Embedding Frida in iOS TestFlight Apps

Learning reverse engineering on mobile devices can be challenging, especially on iOS, where tooling is less accessible than on Android. On YouTube, I published various videos on reverse engineering with Frida , which is a tool for dynamic reverse engineering of applications during runtime. Last year, I started giving public reversing trainings via BlackHoodie and the university I'm teaching at, along with a training at NULLCON Berlin in March. While starting off with a focus on Android, which can easily be virtualized and rooted, knowledge on iOS reversing is a rare resource that many people want to learn about. But how can we make iOS reversing more accessible to learn, in a world dominated by closed-source tooling and strictly controlled by Apple?  Frida can be used on iOS without any jailbreak. Especially when building your own apps, adding it for educational purposes and using it on your own iPhone can be fun. In this blog post, we'll look into two options: (1) Distributin

macOS Frida Setup

On an M1 Mac, Frida needs some extra steps to be able to attach to system processes. Mainly writing this down here because it was spread across multiple GitHub issues. Hope it helps some of you who are working with Frida on M1 Macs :) Versions macOS Ventura 13.0.1 Frida 16.0.2 Apple M1 Pro Setup Disable System Integrity Protection (SIP). Power off Mac, power on with very long press to get the advanced boot options, open the Terminal from the Utilities, enter #  csrutil disable ... and confirm that this bricks your system's security. Disable some dialogues popping up and asking for permissions, further reducing the security of your system with #  sudo security authorizationdb write system.privilege.taskport allow ... this might be optional but needed if you use Frida via SSH. Change boot arguments as follows: sudo nvram boot-args=-arm64e_preview_abi ... and reboot. Now you should be able to attach to system services, e.g., run: # frida identityservicesd Update: macOS 14.4 and higher

iPhone Setup for Reversing and Debugging

There are a few configurations that I apply to almost every research iPhone. While these methods are documented publicly, the information is at many different places. Driven by laziness to search them on the Internet every time, I document them here, hoping that it also helps other researchers :) Logs Increase log level For many targets, Apple has predefined debug profiles. They will print contents to log messages that otherwise only show <private> . These profiles are publicly available . Following this post  one can also show all <private> logs with the following change: iPhone# vim /Library/Preferences/Logging/ <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" ""> <plist version="1.0"> <dict>         <key>Enable-Logging</key>         <true/>         <key>Ena

Always-on Processor magic: How Find My works while iPhone is powered off

Update: We wrote a paper with even more technical details :) iOS 15.0 introduces a new feature: an iPhone can be located with Find My even while the iPhone is turned "off". How does it work? Is it a security concern? I saw this feature rather early on one of my iPhones with an iOS 15 beta. Here's a screenshot I took in July. The user interface changed a little bit since then. It took a bit longer until the public realized this feature exists. One needs to update to iOS 15.0, use an iPhone that has location services enabled, a logged in user account, participates in the Find My network, etc. And the weirdest thing nobody does these days: One has to turn the iPhone off. But once Twitter found out, this took off. And so did the rumors how this was implemented. Apple's Always-on Processor (AOP) There's only little public documentation about the AOP. All chips and various embedded devices Apple manufactures run a real-time operating system, called RTKitOS. The AOP on