In addition, as I ran it in a VM, it seemed to kill the USB connection suddenly. Solved with: https://github.com/frida/frida/issues/3487
Caveat: This type of Frida fuckery has happened to me way too often, so I wrote some bash utilities to kind of “brute force” which version worked. I’m a stupid lil guy, I didn’t bother to trace back and logically map which version works with which device, on which Linux system. It’s dependent on a lot of variables, from host kernel to iOS version to the weather and what star sign you are. Perhaps when I have more insight into Frida’s source and how it’s actually hooking, I’ll adjust the script.
The script can be found here: https://github.com/etum-dev/DroidSH/blob/main/ios_frida.sh
A Frida wrapper called Objection is common. https://github.com/sensepost/objection
You may get into some issues depending on the versions in use. Make sure you read the (disgusting) Python errors properly (for example, it could be setuptools being too new, etc.). Also, some Objection versions may not be compatible with some Frida versions, and vice versa.
That’s all for now kids. This page will kind of serve as my own cheat sheet eventually, so it will be updated whenever I feel like it.