🤖 How to use Frida on iOS 17 without Jailbreak

Identifying the problem

Starting with iOS 17, ios-deploy no longer works: it depends on the DeveloperDiskImage (DDI) mechanism that older iOS versions used to expose debugging services (launching an app under a debugger, among other tasks), and iOS 17 replaced that mechanism. The workaround below uses Xcode’s devicectl and debugger for those steps instead.

The ios-deploy failure is shown in the screenshot below:

How to solve it

To use Frida on iOS 17 without jailbreak, you need:

  • A decrypted .ipa file

  • Xcode installed

  • A code-signing identity and provisioning profile (Xcode creates both for you: sign in with your Apple ID in Xcode, create a new project, and select your team in its Signing & Capabilities settings)

In this example, I will use SecureStorev2. You can find the .ipa download for this app in the ‘Setup Lab’ section.

First, obtain your code-signing identity. Either of these commands lists it:

security find-identity -p codesigning -v (native command - simpler option)
OR
applesign -L (install with npm: npm install -g applesign)

The value you need is the 40-character hexadecimal SHA-1 hash printed before the quoted identity name, typically “Apple Development: <your Apple ID> (<TEAM ID>)”. It looks like this:

Next, install insert_dylib, which objection uses to add a load command for FridaGadget.dylib to the app’s main executable (prefix the last command with sudo if /usr/local/bin is not writable by your user):

git clone https://github.com/Tyilo/insert_dylib
cd insert_dylib
xcodebuild
cp build/Release/insert_dylib /usr/local/bin/insert_dylib

After installing insert_dylib, we need to install objection:

pip3 install objection

Now patch the IPA. objection downloads the Frida Gadget, copies it into the .app, adds the load command with insert_dylib, and re-signs the bundle with your identity (the hash from find-identity):

objection patchipa --source SecureStorev2.ipa --codesign-signature <CODESIGN-HERE>

Reminder: the value for --codesign-signature is the hash obtained with the commands above. It only exists once Xcode is installed and you have created a project in it signed with your Apple ID.

You can also find the provisioning profile in the project I created, called ‘Hacking’. The patched .ipa is written next to the source file as ‘SecureStorev2-frida-codesigned.ipa’.

Now we need to install the .app contained in the patched .ipa. An .ipa is a zip archive, so extract it first:

unzip SecureStorev2-frida-codesigned.ipa
cd Payload/

Now we’ll install the .app:

  1. Install the Xcode command-line tools:

xcode-select --install

  2. Connect your device to your computer and list the attached devices to get its identifier (UDID):

xcrun xctrace list devices

In my case, my device ID starts with 0008030.

  3. Install the .app (the command prints the app’s installationURL, which the next step needs):

xcrun devicectl device install app --device <YOUR_DEVICE_ID> SecureStorev2.app/

  4. Launch the process in the stopped state, so that no app code runs before a debugger is attached:

xcrun devicectl device process launch --start-stopped --device <YOUR_DEVICE_ID> <INSTALLATIONURL_RETURNED_ON_THE_LAST_COMMAND>

  5. The app is now suspended on its launch screen:

  6. Open Xcode, then go to Debug > Attach to Process and select the SecureStore process. Attaching resumes the suspended process, so the app (and the Frida Gadget inside it) starts running:

  7. In the console at the bottom of the Xcode window, the Gadget logs the TCP port it is listening on (27042 by default):

  8. Forward this port from the device to your Mac using pymobiledevice3:

pymobiledevice3 usbmux forward 27042 27042

In my case, I installed pymobiledevice3 as follows:

1. brew install pipx
2. pipx install pymobiledevice3
3. pipx ensurepath
4. export PATH="$HOME/.local/bin:$PATH"
5. source ~/.zshrc # or source ~/.bashrc

  9. Now start objection in network mode against the forwarded port (or check with frida-ps that the Gadget answers):

objection -N -h 127.0.0.1 -p 27042 explore
OR
frida-ps -H 127.0.0.1:27042

  10. Done.
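The whole procedure above, wrapped in a shell script. This is an added example, not the original post’s or the Frida project’s code. It assumes macOS with Xcode 15’s command-line tools (xcrun devicectl, otool, PlistBuddy), objection and pymobiledevice3 on PATH, and a device identifier passed in as an argument. The two parsing helpers, pick_signing_identity and extract_installation_url, pull the identity hash and the installationURL out of the tools’ output so you do not copy them by hand; the sample outputs they are shown against are constructed here and only approximate the real tools’ formatting (fake hash, fake Apple ID, fake container UUID). check_gadget_injected is a sanity check that the patched .app really contains FridaGadget.dylib and that the main executable links it.

```sh
#!/bin/sh
# Added example (not from the original post). Automates: find the signing
# identity, patch the IPA with objection, unzip, verify the gadget, install
# with devicectl, launch stopped, then print the remaining manual steps.
set -eu

# Constructed sample of `security find-identity -p codesigning -v` output
# (fake hash and Apple ID, for the offline helpers below).
SAMPLE_IDENTITIES='Policy: Code Signing
  Matching identities
  1) 0123456789ABCDEF0123456789ABCDEF01234567 "Apple Development: jane@example.com (ABCDE12345)"
     1 identities found'

# Constructed sample of `xcrun devicectl device install app` output. The real
# tool prints more fields and formats them differently; only the
# "installationURL:" line matters here.
SAMPLE_INSTALL='App installed:
  bundleID: com.example.SecureStorev2
  installationURL: file:///private/var/containers/Bundle/Application/1A2B3C4D-0000-1111-2222-333344445555/SecureStorev2.app/
  launchServicesIdentifier: unknown'

# Print the SHA-1 hash of the first "Apple Development" identity (the value
# objection's --codesign-signature expects). Reads find-identity output on stdin.
pick_signing_identity() {
  grep 'Apple Development' \
    | sed -n 's/^ *[0-9]*) \([0-9A-Fa-f]\{40\}\) .*/\1/p' \
    | head -n 1
}

# Print the installationURL from devicectl install output on stdin.
extract_installation_url() {
  sed -n 's|.*installationURL: *\(file://[^ ]*\).*|\1|p' | head -n 1
}

# Sanity check on the unzipped, patched .app: the gadget dylib must be present
# and the main executable must reference it (objection adds that load command
# with insert_dylib). Needs otool and PlistBuddy from the Xcode tools.
check_gadget_injected() {
  app="$1"
  exe="$(/usr/libexec/PlistBuddy -c 'Print :CFBundleExecutable' "$app/Info.plist")"
  [ -f "$app/FridaGadget.dylib" ] \
    || { echo "FridaGadget.dylib missing from $app" >&2; return 1; }
  otool -L "$app/$exe" | grep -q 'FridaGadget.dylib' \
    || { echo "$exe has no load command for FridaGadget.dylib" >&2; return 1; }
}

# Full flow: run_flow <app.ipa> <device id from 'xcrun xctrace list devices'>
run_flow() {
  ipa="$1"; device="$2"
  identity="$(security find-identity -p codesigning -v | pick_signing_identity)"
  [ -n "$identity" ] \
    || { echo "no Apple Development identity; create an Xcode project first" >&2; return 1; }
  objection patchipa --source "$ipa" --codesign-signature "$identity"
  patched="${ipa%.ipa}-frida-codesigned.ipa"   # objection's output naming
  rm -rf Payload && unzip -q "$patched"
  app="$(ls -d Payload/*.app | head -n 1)"
  check_gadget_injected "$app"
  url="$(xcrun devicectl device install app --device "$device" "$app" 2>&1 \
         | tee /dev/stderr | extract_installation_url)"
  [ -n "$url" ] || { echo "no installationURL in devicectl output" >&2; return 1; }
  # --start-stopped: the process is created but suspended until a debugger attaches.
  xcrun devicectl device process launch --start-stopped --device "$device" "$url"
  echo "Attach Xcode (Debug > Attach to Process) to resume the app, then run:"
  echo "  pymobiledevice3 usbmux forward 27042 27042"
  echo "  objection -N -h 127.0.0.1 -p 27042 explore"
}

# Only touch a device when invoked as: sh frida-ios17.sh run SecureStorev2.ipa <DEVICE_ID>
if [ "${1:-}" = "run" ]; then
  run_flow "$2" "$3"
fi
```

The script stops at the point where a human has to click Attach in Xcode, because that is the step that resumes the stopped process; everything after it (port forward, objection) is the same as the manual steps above.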

Credits: https://github.com/frida/frida/issues/2663#issuecomment-1956330432
