Skip to content

MASTG-TECH-0056: Installing Apps

Installing an application outside the Apple App Store is called sideloading. There are several ways of sideloading, as described below. On iOS, the installation process is handled by the installd daemon, which unpacks and installs the application. To integrate app services or be installed on an iOS device, all applications must be signed with a certificate issued by Apple. This means the application can be installed only after successful code-signature verification, as explained in Signing IPA files.

Disabling Signature Verification (optional): On a jailbroken device, you can bypass the signature verification requirement using AppSync Unified, which hooks the appropriate system daemon and disables signature verification for any installations you do with the tools listed below while it's enabled.

Different methods exist for installing an IPA package on an iOS device. They are described below.

Sideloadly

Sideloadly is a GUI tool that automates all required steps for you. It requires valid Apple developer credentials because it obtains a signature from Apple servers.

Connect your device via USB, enter your Apple ID, and drag-and-drop the IPA file into SideLoadly. Click Start to sign and install the given IPA automatically.

libimobiledevice

On Linux and macOS, you can alternatively use libimobiledevice suite. This allows you to install apps over a USB connection by executing ideviceinstaller. The connection is implemented with the USB multiplexing daemon usbmuxd, which provides a TCP tunnel over USB.

Let's install the iGoat-Swift app with the following command:

$ ideviceinstaller -i Uncrackable.ipa
...
Install: Complete

Filza

Filza allows you to install an IPA file already on your device. You can use either scp ( Host-Device Data Transfer) or AirDrop to copy the IPA file to your device, after which you can navigate to the IPA file on your file system and click the Install button in the top right corner.

ipainstaller

The IPA can also be installed directly on an iOS device via the command line using ipainstaller. Naturally, this requires a jailbroken device; otherwise, you cannot SSH into it. After copying the file over to the device, for example, via scp ( Host-Device Data Transfer) or AirDrop, you can execute ipainstaller with the IPA's filename:

ipainstaller Uncrackable.ipa

ios-deploy

On macOS, you can also use the ios-deploy tool to install iOS apps from the command line. You'll need to unzip your IPA since ios-deploy uses the app bundles to install apps.

unzip UnCrackable.ipa
ios-deploy --bundle 'Payload/UnCrackable Level 1.app' -W -v

xcrun

After installing Xcode Command Line Tools, you can execute the following command to install a signed IPA:

# Get the correct device id
$ xcrun devicectl list devices
Devices:
Name                 Hostname                                     Identifier                             State                Model
------------------   ------------------------------------------   ------------------------------------   ------------------   ------------------------------
Foobar               00008101-00FF28803FF9001E.coredevice.local   ABD1F3D8-7BC1-52CD-8DB6-9BFD794CE862   available (paired)   iPhone 14 Pro Max (iPhone15,3)

$ xcrun devicectl device install app --device 00008101-00FF28803FF9001E ~/signed.ipa
11:59:04  Acquired tunnel connection to device.
11:59:04  Enabling developer disk image services.
11:59:04  Acquired usage assertion.
4%... 12%... 28%... 30%... 31%... 32%... 33%... 35%... 36%... 37%... 39%... 40%... 42%... 43%... 45%... 49%... 51%... 52%... 54%... 55%... 57%... 59%... 60%... 62%... 66%... 68%... 72%... 76%... 80%... 84%... 88%... 92%... 96%... Complete!
App installed:
• bundleID: org.mas.myapp
• installationURL: file:///private/var/containers/Bundle/Application/DFC99D25-FC36-462E-91D2-18CDE717ED21/UnCrackable%20Level%201.app/
• launchServicesIdentifier: unknown
• databaseUUID: DA52A5EB-5D39-4628-810E-8F42A5561CDF
• databaseSequenceNumber: 1516 options:

Xcode

It is also possible to use the Xcode IDE to install iOS apps by executing the following steps:

  1. Start Xcode
  2. Select Window/Devices and Simulators
  3. Select the connected iOS device and click on the + sign in Installed Apps.

