Skip to main content

Install Apps on Non-Jailbroken Devices with Sideloadly

Since non-jailbroken devices enforce stricter code signature verfication, meaning the application needs to be signed with a valid Apple Developer account, we can't get away with just simply fake signing the application.

Fortunately, you can obtain an Apple Developer account for free which Sideloadly then utilizes to resign your application with. This method allows you take an unencrypted application, regardless of the existing signature, to install and run on a non-jailbroken iOS device.

Prequisities

  • You are working on a macOS workstation.

  • Sideloadly, Xcode, and USBFlux are installed.

  • Access to a free Apple Account.

  • Local network access to virtual iOS devices in order to a establish USB connection with USBFlux.

  • The target app trying to be installed needs to unencrypted. The existing signature applied to the app shouldn't matter as long as it's not encrypted. Meaning, this method will not work with apps downloaded from the App Store because they are encrypted.

Setup and Sideload

  1. Run Xcode. In order to use a free Apple account for signing, go to Xcode SettingsAccounts → click the + in the bottom left hand corner and click Apple ID and add your account details. Once finished, you should see your Apple account appear under Apple IDs when under Accounts.

    Next, we need to generate the certificate used for signing. When in Xcode Settings in the Accounts tab, click your newly created team for the Apple ID you just added, then click Manage Certificates. If you don't see a Apple Development Certificate here, click the + in the bottom left hand corner to create one.

    Manage certs in Xcode

  2. After generating that certificate, you should now be able to reference your Apple ID when in the Sideloadly GUI after choosing the Apple ID Sideload option.

  3. Start USBFlux. If you're using the on-site version, open the settings for USBFlux and plug in the hostname value used to access the Corellium web interface. Enter domain login credentials.

  4. If you have active iOS devices in the domain and your workstation is the same network as your devices, you should see devices appearing on the remote when in USBFlux UI.

    You can also use idevice_id to list USB connected devices, which comes from libimobiledevice:

    neriksen ~  $ idevice_id
    00008030-000E782801EB802E (USB)
    fff7c:c5:37:5a:30:6efff (Network)
    fff7c:c5:37:ad:a3:d7fff (Network)
    fff7c:c5:37:cf:84:c9fff (Network)
    00008110-A41EE93728B9246A (USB)
    00008110-81B0A0DB781A6CC6 (USB)
    56d2a27f6a378963502dd9988d4b763d73336617 (USB)

  5. Going back to Sideloadly, the iDevice selection should show USB connected devices. Select the target USB connected iOS device and select the app to sideload. Clicking Advanced Options shows the different signing methods. We're going to choose the Apple ID sideload option. Then click Start. Enter your Apple ID credentials if the prompt appears.

  6. Once started, Sideloadly will unpack, resign using your free Apple account, then attempt to upload and install the .ipa to the USB connected device. This process can take some time.

  7. Once the app installs on the device, you need to manually trust the certificate used for signing. Open the iOS Setting app → GeneralVPN & Device Management. The profile should appear under Developer App, ensure that it's trusted. The app will not run if this is not done.

  8. Launch the app on the device, you should now see in the device console the code signature is validated and the app should run unless there's another issue causing app to not run.

    AMFI: profile validated the code signature

Limitations & Expectations

  • App ID Limit: You can sideload up to 10 unique App IDs using a free Apple ID, which resets every 4 days. Each App ID corresponds to a unique bundle identifier (e.g., com.example.myapp).

  • Device UDID Limit: Free Apple accounts are limited to 3 unique iOS device UDIDs per 7-day period. Once you sideload to a device, that UDID is registered to your account for 7 days.

    To work around this, sideload to a virtual iOS device with a legacy-format UDID (40-character hex from pre-iPhone X devices), save it, then repeat the process using a modern-format UDID (UUID-style from post-iPhone X devices). Apply the registered UDIDs to new devices as needed.

  • Connection Requirement: Sideloading to a virtual iOS device must be done over a USB connection.

  • App Stability: Even after successfully re-signing and installing the app using a free Apple Developer account, the app may still crash on launch. This is often due to additional protections like VM detection not signing-related issues.

Troubleshoot

If you see issues when trying to sideload your app to a virtual iOS device:

  • If you're connecting to the Corellium VPN, try restarting the connection.

  • Restart the USBFlux connection, force killing the entire process and restarting sometimes helps.

  • Ensure you are using the USB connection for the virtual iOS device.

  • If you continue to see issues trying to sideload, try creating a fresh iOS device to see if the issue persists.