Hacktricks-skills ios-pentesting

iOS application security testing and pentesting. Use this skill whenever the user needs to test iOS apps for security vulnerabilities, analyze IPA files, perform static/dynamic analysis, check data storage security, test local authentication, or conduct mobile security assessments. Make sure to use this skill for any iOS security testing, app analysis, vulnerability assessment, or mobile pentesting tasks, even if the user doesn't explicitly mention 'pentesting' or 'security testing'.

Install: clone the upstream repo
git clone https://github.com/abelrguezr/hacktricks-skills
Manifest: skills/mobile-pentesting/ios-pentesting/ios-pentesting/SKILL.MD

iOS Pentesting Skill

A comprehensive skill for performing security testing on iOS applications, including static analysis, dynamic analysis, data storage assessment, and vulnerability identification.

When to Use This Skill

Use this skill when:

  • Testing iOS applications for security vulnerabilities
  • Analyzing IPA files for security issues
  • Performing static or dynamic analysis on iOS apps
  • Checking data storage security (plist, SQLite, Keychain, etc.)
  • Testing local authentication and biometric implementations
  • Analyzing binary files for weak cryptography or insecure functions
  • Conducting mobile security assessments
  • Investigating iOS app security configurations

Prerequisites

Before starting iOS pentesting:

  1. Jailbroken device or iOS simulator with appropriate tools installed
  2. IPA file of the target application
  3. Required tools: Frida, Objection, otool, class-dump, MobSF (optional)
  4. Device connection via USB or network

Testing Workflow

1. Initial Setup

# List installed apps and get bundle identifier
frida-ps -Uai

# Get app bundle path using objection
objection explore -g ios
ios env

2. Static Analysis

Extract and Analyze IPA

# Rename IPA to ZIP and extract
mv app.ipa app.zip
unzip app.zip

# Navigate to app bundle
cd app.app/

Check Binary Protections

Use the check_binary_protections.sh script to verify security features:

./scripts/check_binary_protections.sh <app-binary>

This checks for:

  • PIE (Position Independent Executable)
  • Stack Canaries
  • ARC (Automatic Reference Counting)
  • Binary Encryption

Identify Insecure Functions

Use the scan_insecure_functions.sh script to find vulnerable function calls:

./scripts/scan_insecure_functions.sh <app-binary>

This scans for:

  • Weak hashing (MD5, SHA1)
  • Insecure random functions
  • Dangerous memory functions (gets, sprintf, etc.)
  • Insecure malloc usage
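The two scripts above grep otool output for the header flag, the imported symbols and the encryption load command. The following added example (my own code, not the skill's scripts) does the same checks by parsing the Mach-O structures directly, so it runs on Linux without otool and can be pointed at the binary extracted from the IPA; it also handles fat (universal) files, which the shell scripts do not. The sample binary is constructed in memory and is not a real app; `build_sample` and `build_fat` exist only so the script runs offline.

```python
"""Mach-O hardening and insecure-import check (added example, not the skill's own script).

Equivalent to grepping otool output:
  otool -hv  -> MH_PIE flag                          (PIE)
  otool -Iv  -> ___stack_chk_fail / ___stack_chk_guard (stack canaries)
  otool -Iv  -> _objc_release / _objc_retain           (ARC)
  otool -l   -> LC_ENCRYPTION_INFO(_64) cryptid        (1 = still FairPlay-encrypted)
  otool -Iv  -> known-weak imports                     (insecure functions)
"""
import struct

MH_MAGIC_64, MH_MAGIC, FAT_MAGIC = 0xFEEDFACF, 0xFEEDFACE, 0xCAFEBABE
MH_PIE = 0x200000
LC_SYMTAB, LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x2, 0x21, 0x2C

# Same categories as scan_insecure_functions.sh; symbol names carry the C leading underscore.
INSECURE = {
    "weak hashing": ["_CC_MD5", "_CC_SHA1"],
    "insecure random": ["_rand", "_random", "_srand"],
    "dangerous memory": ["_gets", "_sprintf", "_vsprintf", "_strcpy", "_strcat"],
    "unchecked malloc": ["_malloc"],  # flagged for manual review, as the skill's scanner does
}


def _slices(data):
    """Yield (offset, bytes) per architecture slice; fat headers are big-endian."""
    if struct.unpack(">I", data[:4])[0] != FAT_MAGIC:
        yield 0, data
        return
    nfat = struct.unpack(">I", data[4:8])[0]
    for i in range(nfat):
        # fat_arch: cputype, cpusubtype, offset, size, align
        _, _, off, size, _ = struct.unpack(">5I", data[8 + 20 * i:28 + 20 * i])
        yield off, data[off:off + size]


def check_slice(blob):
    """Parse one Mach-O header plus load commands and return the protection summary."""
    magic = struct.unpack("<I", blob[:4])[0]
    if magic == MH_MAGIC_64:
        hdr, off = struct.unpack("<IiiIIIII", blob[:32]), 32
    elif magic == MH_MAGIC:
        hdr, off = struct.unpack("<IiiIIII", blob[:28]), 28
    else:
        raise ValueError("not a little-endian Mach-O slice: 0x%08x" % magic)
    ncmds, flags = hdr[4], hdr[6]
    symbols, cryptid = set(), None
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack("<II", blob[off:off + 8])
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            cryptid = struct.unpack("<I", blob[off + 16:off + 20])[0]  # cmd, cmdsize, cryptoff, cryptsize, cryptid
        elif cmd == LC_SYMTAB:
            _, _, stroff, strsize = struct.unpack("<IIII", blob[off + 8:off + 24])
            symbols.update(s.decode(errors="replace")
                           for s in blob[stroff:stroff + strsize].split(b"\0") if s)
        off += cmdsize
    return {
        "pie": bool(flags & MH_PIE),
        "stack_canary": bool(symbols & {"___stack_chk_fail", "___stack_chk_guard"}),
        "arc": bool(symbols & {"_objc_release", "_objc_retain", "_objc_autoreleaseReturnValue"}),
        "encrypted": None if cryptid is None else cryptid == 1,
        "insecure": {cat: sorted(symbols & set(names))
                     for cat, names in INSECURE.items() if symbols & set(names)},
    }


def check_binary(data):
    """Return [(slice_offset, summary), ...] for a thin or fat Mach-O file."""
    return [(off, check_slice(blob)) for off, blob in _slices(data)]


def build_sample(pie, cryptid, symbols):
    """Constructed minimal arm64 Mach-O (header + LC_ENCRYPTION_INFO_64 + LC_SYMTAB); not runnable."""
    strtab = b"\0" + b"\0".join(s.encode() for s in symbols) + b"\0"
    enc_cmd = struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, 0, 0, cryptid, 0)
    sym_cmd = struct.pack("<IIIIII", LC_SYMTAB, 24, 0, 0, 32 + 48, len(strtab))
    header = struct.pack("<IiiIIIII", MH_MAGIC_64, 0x0100000C, 0, 2, 2, 48, MH_PIE if pie else 0, 0)
    return header + enc_cmd + sym_cmd + strtab


def build_fat(slices):
    """Wrap slices in a constructed fat header so the universal-binary path is exercised."""
    hdr, off, archs, body = struct.pack(">II", FAT_MAGIC, len(slices)), 8 + 20 * len(slices), b"", b""
    for s in slices:
        archs += struct.pack(">5I", 0x0100000C, 0, off + len(body), len(s), 0)
        body += s
    return hdr + archs + body


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else \
        build_sample(pie=False, cryptid=1, symbols=["_CC_MD5", "_gets", "_printf"])
    for off, result in check_binary(data):
        print(f"slice @ {off:#x}: {result}")
```

Run it as `python3 macho_check.py Payload/App.app/App`. An `encrypted: True` result means the binary is still FairPlay-encrypted and must be decrypted on a jailbroken device before symbol-level analysis is meaningful; `None` means no encryption load command was present at all, which is normal for simulator builds.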

Analyze Info.plist

# Convert plist to readable format (macOS)
plutil -convert xml1 Info.plist

# Convert plist to readable format (Linux)
plistutil -i Info.plist -o Info_xml.plist

# Search for sensitive configurations
grep -i "UsageDescription" Info.plist
grep -i "CFBundleURLTypes" Info.plist
grep -i "NSAppTransportSecurity" Info.plist
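Grepping Info.plist shows that a key exists but not what it is set to; the ATS dictionary in particular is nested, and the risky values (`NSAllowsArbitraryLoads`, per-domain `NSExceptionAllowsInsecureHTTPLoads`, a lowered `NSExceptionMinimumTLSVersion`) only matter when true. The following added example (my own code, not part of the skill) parses the plist with `plistlib`, which reads both the binary and the XML form, so the `plutil`/`plistutil` conversion step is unnecessary, and reports those settings structurally. `build_sample_plist` and the bundle id `com.example.sampleapp` are constructed for the demo.

```python
"""Info.plist configuration audit (added example, not one of the skill's scripts)."""
import plistlib

# Real ATS keys from Apple's NSAppTransportSecurity documentation.
WEAK_TLS = ("TLSv1.0", "TLSv1.1")


def audit_info_plist(data: bytes) -> dict:
    """Parse binary or XML Info.plist bytes and summarise security-relevant settings."""
    info = plistlib.loads(data)
    findings = []

    ats = info.get("NSAppTransportSecurity", {})
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("ATS disabled globally (NSAllowsArbitraryLoads=true): plaintext HTTP permitted")
    if ats.get("NSAllowsArbitraryLoadsInWebContent"):
        findings.append("ATS disabled for web views (NSAllowsArbitraryLoadsInWebContent=true)")
    for domain, exc in ats.get("NSExceptionDomains", {}).items():
        if exc.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(f"ATS exception permits HTTP for {domain}")
        tls = exc.get("NSExceptionMinimumTLSVersion")
        if tls in WEAK_TLS:
            findings.append(f"ATS exception lowers minimum TLS for {domain} to {tls}")
        if exc.get("NSExceptionRequiresForwardSecrecy") is False:
            findings.append(f"ATS exception drops forward-secrecy requirement for {domain}")

    # Custom URL schemes are externally reachable entry points; list them for input-validation review.
    schemes = [s for t in info.get("CFBundleURLTypes", []) for s in t.get("CFBundleURLSchemes", [])]
    # Usage descriptions reveal which privacy-sensitive capabilities the app requests.
    usage = {k: v for k, v in info.items() if k.endswith("UsageDescription")}

    return {
        "bundle_id": info.get("CFBundleIdentifier"),
        "findings": findings,
        "url_schemes": schemes,
        "usage_descriptions": usage,
    }


def build_sample_plist() -> bytes:
    """Constructed sample Info.plist, serialised in binary form to show plistlib handles it."""
    return plistlib.dumps({
        "CFBundleIdentifier": "com.example.sampleapp",
        "NSCameraUsageDescription": "Used to scan documents",
        "CFBundleURLTypes": [{"CFBundleURLName": "com.example.sampleapp",
                              "CFBundleURLSchemes": ["sampleapp"]}],
        "NSAppTransportSecurity": {
            "NSAllowsArbitraryLoads": True,
            "NSExceptionDomains": {
                "legacy.example.com": {"NSExceptionAllowsInsecureHTTPLoads": True,
                                       "NSExceptionMinimumTLSVersion": "TLSv1.0"},
            },
        },
    }, fmt=plistlib.FMT_BINARY)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_plist()
    report = audit_info_plist(data)
    print("bundle:", report["bundle_id"])
    print("url schemes:", report["url_schemes"])
    for line in report["findings"]:
        print("FINDING:", line)
```

Usage: `python3 plist_audit.py Payload/App.app/Info.plist`. Each finding maps directly to a remediation (remove the global ATS exception, scope exceptions to the one legacy host, raise the TLS floor), which is what the report's Remediation field needs.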

3. Data Storage Analysis

Find and Analyze Plist Files

# Locate all plist files in app sandbox
find /private/var/mobile/Containers/Data/Application/{APPID} -name "*.plist"

# Check NSUserDefaults data
objection explore -g ios
ios nsuserdefaults get

# Convert and read plist files
ios plist cat /path/to/file.plist

Scan for SQLite Databases

# Find all SQLite databases
find /private/var/mobile/Containers/Data/Application/{APPID} -name "*.sqlite" -o -name "*.db"

# Check Core Data location
ls /private/var/mobile/Containers/Data/Application/{APPID}/Library/Application\ Support/

Check Realm Databases

# Find Realm files
find /private/var/mobile/Containers/Data/Application/{APPID} -name "*.realm*"

# Use Realm Studio to inspect (if available)

Analyze Cookies

# Dump cookies using objection
objection explore -g ios
ios cookies get --json

# Check cookies file location
ls /private/var/mobile/Containers/Data/Application/{APPID}/Library/Cookies/

Check Keychain

# Dump keychain entries
objection explore -g ios
ios keychain dump

# Dump NSURLCredentialStorage
ios nsurlcredentialstorage dump

4. Dynamic Analysis

Hook and Monitor with Objection

# Start objection session
objection explore -g ios

# Monitor cryptography
ios monitor crypt

# Disable SSL pinning
ios sslpinning disable

# Bypass biometric authentication
ios ui biometrics_bypass

Use Frida for Custom Hooking

# List processes
frida-ps -U

# Attach to app and load script
frida -U -f <bundle-id> --no-pause -l hook_script.js

5. Local Authentication Testing

Check for LocalAuthentication Framework

# Check linked frameworks
otool -L <app-binary>

# Look for these in output:
# /System/Library/Frameworks/LocalAuthentication.framework/LocalAuthentication
# /System/Library/Frameworks/Security.framework/Security

Test Biometric Bypass

# Using objection
objection explore -g ios
ios ui biometrics_bypass

# Using custom Frida script (see scripts/bypass_biometrics.js)
frida -U -f <bundle-id> --no-pause -l scripts/bypass_biometrics.js

6. Network Security Testing

Check for SSL Pinning

# Disable SSL pinning with objection
objection explore -g ios
ios sslpinning disable

# Or use SSL Kill Switch 2 on jailbroken device

Test Certificate Validation

  1. Set up Burp Suite proxy
  2. Install Burp CA certificate on device
  3. Test if app validates hostname correctly
  4. Create certificate for different hostname and test

7. Memory Analysis

Dump Application Memory

# Using Frida
fridump -U <bundle-id> -o memory_dump.bin

# Extract strings from dump
strings memory_dump.bin > strings.txt

# Or use rabin2
rabin2 -zz memory_dump.bin > strings.txt

Runtime Memory Search

# Using r2frida
r2 frida://usb//<app-name>
[0x00000000]> /\ <search-pattern>

8. Backup Analysis

Create and Analyze Backups

# Create backup via Finder/iTunes
# Locate backup directory
# Check Manifest.plist for encryption status

# Search for sensitive data in backup
grep -r "password" backup_directory/
grep -r "token" backup_directory/
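The data storage steps in section 3 and the backup grep above both come down to the same question: which files in the app container (or in an unencrypted backup) hold secrets in the clear? `grep -r` misses binary plists and SQLite pages, so the following added example (my own code, not one of the skill's scripts) walks a directory and inspects each file by type: plist keys via `plistlib`, SQLite column names via `sqlite3`, the `IsEncrypted` flag in a backup's Manifest.plist, and a raw byte search for everything else. `build_sample_container` creates a constructed container in a temp directory so the script runs offline; the file names and values in it are made up.

```python
"""Sensitive-data sweep of an app container or backup directory (added example, not the skill's script)."""
import plistlib
import sqlite3
import tempfile
from pathlib import Path

# Key/column/text fragments worth a manual look; extend per engagement.
SENSITIVE = ("password", "passwd", "secret", "token", "apikey", "api_key", "credential", "session")


def _sensitive(name: str) -> bool:
    n = name.lower()
    return any(t in n for t in SENSITIVE)


def _flatten(obj, prefix=""):
    """Yield (dotted.key, value) pairs from nested plist dicts/lists."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from _flatten(v, f"{prefix}{k}.")
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from _flatten(v, f"{prefix}{i}.")
    else:
        yield prefix.rstrip("."), obj


def _scan_plist(path, rel):
    with open(path, "rb") as f:
        data = plistlib.load(f)  # binary or XML
    if rel.name == "Manifest.plist" and "IsEncrypted" in data:
        state = "encrypted" if data["IsEncrypted"] else "NOT encrypted"
        yield (str(rel), "backup", f"Manifest.plist reports backup {state}")
    for key, value in _flatten(data):
        if _sensitive(key):
            yield (str(rel), "plist-key", f"{key} = {str(value)[:40]!r}")


def _scan_sqlite(path, rel):
    con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)  # read-only: never modify evidence
    try:
        tables = [r[0] for r in con.execute("SELECT name FROM sqlite_master WHERE type='table'")]
        for t in tables:
            cols = [r[1] for r in con.execute(f'PRAGMA table_info("{t}")')]
            rows = con.execute(f'SELECT COUNT(*) FROM "{t}"').fetchone()[0]
            for c in cols:
                if _sensitive(c):
                    yield (str(rel), "sqlite-column", f"{t}.{c} ({rows} rows)")
    finally:
        con.close()


def _scan_raw(path, rel):
    text = Path(path).read_bytes().lower()
    for term in SENSITIVE:
        if term.encode() in text:
            yield (str(rel), "string", f"contains {term!r}")


def sweep(root):
    """Return [(relative_path, kind, detail), ...] for every file under root."""
    root = Path(root)
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root)
        try:
            if path.suffix == ".plist":
                findings += list(_scan_plist(path, rel))
            elif path.suffix in (".sqlite", ".sqlite3", ".db"):
                findings += list(_scan_sqlite(path, rel))
            else:
                findings += list(_scan_raw(path, rel))
        except Exception as e:  # unreadable file: record it rather than abort the sweep
            findings.append((str(rel), "error", f"{type(e).__name__}: {e}"))
    return findings


def build_sample_container():
    """Constructed fake container plus backup manifest in a temp dir; nothing here is real app data."""
    root = Path(tempfile.mkdtemp(prefix="ios-sweep-"))
    (root / "Library" / "Preferences").mkdir(parents=True)
    (root / "Documents").mkdir()
    with open(root / "Library" / "Preferences" / "com.example.app.plist", "wb") as f:
        plistlib.dump({"username": "alice", "authToken": "constructed-bearer-token"}, f,
                      fmt=plistlib.FMT_BINARY)
    with open(root / "Manifest.plist", "wb") as f:
        plistlib.dump({"IsEncrypted": False, "Version": "10.0"}, f)
    con = sqlite3.connect(root / "Documents" / "app.sqlite")
    con.execute("CREATE TABLE users (id INTEGER, email TEXT, password_hash TEXT)")
    con.execute("INSERT INTO users VALUES (1, 'alice@example.com', 'constructed-hash')")
    con.commit()
    con.close()
    (root / "Documents" / "debug.log").write_text("2024-01-01 login ok token=constructed\n")
    return root


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_container()
    for rel, kind, detail in sweep(target):
        print(f"[{kind}] {rel}: {detail}")
```

Point it at a container pulled from the device (`python3 sweep.py ./Application/<APPID>`) or at an unencrypted backup directory. A plist-key or sqlite-column hit is evidence for the "unencrypted sensitive data" pattern below; the corresponding remediation is to move the value into the Keychain with an appropriate access-control class and exclude the file from backups. Cookies.binarycookies has its own format and is not parsed here; use `ios cookies get --json` for that.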

Common Vulnerability Patterns

Data Storage Issues

  • Unencrypted sensitive data in plist files
  • Hardcoded credentials in source code
  • Weak encryption (MD5, SHA1, RC4)
  • Insecure Keychain usage (missing access control)
  • Sensitive data in backups

Authentication Issues

  • Biometric bypass (evaluatePolicy always returns true)
  • Missing local authentication for sensitive operations
  • Insecure credential storage

Network Issues

  • Missing SSL pinning
  • Certificate validation bypass
  • Unencrypted communication

Binary Issues

  • Missing PIE
  • Missing stack canaries
  • Insecure function usage (gets, sprintf, etc.)
  • Hardcoded secrets

Reporting

When documenting findings:

  1. Vulnerability Type: Clear classification
  2. Severity: Critical/High/Medium/Low
  3. Location: File, function, or code path
  4. Evidence: Screenshots, code snippets, or command output
  5. Impact: What an attacker could achieve
  6. Remediation: Specific fix recommendations

Tools Reference

| Tool | Purpose |
| --- | --- |
| Frida | Dynamic instrumentation |
| Objection | Runtime exploration |
| otool | Binary analysis |
| class-dump | Objective-C header extraction |
| MobSF | Automated static analysis |
| Hopper/IDA | Binary disassembly |
| Burp Suite | Network interception |
| Keychain-Dumper | Keychain extraction |

Safety Notes

  • Always obtain proper authorization before testing
  • Test on your own devices or authorized test environments
  • Be aware that some operations require jailbroken devices
  • Document all changes made during testing
  • Restore devices to original state after testing

Next Steps

After completing analysis:

  1. Compile findings into a security report
  2. Prioritize vulnerabilities by severity
  3. Provide remediation guidance
  4. Consider retesting after fixes are applied
  5. Update testing procedures based on lessons learned