4 min read

Using The Power Of Frida To Extract FairPlay-Encrypted iOS Applications (inc.TestFlight)

Using The Power Of Frida To Extract FairPlay-Encrypted iOS Applications (inc.TestFlight)

Today we’re going to be using two lovely open source projects to our advantage - Frida (indirectly), and Frida-iOS-Dump (as directly as could be).

Frida, as we have learned from my previous article, allows us to communicate with an application; executing from ‘within the context’ of our Application.

We’re going to be using Frida alongside Frida-iOS-Dump - A project designed to use the power of Frida to produce a Decrypted IPA ( iPhone Application File ) from an Application while ‘In-Memory’ on our iDevice, for us to inspect, reverse engineer, re-sign and finally use on our iDevice (later, in Part 2 of this article (soon to be released)).

I can only assume if you’re looking to patch Jailbreak Detection Techniques, that you’re doing this with an Application from the Apple App Store. If you’re doing this purely for fun and not sure where to start, I used the ‘My Pub’ Application for experimenting.

Citrix Receiver - Jailbreak Detection

App Store Applications are encrypted using Apple’s DRM Service, Fairplay.

To achieve our goal of patching jailbreak detection, we’re going to need to ‘patch’ the binary. First, we need the binary! That’s where the amazing frida-ios-dump comes into play... We’re going to dump the app to the standard ‘IPA’ file format. Keep in mind this tutorial is also applicable for dumping Testflight Applications.

Frida iOS Dump works by initialising/loading the app live on the device. As the Application is loaded into the Device Memory in a decrypted form, the contents of the memory pertaining to said application are processed/parsed, and Frida iOS Dump generates a usable IPA. Clever stuff! I’ve created a little graphic to illustrate this process as it might sound a little cryptic just reading paragraph after paragraph - I want to ensure we have a clear understanding of the process!

You’ll need Frida setup first ( I talk about frida in my previous article “Frida, nmssh.js & Gaining A Technical Insight Into Shadow-Market Activation Utilities.”, detailing the setup process for the Mac. Setting up the iOS side is as simple as adding “https://build.frida.re” to Cydia and installing the correct build for your device.

Here’s the Github repository for frida-ios-dump ( it’s super simple, I promise! The setup guide is within the readme.md ) -> https://github.com/AloneMonkey/frida-ios-dump

I would like to note I had some issues installing the prerequesites for frida-ios-dump, specifically using pip to install the requirements. Removing the ‘--upgrade’ argument from pip however seemed to fix it!

Given Frida is now setup on both our Mac and iDevice, we should now be able to execute ‘frida-ps -Uai’ from our Terminal on the Mac. This should list all installed applications on the iDevice…

I encourage you to experiment with the macOS Terminal if you haven’t already, and to learn how to use utilities like ‘grep’ to speed up your workflow (significantly!). Let’s use frida-ps and grep to quickly find the app we need...

frida-ps -Uai | grep Twitter

Using ‘grep’ alongside frida-ps to save some time!

In this example, we are executing frida-ps, and the output of the command is being ‘tunneled’ to grep. Grep will then use the ‘input’ (the output of frida-ps) to find any lines with the word ‘Twitter’ inside and print only those specific lines.

Congrats, you just created your first pipe on a Unix system too! <3

So within our output we can see the Application we want to patch, alongside an ‘identifier’ on the right. This is called a ‘Bundle Identifier’ and is used internally on your device to reference different Applications.

Take note of the Bundle Identifier, we’ll need it in a moment.

It’s now time to change the ‘working directory’ of your Terminal to the directory of frida-ios-dump. You can use ‘cd’ (change directory) followed by the path of ‘frida-ios-dump’ to do so. Ensure you cd to the folder name, not to the binary within. That won’t work!

For users new to using the Terminal, the command i’d use to cd to the folder is:

cd ~/Documents/GitHub/frida-ios-dump

Keep in mind the location of frida-ios-dump will more than likely be different for you.

So, all being well, we can now type ‘./dump.py BUNDLEID’ - replacing BUNDLEID with the bundle identifier we took note of earlier.

The application should automatically initialise (should your device be unlocked and connected via USB) and frida-ios-dump will begin processing the Assets and Instructions within the Application. Give it a few more moments, and the process should finish and you’ll see “Generating ‘APP.ipa’” in the Mac terminal.

At this point, the process should be complete and you’ll hopefully find ‘APP.ipa’ in the directory of frida-ios-dump!

This IPA serves as our ‘decrypted’ iDevice Application. Woohoo! We are now able to modify the binary directly, and/or simply resign and install the app on another device.

I hope you’ve enjoyed this one, and maybe learnt something new! Please do leave a comment if you have some feedback and/or questions - I reply to everyone!

-J