macOS Setup
It helps to have a Mac when performing mobile app testing. A lot of the "tools" that can be run on the iOS device can also be run on a Mac. This allows for faster app analysis, plus there are many other tools that run on a Mac to speed up this analysis.
Additionally, you will want to have Xcode running on a Mac. Even if you do not plan on developing any apps, Xcode comes with a wealth of tools that you will use during an assessment. Make sure you install the Command Line tools of Xcode when you install it.
GateKeeper
Recent versions of macOS have introduced GateKeeper, which prevents the system from opening a file from an "Unidentified Developer". It will also alert you that the file was downloaded from the internet, and you must validate that you want to open it. For the most part, the applications below are properly signed and will not cause the GateKeeper alert. However, if you do run into this issue, you can use Terminal to manually remove the quarantine bit:
sudo xattr -rd com.apple.quarantine /Applications/AppName.app
With the quarantine bit removed, the application will open fine. This is also a permanent change, so you only need to do this once per application. Of course, you want to ensure that you obtained the app from a reliable source.
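Before removing the attribute, it is worth reading what it records, because that is your evidence of where the file came from: the value is a semicolon-separated string of flags in hex, the download time as hex Unix seconds, the downloading application, and an event identifier. The following Python is an added example and not part of the original page; the sample value and the .app path it is used with are constructed placeholders.

```python
import subprocess
import sys
from datetime import datetime, timezone
from typing import Optional

QUARANTINE_ATTR = "com.apple.quarantine"


def parse_quarantine(value: str) -> dict:
    """Decode a com.apple.quarantine value.

    Format: "<flags hex>;<download time as hex Unix seconds>;<agent>;<uuid>".
    Older entries can omit the trailing fields, so those become None.
    """
    fields = value.strip().split(";")
    if len(fields) < 2:
        raise ValueError(f"unexpected quarantine value: {value!r}")
    flags = int(fields[0], 16)
    downloaded = datetime.fromtimestamp(int(fields[1], 16), tz=timezone.utc)
    agent = fields[2] if len(fields) > 2 and fields[2] else None
    ident = fields[3] if len(fields) > 3 and fields[3] else None
    return {"flags": flags, "downloaded": downloaded, "agent": agent, "id": ident}


def describe_value(path: str, raw: str) -> str:
    """One-line summary of a raw attribute value, for review before removal."""
    info = parse_quarantine(raw)
    when = info["downloaded"].strftime("%Y-%m-%d %H:%M:%S UTC")
    agent = info["agent"] or "unknown agent"
    return f"{path}: downloaded {when} by {agent} (flags 0x{info['flags']:04x})"


def read_quarantine(path: str) -> Optional[str]:
    """Return the raw attribute via `xattr -p`, or None if the file has none.

    Only meaningful on macOS; elsewhere the xattr tool may not exist.
    """
    if sys.platform != "darwin":
        return None
    proc = subprocess.run(["xattr", "-p", QUARANTINE_ATTR, path],
                          capture_output=True, text=True)
    return proc.stdout.strip() if proc.returncode == 0 else None


if __name__ == "__main__":
    # Usage: python3 quarantine_info.py /Applications/AppName.app (placeholder path)
    for app in sys.argv[1:]:
        raw = read_quarantine(app)
        print(describe_value(app, raw) if raw else f"{app}: no quarantine attribute")
```

Run it on the bundle before the xattr -rd command above; if the agent or download time is not what you expect, that is the moment to go back and re-check the source.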
Software Installations
There are several software packages that you can use, but you will likely want to have these at a minimum. Tested on macOS versions up to, and including, macOS Monterey.
- Xcode (with Command Line Tools -- Apple App Store)
  Xcode provides many of the utilities required for static analysis, such as otool, lipo, etc. It also allows for easy app installation and will pull crash dumps from the iOS device. Xcode takes a ridiculously long time to install, and overall sucks. But we need it...
  Xcode Command Line Tools:
    xcode-select --install
- Homebrew (https://brew.sh)
    /bin/sh -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install.sh)"
  Note: Homebrew installs applications in /usr/local/bin on Intel-powered macOS systems. On Apple Silicon (arm64) macOS systems, Homebrew installs applications in /opt/homebrew/bin. Set your $PATH variable accordingly!
- libimobiledevice (http://www.libimobiledevice.org)
  An open-source package that talks to the device over the USB cable and lets you gather information from it.
    brew install libimobiledevice
- Burp Suite Pro (https://portswigger.net)
  Used to intercept and modify the HTTP communications of the mobile app.
- Hex Editor (Your choice -- both of these are good)
  Hex Fiend (http://ridiculousfish.com/hexfiend/): a simple hex editor. This can be used to bypass many of the validation routines such as jailbreak detection.
    brew install hex-fiend
  REHex (https://github.com/solemnwarning/rehex/releases): a cross-platform (Windows, Linux, Mac) hex editor for reverse engineering, and everything else. Includes many additional tools that Hex Fiend does not have.
- Radare2 (https://github.com/radare/radare2.git)
  Radare2 is a full disassembler for ARM binaries and can be used to manipulate the assembly code.
    brew install radare2
- XMachOView (https://github.com/horsicq/XMachOViewer)
  An updated MachOView with enhanced capabilities! Download from the releases available on GitHub.
- Sqlitebrowser (http://sqlitebrowser.org)
  Opens SQLite databases from the iOS device in a graphical view. It also supports encrypted databases, which makes it more useful.
    brew install db-browser-for-sqlite
- Python3 Virtual Environment
  It is recommended to create a Python3 virtual environment to install the mobile testing tools into. This keeps the tools isolated from the externally managed system Python.
  Install and activate the environment:
    python3 -m venv mobile
    cd mobile
    . bin/activate
  Tip: Remember to activate the environment whenever you need to use it. When finished, you can deactivate it by running the command deactivate!
  Tools to install into the virtual environment:
- Frida (https://pypi.python.org/pypi/frida) (MUST match the version on the device)
  Frida is a dynamic instrumentation toolkit to allow deep access to the running iOS application. If you install "frida-tools", it will also install the Frida server since it is a requirement.
    pip3 install frida-tools
- Frida Scripts (Corporate GitHub!)
  Various Frida scripts that are used throughout this testing guide!
- Fridump (https://github.com/Nightbringer21/fridump)
  This tool, based on Frida, allows you to dump the memory from a running iOS process. It also has built-in strings capabilities for post memory dump analysis.
    git clone https://github.com/Nightbringer21/fridump
- frida-ios-dump (https://github.com/AloneMonkey/frida-ios-dump)
  Frida dump script to decrypt a binary and dump the app to an IPA on the host.
    git clone https://github.com/AloneMonkey/frida-ios-dump
- Objection (https://github.com/sensepost/objection)
  Objection is a runtime mobile exploration toolkit, powered by Frida. Objection can automate many of the tasks of dynamic analysis of the app. Relies on Frida and Python3.
    pip install objection
- KTool (https://github.com/cxnder/ktool)
  A recent class dump script that supports Objective-C and Swift apps.
    pip3 install k2l
- Mobile Security Framework (MobSF) (https://github.com/MobSF/Mobile-Security-Framework-MobSF)
  To install (one-time setup):
  - Install wkhtmltopdf (https://wkhtmltopdf.org) to save scan output as a PDF file. The apt command below applies to Debian/Ubuntu; on macOS, download the package from wkhtmltopdf.org.
      sudo apt install wkhtmltopdf
  - Clone the MobSF Git repository
      git clone https://github.com/MobSF/Mobile-Security-Framework-MobSF.git
      cd Mobile-Security-Framework-MobSF
  - Run the setup script
      ./setup.sh
  To run the application:
  - Launch the app by executing the run.sh script
  - Open a web browser to http://localhost:8000
  - The default login credentials are mobsf:mobsf. Authentication can also be disabled by setting the MOBSF_DISABLE_AUTHENTICATION=1 environment variable.
- SQLite Parser (https://github.com/mdegrazia/SQLite-Deleted-Records-Parser)
  SQLite does not delete records right away, so SQLiteParser can be used to recover "deleted" records from an SQLite database.
    git clone https://github.com/mdegrazia/SQLite-Deleted-Records-Parser.git
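To see why such a tool has anything to recover, the following added example (not part of the original page or of SQLiteParser) inserts a row into a file-backed database, deletes it, and then scans the raw file bytes with a minimal stand-in for the strings step. It also toggles SQLite's secure_delete pragma, which overwrites freed content and is the setting an app developer would enable to close this gap; the marker text is constructed.

```python
import os
import re
import sqlite3
import tempfile
from typing import List

# Constructed marker text that is easy to spot in the raw file.
MARKER = b"DELETED-BUT-STILL-ON-DISK"


def carve_ascii(blob: bytes, min_len: int = 8) -> List[str]:
    """Return printable ASCII runs of at least min_len bytes, like `strings`."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def deleted_text_still_on_disk(secure_delete: bool) -> bool:
    """Insert a row holding MARKER, delete it, and report whether the bytes
    survive in the database file. secure_delete=True zeroes freed content."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "app.db")
        con = sqlite3.connect(path)
        con.execute(f"PRAGMA secure_delete = {'ON' if secure_delete else 'OFF'}")
        con.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, body TEXT)")
        con.execute("INSERT INTO messages (body) VALUES (?)", ("keep me",))
        con.execute("INSERT INTO messages (body) VALUES (?)", (MARKER.decode(),))
        con.commit()
        con.execute("DELETE FROM messages WHERE body = ?", (MARKER.decode(),))
        con.commit()
        # The logical view no longer contains the row ...
        live = con.execute("SELECT COUNT(*) FROM messages").fetchone()[0]
        assert live == 1
        con.close()
        # ... but the freed cell's bytes are only overwritten with secure_delete on.
        with open(path, "rb") as f:
            raw = f.read()
        return MARKER in raw


if __name__ == "__main__":
    print("secure_delete OFF, marker recoverable:", deleted_text_still_on_disk(False))
    print("secure_delete ON,  marker recoverable:", deleted_text_still_on_disk(True))
```

The same idea applies to the app databases pulled from a device: if the developer never enabled secure_delete (or vacuumed), "deleted" rows are still carved out of the file.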
- disarm (https://newosxbook.com/tools/disarm.tar)
  Jtool2 is deprecated, and its functionality is now in disarm.
    curl https://newosxbook.com/tools/disarm.tar --output disarm.tar
- ideviceinstaller
  A small utility to simplify IPA installation.
    brew install ideviceinstaller
- SQLCipher (https://www.zetetic.net/sqlcipher/)
  SQLCipher extends the SQLite database to include encrypted local data storage. On mobile devices, it is recommended to encrypt any local database using this package. This software is needed on your computer to be able to access the encrypted database.
    brew install sqlcipher
- iOS App Signer (https://github.com/DanTheMan827/ios-app-signer)
  Easily code-sign an IPA file for installation onto the device.
  - Download the zip file from GitHub
  - Extract the zip file, and drag the application to the /Applications folder
- android-platform-tools
  A brew package that installs tools such as adb and fastboot.
    brew install android-platform-tools
- apktool
  Decodes an APK file.
    brew install apktool
- jadx
  Jadx and Jadx-GUI will decompile the APK file back to near-Java code.
    brew install jadx
- SUPER Analyzer (https://github.com/SUPERAndroidAnalyzer/super/releases)
  No longer actively maintained! Analyzes an APK file for misconfigurations.
- dex2jar
  Converts .dex files to .class files.
    brew install dex2jar
- Android Build Tools (https://dl.google.com/android/repository/build-tools_r28.0.2-macosx.zip)
  Contains several command-line tools that will be needed during testing.
- Drozer
  Drozer is a vulnerability and attack framework for Android. It received a much-needed update for Python3 in 2024 by WithSecureLabs.
  (Server: https://github.com/WithSecureLabs/drozer/releases)
  Install the Drozer server (using pipx):
    # install pipx:
    brew install pipx
    pipx ensurepath
    # now install drozer:
    pipx install drozer
  (Agent: https://github.com/WithSecureLabs/drozer-agent)
  Install the Drozer agent on your device:
    adb install drozer-agent-3.1.0.apk
- Corellium - usbfluxd (when working with Corellium)
  Redirects the standard usbmuxd socket to allow connections to local and remote usbmuxd instances so remote devices appear connected locally.
    git clone https://github.com/corellium/usbfluxd.git
    cd usbfluxd
    ./autogen.sh
    make
    sudo make install
  This will install usbfluxd into /usr/local/sbin, and also usbfluxctl into /usr/local/bin. Ensure these are in your $PATH.
  Launch the daemon:
    sudo /usr/local/sbin/usbfluxd
  Once you have the virtual device running, get the IP address from the Connect tab in the left menu. Then add an entry for usbfluxd:
    /usr/local/bin/usbfluxctl add <ip-address>:5000
    # run this to see what is set up:
    /usr/local/bin/usbfluxctl list
  Once this is set up correctly, you can use the libimobiledevice commands, and Frida, as you would with a physical device attached with a USB cable.
ADB Configuration - For Android Devices
For Android apps, it is best to just use the ADB utility to connect to the physical device. All you should need to do is:
adb shell
su