Removing Apple iOS DRM via CLI
Past and present tools for removing DRM from iOS applications
Disclaimer: This post is for educational purposes only and should not be used for any illegal or immoral activities against app developers.
As part of an iOS pentest one of the first things to do is to strip the DRM off the ipa file so we can examine the content of the application, this provides meaningful strings rather than encrypted strings.
Apple’s DRM is known as Fairplay, every time an app is downloaded from the App Store, or Apple’s online service for OTA rollouts, Testflight, they will be encrypted. This DRM works by placing a special header into the app binary which in turn is encrypted with the Apple specific App Store account public key. At install time, this header is decrypted with the private key stored in your device.
There are various tools that can “strip” this DRM, and they generally work by hooking into the device runtime and dumping the app from memory after examining the LC_ENCRYPTION_INFO flag. However, like much of the present-day techniques on iOS, DRM decryption is a cat and mouse game and these techniques, although remaining fundamentally the same, have differed as Apple pushes out more security for its operating system with each iOS version.
Clutch
Source: https://github.com/KJCracks/Clutch/releases
iOS: 8–10
Clutch is probably the most well-known app decryption tool, with its roots originating from early iOS8. Clutch is command line based and like most of these tools requires a jailbroken device with the ability to SSH; this makes it fairly easily to automate with simple scripts or a Python GUI.
Clutch can be used interactively by listing all the apps on the device and dumping, or dumping by providing the bundleID specifier. It dumps out the decrypted ipa file to a Dumped folder in the Documents directory on the device.
![The command Clutch2 -d [app_number] to decrypt an application](https://miro.medium.com/v2/resize:fit:1400/format:webp/1*ChLE32GPZ8mED68LdMPj-Q.png)
Despite its roots surviving three iterations of iOS (8–10) Clutch seems to have numerous issues and errors attempting to dump any app on iOS 11+ due to Apple’s tighter restrictions on app entitlements and arm64 versioning. These issues have somewhat confined a once very great tool to the archives unless using older devices. However, there could be hope as it seems that roarijo89 is attempting to make a fully compatible modern day arm64 Clutch with fully signed entitlements — https://github.com/KJCracks/Clutch/issues/244
Note: Clutch2 is a renamed version of clutch to signify clutch version 2.0.4, the default name is just clutch
dumpdecrypted
Source: https://github.com/stefanesser/dumpdecrypted
iOS: 8–9
Dumpdecrypted has had a number of versions by a number of different developers over the years; with the original being written by the famous developer Stefan Esser, however the makeup is generally the same, dynamic loading. iOS allows the use of injecting dynamic libraries (dylib) into a process through the DYLD_INSERT_LIBRARIES variable, using this is the magic behind this short-lived tool.
Simply put, it’s an elegant way of using the OS variable to load a library that then, as all decryption tools do, locates the crypt offset, copies chunks of the file before rewriting and rebuilding the file. The original code can still be viewed on Github.
Other versions of this tool do exist, such as a separate ‘dumpdecrypted’ binary from Cydia, however this like the original, struggle with the latest iOS versions due to hard coded paths or the move to entirely 64bit operations and unless it’s run on a legacy iOS version, will likely hit an error.
bfinject /bfdecrypt
Source: https://github.com/BishopFox/bfdecrypt — https://github.com/BishopFox/bfinject
iOS: 11
bfinject and bfdecrypt are two halves of the same issue, the former being the standalone tool and the latter the decryption dylib.
bfinject is more than a decryption tool, with it not only injecting the decryption library, but also allowing injection of custom libraries into running applications; as well as incorporating other pentesting tools such as Cycript. Sounds great, the downside, it was built for early iOS 11 jailbreaks, Electra and LiberiOS, and doesn’t run on the now much more common unc0ver jailbreak.
This is countered with the use of the standalone bfdecypt.dylib, and the other half to this duo. It’s not quite as easy to use as the other decryption tools listed and requires some tinkering to get it working initially, steps provided below, but once its working, it does at least work. It requires the app to be started, then backgrounded, the command run, then the app brought back to the foreground while it injects, and even then it can be flaky. It also requires Cycript to hook the process using the cynject binary and app PID.
root# curl -s https://raw.githubusercontent.com/BishopFox/bfdecrypt/master/bfdecrypt.dylib -o bfdecrypt.dylibroot# ldid -S bfdecrypt.dylibroot# cp bfdecrypt.dylib /usr/lib/
Once the app is decrypted you can grab it using netcat, as mentioned in the popup, or by scp from the apps data/Documents directory.
Neither of these options are exactly elegant, they require manual intervention to ensure the decryption; but for one of the first and earliest decryption tools that were available for the complete overhaul that was iOS 11, and the brand new jailbreaks on offer, it was a life saver, and all credit to BishopFox for doing so.
Frida scripts
Source: https://github.com/AloneMonkey/frida-ios-dump — https://github.com/integrity-sa/frida-ipa-dump
iOS: 9 (lower?) –13
Frida decryption and dumping is the way a lot of testing tools are going, the developers write a Frida script, or wrap it up in some Python, you run the script and the app is spawned, decrypted as well as pulled from the device and placed in the current directory. It’s no nonsense, works and its able to be automated into other tools or testing frameworks; the only prerequisite, a working installation of Frida and usbmuxd/itunnel/iproxy.
Not only does it do what it says, but it is fairly universal across multiple iOS version, and multiple devices. TestFlight was decrypted on an iPhone 6 — 9.0.2, an iPhone 7Plus — 11.2.5 and an iPhone6 — 12.4.3, and it worked every time.
The sheer vastness and compatibility of Frida along with the simplicity of using Javascript makes it one of the most universal tools to tinker with iOS devices; it’s no wonder that entire testing frameworks have been built around it such as needle, objection and passionfruit. Using it to decrypt the application is just the first step.
Needle - https://github.com/FSecureLABS/needle
Objection - https://github.com/sensepost/objection
Passionfruit - https://github.com/chaitin/passionfruit
All tools referenced are due to the hard work and effort by various iOS jailbreak devs.
