Published on

Hacking iOS


What Does Hacking iOS Mean?

As most developers for the platform know, iOS is a very locked down operating system full of sandboxes, restrictions, and gray areas. But this doesn't mean it's impenetrable. Jailbreak developers try to exploit vulnerabilities in the operating system allowing commands to be executed with a higher privileges.

If we're lucky, these exploiters will share their findings allowing the rest of the jailbreak community to jailbreak as well. Some of the biggest names for exploiting iOS 8 include Pangu8, TaiG, PP, and more.

Why Should I Care?

When you jailbreak your device, you're given access to the entire operating system; with this access you can do things like modify your carrier name or completely re-theme your device!

Even if you're not planning on customizing your device, there are still a lot of good reasons to jailbreak. For example, with access to the root filesystem, I can use my iPhone as a flash drive. For developers looking to reverse engineer iOS, you can dissect how Apple made the lock screen and other iOS components with FLEXible. This is only possible after jailbreaking.

Using FLEXible to inspect the iOS lock screen
Using FLEXible to inspect the iOS lock screen

Setup "Cycript"

Cycript is a program that allows users to essentially inject code into a running process. This is useful if you want to modify things in iOS without compiling a full tweak. Think of it like a REPL. In order to setup Cycript you must first install OpenSSH from the Cydia application that is installed when you jailbreak.

OpenSSH creates a secure shell from your computer's CLI to your iOS device. This is how we'll be interacting with Cycript. To install Cycript, we're going to first need the .deb file containing the package. The download for this can be found here (make sure you get the latest version.)

Now that you have the .deb file on your computer, you need to connect to your iOS device through SFTP and upload your .deb file with the following commands by replacing <ip address> with your devices IP address (which can be found in the Settings app) and replacing <cycript path> with the location of the Cycript .deb file on your computer:

Zanes-iMac:~ Zane$ sftp root@<ip address>
root@...'s password:alpine
Connected to ...
sftp> cd /tmp
sftp> put <cycript path>
Uploading ... to /private/var/tmp/cycript_0.9.501_iphoneos-arm.deb
... 444KB 443.5KB/s 00:00
sftp> bye

Great! Almost ready to use Cycript, now we have to install the package using these commands:

Zanes-iMac:~ Zane$ ssh root@<ip address>
root@...'s password:alpine
Zanes-iPad:~ root# cd /tmp && dpkg -i cycript_0.9.501_iphoneos-arm.deb

Cycript is now up and ready to go!

To attach Cycript to a running process (e.g. SpringBoard) run the following on your device:

Zanes-iPad:~ root# cycript -p SpringBoard

Now you can manipulate the SpringBoard process that's currently running without any permanent changes.

To read more about how to use Cycript's language, check out the official manual. I've also made a video on Cycript that goes into detail about using it to inspect a process here.