Allow Application Installation on a Non-iPad Device

Sometimes an application must be used on an iPad. If you only have iPhone or iPod touch devices, you can force the application to be installed and used on these devices. You can do this by changing the value of the property UIDeviceFamily to the value 1 in the Info.plist file.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>

  <key>UIDeviceFamily</key>
  <array>
    <integer>1</integer>
  </array>

</dict>
</plist>

Note that changing this value will break the original signature, so you must re-sign the IPA ( Signing IPA files) to install it on a device that does not have signature validation disabled.

This workaround might not work if the application requires capabilities specific to modern iPads, while your iPhone or iPod is a bit older.

Possible values for the property UIDeviceFamily can be found in the Apple Developer documentation.

Tests

MASTG-TEST-0271: Runtime Use Of APIs Detecting Biometric Enrollment Changes MASTG-TEST-0267: Runtime Use Of Event-Bound Biometric Authentication MASTG-TEST-0269: Runtime Use Of APIs Allowing Fallback to Non-Biometric Authentication MASTG-TEST-0246: Runtime Use of Secure Screen Lock Detection APIs MASTG-TEST-0367: Runtime Use of Virtual Device Detection Techniques MASTG-TEST-0241: Runtime Use of Jailbreak Detection Techniques MASTG-TEST-0354: Runtime Use of Hook Detection Techniques MASTG-TEST-0359: Implementation Details Exposure in Logs MASTG-TEST-0363: Runtime Use of Entitlement-Backed APIs for Unjustified Capability Exposure MASTG-TEST-0361: Runtime Use of Protected Resource APIs Without Accurate Purpose Strings MASTG-TEST-0349: Runtime Use of Insecure Random APIs MASTG-TEST-0302: Sensitive Data Unencrypted in Private Storage Files MASTG-TEST-0314: Runtime Monitoring of Text Fields Eligible for Keyboard Caching MASTG-TEST-0301: Runtime Use of APIs for Storing Unencrypted Data in Private Storage MASTG-TEST-0299: Data Protection Classes for Files in Private Storage MASTG-TEST-0298: Runtime Monitoring of Files Eligible for Backup MASTG-TEST-0296: Sensitive Data Exposure in Logs MASTG-TEST-0384: Runtime Use of Enforced Updating APIs MASTG-TEST-0336: Runtime Setting of Relaxed WebView File Origin Policies MASTG-TEST-0347: Runtime Use of APIs Hiding Sensitive Data in Text Input Fields MASTG-TEST-0277: Sensitive Data in the iOS General Pasteboard at Runtime MASTG-TEST-0348: Insecure TLS Protocols in Network Traffic

Demos

MASTG-DEMO-0042: Runtime Use of LAContext.evaluatePolicy with Frida MASTG-DEMO-0044: Runtime Use of kSecAccessControlUserPresence with Frida MASTG-DEMO-0046: Runtime Use of kSecAccessControlBiometryCurrentSet with Frida MASTG-DEMO-0119: Bypassing Frida D-Bus Port Detection to Extract Sensitive Data MASTG-DEMO-0131: Detecting Virtual Device Detection Checks with Frida MASTG-DEMO-0026: Runtime Use of LAContext.canEvaluatePolicy with Frida MASTG-DEMO-0117: Extracting Sensitive Data from CCCrypt via Frida Hooking MASTG-DEMO-0118: Detecting Frida Hooks Before Sensitive Cryptographic Operations MASTG-DEMO-0125: Implementation Details Exposed in App Logs MASTG-DEMO-0126: Runtime Location Capture with a Deceptive Purpose String MASTG-DEMO-0127: Unjustified Capability Exposure due to Excessive Entitlements MASTG-DEMO-0074: Uses of Insecure Random Number Generation with frida-trace MASTG-DEMO-0067: Runtime Tracking of Files Eligible for Backup with Frida MASTG-DEMO-0066: Sensitive Data Logging with idevicesyslog MASTG-DEMO-0077: Runtime Monitoring of Text Fields Eligible for Keyboard Caching with Frida MASTG-DEMO-0099: Runtime Monitoring of WebView File Access with Frida