
My question in a nutshell: Is there a way to create an iOS app running on an iOS device that can connect to and communicate with its own device's lockdownd?


(For the curious who want to know "the why": I would like to use the connection to lockdownd to trigger the installation of apps in .ipa files on the iOS device that have a "local provisioning profile", i.e. a provisioning profile with the flag LocalProvision set to true which means that over-the-air/OTA installations via a web-based installation are prevented by the operating system.)


A little background: You can connect to an iOS device's lockdownd from a second device either

  1. by letting the second device serve as a USB host for the iOS device or
  2. by establishing a wifi-based TCP connection to the iOS device on port 62078.

By using libraries like libimobiledevice, you can then interact with the iOS device - for example to trigger the installation of an app contained in an .ipa file.


What I have already researched & tried:

  1. According to Jon Gabilondo's very good article Understanding usbmux and the iOS lockdown service, lockdownd creates a UNIX domain socket at /var/run/lockdown.sock - unfortunately however with "privileges 511, which means only root will be able to write to it." (Quote from the article) --> I have therefore not tried accessing/writing to this socket.
  2. lockdownd also opens a TCP endpoint listening on port 62078 in the device's wifi network. --> I have created a small test app that tries to establish a TCP connection to 127.0.0.1:62078. Unfortunately, the connection attempt fails with the error #1 "Operation not permitted". Same when trying to connect to the IPv4 assigned by the wifi's DHCP server to the iOS device.

What other option could be used to establish a connection to an iOS device's lockdownd from within an app running on that device?

Hauke P.

1 Answer

Yes, connecting to localhost:62078 (or any other IP that resolves to localhost) is not permitted. I'm not sure why Apple decided to do that, as it does not make sense from a security point of view (other devices in the network can connect, so maybe it is just an extra layer of security for situations where Network Device is not enabled).

Also, I assume Apple wouldn't support your use case, as they don't permit 3rd party AppStores (although, some say it may change soon - https://www.gamesindustry.biz/apple-may-allow-third-party-app-stores-on-iphone-in-next-update).

The only viable option I see is to set up some external port-forwarding (can be easily set up on many routers) or have some other sort of proxy. I've actually just tested it, and it works perfectly.

iOS 17 Edit

As of iOS 17 betas, it seems Apple are moving away from usbmuxd/lockdown towards Remote Device Service protocols implemented on top of USB/WiFi network interfaces.

I haven't tried to connect to the new service ports from localhost, but it may be worth a try.

Elist
  • Thanks a lot for your response. I get the idea of setting up port forwarding: I guess that you let your iOS app connect to some port at a public IP that in turn gets routed back to your iOS device, right? I don't think however that I'm getting the proxy idea: What type of proxy are you referring to? Could you please elaborate a little more? – Hauke P. Mar 06 '23 at 21:43
  • First, I am not sure if using a public IP for forwarding is necessary. You need a machine that can route back to your iOS, which typically means being on the same local network. By proxy I mean a service that does not act as “blind” as a port forward, but instead reads the traffic contents and manipulates them. E.g., consider a service that has a bidirectional route to the iOS device, stores the pairing keys etc. and exposes some higher level API that requires authentication and encryption. Such a proxy will allow you to write an HTTPS application in any environment and control the device. – Elist Mar 08 '23 at 06:50
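
The port-forwarding option from the answer, as an added example that is not part of the original answer or of the setup its author tested: a small Python relay for a machine on the same local network that forwards to the device's port 62078 and, unlike a blind router forward, accepts connections only from the device's own IP. The listen port 16207, both addresses and all function names are constructed placeholders.

```python
import asyncio

LOCKDOWN_PORT = 62078  # lockdownd TCP port named in the question


async def _pump(reader, writer):
    """Copy bytes one way until EOF, then close the destination connection."""
    try:
        while data := await reader.read(65536):
            writer.write(data)
            await writer.drain()
    except (ConnectionError, OSError):
        pass
    finally:
        writer.close()


def make_handler(device_ip, target_port=LOCKDOWN_PORT, allowed=None):
    """Build a handler that relays allowed clients to the device (assumed design)."""
    allowed = {device_ip} if allowed is None else set(allowed)

    async def handle(client_r, client_w):
        peer = client_w.get_extra_info("peername")[0]
        if peer not in allowed:  # refuse every other host on the network
            client_w.close()
            return
        try:
            dev_r, dev_w = await asyncio.open_connection(device_ip, target_port)
        except OSError:  # device unreachable or port closed
            client_w.close()
            return
        await asyncio.gather(_pump(client_r, dev_w), _pump(dev_r, client_w))

    return handle


async def serve(listen_host, listen_port, device_ip, **kw):
    """Start the relay and return the asyncio server object."""
    handler = make_handler(device_ip, **kw)
    return await asyncio.start_server(handler, listen_host, listen_port)


if __name__ == "__main__":
    async def main():
        # Constructed addresses: relay host 192.168.1.10, iOS device 192.168.1.23.
        server = await serve("192.168.1.10", 16207, "192.168.1.23")
        async with server:
            await server.serve_forever()
    asyncio.run(main())
```

The relay only moves bytes; the client still has to speak the lockdown protocol and hold a valid pairing record, which is what the authenticated proxy described in the last comment would manage instead.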