Signing IPA with TrollStore (Non-jailbroken)

TrollStore

For some iOS versions it is possible to permanently install IPAs even on a non-jailbroken device, due to a bug in CoreTrust. The vulnerability is a logical flaw in how the certificate of an IPA is processed, which can trick iOS into installing applications as system apps; once installed, they remain on the device and can be used indefinitely. It is even possible to add various entitlements that normally aren't available to third-party apps, including entitlements reserved for system apps. Unfortunately, a few entitlements still cannot be given to an app installed via TrollStore, namely com.apple.private.es.debugger, dynamic-codesigning and com.apple.private.skip-library-validation, which means TrollStore cannot be used to inject into other apps. This is a real limitation, as injection is a requirement for many tweaks, including frida-server.

  • The vulnerability exists in iOS 14.0 - 15.4.1

More information can be found at:

  • TrollStore
  • CoreTrust
