14 changes: 13 additions & 1 deletion src/mobile-pentesting/ios-pentesting/README.md
@@ -156,6 +156,18 @@ Identification of **protections are present in the binary**:
- **Environment Variables**: Check for environment variables that may indicate a debugging session.
- **Mach Ports**: Detect if mach exception ports are being used by debuggers.


#### Anti-Debugging & Anti-Tamper Techniques (Layered Checks)

Real-world apps often layer pre-exec, on-attach, and continuous checks. Common patterns to look for (and how to neutralize them during testing):

- **Private API side-channel fingerprinting**: private launch APIs (e.g., `SBSLaunchApplicationWithIdentifierAndURLAndLaunchOptions`) are abused to probe for installed bundle IDs (`com.opa334.TrollStore`, `org.coolstar.SileoStore`, `com.tigisoftware.Filza`, etc.) based on return codes/logging. Hook the call and sanitize arguments/return values to emulate a clean device.
- **Self-attestation via code-signing state**: `csops()` with `CS_OPS_ENTITLEMENTS_BLOB` reads entitlements; unexpected values trigger exit. Pair this with integrity checks (CRC32/MD5 of resources, certificate validation, Mach-O metadata like `LC_ENCRYPTION_INFO_64`) to detect re-signing or patching. Instrument these routines and force "expected" results during analysis.
- **Kill-on-attach**: `ptrace(PT_DENY_ATTACH)` combined with `abort()`/`exit()` on attach. Bypass by neutralizing the termination path or hooking `ptrace` to succeed without enforcing denial.
- **Crash forensics sabotage**: overwrite CPU registers before crashing to destroy backtraces. Prefer breakpoints/hooks earlier in the detection path instead of relying on crash logs.
- **Jetsam-based termination**: deliberate memory pressure to trigger jetsam, which yields no normal crash log. Look for large allocations around detection logic and cap/short-circuit them to keep logs.
- **Continuous checks with delayed enforcement**: heartbeat timers re-run detection and enforce later. Trace timers/dispatch sources and keep the process alive by bypassing the delayed kill path.

### Basic Dynamic Analysis

Check out the dynamic analysis that [**MobSF**](https://github.com/MobSF/Mobile-Security-Framework-MobSF) perform. You will need to navigate through the different views and interact with them but it will be hooking several classes on doing other things and will prepare a report once you are done.
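Review bot: the hunk leaves two consecutive blank lines between the end of the existing bullet list and the new `#### Anti-Debugging & Anti-Tamper Techniques (Layered Checks)` heading; collapse them to one so the markdown matches the single-blank-line spacing used before `### Basic Dynamic Analysis`. The intro sentence ("Common patterns to look for ...") also gives no source for the specific claims that follow (the `csops()` / `CS_OPS_ENTITLEMENTS_BLOB` check, the jetsam-based termination yielding no crash log, the register-clobbering before abort); since the calif.io write-up is only added to the References list far below in a separate hunk, consider linking it inline here, e.g. "Common patterns to look for (see [this analysis](https://blog.calif.io/p/taking-apart-ios-apps-anti-debugging)) ...", so a reader can verify each detection primitive against its origin. Finally, `ptrace(PT_DENY_ATTACH)` in the kill-on-attach bullet abbreviates the real four-argument call; writing it as `ptrace(PT_DENY_ATTACH, 0, 0, 0)` avoids confusing readers who grep for the pattern in disassembly.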
@@ -1199,6 +1211,7 @@ zero-click-messaging-image-parser-chains.md

## **References & More Resources**

- [https://blog.calif.io/p/taking-apart-ios-apps-anti-debugging](https://blog.calif.io/p/taking-apart-ios-apps-anti-debugging)
- [https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06b-basic-security-testing#information-gathering](https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06b-basic-security-testing#information-gathering)
- [iOS & Mobile App Pentesting - INE](https://my.ine.com/CyberSecurity/courses/089d060b/ios-mobile-app-pentesting)
- [https://mas.owasp.org/MASTG/techniques/ios/MASTG-TECH-0057/](https://mas.owasp.org/MASTG/techniques/ios/MASTG-TECH-0057/)
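Review bot: the new reference is inserted with a bare URL as its link text, which matches the neighbouring gitbook and OWASP entries but not the descriptive "iOS & Mobile App Pentesting - INE" style; either is acceptable, but adding a short title (for example the post's own "Taking apart iOS apps' anti-debugging") would make it clear to readers that this entry is the source for the new Layered Checks section added earlier in this PR.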
@@ -1227,4 +1240,3 @@ zero-click-messaging-image-parser-chains.md


{{#include ../../banners/hacktricks-training.md}}
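Review bot: this hunk is pure whitespace churn, dropping one of the blank lines before the `{{#include ../../banners/hacktricks-training.md}}` banner with no content change; it is harmless, but unrelated trailing-blank-line edits are better kept out of a content PR (or noted in the description) so the diff stays focused on the anti-debugging section and its reference.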