Mobile App Tips. Dealing with iOS and device requirements

Antonio Cassidy 10 Apr 2016

A recent mobile test prompted me to write up these notes and findings; I was having a tough day. The application required at least iOS 11 and also an iPad, neither of which I had. So what could I do?

Note: Any changes you make to the IPA (iPhone application archive) will require the application to be re-signed; more on that below.

Getting the app to install on a physical device which doesn’t meet the requirements

You can ask the customer to rebuild the app with a lower iOS version target. The different versions of iOS have different libraries and functions; the app I was testing used specific iOS 11 libraries, so the customer was unable to retarget the app.

Override the minimum iOS version. If the customer can’t build the app, you can change the minimum iOS requirements:

  • Get the IPA file and extract it using WinRAR or similar. Within the folder is an “Info.plist”; change the “MinimumOSVersion” to the version of your app. Re-sign and install the IPA, and cross your fingers that it works.

Override the device requirements. If you do have a device which is on the right iOS version but doesn’t meet the device requirements, you can change that. In my case the application needed an iPad, but I did have an iPhone X running 11.1.2.

  • Similar to the above, edit the “Info.plist” and change the “UIDeviceFamily” from 2 (iPad) to 1 (iPhone).

Getting the app to install on an unjailbroken device

If you have a device which meets the iOS and device requirements, you can easily install the app; however, testing will be difficult. There are some things we can do:

  • The Flex framework allows you to do a range of things such as overload methods, create view states, and look at network traffic and the local file sandbox. It is possible to inject this tweak into your app using the Theos-Jailed framework. The framework will also allow Cycript (like Frida) to be injected. You can also inject your own dylib tweaks, but your mileage will vary: I tried to inject the iOS-ssl-kill-switch dylib and, whilst it loaded, it didn’t have the required permissions to hook the calls without a jailbreak being in place.
  • Using Theos-Jailed will allow you to do a best-effort test against the application, but some things are still out of reach, such as keychain access and an automatic way of bypassing jailbreak detection / SSL pinning.
  • This method requires the iOS binary to be decrypted. If you download the app from the App Store it will be encrypted; if the customer built their own app then it will likely not be. If you’re not so lucky, you need to find someone with a jailbroken device to decrypt the IPA for you.

Getting the app to install within the Xcode Simulator

If you don’t have an iOS test device, this is another possible solution, but it has a number of requirements. iOS devices run on the ARM architecture and Mac devices run on Intel, so the two don’t match, meaning you can’t install your compiled IPA onto the simulator.

To deploy the application to the simulator you need the customer to provide you with the Xcode project. Some customers will be hesitant to do this as it’s their IP, but in a bind we could use an NDA to appease them.

It is possible to use some jailbreak tweaks within the iOS simulator using a tool called Simject. Simject allows you to inject dylib tweaks into the iOS simulator, BUT these tweaks must be built for x86-64, which means you either need a precompiled version or you need the tweak source code to build yourself. Some helpful person has already compiled flex for simject; you can get it here. I just got this working at 2am, so as I find more tweaks I’ll let you know.

There are some simulator tips here.

Signing applications after modification / bypassing UDID requirements

I have a developer account, so I’m not sure how this works with the free account; I believe the only difference is you can only sign for 7 days.

To get an app to install after you have messed with it, you need to re-sign it for your device. I have found iOS App Signer to be the best for this task. I then install the app using the Xcode devices method.

If the customer has locked your application to a specific device UDID, you can see this within the “embedded.mobileprovision” file, under the “ProvisionedDevices” key. With a developer account you can create a new provisioning profile with your UDIDs and sign the app using that.
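
A read-only pre-flight check for the three install gates discussed above (“MinimumOSVersion”, “UIDeviceFamily” and “ProvisionedDevices”), as an added example that is not part of the original post. The function names, the sample IPA and the UDID strings are constructed for illustration, and the profile plist is sliced out of its signed wrapper without verifying the signature.

```python
import io
import plistlib
import zipfile

def version_tuple(text):  # '11.1.2' -> (11, 1, 2), padded so '11' equals '11.0'
    return tuple(([int(p) for p in text.split(".")] + [0, 0])[:3])

def read_ipa(ipa):
    """Return (Info.plist dict, provisioning profile dict or None) from an IPA."""
    info = profile = None
    with zipfile.ZipFile(ipa) as z:
        for name in z.namelist():
            parts = name.split("/")
            if len(parts) != 3 or parts[0] != "Payload":
                continue  # only the top-level bundle: Payload/<Name>.app/<file>
            if parts[2] == "Info.plist":
                info = plistlib.loads(z.read(name))  # XML or binary plist
            elif parts[2] == "embedded.mobileprovision":
                blob = z.read(name)  # signed blob wrapping an XML plist
                start, end = blob.find(b"<?xml"), blob.find(b"</plist>")
                if start != -1 and end > start:
                    profile = plistlib.loads(blob[start:end + len(b"</plist>")])
    if info is None:
        raise ValueError("no Payload/<Name>.app/Info.plist in archive")
    return info, profile

def install_blockers(ipa, device_ios, device_family, device_udid):
    """List the reasons this IPA would be refused by the given test device."""
    info, profile = read_ipa(ipa)
    problems = []
    minimum = info.get("MinimumOSVersion")
    if minimum and version_tuple(minimum) > version_tuple(device_ios):
        problems.append(f"MinimumOSVersion {minimum} > device iOS {device_ios}")
    families = info.get("UIDeviceFamily", [])  # array: 1 = iPhone, 2 = iPad
    if families and device_family not in families:
        problems.append(f"UIDeviceFamily {families} excludes family {device_family}")
    devices = (profile or {}).get("ProvisionedDevices")  # absent if not UDID-locked
    if devices is not None and device_udid not in devices:
        problems.append("device UDID not in ProvisionedDevices")
    return problems

def sample_ipa():
    """Constructed IPA: iPad-only, iOS 11.0 minimum, locked to one made-up UDID."""
    info = {"MinimumOSVersion": "11.0", "UIDeviceFamily": [2]}
    prof = b"\x30\x82junk" + plistlib.dumps({"ProvisionedDevices": ["UDID-A"]}) + b"sig"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/Demo.app/Info.plist", plistlib.dumps(info))
        z.writestr("Payload/Demo.app/embedded.mobileprovision", prof)
    return buf
```

Calling `install_blockers(sample_ipa(), "11.1.2", 1, "UDID-A")` reports only the device-family mismatch, which matches the iPhone X situation described earlier.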

There is a great guide on how to set up an OSX VMware image; I’m currently using it for all my iOS testing and it works a treat.

Hopefully the above will get you out of a bind if you’re testing an iOS app.