Connect to own device's `lockdownd` from an iOS app


My question in a nutshell: Is there a way to create an iOS app running on an iOS device that can connect to and communicate with its own device's lockdownd?


(For the curious who want to know "the why": I would like to use the connection to lockdownd to trigger the installation of apps in .ipa files on the iOS device that have a "local provisioning profile", i.e. a provisioning profile with the flag LocalProvision set to true which means that over-the-air/OTA installations via a web-based installation are prevented by the operating system.)


A little background: You can connect to an iOS device's lockdownd from a second device either

  1. by letting the second device serve as a USB host for the iOS device or
  2. by establishing a wifi-based TCP connection to the iOS device on port 62078.

By using libraries like libimobiledevice, you can then interact with the iOS device - for example to trigger the installation of an app contained in an .ipa file.


What I have already researched & tried:

  1. According to Jon Gabilondo's very good article Understanding usbmux and the iOS lockdown service, lockdownd creates a UNIX domain socket at /var/run/lockdown.sock - unfortunately however with "privileges 511, which means only root will be able to write to it." (Quote from the article) --> I have therefore not tried accessing/writing to this socket.
  2. lockdownd also opens a TCP endpoint listening on port 62078 in the device's wifi network. --> I have created a small test app that tries to establish a TCP connection to 127.0.0.1:62078. Unfortunately, the connection attempt fails with the error #1 "Operation not permitted". Same when trying to connect to the IPv4 assigned by the wifi's DHCP server to the iOS device.

What other option could be used to establish a connection to an iOS device's lockdownd from within an app running on that device?


There is 1 answer

3
Elist

Yes, connecting to localhost:62078 (or any other IP that resolves to localhost) is not permitted. I'm not sure why Apple decided to do that, as it does not make sense from a security point of view (other devices in the network can connect, so maybe it is just an extra layer of security for situations where Network Device is not enabled).

Also, I assume Apple wouldn't support your use case, as they don't permit 3rd party AppStores (although, some say it may change soon - https://www.gamesindustry.biz/apple-may-allow-third-party-app-stores-on-iphone-in-next-update).

The only viable option I see is to set up some external port-forwarding (can be easily set up on many routers) or have some other sort of proxy. I've actually just tested it, and it works perfectly.

iOS 17 Edit

As of iOS 17 betas, it seems Apple are moving away from usbmuxd/lockdown towards Remote Device Service protocols implemented on top of USB/WiFi network interfaces.

I haven't tried to connect to the new service ports from localhost, but it may be worth a try.
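
The connection test described in the question, written out as an added example (not code from the question or the answer): a POSIX-socket probe that returns the `errno` from `connect()` and classifies it, so a local denial (error #1, `EPERM`) can be told apart from a closed port or an unreachable host. The names `probe_tcp` and `classify_errno` are hypothetical, and grouping `EACCES` with `EPERM` as a local policy denial is an assumption.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

enum probe_result { CONNECTED, POLICY_DENIED, NO_LISTENER, UNREACHABLE, OTHER_ERROR };

/* Map the errno from connect() to what it says about the endpoint. */
enum probe_result classify_errno(int err) {
    switch (err) {
    case 0:            return CONNECTED;
    case EPERM:        /* errno 1, "Operation not permitted", as in the question */
    case EACCES:       return POLICY_DENIED;  /* assumption: treated like EPERM */
    case ECONNREFUSED: return NO_LISTENER;    /* host reachable, nothing listening */
    case ETIMEDOUT: case EHOSTUNREACH: case ENETUNREACH: return UNREACHABLE;
    default:           return OTHER_ERROR;
    }
}

/* Non-blocking TCP connect to an IPv4 literal; returns 0 or the errno seen. */
int probe_tcp(const char *ipv4, unsigned short port, int timeout_ms) {
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(port) };
    if (inet_pton(AF_INET, ipv4, &sa.sin_addr) != 1) return EINVAL;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return errno;
    fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) | O_NONBLOCK);
    int err = connect(fd, (struct sockaddr *)&sa, sizeof sa) == 0 ? 0 : errno;
    if (err == EINPROGRESS) {            /* wait for the handshake to finish */
        struct pollfd p = { .fd = fd, .events = POLLOUT };
        socklen_t len = sizeof err;
        int n = poll(&p, 1, timeout_ms);
        if (n == 0) err = ETIMEDOUT;
        else if (n < 0 || getsockopt(fd, SOL_SOCKET, SO_ERROR, &err, &len) != 0) err = errno;
    }
    close(fd);
    return err;
}

int main(void) {
    int err = probe_tcp("127.0.0.1", 62078, 2000);  /* lockdownd port from the question */
    printf("errno=%d (%s) class=%d\n", err, strerror(err), classify_errno(err));
    return 0;
}
```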