Arcane is a simple script designed to backdoor iOS packages (iphoneos-arm) and create the necessary resources for APT repositories. It was created for this publication to help illustrate why untrusted Cydia repositories can be dangerous and what post-exploitation attacks are possible from a compromised iOS device.

How Arcane works

To understand what's happening in the GIF, unpack a package created with Arcane. dpkg-deb -R extracts both the file system payload and the package's control information (the latter into a DEBIAN directory).

dpkg-deb -R /tmp/cydia/whois_5.3.2-1_iphoneos-arm_BACKDOORED.deb /tmp/whois-decomp

Notice the control and postinst files in the DEBIAN directory. Both files are important.

tree /tmp/whois-decomp/
/tmp/whois-decomp/
├── DEBIAN
│   ├── control
│   └── postinst
└── usr
    └── bin
        └── whois

A package can ship scripts that dpkg runs when the package is installed or removed. These package maintainer scripts are the preinst, postinst, prerm, and postrm files. Arcane takes advantage of the postinst file to execute commands during installation. Because dpkg runs maintainer scripts with root privileges (on a jailbroken device, Cydia invokes dpkg as root), whatever Arcane places in postinst executes as root as soon as the user installs the package, before the user has run the backdoored binary at all.

# The "post-installation" file. This file is generally responsible
# for executing commands on the....
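The check a practitioner wants here is the reverse of what Arcane does: before installing a .deb from a third-party repository, pull its control tarball apart and list any maintainer scripts it carries. The following is an added example, not code from the original page or from Arcane. It builds a small .deb in pure Python (an ar archive holding debian-binary, control.tar.gz and data.tar.gz, which is the layout dpkg-deb produces) so that the audit can be run offline, then parses it back and returns every preinst/postinst/prerm/postrm script it finds. The package name, version and the one-line postinst body are constructed sample data, not Arcane's actual payload.

```python
import io
import tarfile

# Example code; the control text and postinst below are constructed samples.
AR_MAGIC = b"!<arch>\n"
MAINTAINER_SCRIPTS = ("preinst", "postinst", "prerm", "postrm")


def _ar_member(name: str, data: bytes) -> bytes:
    """Serialize one member of a classic ar archive (60-byte header + body)."""
    header = (name.ljust(16) + "0".ljust(12) + "0".ljust(6) + "0".ljust(6)
              + "100644".ljust(8) + str(len(data)).ljust(10) + "`\n").encode()
    assert len(header) == 60
    pad = b"\n" if len(data) % 2 else b""   # ar bodies are padded to an even size
    return header + data + pad


def _tar_gz(files) -> bytes:
    """Pack (name, content, mode) triples into a gzip-compressed tarball."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, content, mode in files:
            info = tarfile.TarInfo(name)
            info.size = len(content)
            info.mode = mode
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def build_deb(control_text: str, maintainer_scripts: dict, data_files: dict) -> bytes:
    """Assemble a minimal binary .deb: debian-binary, control.tar.gz, data.tar.gz."""
    control_files = [("./control", control_text.encode(), 0o644)]
    for name, body in maintainer_scripts.items():
        control_files.append(("./" + name, body.encode(), 0o755))
    data = [("./" + path, content, 0o755) for path, content in data_files.items()]
    return (AR_MAGIC
            + _ar_member("debian-binary", b"2.0\n")
            + _ar_member("control.tar.gz", _tar_gz(control_files))
            + _ar_member("data.tar.gz", _tar_gz(data)))


def _ar_members(blob: bytes):
    """Yield (name, body) for each member of an ar archive."""
    if blob[:8] != AR_MAGIC:
        raise ValueError("not an ar archive (bad magic)")
    off = 8
    while off + 60 <= len(blob):
        hdr = blob[off:off + 60]
        name = hdr[:16].decode().strip().rstrip("/")   # GNU ar appends '/'
        size = int(hdr[48:58].decode().strip())
        yield name, blob[off + 60:off + 60 + size]
        off += 60 + size + (size % 2)


def audit_deb(blob: bytes) -> dict:
    """Return {script name: script text} for every maintainer script in the .deb.

    An empty dict means the package runs nothing at install/remove time; anything
    else deserves a read before the package is handed to dpkg.
    """
    found = {}
    for name, body in _ar_members(blob):
        if not name.startswith("control.tar"):
            continue
        with tarfile.open(fileobj=io.BytesIO(body), mode="r:*") as tf:
            for member in tf.getmembers():
                base = member.name.split("/")[-1]
                if member.isfile() and base in MAINTAINER_SCRIPTS:
                    found[base] = tf.extractfile(member).read().decode()
    return found


# Constructed sample package: a harmless postinst standing in for Arcane's payload.
SAMPLE_CONTROL = "Package: whois\nVersion: 5.3.2-1\nArchitecture: iphoneos-arm\n"
SAMPLE_POSTINST = "#!/bin/sh\necho 'postinst ran as' \"$(id -un)\"\n"


def demo() -> dict:
    deb = build_deb(SAMPLE_CONTROL, {"postinst": SAMPLE_POSTINST},
                    {"usr/bin/whois": b"#!/bin/sh\necho whois stub\n"})
    return audit_deb(deb)


if __name__ == "__main__":
    for script, text in demo().items():
        print(f"--- {script} ---\n{text}")
```

audit_deb only reads the archive; it never runs dpkg, so it is safe to point at any downloaded package. Note that a clean result is not proof of safety (the payload can equally live in the binary under usr/bin), but a postinst in a package that has no business configuring anything is the first thing to look at.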