
IOS 10.1 (I know it's not ready yet, but thought i'd share some output) #112

Closed
n0x00 opened this issue Jan 18, 2017 · 24 comments

Comments

n0x00 commented Jan 18, 2017

Issue

Hey, if you need anyone to work through Needle on iOS 10.1, I have an iPhone and an iPad Pro here ready to go.

I just need to know what information is useful to you and how best to acquire it.

Expected behaviour

[needle][list_apps] > use various/list_apps

run to list apps

Actual behaviour

Version not supported

Steps to reproduce

  1. Jailbreak iOS 10.1
  2. Install Needle from github
  3. Run!

needle error logs

[needle][list_apps] > run
[D] Setup local output folder: /home/n0x00/.needle/output
[D] Creating local output folder: /home/n0x00/.needle/output
[*] Checking connection with device...
[+] Already connected to: 127.0.0.1
[V] Creating temp folder: /var/root/needle/
[D] [REMOTE CMD] Remote Command: if [ -d /var/root/needle/ ]; then echo "yes"; else echo "no" ; fi
[*] Configuring device...
[D] [REMOTE CMD] Remote Command: which apt-get
[D] [REMOTE CMD] Remote Command: which dpkg
[D] [REMOTE CMD] Remote Command: apt-get update
[V] [INSTALL] Installing COREUTILS via apt-get.
[D] [REMOTE CMD] Remote Command: apt-get install -y --force-yes coreutils
[V] [INSTALL] Installing COREUTILS via apt-get.
[D] [REMOTE CMD] Remote Command: apt-get install -y --force-yes coreutils-bin
[D] [REMOTE CMD] Remote Command: dpkg --get-selections | grep -v "deinstall" | cut -f1
[D] [REMOTE CMD] Remote Command: apt-get update
[D] [REMOTE CMD] Remote Command: cat /etc/apt/sources.list.d/cydia.list
[D] [REMOTE CMD] Remote Command: which FileDP
[D] [INSTALL] Tool already available: FILEDP
[D] [INSTALL] Already installed: ONDEVICECONSOLE.
[D] [REMOTE CMD] Remote Command: which keychain_dump
[D] [INSTALL] Tool already available: KEYCHAIN_DUMP
[D] [INSTALL] Already installed: OPEN.
[D] Installation method not provided for UIOPEN. Skipping
[V] [INSTALL] Manually installing: SSLKILLSWITCH
[D] [REMOTE CMD] Remote Command: curl -ksL "https://github.com/iSECPartners/ios-ssl-kill-switch/releases/download/release-0.6/com.isecpartners.nabla.sslkillswitch_v0.6-iOS_7.0.deb" -o /var/root/kill.deb
[D] [REMOTE CMD] Remote Command: dpkg -i /var/root/kill.deb && rm -f /var/root/kill.deb
[D] [REMOTE CMD] Remote Command: killall -HUP SpringBoard
[D] [INSTALL] Already installed: SOCAT.
[D] Installation method not provided for LIPO. Skipping
[D] [INSTALL] Already installed: COREUTILS.
[D] [INSTALL] Already installed: COREUTILS.
[D] [INSTALL] Already installed: PLUTIL.
[D] Installation method not provided for WHICH. Skipping
[D] [INSTALL] Already installed: FRIDA.
[D] Installation method not provided for APT-GET. Skipping
[V] [INSTALL] Manually installing: THEOS
[D] [REMOTE CMD] Remote Command: ln -s /usr/local/bin/perl /usr/bin/perl
[?] Error occurred during installation of tools: ln: failed to create symbolic link `/usr/bin/perl': File exists
[?] Trying to continue anyway...
[D] [REMOTE CMD] Remote Command: which pbwatcher
[D] [INSTALL] Tool already available: PBWATCHER
[D] [INSTALL] Already installed: IPAINSTALLER.
[D] Installation method not provided for FIND. Skipping
[D] Installation method not provided for DPKG. Skipping
[D] [INSTALL] Already installed: CLUTCH.
[D] Installation method not provided for OTOOL. Skipping
[D] Installation method not provided for UNZIP. Skipping
[D] [REMOTE CMD] Remote Command: which fsmon
[D] [INSTALL] Tool already available: FSMON
[D] [INSTALL] Already installed: DARWINTOOLS.
[D] [INSTALL] Already installed: CYCRIPT.
[D] [INSTALL] Already installed: GDB.
[D] [INSTALL] Already installed: PERL.
[D] [INSTALL] Already installed: PERL.
[D] [INSTALL] Already installed: BIGBOSS.
[D] Installation method not provided for STRINGS. Skipping
[D] [INSTALL] Already installed: CLASS-DUMP.
[D] [INSTALL] Already installed: CLASS-DUMP.
[D] [INSTALL] Already installed: CLASS-DUMP.
[D] Installation method not provided for THEOS_NIC. Skipping
[D] [INSTALL] Already installed: LDID.
[D] [INSTALL] Already installed: PREFERENCELOADER.
[*] Looking for apps...
[D] [REMOTE CMD] Remote Command: if [ -f /var/mobile/Library/MobileInstallation/LastLaunchServicesMap.plist ]; then echo "yes"; else echo "no" ; fi
[D] [REMOTE CMD] Remote Command: if [ -f /private/var/installd/Library/MobileInstallation/LastLaunchServicesMap.plist ]; then echo "yes"; else echo "no" ; fi
------------------------------------------------------------
Traceback (most recent call last):
  File "/home/n0x00/tools/needle/needle/core/framework/module.py", line 118, in do_run
    self.module_run()
  File "/home/n0x00/tools/needle/needle/modules/various/list_apps.py", line 25, in module_run
    self.device._list_apps()
  File "/home/n0x00/tools/needle/needle/core/device/device.py", line 199, in _list_apps
    else: list_iOS_7()
  File "/home/n0x00/tools/needle/needle/core/device/device.py", line 185, in list_iOS_7
    raise Exception('Support for iOS < 8 not yet implemented')
Exception: Support for iOS < 8 not yet implemented
------------------------------------------------------------
[!] Exception: Support for iOS < 8 not yet implemented.

Environment

Workstation Operating System

Linux crackio 4.4.0-59-generic

Python Version

Python 2.7.12

Python Packages (pip freeze)

pip freeze
adium-theme-ubuntu==0.3.4
argh==0.26.2
backports-abc==0.5
backports.ssl-match-hostname==3.5.0.1
beautifulsoup4==4.4.1
biplist==1.0.1
blinker==1.4
brotlipy==0.6.0
certifi==2016.9.26
cffi==1.9.1
chardet==2.3.0
click==6.7
colorama==0.3.7
ConfigArgParse==0.11.0
construct==2.5.3
cryptography==1.7.1
cssutils==1.0.1
EditorConfig==0.12.1
enum34==1.1.6
Flask==0.11.1
frida==9.0.7
h2==2.4.2
hpack==2.3.0
html2text==2016.9.19
html5lib==0.999
hyperframe==4.0.1
idna==2.2
ipaddress==1.0.18
itsdangerous==0.24
Jinja2==2.9.4
jsbeautifier==1.6.4
lxml==3.5.0
MarkupSafe==0.23
mitmproxy==0.18.3
paramiko==2.1.1
passlib==1.6.5
pathtools==0.1.2
Pillow==3.4.2
prompt-toolkit==1.0.9
pyasn1==0.1.9
pycparser==2.17
Pygments==2.1.3
pyOpenSSL==16.2.0
pyparsing==2.1.10
pyperclip==1.5.27
PyYAML==3.12
readline==6.2.4.1
requests==2.11.1
singledispatch==3.4.0.3
six==1.10.0
sshtunnel==0.1.2
tornado==4.4.2
typing==3.5.2.2
unity-lens-photos==1.0
urwid==1.3.1
watchdog==0.8.3
wcwidth==0.1.7
Werkzeug==0.11.15

Device iOS Version

10.1.1

marco-lancini (Contributor) commented

Hi @n0x00, that would be amazing! At the moment we don't have any jailbroken device running 10.X 😢

Extending needle's core to support iOS 10 should be pretty straightforward.
These are a few things that need to be modified:

  • constants.py
  • device.py

Let me know if you need help/support! :)

marco-lancini (Contributor) commented

Hi @n0x00, I actually just updated the develop branch with those modifications.
Can you please test it on iOS10 and tell me if it's working fine?

marco-lancini added this to the v0.2.0 milestone Jan 20, 2017

cobbr commented Jan 31, 2017

I can confirm that it is not working on iOS 10.2. I am running it on Kali 2 Rolling.

I am able to drop into a shell with the shell command, but when I try to run modules I am getting this output:

[needle][class_dump] > run
[*] Checking connection with device...
[+] Already connected to: 127.0.0.1
[V] Creating temp folder: /var/root/needle/
[D] [REMOTE CMD] Remote Command: if [ -d /var/root/needle/ ]; then echo "yes"; else echo "no" ; fi
[+] Target app: REDACTED
[*] Retrieving app's metadata...
[D] [REMOTE CMD] Remote Command: if [ -f /var/mobile/Library/MobileInstallation/LastLaunchServicesMap.plist ]; then echo "yes"; else echo "no" ; fi
[D] [REMOTE CMD] Remote Command: if [ -f /private/var/installd/Library/MobileInstallation/LastLaunchServicesMap.plist ]; then echo "yes"; else echo "no" ; fi
[D] [REMOTE CMD] Remote Command: if [ -f /private/var/installd/Library/MobileInstallation/LastLaunchServicesMap.plist ]; then echo "yes"; else echo "no" ; fi
------------------------------------------------------------
Traceback (most recent call last):
  File "/opt/needle/needle/core/framework/module.py", line 110, in do_run
    pre = self.module_pre()
  File "/opt/needle/needle/core/framework/module.py", line 142, in module_pre
    if self.app_check() is None: return None
  File "/opt/needle/needle/core/framework/framework.py", line 649, in app_check
    self.APP_METADATA = Framework.APP_METADATA = self.device.app.get_metadata(app)
  File "/opt/needle/needle/core/device/app.py", line 18, in get_metadata
    self._device._list_apps()
  File "/opt/needle/needle/core/device/device.py", line 213, in _list_apps
    else: list_iOS_7()
  File "/opt/needle/needle/core/device/device.py", line 198, in list_iOS_7
    raise Exception('Support for iOS < 8 not yet implemented')
Exception: Support for iOS < 8 not yet implemented
------------------------------------------------------------
[!] Exception: Support for iOS < 8 not yet implemented.

It seems that this issue stems from the fact that the file /private/var/installd/Library/MobileInstallation/LastLaunchServicesMap.plist does not exist on my iOS 10.2 device and is not a reliable way to determine if a device is on iOS 10.

Let me know if I can help out debugging this at all. I am very interested in getting this to work on iOS 10, since it is all I have access to.

marco-lancini (Contributor) commented

Hi @cobbr, are you able to locate the LastLaunchServicesMap.plist file on the device's filesystem? That might greatly help (I'm running blind here cause I don't have a jailbroken device running 10 yet :S)

cobbr commented Feb 1, 2017

Sorry if I didn't make that clear. The LastLaunchServicesMap.plist does not exist on the device's filesystem. I'm running blind on any devices < iOS 10, so it might help if I knew what was needed from that file?

Here is a directory listing of the /private/var/installd/Library/MobileInstallation folder:

DiskImagesInfo.plist
LastBuildInfo.plist
RoleUserMigration.plist

Maybe one of these files has the info that is needed?

marco-lancini (Contributor) commented

We currently use that file to get the following info for every installed app:

  • uuid
  • name
  • bundle id
  • bundle directory
  • data directory
  • entitlements

cobbr commented Feb 1, 2017

Thanks for that list! Hmm... been poking around on my testing device this morning and unfortunately I haven't been able to find any file that seems to have that kind of information. This may be more complicated to find for iOS 10, unless I'm missing something.

I'm new to iOS in general, so it's possible I'm missing something obvious. Any clues to other places you would look for this kind of info?

marco-lancini (Contributor) commented

For the past 3 versions of iOS, these were the paths:

  • iOS7 = /var/mobile/Library/Caches/com.apple.mobile.installation.plist
  • iOS8 = /var/mobile/Library/MobileInstallation/LastLaunchServicesMap.plist
  • iOS9 = /private/var/installd/Library/MobileInstallation/LastLaunchServicesMap.plist
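The tracebacks earlier in this thread come from a dispatch that probes for the iOS 8 and iOS 9 files and, when neither exists, falls through to the iOS 7 branch, so an iOS 10 device is reported as "iOS < 8". As an added illustration (mine, not needle's code), the snippet below selects the app-list source from the device's reported version instead and fails loudly for a major version the table does not cover. The three paths are the ones listed in the comment above; `parse_ios_version`, `launch_services_map_path` and the `LAUNCH_SERVICES_MAP` name are my own.

```python
import re

# Per-version locations of the installed-app list, as listed in the comment above.
LAUNCH_SERVICES_MAP = {
    7: "/var/mobile/Library/Caches/com.apple.mobile.installation.plist",
    8: "/var/mobile/Library/MobileInstallation/LastLaunchServicesMap.plist",
    9: "/private/var/installd/Library/MobileInstallation/LastLaunchServicesMap.plist",
}


def parse_ios_version(text):
    """Turn a version string such as '10.1.1' into a tuple of ints.

    Tolerates surrounding junk (quotes, backticks, an 'iOS ' prefix) so the
    value can come straight from an issue template or a device property.
    """
    match = re.search(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not match:
        raise ValueError("no version number found in %r" % (text,))
    return tuple(int(part) if part else 0 for part in match.groups())


def launch_services_map_path(version_text):
    """Pick the app-list source for the reported iOS version.

    An unknown major version raises instead of silently taking the oldest
    code path, which is the failure mode shown in the tracebacks above.
    """
    major = parse_ios_version(version_text)[0]
    if major not in LAUNCH_SERVICES_MAP:
        raise NotImplementedError(
            "no known installed-app list for iOS %d.x" % major)
    return LAUNCH_SERVICES_MAP[major]


if __name__ == "__main__":
    for version in ("7.1.2", "8.4", "9.3.5", "'10.1.1`"):
        try:
            print(version, "->", launch_services_map_path(version))
        except NotImplementedError as exc:
            print(version, "->", exc)
```

The point of the explicit table is that a device the framework has never seen produces an error naming the version, rather than a misleading "iOS < 8" message from whichever branch happened to be the default.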

cobbr commented Feb 3, 2017

Been doing lots of locate and find searches for any files that look like they could be similar. Unfortunately, not much luck. There is a /private/var/installd/Library/Preferences/com.apple.mobile.installation.plist, but it doesn't appear to have any useful information.

The only solution that I can think of is manually searching for the information by traversing the /private/var/containers/Bundle/Application and /private/var/mobile/Containers/Data/Application directories.

Any other ideas apart from manual searching?

cobbr commented Feb 3, 2017

I stumbled across this stackoverflow question that seems relevant. It references an Objective-C framework that can be used to get installed application info:

LSApplicationWorkspace from MobileCoreServices framework. It has method - (id)allInstalledApplications that returns an array of LSApplicationProxy objects that will give you all the information you might find in LastLaunchServicesMap.plist

A possible alternative to manual searching of information could be to create a small client/device-side application that uses LSApplicationWorkspace that needle could query for application information.

Additionally, it may be possible to use pyobjc to keep needle purely in python. Although, I don't know how easy it would be to incorporate the MobileCoreServices framework into a pyobjc application.

Thoughts on any of these possible solutions?

ejohn20 commented Feb 5, 2017

@cobbr / @marco-lancini

FYI - I spent a couple hours today comparing the iOS 8.4 and iOS 10.1 file systems. There is definitely not a file similar to the LastLaunchServicesMap on the iOS 10.1 file system. I checked the InstalledApps.plist and com.apple.mobile.installation.plist files as well, and found no useful information in those files either.

marco-lancini (Contributor) commented

Ok, potentially I could retrieve the Bundle and Data containers manually (even if not ideal).
But what about the entitlements? Does anyone know where they are stored in iOS 10?

marco-lancini (Contributor) commented

Bingo!
@cobbr, @ejohn20: look at this file /User/Library/FrontBoard/applicationState.db

cobbr commented Feb 7, 2017

Great find! I guess you were able to get your hands on an iOS 10 device?

I am able to find a list of bundle IDs in that database, but I think we are still stuck manually traversing for Bundle and Data containers, as well as searching for entitlements, unless I am missing something.

ejohn20 commented Feb 7, 2017

Interesting, I dug around in that database the other day. Were you able to find the bundle ids for custom apps that are installed? If so, what table did you find them in?

Running this command on my device with iGoat installed and a few other custom apps (Test Flight and other client apps) does not reveal their bundle ids.

iGoat Search: select * from application_identifier_tab where application_identifier LIKE '%iGoat%';
0 records returned.

Full Dump: select * from application_identifier_tab;
2|com.apple.AppStore
3|com.apple.camera
4|com.apple.MobileAddressBook
5|com.apple.Diagnostics
6|com.apple.DiagnosticsService
7|com.apple.facetime
8|com.apple.appleseed.FeedbackAssistant
9|com.apple.mobileme.fmf1
10|com.apple.mobileme.fmip1
12|com.apple.Health
13|com.apple.Home
14|com.apple.Home.HomeUIService
15|com.apple.Magnifier
16|com.apple.Maps
17|com.apple.mobilecal
18|com.apple.mobilemail
19|com.apple.mobilenotes
20|com.apple.MobileSMS
21|com.apple.mobilesafari
22|com.apple.mobileslideshow
23|com.apple.MobileStore
24|com.apple.mobiletimer
25|com.apple.Music
26|com.apple.news
27|com.apple.PhotosViewService
28|com.apple.podcasts
29|com.apple.Preferences
30|com.apple.reminders
31|com.apple.social.SLGoogleAuth
32|com.apple.social.SLYahooAuth
33|com.apple.ScreenSharingViewService
34|com.apple.ServerDocuments
35|com.apple.StoreDemoViewService
36|com.apple.tips
37|com.apple.videos
38|com.apple.webapp
39|com.apple.webapp1
40|com.apple.WebSheet
41|com.apple.iad.iAdOptOut
42|com.apple.iBooks
43|com.apple.GameController2
44|com.apple.share
45|com.apple.family
46|com.apple.MailCompositionService
47|com.apple.AccountAuthenticationDialog
48|com.apple.purplebuddy
49|com.apple.CompassCalibrationViewService
50|com.apple.datadetectors.DDActionsService
51|com.apple.VoiceMemos
52|com.apple.VSViewService
53|com.apple.CoreAuthUI
54|com.apple.AskPermissionUI
55|com.apple.Passbook
56|com.apple.mobilephone
57|com.apple.fieldtest
58|com.apple.TencentWeiboAccountMigrationDialog
59|com.apple.FacebookAccountMigrationDialog
60|com.apple.MusicUIService
61|com.apple.Bridge
62|com.apple.appleaccount.AACredentialRecoveryDialog
63|com.apple.TrustMe
64|com.apple.InCallService
65|com.apple.WebContentFilter.remoteUI.WebContentAnalysisUI
66|com.apple.stocks
67|com.apple.mobilesms.notification
68|com.apple.SharedWebCredentialViewService
69|com.apple.DemoApp
70|com.apple.weather
71|com.apple.mobilesms.compose
72|com.apple.PrintKit.Print-Center
73|com.apple.CloudKit.ShareBear
74|com.apple.DataActivation
75|com.apple.Fitness
76|com.apple.PreBoard
77|com.apple.ios.StoreKitUIService
78|com.apple.HealthPrivacyService
79|com.apple.calculator
80|com.apple.SharingViewService
81|com.apple.PassbookUIService
82|com.apple.SafariViewService
83|com.apple.SiriViewService
84|com.apple.compass
85|com.apple.AdSheetPhone
86|com.apple.gamecenter.GameCenterUIService
87|com.apple.MobileReplayer
88|com.qwertyoruiopz.zmach-portal
89|com.saurik.Cydia

cobbr commented Feb 7, 2017

Hmm, I'm seeing my custom apps in that database at the bottom of the list. I haven't installed iGoat. I'll give that a shot later today, and report back if it appears in the applicationState.db file.

marco-lancini (Contributor) commented

So, here's a breakdown:

  • application_identifier_tab: list of application_identifier for every installed app (even if it has since been uninstalled)
  • key_tab: mapping of IDs to human-readable keys. In particular, notice 19 (__UninstallDate) and 10 (compatibilityInfo)
  • kvs: contains the actual information. If you have an app installed, you should find a record containing 10 as a key. The actual content of the value field is then a plist containing the Bundle and Data folders. The problem is that when I try to export such a plist, it is not in a format that can be parsed by plutil (although it is not encrypted, since I can see the Bundle and Data folders among its strings).
marco$ plutil -p example.plist
<62706c69 73743030 d4010203 0405063d 3e582476 65727369 6f6e5824 6f626a65 63747359 24617263 68697665 72542474 6f701200 0186a0ad 07081718 191a1b20 2c2d2e35 3955246e 756c6cd7 090a0b0c 0d0e0f10 11121314 15165624 636c6173 735a6275 6e646c65 50617468 5b73616e 64626f78 50617468 5f101062 756e646c 65496465 6e746966 6965725e 6c61756e 63686573 4f706171 75655f10 1362756e 646c6543 6f6e7461 696e6572 50617468 5f10106c 61756e63 68496e74 65726661 63657380 0c800380 04800209 80058006 5f101075 6b2e636f 2e626263 2e6e6577 73756b5f 105b2f70 72697661 74652f76 61722f63 6f6e7461 696e6572 732f4275 6e646c65 2f417070 6c696361 74696f6e 2f374536 33323738 312d3737 30422d34 4137442d 38383737 2d354630 31413142 42384233 392f4242 434e6577 732e6170 705f1054 2f707269 76617465 2f766172 2f6d6f62 696c652f 436f6e74 61696e65 72732f44 6174612f 4170706c 69636174 696f6e2f 36393432 43353232 2d333432 312d3441 44352d38 4133302d 38323834 33393435 45384639 5f104f2f 70726976 6174652f 7661722f 636f6e74 61696e65 72732f42 756e646c 652f4170 706c6963 6174696f 6e2f3745 36333237 38312d37 3730422d 34413744 2d383837 372d3546 30314131 42423842 3339d21c 091d1f5a 4e532e6f 626a6563 7473a11e 8007800b d6210922 23242526 2714292a 2b5a7572 6c536368 656d6573 57646566 61756c74 54747970 65546e61 6d655a69 64656e74 69666965 72800080 0a091001 80088009 5c4c6175 6e636853 63726565 6e5f101f 5f5f6672 6f6d5f55 494c6175 6e636853 746f7279 626f6172 644e616d 655f5fd2 2f303132 5a24636c 6173736e 616d6558 24636c61 73736573 5f101158 424c6175 6e636849 6e746572 66616365 a233345f 10115842 4c61756e 6368496e 74657266 61636558 4e534f62 6a656374 d22f3036 375e4e53 4d757461 626c6541 72726179 a3363834 574e5341 72726179 d22f303a 3b5f1024 58424170 706c6963 6174696f 6e4c6175 6e636843 6f6d7061 74696269 6c697479 496e666f a23c345f 10245842 4170706c 69636174 696f6e4c 61756e63 68436f6d 70617469 62696c69 7479496e 666f5f10 0f4e534b 65796564 41726368 69766572 d13f4054 726f6f74 80010008 0011001a 0023002d 00320037 0045004b 005a0061 006c0078 008b009a 00b000c3 00c500c7 00c900cb 
00cc00ce 00d000e3 01410198 01ea01ef 01fa01fc 01fe0200 020d0218 02200225 022a0235 02370239 023a023c 023e0240 024d026f 0274027f 0288029c 029f02b3 02bc02c1 02d002d4 02dc02e1 0308030b 03320344 0347034c 00000000 00000201 00000000 00000041 00000000 00000000 00000000 0000034e>

Anyone able to properly parse it?

cobbr commented Feb 8, 2017

@marco-lancini
Thanks for the breakdown. However, I am seeing a few different issues on my end.

  • Some of my installed applications do not have an entry in kvs with 10 as a key.
  • For the applications that do have an entry in kvs with 10 as a key, I am not seeing the Bundle and Data folders among its strings. Here is an example of a few entries in my kvs table:
sqlite3> select * from kvs where key=10;
id|application_identifier|key|value
209|91|10|bplist003A???1k+
220|92|10|bplist0003A???v??
224|93|10|bplist0003A???I[G?
  • I am also having trouble parsing the plist found in this field. However, I'm getting an error message when using plutil, as opposed to getting unreadable output. Here is an example:
cobbr$ sqlite3 applicationState.db "select value from kvs where id=224;" > example.plist
cobbr$ plutil -p example.plist
example.plist: Unexpected character b at line 1

This is strange to me, since all plist files begin with a 'b' correct? I'm wondering if this is some sort of encoding issue?

I also attempted to parse the plist file using the python modules plistlib, binplist, and binaryplist. None of these were successful in parsing the file.
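Marco's breakdown of applicationState.db and cobbr's parsing attempts above describe the same job: join `kvs` to `key_tab` and `application_identifier_tab`, pull the `compatibilityInfo` blob for each installed app, and read the Bundle and Data paths out of it. The hex dump Marco posted starts with `bplist00` and contains the strings `NSKeyedArchiver`, `$objects`, `$top`, `bundlePath`, `sandboxPath` and `bundleIdentifier`: that is an NSKeyedArchiver-encoded binary plist, in which the root object refers to its string fields by UID rather than holding them directly. The Python 3 example below is mine, not needle's code. It builds a constructed in-memory database with the three tables from the breakdown, stores a blob of that shape, then decodes it with the standard library `plistlib` and resolves the UID references. The bundle id, container paths and row ids are placeholders; the table and column names are taken from the queries in this thread.

```python
import plistlib
import sqlite3

# Constructed sample values (placeholders, not taken from a real device).
SAMPLE_BUNDLE_ID = "com.example.sampleapp"
SAMPLE_BUNDLE_CONTAINER = ("/private/var/containers/Bundle/Application/"
                           "00000000-0000-0000-0000-00000000AAAA")
SAMPLE_BUNDLE_PATH = SAMPLE_BUNDLE_CONTAINER + "/SampleApp.app"
SAMPLE_DATA_PATH = ("/private/var/mobile/Containers/Data/Application/"
                    "00000000-0000-0000-0000-00000000BBBB")


def build_sample_archive():
    """Build an NSKeyedArchiver-style binary plist shaped like the kvs value blob.

    The root object sits in $objects and points at its string fields by UID,
    which is why the paths show up as strings but not as top-level keys.
    """
    archive = {
        "$version": 100000,
        "$archiver": "NSKeyedArchiver",
        "$top": {"root": plistlib.UID(1)},
        "$objects": [
            "$null",
            {
                "$class": plistlib.UID(6),
                "bundleIdentifier": plistlib.UID(2),
                "bundlePath": plistlib.UID(3),
                "sandboxPath": plistlib.UID(4),
                "bundleContainerPath": plistlib.UID(5),
                "launchesOpaque": True,
            },
            SAMPLE_BUNDLE_ID,
            SAMPLE_BUNDLE_PATH,
            SAMPLE_DATA_PATH,
            SAMPLE_BUNDLE_CONTAINER,
            {"$classname": "XBApplicationLaunchCompatibilityInfo",
             "$classes": ["XBApplicationLaunchCompatibilityInfo", "NSObject"]},
        ],
    }
    return plistlib.dumps(archive, fmt=plistlib.FMT_BINARY)


def build_sample_db():
    """In-memory stand-in for applicationState.db with the three tables from the thread."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE application_identifier_tab (id INTEGER PRIMARY KEY, application_identifier TEXT);
        CREATE TABLE key_tab (id INTEGER PRIMARY KEY, key TEXT);
        CREATE TABLE kvs (id INTEGER PRIMARY KEY, application_identifier INTEGER, key INTEGER, value BLOB);
    """)
    db.executemany("INSERT INTO application_identifier_tab VALUES (?, ?)",
                   [(91, SAMPLE_BUNDLE_ID), (92, "com.example.removed")])
    db.executemany("INSERT INTO key_tab VALUES (?, ?)",
                   [(10, "compatibilityInfo"), (19, "__UninstallDate")])
    db.execute("INSERT INTO kvs VALUES (209, 91, 10, ?)", (build_sample_archive(),))
    # An uninstalled app keeps its identifier row but has only an __UninstallDate record.
    db.execute("INSERT INTO kvs VALUES (210, 92, 19, ?)", (b"2017-02-07",))
    db.commit()
    return db


def unarchive(blob):
    """Decode an NSKeyedArchiver plist and return its root object with UIDs resolved."""
    if not blob.startswith(b"bplist00"):
        raise ValueError("not a binary plist; the blob was probably mangled on export")
    plist = plistlib.loads(blob)
    objects = plist["$objects"]

    def resolve(value):
        if isinstance(value, plistlib.UID):
            return resolve(objects[value.data])
        if isinstance(value, dict):
            return {k: resolve(v) for k, v in value.items() if k != "$class"}
        if isinstance(value, list):
            return [resolve(v) for v in value]
        return value

    return resolve(plist["$top"]["root"])


def list_apps(db):
    """Return bundle id plus Bundle and Data paths for every app with a compatibilityInfo record."""
    rows = db.execute("""
        SELECT a.application_identifier, k.value
        FROM kvs AS k
        JOIN application_identifier_tab AS a ON a.id = k.application_identifier
        JOIN key_tab AS t ON t.id = k.key
        WHERE t.key = 'compatibilityInfo'
    """).fetchall()
    apps = []
    for bundle_id, blob in rows:
        info = unarchive(bytes(blob))
        apps.append({
            "bundle_id": bundle_id,
            "bundle_path": info.get("bundlePath"),
            "bundle_container": info.get("bundleContainerPath"),
            "data_path": info.get("sandboxPath"),
        })
    return apps


if __name__ == "__main__":
    for app in list_apps(build_sample_db()):
        print(app)
```

Two design choices worth noting. The key id is looked up by name in `key_tab` rather than hard-coded as 10, as a precaution in case the numbering differs between devices. And the blob is read through Python's `sqlite3` module, which returns BLOB columns as `bytes`, so the plist reaches `plistlib` intact; redirecting the `sqlite3` shell's text output to a file, as in the `> example.plist` command above, is where I would look first for the mangling that `plutil` complained about, since the shell prints the column as text rather than as raw bytes.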

marco-lancini (Contributor) commented

Hi @tghosth, @n0x00, @cobbr, @ejohn20!
Good news: the agent for needle is almost ready! (I plan to go live next week).
This will bring full support to iOS 10.

I'm gonna close this issue for now

cobbr commented Mar 2, 2017

Awesome! Much appreciated.
Out of curiosity, what was the solution you ended up going with?

ejohn20 commented Mar 2, 2017

Excellent! I'll give it a test drive when it's ready.

marco-lancini (Contributor) commented

@cobbr: in order to be 100% reliable (and future-proof), we opted for developing a native agent. We plan to release it this coming week! :)

va2ron1 commented Mar 17, 2017

I don't know if this could help, but I leave it here:
/var/root/Library/MobileContainerManager/containers.sqlite3

H5GG commented Apr 27, 2021

I don't know if this could help, but I leave it here:
/var/root/Library/MobileContainerManager/containers.sqlite3

useful
