If you’re a pentester or bug bounty hunter that is trying to do some iOS mobile application testing, half the battle is getting a phone properly jailbroken so you can proxy HTTP requests. Nowadays, many apps are requiring the use of more modern iOS versions, so this jailbreak should help.
Note that this isn’t a post to cover the attack surface of an iOS application or a methodology of testing an iOS application. But before you get to actual testing, you’ll probably need to jailbreak. And, since the resources are slim out there, I figured I’d write up my process on Linux to jailbreak iOS 16.7.8 on iPhone X.
To do this, we are going to use palera1n. If you go to the official site, you can get an install command to pipe straight to sudo and bash! Perfect, lol. https://palera.in/download/?tab=linux
First off, you need to erase all content and settings on your iPhone. This jailbreak will not work properly if you’ve ever had a passcode set on your device, so erasing all content and settings and then setting up your phone puts it in a clean state. Do not set a passcode or face ID during the install.
Once setup is complete, on Ubuntu, you then need to run these commands to see some USB connection information and to help us debug issues.
sudo systemctl stop usbmuxd
sudo usbmuxd -f -pPlug your phone in, and after that, run
sudo palera1n -lNow, follow the directions on the screen. You may need to try this a couple of times, or unplug your device and plug it back it during the process. It has been kind of hit or miss for me. I’ve also found, as noted on the internet, you need to use a USB-A cable connection for this.
Once everything is complete, we need to install some things. In the palera1n app, install Sileo. You can do that by opening palera1n and clicking Sileo and install. Very simple. You may have to set a password during this process. I usually just use alpine for every password on devices, because it is the ‘default’ password for many jailbroken devices and linux images, etc.
Installing Frida
Open up Sileo, click the + button on the top right, and enter this URL, and click add source.
https://build.frida.re/ Frida should appear in the list of Repositories. Click on it, then all categories, then Frida and install Frida.
This tutorial assumes you’ve already installed frida on your pc/mac. If you haven’t go ahead and install it per easily Googleable directions.
SSH Access
At this point you should be able to get your IP address from your iPhone settings and you should be able to SSH into your phone as the user mobile and password alpine.
SSH access is needed for all sorts of things during a mobile application penetration test or bug bounty hunting.
Moving On
From here you can install the Burp Suite certificate on your device, use frida to bypass SSL pinning, etc. We won’t go into those, but they are all easily googleable.
Caveats
There are some Caveats to this jailbreak, as listed below.
- if you reboot, you need to re-jailbreak
- you can’t use anything that requires a passcode e.g. Apple Pay etc