Mapping iOS Persistence Attack Surface using Corellium

Accompanying code for a blog post.

This repository contains a uniq_opens.txt file as generated in the blog post. Replace this file if new data is generated.

Setup

Install Neo4J Desktop or create AuraDB instance
Run brew install libmagic
Run python3 -m pip install -r requirements.txt in the project root
Run npm install in the project root
Download and unpack the target IPSW and mount the root filesystem
Run diskutil enableOwnership /Volumes//Volumes/SkyF19F77.D10D101D20D201OS (or whatever the actual mount point is)
Edit the process_opens.py script so that ROOT_FS_PATH is the mount point of the filesystem
Edit the process_opens.py script to fill in the Neo4J credentials/host
Copy config.json.example to config.json and fill in the Corellium credentials, project name, and device UUID
Invoke the script: sudo python3 process_opens.py (as root because we enable permissions on the FS)

Once complete, validate that the data imported successfully by running this Cypher query in the Neo4J Browser:

MATCH (p:Process) RETURN p

Name		Name	Last commit message	Last commit date
Latest commit History 2 Commits
README.md		README.md
config.json.example		config.json.example
download_file.js		download_file.js
package.json		package.json
process_opens.py		process_opens.py
requirements.txt		requirements.txt
stat_file.js		stat_file.js
uniq_opens.txt		uniq_opens.txt