fsmon
fsmon copied to clipboard
nowsecure
IPC and fsmon on iOS
Hi!
First of all I think that fsmon is a great tool.
I compiled it on iPad Mini 2 with iOS 12.5.5 and jailbroken with odysseyra1n. I tested fsmon with Telegram sudo fsmon -P Telegram /. However, if I add a new contact from Telegram I can't capture writing on Contacts app because fsmon monitors only Telegram, but not ABDatabaseDoctor process. To workaround this problem I can use sudo fsmon /. However, with this command I capture noise from other process.
I know that apps on iOS can communicate with IPC. So can I use fsmon or other tool/project (e.g. Frida) to monitor an app (e.g. Telegram) and its IPC?
Thanks in advance. Kind regards, Lorenzo.
I think the best way to snitch into the IPC communications on iOS, is using Frida and hooking XPC apis. there are public tools around to do that already, so maybe that will work for you https://github.com/hot3eed/xpcspy
Besides pancake's point, why not just hook the contacts-writing APIs as called by Telegram?
@hot3eed Yes, I can, but I must find a general approach. For my project I must capture all artifacts produced by an app on iOS after an action. So not only those produced by the app under inspection, but also those produced by another process invoked by this app. I will try to understand your agent to find useful XPC APIs.
Hi @trufae!
I made some progress (maybe). Using DaemonDisabler I disabled /System/Library/LaunchDaemons/com.apple.ABDatabaseDoctor.plist and /System/Library/LaunchDaemons/com.apple.contactsd.plist. But without latter I can't write or read contacts from Telegram. So after I re-enabled it, I ran sudo fsmon /private/var/mobile/Library/AddressBook and I created a new contact from Telegram. Even if a new contact is present in Contacts app fsmon didn't show any output. Using ls -alFh /private/var/mobile/Library/AddressBook/AddressBook.sqlitedb-wal I discovered that this file is changed.
So is it possible that fsmon didn't notice it?
Kind regards, Lorenzo.