|
|
||
| if not os.path.isdir(script_dir): | ||
| raise FileNotFoundError( | ||
| "Expected subfolder 'frida-ios-hook' not found at: {}".format(script_dir) |
f-string is easier to read, write, and less computationally expensive than legacy string formatting. Explained here.
| try: | ||
| if not os.path.exists(folder_path): | ||
| os.makedirs(folder_path) | ||
| print("[+] Created workspace folder: {}".format(folder)) |
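Review bot: The os.path.exists(folder_path) test followed by os.makedirs(folder_path) is a check-then-create sequence: if the folder appears between the two calls, makedirs raises FileExistsError, and if a regular file already sits at that path, exists() is true and the folder is never created. Call os.makedirs(folder_path, exist_ok=True) and use os.path.isdir(folder_path) where the "Created" versus "already exists" message has to be chosen.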
Similarly, consider using f-string instead.
| os.makedirs(folder_path) | ||
| print("[+] Created workspace folder: {}".format(folder)) | ||
| else: | ||
| print("[*] Workspace folder already exists: {}".format(folder)) |
Again, consider using f-string instead.
| else: | ||
| print("[*] Workspace folder already exists: {}".format(folder)) | ||
| except Exception as e: | ||
| print("[!] Warning: Could not create folder '{}': {}".format(folder, e)) |
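Review bot: The except Exception as e clause on the third line of this hunk catches far more than filesystem failures, and the handler shown only prints a warning. Narrow it to OSError so unrelated bugs are not reported as "Could not create folder", and decide whether a missing workspace folder should stop setup rather than be logged and ignored.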
Likewise, consider using f-string instead.
| else: | ||
| print("[*] Workspace folder already exists: workspaces/dumps") | ||
| except Exception as e: | ||
| print("[!] Warning: Could not create folder 'workspaces/dumps': {}".format(e)) |
Same as above: Consider using f-string instead.
| return | ||
|
|
||
| if not os.path.exists(hook_json_env): | ||
| print("[!] Warning: 'hook.conf.default' not found at: {}".format(hook_json_env)) |
As above, consider using f-string instead.
| else: | ||
| print("[*] hook.conf already exists, skipping initialization") | ||
| except Exception as e: | ||
| print("[!] Warning: Could not initialize hook.conf: {}".format(e)) |
Same as above: Consider using f-string instead.
Cursor Bugbot has reviewed your changes and found 4 potential issues.
| script.load() | ||
| device.resume(pid) | ||
| logger.info("[*] Hook loaded, press Ctrl+C to exit.") | ||
| sys.stdin.read() |
Dead code uses undefined variable after error
High Severity
The else branch for the app-static method logs "Script not found!" but then attempts to spawn an app using options.package, which isn't guaranteed to be set in this code path (the condition only requires options.name). Additionally, the code tries to open(method, 'r') on line 386, but this branch is only reached when os.path.isfile(method) is false, meaning the file doesn't exist. This will cause either a NoneType error when spawning or a FileNotFoundError when opening the file.
frida-ios-hook/core/utils/config.py
Outdated
| break | ||
| elif not iproxy_device_port.isdigit(): | ||
| logger.error("[x_x] Please enter valid port number.") | ||
| iproxy_start = input('[?] Do you want start iproxy 2222 {} (yes/no): '.format(iproxy_device_port)) |
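Review bot: The iproxy_device_port.isdigit() test in the elif is not a port check, since it accepts "0", "99999" and non-ASCII digit characters. Convert the value with int() and require it to fall between 1 and 65535 before it is formatted into the iproxy prompt on the last line.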
Invalid port input continues without loop restart
Medium Severity
When a user enters a non-digit port number, the error message is printed at line 162, but there's no continue statement to restart the loop. The code falls through to line 163, which prompts "Do you want start iproxy 2222 {invalid_port}" with the invalid input value. This could lead to attempting to start iproxy with an invalid port parameter.
| var Log = Java.use("android.util.Log"); | ||
| Log.v("FACEBOOK_SSL_PINNING_BYPASS", message); | ||
| }); | ||
| } |
Android script added to iOS-only repository
High Severity
The facebook.js script uses Android-specific Frida APIs (Java.perform, Java.use, android.util.Log) which don't exist on iOS. When loaded on iOS, line 113 calls logger() which invokes Java.perform(), causing a ReferenceError: Java is not defined and crashing the script immediately. This file was placed in frida-ios-hook/frida-scripts/ which is meant for iOS scripts, but the code is actually for Android Facebook app bypasses.
frida-ios-hook/core/utils/config.py
Outdated
| break | ||
| elif not iproxy_device_port.isdigit(): | ||
| logger.error("[x_x] Please enter valid port number.") | ||
| iproxy_start = input('[?] Do you want start iproxy 2222 {} (yes/no): '.format(iproxy_device_port)) |
User's custom port ignored when confirmed
Medium Severity
When the user enters a custom device port and the prompt asks "Do you want start iproxy 2222 {user_port} (yes/no)", answering "yes" starts iproxy with hard-coded port 22 instead of the user-provided iproxy_device_port. Line 163 correctly formats the confirmation prompt with the user's port, but line 168 ignores it entirely and uses " 22" directly. The user's custom port is only used in the "no" branch (lines 177, 183) and the "else" branch (line 191).
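The two iproxy findings above (no loop restart on invalid input, and the confirmed port being ignored at launch) share one fix, sketched here as an added example that is not code from the PR or the project. The function names, the retry limit and the default of 22 for empty input are assumptions; the argv layout mirrors the "iproxy 2222 {port}" prompt quoted in the review.

```python
import shlex

LOCAL_PORT = 2222         # local side, taken from the prompt text quoted above
DEFAULT_DEVICE_PORT = 22  # assumption: device SSH port used when input is empty


def parse_port(text):
    """Return a TCP port as int, or None when text is not a usable port."""
    text = text.strip()
    # str.isdigit() alone also accepts "0", "99999" and non-ASCII digits ("²")
    if not (text.isascii() and text.isdigit()):
        return None
    port = int(text)
    return port if 1 <= port <= 65535 else None


def ask_device_port(read=input, max_tries=3):
    """Prompt until a valid port arrives; bad input never leaves this loop."""
    for _ in range(max_tries):
        raw = read("[?] Device port (empty for default): ")
        if raw.strip() == "":
            return DEFAULT_DEVICE_PORT
        port = parse_port(raw)
        if port is not None:
            return port
        print("[x_x] Please enter valid port number.")
        continue  # restart the prompt instead of falling through
    raise ValueError("no valid port entered")


def iproxy_argv(device_port, local_port=LOCAL_PORT):
    """One source of truth: the prompt and the launch use the same argv."""
    return ["iproxy", str(local_port), str(device_port)]


def confirm_and_build(device_port, read=input):
    """Return the argv to launch on 'yes', or None on any other answer."""
    argv = iproxy_argv(device_port)
    answer = read(f"[?] Do you want start {shlex.join(argv)} (yes/no): ")
    return argv if answer.strip().lower() in ("yes", "y") else None
```

Passing the returned list to subprocess without a shell keeps the validated port as a single argument.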
Bumps [paramiko](https://github.com/paramiko/paramiko) from 2.11.0 to 3.3.1. - [Commits](paramiko/paramiko@2.11.0...3.3.1) --- updated-dependencies: - dependency-name: paramiko dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [tqdm](https://github.com/tqdm/tqdm) from 4.64.1 to 4.66.1. - [Release notes](https://github.com/tqdm/tqdm/releases) - [Commits](tqdm/tqdm@v4.64.1...v4.66.1) --- updated-dependencies: - dependency-name: tqdm dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
* Bump to 3.9 (#98) * Bump paramiko from 2.11.0 to 3.3.1 Bumps [paramiko](https://github.com/paramiko/paramiko) from 2.11.0 to 3.3.1. - [Commits](paramiko/paramiko@2.11.0...3.3.1) --- updated-dependencies: - dependency-name: paramiko dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> * Bump tqdm from 4.64.1 to 4.66.1 Bumps [tqdm](https://github.com/tqdm/tqdm) from 4.64.1 to 4.66.1. - [Release notes](https://github.com/tqdm/tqdm/releases) - [Commits](tqdm/tqdm@v4.64.1...v4.66.1) --- updated-dependencies: - dependency-name: tqdm dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> * add backtrace to hooking.js * optimize hook.py * update readme * update setup.py * update requirements * update requirements * update changelog * update readme --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: noobpk <> * Bump tqdm from 4.64.1 to 4.66.1 Bumps [tqdm](https://github.com/tqdm/tqdm) from 4.64.1 to 4.66.1. - [Release notes](https://github.com/tqdm/tqdm/releases) - [Commits](tqdm/tqdm@v4.64.1...v4.66.1) --- updated-dependencies: - dependency-name: tqdm dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: lethanhphuc <31820707+noobpk@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…e input validation
…, and SSH connection handling. Refactor script loading and error handling for better stability. Add new Frida scripts for SSL pinning bypass in Facebook and Instagram apps.
…nning bypass scripts for Facebook and Instagram, improved SSH handling in the CLI, and better usage examples.
…ida-tools version 12.2.1, addressing the ObjC not defined issue.
…tallation instructions; refactor main usage message in hook.py to direct users to the new wiki.
…dd new WIKI.md for comprehensive documentation on installation, usage, and quick methods for frida-ios-hook.
…connection, process spawning, and script attachment. Refactor code to improve readability and maintainability, ensuring consistent logging across different methods of attaching scripts.
…upport. Introduce functions for detecting icon size, computing icon width, and rendering icons. Update get_applications to handle scope, improving application enumeration. Adjust output formatting to include icons when available.
…ling. Introduce output directory option for dumped IPAs, ensure proper file permissions for SCP access, and implement error handling for file retrieval methods. Update generate_ipa function to support custom output paths and verify IPA creation success.
…de dumps and workspace directories, and enhance documentation in README and WIKI.md. Introduce new README for hexbytescan-tasks with task descriptions.
…s', ensuring proper directory structure for output files.
…e hook.json and workspaces directory.
…r configuration, and update .gitignore to reflect changes.
…redential variable for clarity, and update config.py to reflect changes in configuration structure. Add command-line option to open hook.conf with the default editor based on the operating system.
…ok.conf file; enhance help documentation in hook.py for clarity.
…s and improve stability. Update user prompts for SSH connection and enhance logging for better clarity. Modify iproxy start prompt in config.py to reflect dynamic port input.
…attachment for cleaner output. Add new Frida scripts for random device ID generation and displaying device identifiers.
…ories for output files. Update hook.py to support custom output directory for dumped IPAs via new command-line option. Modify WIKI.md to reflect changes in output directory structure and usage instructions.
…output directory for dumped IPAs, new command-line option for custom output paths, and documentation updates in WIKI.md regarding these changes.
…features such as default output directory for dumped IPAs, custom output options, and enhancements to the iOSHook CLI. Document changes in usage examples and improve overall clarity in the README.
|
|
||
| if not os.path.isdir(script_dir): | ||
| raise FileNotFoundError( | ||
| "Expected subfolder 'frida-ios-hook' not found at: {}".format(script_dir) |
f-string is easier to read, write, and less computationally expensive than legacy string formatting. More details.
| try: | ||
| if not os.path.exists(folder_path): | ||
| os.makedirs(folder_path) | ||
| print("[+] Created workspace folder: {}".format(folder)) |
Similarly, consider using f-string instead.
| os.makedirs(folder_path) | ||
| print("[+] Created workspace folder: {}".format(folder)) | ||
| else: | ||
| print("[*] Workspace folder already exists: {}".format(folder)) |
As above, consider using f-string instead.
| else: | ||
| print("[*] Workspace folder already exists: {}".format(folder)) | ||
| except Exception as e: | ||
| print("[!] Warning: Could not create folder '{}': {}".format(folder, e)) |
Similarly, consider using f-string instead.
| else: | ||
| print("[*] Workspace folder already exists: workspaces/dumps") | ||
| except Exception as e: | ||
| print("[!] Warning: Could not create folder 'workspaces/dumps': {}".format(e)) |
Same as above: Consider using f-string instead.
| return | ||
|
|
||
| if not os.path.exists(hook_json_env): | ||
| print("[!] Warning: 'hook.conf.default' not found at: {}".format(hook_json_env)) |
Same as above: Consider using f-string instead.
| else: | ||
| print("[*] hook.conf already exists, skipping initialization") | ||
| except Exception as e: | ||
| print("[!] Warning: Could not initialize hook.conf: {}".format(e)) |
Similarly, consider using f-string instead.


[Release 3.11] - 2025-02-01
Added
workspaces/dumps for decrypted IPA (created by setup).
--dump-output-dir DIR: Custom output directory for dumped IPA (CLI and hook.py).
workspaces and workspaces/dumps when running python3 setup.py.
--ssh-port-forward to forward port from local to device (ssh -R).

Changed
frida-ios-hook/workspaces/dumps by default instead of ./dumps (no longer depends on CWD).
core/utils/dump.py): DUMP_OUTPUT_DIR set from script location (hook_root/workspaces/dumps).
IPA output dir: workspaces/dumps).
-o/--output, --dump-output-dir, and that setup creates workspaces/dumps.
--shell/--ssh with better SSH connection handling.

Note
Medium Risk
Touches core dump/SSH workflows and Frida spawn/attach behavior; mistakes could break dumping, SSH access, or CLI usage across platforms, though changes are mostly additive and defensive.
Overview
Bumps project to 3.11 and standardizes dump artifacts under frida-ios-hook/workspaces/dumps (created by setup.py), adding --dump-output-dir to override the dumped IPA destination.

Enhances the CLI with clearer help text and new operational flags: --conf to open hook.conf, --network/--local to choose SSH transport, and --ssh-port-forward for remote port forwarding; also adds optional sshpass-backed non-interactive SSH using default credentials from config.

Refactors dumping and hook execution for stability: core/utils/dump.py now creates/uses a deterministic output dir, improves error/crash handling and anti-debugging mitigation, and hardens SCP retrieval (permissions fixes and /tmp fallback), while methods/dump.js writes dumped files with readable permissions to avoid SCP failures. Documentation and dependencies are updated accordingly (new WIKI.md, README options table, pinned frida==16.1.4/frida-tools==12.2.1, and new SSL pinning bypass scripts).

Written by Cursor Bugbot for commit fae5532. This will update automatically on new commits. Configure here.