How to use Frida on iOS 17 without Jailbreak
Starting with iOS 17, I can no longer use ios-deploy, because that tool depends on the DeveloperDiskImage (DDI), which is what provides app debugging and related services.
You can view the image below:
To use Frida on iOS 17 without jailbreak, you need:
A decrypted .ipa file
Xcode installed
Code signing and provisioning profile (Xcode will handle this for you; you only need to log in with your Apple ID and create a new project)
In this example, I will use SecureStorev2. You can find the .ipa download for this app in the ‘Setup Lab’ section.
First, you need to obtain your signing ID. For this, you can use:
The code signature looks like this:
Next, we'll insert the dylib. To install insert_dylib, use the following commands:
After installing insert_dylib, we need to install objection:
We use this command to sign the app with the Frida Gadget dylib:
Reminder: The code signing signature can be obtained using the commands mentioned above, but first, you need to have Xcode installed and create a project in Xcode.
You can also find the provisioning profile in the project I created called ‘Hacking.’ Additionally, you can see the patched .ipa file named ‘SecureStorev2-frida-codesigned.ipa.’
Now we need to install the .app contained inside the .ipa. To do this, extract the .ipa using the following command:
Now we’ll install the .app:
Install the Xcode CLI tools using the following command:
Connect your device to your computer and list the devices to get the device ID:
In my case, my device ID starts with 0008030.
Install the .app:
Start the process:
Now the process is stuck on the screen:
Open Xcode, then go to Debug > Attach to Process and select the SecureStore process:
At the bottom of the screen, you can find the Frida server port:
Now we need to forward this port using pymobiledevice3:
Now start objection:
Finish
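The steps above collected into one script, as an added example that is not from the original post nor from the projects it uses; it assumes objection, Xcode 15 or later (for xcrun devicectl) and pymobiledevice3 are installed, and the .ipa name, device ID and provisioning profile are placeholders you supply.

```shell
#!/bin/sh
# Added example, not code from the original post: the patch, install and launch steps
# above as one script. Assumed installed: objection (bundles insert_dylib and the Frida
# Gadget), Xcode 15+ for `xcrun devicectl`, pymobiledevice3. All paths and ids are
# placeholders for your own decrypted .ipa, device and provisioning profile.
set -eu

# Hash of the first "Apple Development" identity in the output of
# `security find-identity -v -p codesigning`, read from stdin so it can be tested offline.
signing_identity() {
    awk '/"Apple Development:/ { print $2; exit }'
}

plist_value() {   # $1 = path/to/App.app, $2 = key such as CFBundleIdentifier (macOS PlistBuddy)
    /usr/libexec/PlistBuddy -c "Print :$2" "$1/Info.plist"
}

# Step 1: objection inserts FridaGadget.dylib and re-signs; it writes
# <name>-frida-codesigned.ipa into the current directory, the file name seen in the post.
patch_ipa() {     # $1 = decrypted .ipa, $2 = identity hash, $3 = .mobileprovision
    objection patchipa --source "$1" --codesign-signature "$2" --provision-file "$3"
}

# Pre-install check: the main executable must carry a load command for the gadget,
# otherwise nothing will listen on the Frida port after launch.
gadget_linked() { # $1 = path/to/App.app
    otool -L "$1/$(plist_value "$1" CFBundleExecutable)" | grep -q 'FridaGadget.dylib'
}

# Steps 2 to 4: unpack, install with devicectl and launch. The app then blocks on its
# first screen waiting for a Frida client, which is when Xcode's Debug > Attach to Process is used.
install_and_launch() { # $1 = patched .ipa, $2 = device id from `xcrun devicectl list devices`
    rm -rf Payload && unzip -q "$1"
    app=$(ls -d Payload/*.app | head -n 1)
    gadget_linked "$app"
    xcrun devicectl device install app --device "$2" "$app"
    xcrun devicectl device process launch --device "$2" "$(plist_value "$app" CFBundleIdentifier)"
}

main() { # usage (from the .ipa's directory): sh frida-ios17.sh SecureStorev2.ipa <device-id> Hacking.mobileprovision
    identity=$(security find-identity -v -p codesigning | signing_identity)
    [ -n "$identity" ] || { echo "no Apple Development identity: create an Xcode project first" >&2; exit 1; }
    patch_ipa "$1" "$identity" "$3"
    install_and_launch "${1%.ipa}-frida-codesigned.ipa" "$2"
    echo "Attach Xcode to the process, read the gadget port from its console (27042 by default), then:"
    echo "  pymobiledevice3 usbmux forward 27042 27042          # in one terminal"
    echo "  objection --network --host 127.0.0.1 --port 27042 explore   # in another"
}
if [ "$#" -ge 3 ]; then main "$@"; fi
```

The script only defines functions unless given all three arguments, so it can be sourced to reuse the identity lookup or the gadget check on their own.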
Credits: https://github.com/frida/frida/issues/2663#issuecomment-1956330432