# iOS

> **Skill Level**: Intermediate to Advanced\
> **Prerequisites**: Swift/ObjC basics, iOS security model

## Resources & References

{% embed url="https://martabyte.github.io/ios/hacking/2022/03/13/ios-hacking-en.html" %}

{% embed url="https://dvuln.com/blog/modern-ios-pentesting-no-jailbreak-needed" %}

{% embed url="https://kishorbalan.medium.com/start-your-first-ios-application-pentest-with-me-part-1-1692311f1902" %}

{% embed url="https://inesmartins.github.io/mobsf-ipa-binary-analysis-step-by-step/index.html" %}

## Non-Jailbreak Testing (Recommended)

### Environment Setup

```bash
# Install Xcode command line tools
xcode-select --install

# Install Homebrew packages
brew install libimobiledevice ideviceinstaller ios-deploy

# Install Python tools
pip3 install objection frida-tools

# Check device connection
idevice_id -l
ideviceinfo
```

### IPA Acquisition & Analysis

```bash
# Get IPA from App Store (decrypted)
# https://github.com/majd/ipatool
ipatool auth login -e email@example.com
ipatool download -b com.app.bundleid -o app.ipa

# Extract IPA
unzip app.ipa -d extracted/

# Analyze with MobSF
# https://github.com/MobSF/Mobile-Security-Framework-MobSF
docker run -it --rm -p 8000:8000 opensecurity/mobile-security-framework-mobsf

# Static analysis without device
# https://github.com/AnyByte/app-check
# https://github.com/nicnocquee/apple-mobile-provision-parser
```

### Objection (Non-Jailbreak Runtime Manipulation)

```bash
# Patch IPA with Frida gadget (no jailbreak needed)
objection patchipa --source app.ipa --codesign-signature "Apple Development: email@example.com"

# Install patched IPA
ios-deploy --bundle Payload/App.app

# Connect to running app
objection explore

# Common objection commands
ios hooking list classes
ios hooking list class_methods <ClassName>
ios hooking watch class <ClassName>
ios hooking watch method "<ClassName> <methodName>" --dump-args --dump-return

# Disable SSL pinning
ios sslpinning disable

# Dump keychain
ios keychain dump

# List cookies
ios cookies get

# Dump filesystem
ios plist cat <path>
ios nsuserdefaults get

# Bypass jailbreak detection
ios jailbreak disable

# Search for strings in memory
memory search "password" --string

# Dump classes and methods
ios hooking generate simple <ClassName>
```

### Frida Scripting

```javascript
// frida-script.js - SSL Pinning Bypass (NSURLSession delegate variant)
// https://codeshare.frida.re/@dki/ios10-ssl-bypass/
// Note: Java.perform() is Frida's Android bridge and throws on iOS; iOS scripts
// use the ObjC bridge directly, so the body runs at top level.

if (ObjC.available) {
    // Every class implementing the NSURLSession auth-challenge delegate callback
    var resolver = new ApiResolver('objc');
    resolver.enumerateMatches('-[* URLSession:didReceiveChallenge:completionHandler:]', {
        onMatch: function (match) {
            // Replace the delegate method so the app's own pinning logic never runs.
            // Arguments: self, _cmd, session, challenge, completionHandler (a block)
            Interceptor.replace(match.address, new NativeCallback(function (self, sel, session, challenge, handler) {
                // Block_literal layout: isa(8) flags(4) reserved(4) invoke(8) ...
                // so the block's function pointer sits at offset 16
                var invoke = new NativeFunction(handler.add(16).readPointer(), 'void', ['pointer', 'int', 'pointer']);
                // 1 == NSURLSessionAuthChallengePerformDefaultHandling: the OS trust
                // store (where the proxy CA was installed) decides instead of the app
                invoke(handler, 1, NULL);
            }, 'void', ['pointer', 'pointer', 'pointer', 'pointer', 'pointer']));
        },
        onComplete: function () {}
    });
}

// Run with: frida -U -f com.app.bundleid -l frida-script.js --no-pause
// Caveat: this also short-circuits non-TLS challenges (client certs, HTTP auth)
// routed through the same delegate; narrow the class pattern if the app uses them.
```

```bash
# Frida basics
frida-ps -Ua                              # List running apps
frida -U -f com.app.bundleid              # Spawn and attach
frida -U "App Name"                       # Attach to running

# Useful Frida scripts
# https://github.com/m0bilesecurity/Frida-Mobile-Scripts
# https://codeshare.frida.re/
```

### Proxy Setup (SSL Pinning Bypass)

```bash
# Install Burp CA on device
# Settings > General > About > Certificate Trust Settings > Enable

# For SSL pinning bypass (without jailbreak)
# Use objection: ios sslpinning disable
# Or patch the app with Frida gadget

# Network interception with mitmproxy
mitmproxy --mode regular --ssl-insecure

# Charles Proxy setup
# Enable SSL Proxying for specific hosts
# Install Charles CA on device
```

## Jailbreak Testing

```bash
# All about Jailbreak & iOS versions
https://www.theiphonewiki.com/wiki/Jailbreak

# OWASP MSTG
https://github.com/OWASP/owasp-mstg

# Jailbreak compatibility list
https://docs.google.com/spreadsheets/d/11DABHIIqwYQKj1L83AK9ywk_hYMjEkcaxpIg6phbTf0/edit#gid=1014970938

# Checklist
https://mobexler.com/checklist.htm#ios

# Jailbreak tools
# checkra1n - iPhone 5s through iPhone X, iOS 12.3+
# https://checkra.in/
checkra1n 

# unc0ver - https://unc0ver.dev/
# Taurine - https://taurine.app/
# palera1n - https://palera.in/ (iOS 15+)

# 3UTools for Windows
http://www.3u.com/

# Cydia Repositories
# https://ryleylangus.com/repo
# Liberty Bypass - Jailbreak detection bypass
```

### Jailbroken Device Tools

```bash
# SSH to device (default: alpine)
ssh root@device_ip

# Install Frida on device
# Add https://build.frida.re to Cydia sources
# Install Frida from Cydia

# SSL Kill Switch 2
# https://github.com/nabla-c0d3/ssl-kill-switch2
# Install .deb on device

# Keychain Dumper
# https://github.com/ptoomey3/Keychain-Dumper
./keychain-dumper

# FLEXible - In-app debugging
# Install from Cydia

# Cycript - Runtime manipulation
cycript -p <pid>
cy# UIApp.keyWindow.rootViewController
```

## Static Analysis

### Binary Analysis

```bash
# Get .ipa and extract
unzip example.ipa
cd Payload/App.app

# Check encryption (an App Store build shows cryptid 1 = FairPlay-encrypted; a dumped/decrypted binary shows cryptid 0)
otool -l BINARY | grep -A 4 LC_ENCRYPTION_INFO

# Check PIE (Position Independent Executable)
otool -hv BINARY | grep PIE

# Check ARC (Automatic Reference Counting)
otool -Iv BINARY | grep objc_release

# Check stack canaries
otool -Iv BINARY | grep stack_chk

# List dynamic dependencies
otool -L BINARY

# Dump classes and methods
# https://github.com/DerekSelander/dsdump
dsdump -a BINARY

# Class-dump for Objective-C headers
class-dump -H -o output/ BINARY

# Swift class dump
# https://github.com/nicolo-grazioli/swift-dump
```

### Info.plist Analysis

```bash
# Using plutil
plutil -p Info.plist

# Check for sensitive configurations
# App Transport Security exceptions
grep -A 10 "NSAppTransportSecurity" Info.plist

# URL schemes
grep -A 5 "CFBundleURLSchemes" Info.plist

# Exported UTIs
grep -A 5 "UTExportedTypeDeclarations" Info.plist

# Background modes
grep -A 5 "UIBackgroundModes" Info.plist

# https://scriptingosx.com/2016/11/editing-property-lists/
```
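As an added example (not from the original page), the same Info.plist checks done with Python's standard `plistlib`, which also parses the binary plists that real IPAs ship and that plain `grep` misses; the plist below is a constructed sample, and `audit_info_plist` is an assumed helper name:

```python
import plistlib

# Constructed sample Info.plist (XML form; real IPAs usually ship a binary plist,
# which plistlib.loads() parses the same way).
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.app</string>
  <key>NSAppTransportSecurity</key><dict>
    <key>NSAllowsArbitraryLoads</key><true/>
    <key>NSExceptionDomains</key><dict>
      <key>legacy.example.com</key><dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/></dict></dict></dict>
  <key>CFBundleURLTypes</key><array><dict>
    <key>CFBundleURLSchemes</key><array><string>myapp</string></array></dict></array>
  <key>UIBackgroundModes</key><array><string>fetch</string><string>audio</string></array>
</dict></plist>"""


def audit_info_plist(raw: bytes) -> dict:
    """Parse an Info.plist and return the ATS, URL-scheme and background-mode
    settings the checklist greps for, plus a list of plain-English findings."""
    info = plistlib.loads(raw)
    findings = []

    ats = info.get("NSAppTransportSecurity", {})
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("ATS disabled globally: cleartext HTTP allowed to any host")
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        if rules.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(f"ATS exception: insecure HTTP allowed for {domain}")

    # Every custom scheme is a deep-link entry point whose handler needs input
    # validation, so list them explicitly.
    schemes = [s for t in info.get("CFBundleURLTypes", [])
               for s in t.get("CFBundleURLSchemes", [])]
    findings += [f"custom URL scheme registered: {s}://" for s in schemes]

    modes = info.get("UIBackgroundModes", [])
    if modes:
        findings.append("background modes enabled: " + ", ".join(modes))

    return {"bundle_id": info.get("CFBundleIdentifier"), "url_schemes": schemes,
            "background_modes": modes, "findings": findings}


if __name__ == "__main__":
    for line in audit_info_plist(SAMPLE_INFO_PLIST)["findings"]:
        print("-", line)
```

On a real extraction, pass `open("Payload/App.app/Info.plist", "rb").read()` instead of the sample.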

### File System Analysis

```bash
# Interesting locations
/private/var/mobile/Containers/Data/Application/{HASH}/
/private/var/containers/Bundle/Application/{HASH}/
/var/containers/Bundle/Application/{HASH}
/var/mobile/Containers/Data/Application/{HASH}
/var/mobile/Containers/Shared/AppGroup/{HASH}

# SQLite databases
find /var/mobile/Containers/Data/Application/ -name "*.db" 2>/dev/null
find /var/mobile/Containers/Data/Application/ -name "*.sqlite" 2>/dev/null

# Plist files
find /var/mobile/Containers/Data/Application/ -name "*.plist" 2>/dev/null

# Cache and logs
ls -la /var/mobile/Containers/Data/Application/{HASH}/Library/Caches/
ls -la /var/mobile/Containers/Data/Application/{HASH}/tmp/
```

## Dynamic Analysis

### Runtime Inspection

```bash
# Dump decrypted IPA from device
# https://github.com/AloneMonkey/frida-ios-dump
python3 dump.py "App Name"

# Manual IPA extraction (without launching app)
ls -lahR /var/containers/Bundle/Application/ | grep -B 2 -i 'appname'
scp -r root@127.0.0.1:/var/containers/Bundle/Application/{ID} LOCAL_PATH
mkdir Payload
cp -r appname.app/ Payload/
zip -r app.ipa Payload/

# Monitor logs
idevicesyslog | grep "AppName"

# Snapshot inspection (screenshot in memory)
ls /var/mobile/Containers/Data/Application/{HASH}/Library/SplashBoard/Snapshots/
```

### Keychain Extraction

```bash
# With Objection
objection explore
ios keychain dump
ios keychain dump --json output.json

# With keychain-dumper (jailbroken)
./keychain-dumper

# Check keychain accessibility levels
# kSecAttrAccessibleWhenUnlocked - Good
# kSecAttrAccessibleAfterFirstUnlock - Okay
# kSecAttrAccessibleAlways - Bad!
```

### Jailbreak Detection Bypass

```bash
# Using Objection
ios jailbreak disable

# Using Liberty Lite (Cydia)
# Enable for specific app

# Using A-Bypass
# https://repo.co.kr/

# Frida script for jailbreak bypass
# https://codeshare.frida.re/@liangxiaoyi1024/ios-jailbreak-detection-bypass/
```

## Common Vulnerabilities

### Insecure Data Storage

```bash
# Check NSUserDefaults
ios nsuserdefaults get

# Check for cleartext in plist
find . -name "*.plist" -exec grep -l "password\|token\|key" {} \;

# Check SQLite databases
sqlite3 database.db ".tables"
sqlite3 database.db "SELECT * FROM users;"

# Check for hardcoded credentials
strings BINARY | grep -i "api\|key\|secret\|password\|token"
```

### URL Scheme Vulnerabilities

```bash
# List URL schemes
cat Info.plist | grep -A 5 CFBundleURLSchemes

# Test URL schemes
# On device: Safari > myapp://test
# Or programmatically

# Check for deep link injection
frida -U "AppName" -e 'ObjC.classes.UIApplication.sharedApplication().openURL_(ObjC.classes.NSURL.URLWithString_("myapp://inject"))'
```

### Clipboard Vulnerabilities

```bash
# Monitor clipboard with Frida
frida -U "AppName" -e 'ObjC.classes.UIPasteboard.generalPasteboard().string()'

# Check if sensitive data copied to clipboard
# Look for password fields with copy enabled
```

### Binary Protections Check

```bash
# Use MobSF or manual checks
# PIE: otool -hv binary | grep PIE
# ARC: otool -Iv binary | grep objc_release  
# Stack Canaries: otool -Iv binary | grep stack_chk
# Encrypted: otool -l binary | grep cryptid

# Missing protections = easier exploitation
```
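An added example (not the page's or any tool's own code) serving both this checklist and the Binary Analysis section above: it turns the output of the three `otool` invocations into a protections report. The sample strings are constructed to match otool's output format, and `run_otool` is an assumed helper that invokes otool for real on macOS.

```python
import re
import subprocess
import sys

# Constructed sample otool output for a PIE, ARC, canary-enabled build that is still FairPlay-encrypted.
SAMPLE_HEADER = """Mach header
      magic  cputype cpusubtype  caps    filetype ncmds sizeofcmds      flags
MH_MAGIC_64    ARM64        ALL  0x00     EXECUTE    28       3456   NOUNDEFS DYLDLINK TWOLEVEL PIE
"""
SAMPLE_SYMBOLS = """Indirect symbols for (__TEXT,__stubs) 2 entries
0x0000000100006f40   42 _objc_release
0x0000000100006f4c   43 ___stack_chk_fail
"""
SAMPLE_LOADCMDS = """Load command 12
          cmd LC_ENCRYPTION_INFO_64
      cmdsize 24
     cryptoff 16384
    cryptsize 4194304
      cryptid 1
          pad 0
"""


def check_protections(header: str, symbols: str, loadcmds: str) -> dict:
    """Evaluate the PIE, ARC, stack-canary and encryption checks on otool output."""
    # PIE is one of the flags on the Mach header value line (starts with MH_MAGIC)
    pie = any("PIE" in line.split() for line in header.splitlines()
              if line.startswith("MH_MAGIC"))
    # ARC and canaries show up as imported runtime symbols in `otool -Iv`
    arc = "_objc_release" in symbols
    canary = "___stack_chk_fail" in symbols or "___stack_chk_guard" in symbols
    # cryptid 1 = still FairPlay-encrypted (dump it first); 0 = decrypted
    m = re.search(r"cryptid\s+(\d+)", loadcmds)
    encrypted = bool(m and int(m.group(1)) == 1)
    result = {"pie": pie, "arc": arc, "stack_canary": canary, "encrypted": encrypted}
    result["missing"] = [k for k in ("pie", "arc", "stack_canary") if not result[k]]
    return result


def run_otool(binary: str) -> dict:
    """Assumed helper: run the three otool invocations from the page (macOS only)."""
    outs = [subprocess.run(["otool", f, binary], capture_output=True, text=True).stdout
            for f in ("-hv", "-Iv", "-l")]
    return check_protections(*outs)


if __name__ == "__main__":
    print(run_otool(sys.argv[1]) if len(sys.argv) > 1
          else check_protections(SAMPLE_HEADER, SAMPLE_SYMBOLS, SAMPLE_LOADCMDS))
```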

## Tools Summary

| Tool            | Purpose                        | Jailbreak Required    |
| --------------- | ------------------------------ | --------------------- |
| Objection       | Runtime manipulation, patching | No                    |
| Frida           | Dynamic instrumentation        | No (with patched IPA) |
| MobSF           | Static analysis                | No                    |
| ipatool         | IPA download                   | No                    |
| Keychain-dumper | Keychain extraction            | Yes                   |
| SSL Kill Switch | SSL pinning bypass             | Yes                   |
| Cycript         | Runtime exploration            | Yes                   |
| class-dump      | Header extraction              | No                    |

## iOS 17-18 Security Changes

### New Security Features

```bash
# iOS 17+ Security Enhancements
# ================================

# 1. Lockdown Mode Enhancements
# - Blocks most message attachment types
# - Disables JIT compilation in Safari
# - Blocks incoming FaceTime from unknown contacts
# - Blocks wired connections when locked
# Cannot bypass without physical access and passcode

# 2. App Privacy Enhancements
# - Sensitive Content Analysis on-device
# - Enhanced Link Tracking Protection
# - Communication Safety expansions

# 3. Passkey Improvements
# - Automatic passkey upgrades from passwords
# - Passkey sharing via AirDrop
# - Cross-platform passkey sync
```

### Testing Considerations

```bash
# iOS 17+ Proxy Setup
# Safari requires additional trust for custom CA certificates
# Settings → General → About → Certificate Trust Settings → Enable full trust

# Lockdown Mode Detection
# Check if lockdown mode is enabled
frida -U "AppName" -e '
var mode = ObjC.classes.BMSystemContainer.currentSystemContainer().lockdownModeEnabled();
console.log("Lockdown Mode: " + mode);
'

# iOS 18 Specific
# Enhanced app sandboxing
# Per-app network proxy settings possible
# Improved keychain protection

# SSL Pinning in iOS 17+
# App Transport Security more strictly enforced
# Check ATS exceptions in Info.plist
plutil -p Info.plist | grep -A 20 NSAppTransportSecurity

# Many apps now use Certificate Transparency
# Consider CT log bypass techniques
```

### iOS 18 New Protections

```bash
# Contact Key Verification
# Prevents MITM on iMessage
# Cannot intercept verified conversations

# Secure Boot Improvements
# Stronger chain of trust verification
# SEP (Secure Enclave Processor) updates

# App Intents & Shortcuts Privacy
# More granular permissions for automation

# Testing on iOS 18
# 1. Check for new entitlements in binary
codesign -d --entitlements :- Payload/App.app/App 2>&1

# 2. Review privacy manifest requirements
# Apps must declare data usage in PrivacyInfo.xcprivacy
find . -name "PrivacyInfo.xcprivacy" -exec cat {} \;

# 3. Required Reason APIs
# Apps must declare why they use certain APIs
# Fingerprinting APIs now require justification
```

### Bypassing New Protections

```bash
# iOS 17+ Jailbreak Status
# Check current jailbreak availability
# Dopamine, Palera1n for A11 and earlier
# No public jailbreak for A12+ on iOS 17+

# Non-Jailbreak Testing Focus
# Objection + patched IPA remains primary method
# Focus on static analysis when dynamic not possible

# Frida Gadget Injection
# Works without jailbreak
objection patchipa --source app.ipa --codesign-signature "YOUR_SIGNATURE"

# Runtime Manipulation
# iOS 17+ has improved integrity checks
# May need to bypass more integrity validations
frida -U "AppName" -e '
Interceptor.attach(ObjC.classes.PKTrustSettings["- evaluateTrust:"].implementation, {
  onLeave: function(retval) {
    retval.replace(0x1);  // Trust all
  }
});
'
```

