The Fun Part

Now that setup is out of the way, and you have a target in mind, in this case, Damn Vulnerable iOS App (DVIA) — let’s start debugging!

1. Using your Mac, open a terminal and ssh into the jailbroken device using the root account’s username and password.

ssh root@{IP address of iOS device}

2. Run Clutch to decrypt the application so a disassembler can decompile it.

clutch -i // To display applications installed using the App Store

clutch -b {target's application numerical representation for Clutch}

Using Clutch to decrypt TestFlight.

Since DVIA is not installed via the App Store, it will not be recognized by Clutch. In the screenshot above, Clutch is used to decrypt the TestFlight application instead.

3. After Clutch decrypts the binary, extract the binary using SCP, or another file transfer application such as FileZilla, then load the binary into a disassembler, e.g., IDA Pro or Hopper, to identify methods of interest. The Mac’s firewall may need reconfiguration to allow incoming SSH connections to permit this transfer.

scp {target's binary} {Mac user account}@{IP address of Mac}:/Users/{Mac user account}/Desktop

Using scp to transfer the unencrypted version of TestFlight from the iOS device to host machine.

4. While ssh’d into the device, determine the process ID (PID) of the target application with the ps command, which lists the active processes on the device. To make finding the PID easier, pipe the output of ps through grep to filter the list; note that the grep process itself usually shows up in the filtered output, so ignore that line. Make sure the application is running :).

ps aux | grep -i {target application's name}

DVIA’s PID.

5. After determining the PID of your target, attach debugserver to the application and instruct it to listen on a port of your choice.

debugserver *:{port} -a {PID} // "*" makes debugserver listen on every interface of the device

Debugserver attached to DVIA’s process by PID and listening for connections from any IP on port 1234.

6. After debugserver attaches to the process, connect the Mac to the remote debug server. Within a new terminal on the Mac host enter the following:

lldb

platform select remote-ios

process connect connect://{IP address of iOS device}:{port} // Where {port} is the port number entered in step 5.

Sample output of LLDB successfully connecting to Debugserver.

If you see output similar to the output above, LLDB has successfully attached to the debug server and is ready to start debugging. From here you can set breakpoints on the methods identified in step 3, display data stored in registers, and read sections of memory. As you become more familiar with LLDB, you can execute more advanced actions, such as examining threads and evaluating expressions. A quick reference guide for LLDB commands can be found here.
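Steps 4 to 6 are easy to get wrong by hand: a plain ps aux | grep also matches the grep process and any app whose name merely contains the target’s name, and debugserver must listen on the device, not on the Mac’s address. The helper below is an added example, not code from the original post or from DVIA, that picks the PID out of ps output, builds the debugserver line for step 5, and writes the LLDB commands for step 6. The function names, the port, the device IP, and the sample ps lines (including the container UUIDs and PIDs) are all constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): a small helper that automates
# steps 4 to 6 above. Every name, port and ps line below is constructed.

# find_pid APPNAME PS_OUTPUT
# Prints the PID of the process whose executable path ends in
# /APPNAME.app/APPNAME. Ignores the grep process that a plain
# `ps aux | grep name` also returns, and ignores partial matches such as
# DVIA-v2 when DVIA is requested. Fails unless exactly one process matches.
find_pid() {
    printf '%s\n' "$2" | awk -v app="$1" '
        $0 ~ ("/" app "\\.app/" app "( |$)") { print $2; found++ }
        END { if (found != 1) exit 1 }
    '
}

# attach_cmd APPNAME PORT PS_OUTPUT
# Prints the debugserver command to run on the device (step 5). "*" makes
# debugserver listen on every interface of the device so the Mac can connect.
attach_cmd() {
    pid=$(find_pid "$1" "$3") || return 1
    printf 'debugserver *:%s -a %s\n' "$2" "$pid"
}

# lldb_commands DEVICE_IP PORT
# Prints the LLDB commands from step 6; save them to a file and start
# `lldb -s that_file` on the Mac to run them automatically.
lldb_commands() {
    printf 'platform select remote-ios\nprocess connect connect://%s:%s\n' "$1" "$2"
}

# Constructed `ps aux` output as it might look over ssh on the device.
# Two apps with similar names plus the grep process from the pipeline.
SAMPLE_PS='USER   PID  %CPU %MEM    VSZ   RSS   TT  STAT STARTED    TIME COMMAND
mobile 4321   0.0  1.2 123456 12345   ??  Ss    9:41AM 0:01.23 /var/containers/Bundle/Application/00000000-0000-0000-0000-000000000000/DVIA.app/DVIA
mobile 4350   0.0  0.9 120000 10000   ??  Ss    9:42AM 0:00.50 /var/containers/Bundle/Application/11111111-1111-1111-1111-111111111111/DVIA-v2.app/DVIA-v2
root   4400   0.0  0.1   2000   500 s000  S+    9:43AM 0:00.01 grep -i DVIA'

# Demo on the sample: prints "debugserver *:1234 -a 4321"
attach_cmd DVIA 1234 "$SAMPLE_PS"
```

On a real device you would feed find_pid the live output, e.g. attach_cmd DVIA 1234 "$(ps aux)", run the printed line in the ssh session, then on the Mac write lldb_commands {device IP} 1234 to a file and start lldb -s with it. Requiring exactly one match is deliberate: if two processes match, the function fails instead of silently attaching to the wrong one.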

Caveat

Some developers implement jailbreak detection within iOS applications. This mechanism checks for common artifacts of jailbroken devices, such as the presence of Cydia, Cydia Substrate, sshd, or apt. Depending on the implementation, once a jailbroken device is detected, the application will either force close itself on load, or notify the user that the application cannot run on a jailbroken device and then run in a disabled state, preventing dynamic analysis. Luckily for us, there is a tool to circumvent such detections, tsProtector 8+ — which is available via Cydia. It should be noted that tsProtector 8+ will not work in all cases; however, it is capable of bypassing the jailbreak detection implemented within most applications.

HAPPY DEBUGGING!!!