# iOS

> **Skill Level**: Intermediate to Advanced\
> **Prerequisites**: Swift/ObjC basics, iOS security model

## Resources & References

{% embed url="https://martabyte.github.io/ios/hacking/2022/03/13/ios-hacking-en.html" %}

{% embed url="https://dvuln.com/blog/modern-ios-pentesting-no-jailbreak-needed" %}

{% embed url="https://kishorbalan.medium.com/start-your-first-ios-application-pentest-with-me-part-1-1692311f1902" %}

{% embed url="https://inesmartins.github.io/mobsf-ipa-binary-analysis-step-by-step/index.html" %}

## Non-Jailbreak Testing (Recommended)

### Environment Setup

```bash
# Install Xcode command line tools
xcode-select --install

# Install Homebrew packages
brew install libimobiledevice ideviceinstaller ios-deploy

# Install Python tools
pip3 install objection frida-tools

# Check device connection
idevice_id -l
ideviceinfo
```

### IPA Acquisition & Analysis

```bash
# Get IPA from App Store (decrypted)
# https://github.com/majd/ipatool
ipatool auth login -e email@example.com
ipatool download -b com.app.bundleid -o app.ipa

# Extract IPA
unzip app.ipa -d extracted/

# Analyze with MobSF
# https://github.com/MobSF/Mobile-Security-Framework-MobSF
docker run -it --rm -p 8000:8000 opensecurity/mobile-security-framework-mobsf

# Static analysis without device
# https://github.com/AnyByte/app-check
# https://github.com/nicnocquee/apple-mobile-provision-parser
```

### Objection (Non-Jailbreak Runtime Manipulation)

```bash
# Patch IPA with Frida gadget (no jailbreak needed)
objection patchipa --source app.ipa --codesign-signature "Apple Development: email@example.com"

# Install patched IPA
ios-deploy --bundle Payload/App.app

# Connect to running app
objection explore

# Common objection commands
ios hooking list classes
ios hooking list class_methods <ClassName>
ios hooking watch class <ClassName>
ios hooking watch method "-[<ClassName> <selector:>]" --dump-args --dump-return   # full ObjC selector form, e.g. "-[LoginManager login:password:]"

# Disable SSL pinning
ios sslpinning disable

# Dump keychain
ios keychain dump

# List cookies
ios cookies get

# Dump filesystem
ios plist cat <path>
ios nsuserdefaults get

# Bypass jailbreak detection
ios jailbreak disable

# Search for strings in memory
memory search "password" --string

# Dump classes and methods
ios hooking generate simple <ClassName>
```

### Frida Scripting

```javascript
// frida-script.js - SSL Pinning Bypass (NSURLSession delegate hook)
// Based on https://codeshare.frida.re/@dki/ios10-ssl-bypass/

// iOS has no Java runtime: gate on ObjC.available instead of Java.perform()
if (ObjC.available) {
    var NSURLCredential = ObjC.classes.NSURLCredential;
    var resolver = new ApiResolver('objc');
    // Every delegate that implements URLSession:didReceiveChallenge:completionHandler:
    resolver.enumerateMatches('-[* URLSession:didReceiveChallenge:completionHandler:]', {
        onMatch: function(match) {
            Interceptor.attach(match.address, {
                onEnter: function(args) {
                    // args: self, _cmd, session, challenge, completionHandler
                    var challenge = new ObjC.Object(args[3]);
                    // args[4] is a block, not an object, so wrap it with ObjC.Block
                    var completionHandler = new ObjC.Block(args[4]);
                    var originalHandler = completionHandler.implementation;
                    completionHandler.implementation = function(disposition, credential) {
                        // Answer the challenge with a credential built from the server trust
                        // (NSURLSessionAuthChallengeUseCredential == 0)
                        var serverTrust = challenge.protectionSpace().serverTrust();
                        originalHandler(0, NSURLCredential.credentialForTrust_(serverTrust));
                    };
                }
            });
        },
        onComplete: function() {}
    });
} else {
    console.log('Objective-C runtime not available');
}

// Run with: frida -U -f com.app.bundleid -l frida-script.js
// (--no-pause is the default since Frida 16; older versions need the flag)
```

```bash
# Frida basics
frida-ps -Ua                              # List running apps
frida -U -f com.app.bundleid              # Spawn and attach
frida -U "App Name"                       # Attach to running

# Useful Frida scripts
# https://github.com/m0bilesecurity/Frida-Mobile-Scripts
# https://codeshare.frida.re/
```

### Proxy Setup (SSL Pinning Bypass)

```bash
# Install Burp CA on device
# Settings > General > About > Certificate Trust Settings > Enable

# For SSL pinning bypass (without jailbreak)
# Use objection: ios sslpinning disable
# Or patch the app with Frida gadget

# Network interception with mitmproxy
mitmproxy --mode regular --ssl-insecure

# Charles Proxy setup
# Enable SSL Proxying for specific hosts
# Install Charles CA on device
```

## Jailbreak Testing

```bash
# All about Jailbreak & iOS versions
https://www.theiphonewiki.com/wiki/Jailbreak

# OWASP MSTG
https://github.com/OWASP/owasp-mstg

# Jailbreak compatibility list
https://docs.google.com/spreadsheets/d/11DABHIIqwYQKj1L83AK9ywk_hYMjEkcaxpIg6phbTf0/edit#gid=1014970938

# Checklist
https://mobexler.com/checklist.htm#ios

# Jailbreak tools
# checkra1n - iPhone 5s through iPhone X, iOS 12.3+
# https://checkra.in/
checkra1n

# unc0ver - https://unc0ver.dev/
# Taurine - https://taurine.app/
# palera1n - https://palera.in/ (iOS 15+)

# 3UTools for Windows
http://www.3u.com/

# Cydia Repositories
# https://ryleylangus.com/repo
# Liberty Bypass - Jailbreak detection bypass
```

### Jailbroken Device Tools

```bash
# SSH to device (default root password: alpine; change it right after jailbreaking)
ssh root@device_ip

# Install Frida on device
# Add https://build.frida.re to Cydia sources
# Install Frida from Cydia

# SSL Kill Switch 2
# https://github.com/nabla-c0d3/ssl-kill-switch2
# Install .deb on device

# Keychain Dumper
# https://github.com/ptoomey3/Keychain-Dumper
./keychain-dumper

# FLEXible - In-app debugging
# Install from Cydia

# Cycript - Runtime manipulation
cycript -p <pid>
cy# UIApp.keyWindow.rootViewController
```

## Static Analysis

### Binary Analysis

```bash
# Get .ipa and extract
unzip example.ipa
cd Payload/App.app

# Check FairPlay encryption: cryptid 1 = still encrypted (App Store build, must be dumped
# from a device before analysis), cryptid 0 = decrypted
otool -l BINARY | grep -A 4 LC_ENCRYPTION_INFO

# Check PIE (Position Independent Executable)
otool -hv BINARY | grep PIE

# Check ARC (Automatic Reference Counting)
otool -Iv BINARY | grep objc_release

# Check stack canaries
otool -Iv BINARY | grep stack_chk

# List dynamic dependencies
otool -L BINARY

# Dump classes and methods
# https://github.com/DerekSelander/dsdump
dsdump -a BINARY

# Class-dump for Objective-C headers
class-dump -H -o output/ BINARY

# Swift class dump
# https://github.com/nicolo-grazioli/swift-dump
```

### Info.plist Analysis

```bash
# Using plutil (prints both binary and XML plists)
plutil -p Info.plist

# grep only works on XML; IPAs usually ship binary plists, so convert first
plutil -convert xml1 Info.plist

# Check for sensitive configurations
# App Transport Security exceptions
grep -A 10 "NSAppTransportSecurity" Info.plist

# URL schemes
grep -A 5 "CFBundleURLSchemes" Info.plist

# Exported UTIs
grep -A 5 "UTExportedTypeDeclarations" Info.plist

# Background modes
grep -A 5 "UIBackgroundModes" Info.plist

# https://scriptingosx.com/2016/11/editing-property-lists/
```
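The Info.plist checks above as one script. This is an added example, not code from the original page or from any of the tools it lists; it uses Python's plistlib (which reads binary plists directly, so no conversion step is needed) and runs against a constructed sample plist, not a real app's.

```python
# Added example: audit an extracted Info.plist for the ATS exceptions, URL schemes
# and background modes that the grep one-liners above look for.
import plistlib
from typing import Any

def audit_info_plist(data: bytes) -> dict[str, Any]:
    """Return findings from Info.plist bytes (XML or binary format)."""
    info = plistlib.loads(data)
    findings: dict[str, Any] = {"ats": [], "url_schemes": [], "background_modes": []}

    ats = info.get("NSAppTransportSecurity", {})
    if ats.get("NSAllowsArbitraryLoads"):
        findings["ats"].append("NSAllowsArbitraryLoads=true: ATS disabled app-wide")
    if ats.get("NSAllowsArbitraryLoadsInWebContent"):
        findings["ats"].append("NSAllowsArbitraryLoadsInWebContent=true: ATS disabled for web views")
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        if rules.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings["ats"].append(f"{domain}: plain HTTP allowed")
        if rules.get("NSExceptionMinimumTLSVersion", "TLSv1.2") in ("TLSv1.0", "TLSv1.1"):
            findings["ats"].append(f"{domain}: weak minimum TLS {rules['NSExceptionMinimumTLSVersion']}")
        if rules.get("NSExceptionRequiresForwardSecrecy") is False:
            findings["ats"].append(f"{domain}: forward secrecy not required")

    # Custom URL schemes are entry points for deep-link handling, so list them all
    for entry in info.get("CFBundleURLTypes", []):
        findings["url_schemes"].extend(entry.get("CFBundleURLSchemes", []))

    findings["background_modes"] = list(info.get("UIBackgroundModes", []))
    return findings

# Constructed sample (not from a real app): one app-wide and one per-domain ATS exception,
# serialized as a binary plist exactly as an IPA would ship it.
SAMPLE_PLIST = plistlib.dumps({
    "CFBundleIdentifier": "com.example.demo",
    "NSAppTransportSecurity": {
        "NSAllowsArbitraryLoads": True,
        "NSExceptionDomains": {
            "legacy.example.com": {
                "NSExceptionAllowsInsecureHTTPLoads": True,
                "NSExceptionMinimumTLSVersion": "TLSv1.0",
            }
        },
    },
    "CFBundleURLTypes": [{"CFBundleURLSchemes": ["demoapp", "demoapp-auth"]}],
    "UIBackgroundModes": ["fetch", "remote-notification"],
}, fmt=plistlib.FMT_BINARY)

if __name__ == "__main__":
    for key, items in audit_info_plist(SAMPLE_PLIST).items():
        print(key, items)
```

For a real IPA, pass `open("Payload/App.app/Info.plist", "rb").read()` instead of the sample.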

### File System Analysis

```bash
# Interesting locations
/private/var/mobile/Containers/Data/Application/{HASH}/
/private/var/containers/Bundle/Application/{HASH}/
/var/containers/Bundle/Application/{HASH}
/var/mobile/Containers/Data/Application/{HASH}
/var/mobile/Containers/Shared/AppGroup/{HASH}

# SQLite databases
find /var/mobile/Containers/Data/Application/ -name "*.db" 2>/dev/null
find /var/mobile/Containers/Data/Application/ -name "*.sqlite" 2>/dev/null

# Plist files
find /var/mobile/Containers/Data/Application/ -name "*.plist" 2>/dev/null

# Cache and logs
ls -la /var/mobile/Containers/Data/Application/{HASH}/Library/Caches/
ls -la /var/mobile/Containers/Data/Application/{HASH}/tmp/
```

## Dynamic Analysis

### Runtime Inspection

```bash
# Dump decrypted IPA from device
# https://github.com/AloneMonkey/frida-ios-dump
python3 dump.py "App Name"

# Manual IPA extraction (without launching app)
ls -lahR /var/containers/Bundle/Application/ | grep -B 2 -i 'appname'
scp -r root@127.0.0.1:/var/containers/Bundle/Application/{ID} LOCAL_PATH
mkdir Payload
cp -r appname.app/ Payload/
zip -r app.ipa Payload/

# Monitor logs
idevicesyslog | grep "AppName"

# Snapshot inspection (screenshot in memory)
ls /var/mobile/Containers/Data/Application/{HASH}/Library/SplashBoard/Snapshots/
```

### Keychain Extraction

```bash
# With Objection
objection explore
ios keychain dump
ios keychain dump --json output.json

# With keychain-dumper (jailbroken)
./keychain-dumper

# Check keychain accessibility levels
# kSecAttrAccessibleWhenUnlocked - Good
# kSecAttrAccessibleAfterFirstUnlock - Okay
# kSecAttrAccessibleAlways - Bad!
```

### Jailbreak Detection Bypass

```bash
# Using Objection
ios jailbreak disable

# Using Liberty Lite (Cydia)
# Enable for specific app

# Using A-Bypass
# https://repo.co.kr/

# Frida script for jailbreak bypass
# https://codeshare.frida.re/@liangxiaoyi1024/ios-jailbreak-detection-bypass/
```

## Common Vulnerabilities

### Insecure Data Storage

```bash
# Check NSUserDefaults
ios nsuserdefaults get

# Check for cleartext in plist
find . -name "*.plist" -exec grep -l "password\|token\|key" {} \;

# Check SQLite databases
sqlite3 database.db ".tables"
sqlite3 database.db "SELECT * FROM users;"

# Check for hardcoded credentials
strings BINARY | grep -i "api\|key\|secret\|password\|token"
```

### URL Scheme Vulnerabilities

```bash
# List URL schemes
plutil -p Info.plist | grep -A 5 CFBundleURLSchemes   # plutil handles binary plists, plain cat/grep does not

# Test URL schemes
# On device: Safari > myapp://test
# Or programmatically

# Check for deep link injection
frida -U "AppName" -e 'ObjC.classes.UIApplication.sharedApplication().openURL_(ObjC.classes.NSURL.URLWithString_("myapp://inject"))'
```

### Clipboard Vulnerabilities

```bash
# Monitor clipboard with Frida
frida -U "AppName" -e 'console.log(ObjC.classes.UIPasteboard.generalPasteboard().string().toString())'

# Check if sensitive data copied to clipboard
# Look for password fields with copy enabled
```

### Binary Protections Check

```bash
# Use MobSF or manual checks
# PIE: otool -hv binary | grep PIE
# ARC: otool -Iv binary | grep objc_release
# Stack Canaries: otool -Iv binary | grep stack_chk
# Encrypted: otool -l binary | grep cryptid

# Missing protections = easier exploitation
```
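One script that answers the same questions as the otool one-liners in the Binary Analysis and Binary Protections Check sections (PIE flag, LC_ENCRYPTION_INFO cryptid, canary and ARC symbols), usable on Linux where otool is absent. This is an added example, not code from the page or from MobSF; it runs on a constructed Mach-O sample, the symbol-name search is a heuristic standing in for `otool -Iv`, and only the first slice of a fat binary is inspected.

```python
# Added example: minimal Mach-O (arm64) protection check.
import struct

MH_MAGIC_64, MH_PIE = 0xFEEDFACF, 0x200000
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C
FAT_MAGIC = 0xCAFEBABE  # fat header and fat_arch entries are big-endian

def check_macho(data: bytes) -> dict:
    """Inspect one 64-bit slice (or the first slice of a fat binary)."""
    if struct.unpack(">I", data[:4])[0] == FAT_MAGIC:
        # fat_header (magic, nfat_arch) then fat_arch: cputype, cpusubtype, offset, size, align
        offset, size = struct.unpack(">II", data[16:24])
        data = data[offset:offset + size]
    # mach_header_64: magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags, reserved
    magic, _, _, _, ncmds, _, flags, _ = struct.unpack("<8I", data[:32])
    if magic != MH_MAGIC_64:
        raise ValueError("not a 64-bit little-endian Mach-O")
    cryptid = None
    pos = 32
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, pos)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            # encryption_info_command: cmd, cmdsize, cryptoff, cryptsize, cryptid
            cryptid = struct.unpack_from("<I", data, pos + 16)[0]
        pos += cmdsize
    return {
        "pie": bool(flags & MH_PIE),
        "encrypted": cryptid == 1,                      # cryptid 1 = FairPlay-encrypted, dump first
        "stack_canary": b"___stack_chk_fail" in data,   # symbol-name heuristic (cf. otool -Iv)
        "arc": b"_objc_release" in data,
    }

def build_sample(pie: bool, cryptid: int) -> bytes:
    """Constructed, not a real binary: header + one LC_ENCRYPTION_INFO_64 + fake string table."""
    flags = MH_PIE if pie else 0
    header = struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, 1, 24, flags, 0)
    enc = struct.pack("<6I", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x8000, cryptid, 0)
    return header + enc + b"\x00___stack_chk_fail\x00_objc_release\x00"

def wrap_fat(slice_bytes: bytes) -> bytes:
    """Constructed fat wrapper: one arm64 slice at offset 28 (8-byte header + 20-byte fat_arch)."""
    return struct.pack(">II", FAT_MAGIC, 1) + struct.pack(">5I", 0x0100000C, 0, 28, len(slice_bytes), 0) + slice_bytes

if __name__ == "__main__":
    print(check_macho(build_sample(pie=True, cryptid=1)))
```

For a real binary, call `check_macho(open("Payload/App.app/App", "rb").read())`; a missing `pie`, `stack_canary` or `arc` is the finding, and `encrypted` True means the otool output will be meaningless until the binary is dumped from a device.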

## Tools Summary

| Tool            | Purpose                        | Jailbreak Required    |
| --------------- | ------------------------------ | --------------------- |
| Objection       | Runtime manipulation, patching | No                    |
| Frida           | Dynamic instrumentation        | No (with patched IPA) |
| MobSF           | Static analysis                | No                    |
| ipatool         | IPA download                   | No                    |
| Keychain-dumper | Keychain extraction            | Yes                   |
| SSL Kill Switch | SSL pinning bypass             | Yes                   |
| Cycript         | Runtime exploration            | Yes                   |
| class-dump      | Header extraction              | No                    |

## iOS 17-18 Security Changes

### New Security Features

```bash
# iOS 17+ Security Enhancements
# ================================

# 1. Lockdown Mode Enhancements
# - Blocks most message attachment types
# - Disables JIT compilation in Safari
# - Blocks incoming FaceTime from unknown contacts
# - Blocks wired connections when locked
# Cannot bypass without physical access and passcode

# 2. App Privacy Enhancements
# - Sensitive Content Analysis on-device
# - Enhanced Link Tracking Protection
# - Communication Safety expansions

# 3. Passkey Improvements
# - Automatic passkey upgrades from passwords
# - Passkey sharing via AirDrop
# - Cross-platform passkey sync
```

### Testing Considerations

```bash
# iOS 17+ Proxy Setup
# Safari requires additional trust for custom CA certificates
# Settings → General → About → Certificate Trust Settings → Enable full trust

# Lockdown Mode Detection
# Check if lockdown mode is enabled
frida -U "AppName" -e '
var mode = ObjC.classes.BMSystemContainer.currentSystemContainer().lockdownModeEnabled();
console.log("Lockdown Mode: " + mode);
'

# iOS 18 Specific
# Enhanced app sandboxing
# Per-app network proxy settings possible
# Improved keychain protection

# SSL Pinning in iOS 17+
# App Transport Security more strictly enforced
# Check ATS exceptions in Info.plist
plutil -p Info.plist | grep -A 20 NSAppTransportSecurity

# Many apps now use Certificate Transparency
# Consider CT log bypass techniques
```

### iOS 18 New Protections

```bash
# Contact Key Verification
# Prevents MITM on iMessage
# Cannot intercept verified conversations

# Secure Boot Improvements
# Stronger chain of trust verification
# SEP (Secure Enclave Processor) updates

# App Intents & Shortcuts Privacy
# More granular permissions for automation

# Testing on iOS 18
# 1. Check for new entitlements in binary
codesign -d --entitlements :- Payload/App.app/App 2>&1

# 2. Review privacy manifest requirements
# Apps must declare data usage in PrivacyInfo.xcprivacy
find . -name "PrivacyInfo.xcprivacy" -exec cat {} \;

# 3. Required Reason APIs
# Apps must declare why they use certain APIs
# Fingerprinting APIs now require justification
```

### Bypassing New Protections

```bash
# iOS 17+ Jailbreak Status
# Check current jailbreak availability
# Dopamine, Palera1n for A11 and earlier
# No public jailbreak for A12+ on iOS 17+

# Non-Jailbreak Testing Focus
# Objection + patched IPA remains primary method
# Focus on static analysis when dynamic not possible

# Frida Gadget Injection
# Works without jailbreak
objection patchipa --source app.ipa --codesign-signature "YOUR_SIGNATURE"

# Runtime Manipulation
# iOS 17+ has improved integrity checks
# May need to bypass more integrity validations
frida -U "AppName" -e '
Interceptor.attach(ObjC.classes.PKTrustSettings["- evaluateTrust:"].implementation, {
  onLeave: function(retval) {
    retval.replace(0x1);  // Trust all
  }
});
'
```

