iOS Pentesting

Mobile Testing

iOS testing typically requires a jailbroken device to perform dynamic analysis, inspect the filesystem, and decrypt IPA files.

Static Analysis

Extract and analyze the IPA:

```bash
# Pull the installed app bundle from a jailbroken device over SSH
# (the Bundle directory holds App.app; the store .ipa itself is not kept on device)
scp -r root@device:/var/containers/Bundle/Application/<UUID>/App.app .

# For an encrypted App Store build, produce a decrypted IPA on the device with
# tools like ipainstaller or Clutch, copy it over, then unpack it
unzip app.ipa -d app_extracted
cd app_extracted/Payload/App.app

# Print Info.plist in human-readable form
plutil -p Info.plist
```

Binary analysis:

```bash
# List linked libraries and frameworks
otool -L App

# Search for hard-coded secrets (-E enables the | alternation)
strings App | grep -iE "password|secret|key|token"

# Check for PIE (ASLR) and ARC
otool -hv App  # look for the PIE flag in the header output
otool -Iv App | grep _objc_release  # a match means the binary uses ARC

# Dump Objective-C class and method declarations
class-dump App > classes.txt
```
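
As an added example (not part of the original page), the Python check below automates two of the static verifications above straight from the Mach-O header: whether the PIE flag is set, and whether LC_ENCRYPTION_INFO_64 still reports cryptid != 0, which is the quickest way to confirm that a dump is actually decrypted before running strings or class-dump on it. The sample image is constructed inline; on a real build, pass the bytes of the App binary (thin arm64 slice only; fat and 32-bit images are rejected).

```python
import struct

# Mach-O constants (from <mach-o/loader.h>)
MH_MAGIC_64 = 0xFEEDFACF
MH_PIE = 0x00200000              # header flag: position-independent image (ASLR)
LC_ENCRYPTION_INFO_64 = 0x2C     # load command describing FairPlay encryption
HEADER_FMT = "<IiiIIIII"         # magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags, reserved
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 32 bytes

def inspect_macho(data: bytes) -> dict:
    """Report PIE and encryption state of a thin little-endian 64-bit Mach-O image.

    'encrypted' is True when LC_ENCRYPTION_INFO_64 has cryptid != 0 (still
    FairPlay-encrypted, so strings/class-dump see only ciphertext), False when
    cryptid == 0 (decrypted dump), and None when the command is absent.
    """
    if len(data) < HEADER_LEN:
        raise ValueError("too short for a Mach-O header")
    magic, _, _, _, ncmds, sizeofcmds, flags, _ = struct.unpack_from(HEADER_FMT, data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("unsupported magic 0x%08x (fat and 32-bit images not handled)" % magic)
    result = {"pie": bool(flags & MH_PIE), "encrypted": None}
    off, end = HEADER_LEN, min(HEADER_LEN + sizeofcmds, len(data))
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("load commands run past sizeofcmds/file")
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("malformed load command size")
        if cmd == LC_ENCRYPTION_INFO_64 and cmdsize >= 24:
            # encryption_info_command_64: cmd, cmdsize, cryptoff, cryptsize, cryptid, pad
            cryptid = struct.unpack_from("<I", data, off + 16)[0]
            result["encrypted"] = cryptid != 0
        off += cmdsize
    return result

def build_sample(pie: bool, cryptid=None) -> bytes:
    """Construct a minimal header-only Mach-O image for the demo (not a real binary)."""
    cmds = b""
    if cryptid is not None:
        cmds = struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x8000, cryptid, 0)
    # cputype 0x0100000C = CPU_TYPE_ARM64, filetype 2 = MH_EXECUTE
    header = struct.pack(HEADER_FMT, MH_MAGIC_64, 0x0100000C, 0, 2,
                         1 if cmds else 0, len(cmds), MH_PIE if pie else 0, 0)
    return header + cmds

if __name__ == "__main__":
    print(inspect_macho(build_sample(pie=True, cryptid=1)))  # {'pie': True, 'encrypted': True}
```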

Dynamic Analysis

Frida setup:

```bash
# Frida on iOS (requires a jailbroken device with frida-server running)
# Install Frida from Cydia or via SSH

# List processes over USB
frida-ps -U
```

SSL Pinning Bypass

Save as ios_ssl_bypass.js:

```javascript
// Hook every Objective-C implementation of the NSURLSession auth delegate
// method and answer each challenge with "use credential" so pinning is skipped
var resolver = new ApiResolver('objc');
resolver.enumerateMatches('*[* URLSession:didReceiveChallenge:completionHandler:]', {
    onMatch: function(match) {
        Interceptor.attach(match.address, {
            onEnter: function(args) {
                // args: 0 self, 1 selector, 2 session, 3 challenge, 4 completionHandler block
                var completionHandler = new ObjC.Block(args[4]);
                var NSURLSessionAuthChallengeUseCredential = 0;
                // Keep the original block body: an ObjC.Block is invoked through
                // .implementation, not by calling the wrapper object itself
                var originalImpl = completionHandler.implementation;
                completionHandler.implementation = function(disposition, credential) {
                    originalImpl(NSURLSessionAuthChallengeUseCredential, credential);
                };
            }
        });
    },
    onComplete: function() {}
});
```

Run bypass:

```bash
frida -U -f com.target.app -l ios_ssl_bypass.js
```

Objection & Forensics

```bash
# Using objection on iOS
objection -g com.target.app explore

# Inside objection:
# ios sslpinning disable
# ios keychain dump
# ios cookies get

# Inspect Keychain (on device)
keychain-dumper

# File system inspection
ls -la /var/mobile/Containers/Data/Application/<UUID>/
```

iOS Tools

class-dump

Category: Reverse Engineering

A command-line utility for examining the Objective-C runtime information stored in Mach-O files.

Installation

```bash
brew install class-dump
```

Hopper Disassembler

Category: Disassembler

A reverse engineering tool for macOS and Linux that lets you disassemble, decompile, and debug 32/64-bit Intel Mac, Linux, Windows and iOS executables.

Installation

```bash
# Download from website
```

Clutch

Category: Decryption

High-speed iOS decryption tool. Dump decrypted IPAs from your jailbroken device.

Installation

```bash
# Install on jailbroken device
```

Keychain-dumper

Category: Forensics

A tool to check which keychain items are available to an attacker once an iOS device has been jailbroken.

Installation

```bash
# Install on jailbroken device
```