Hacktricks-skills ios-pentesting-basics

iOS security testing operations including device identification, shell access, data transfer, app extraction, and decryption. Use this skill whenever the user needs to perform iOS pentesting tasks, identify iOS devices, access device shells, transfer data from iOS devices, extract or decrypt iOS apps, or install apps on iOS devices. Trigger for any iOS security assessment, mobile app testing, or iOS device forensics work.

Install: clone the upstream repo

    git clone https://github.com/abelrguezr/hacktricks-skills

Manifest: skills/mobile-pentesting/ios-pentesting/basic-ios-testing-operations/SKILL.MD

iOS Basic Testing Operations

A skill for performing iOS security testing operations including device identification, shell access, data transfer, and app extraction/decryption.

Device Identification

Finding the UDID

The UDID (40-digit unique identifier) is essential for iOS device operations.

Via Finder (macOS Catalina+):

  1. Connect device via USB
  2. Open Finder and select the device
  3. Click the device name to reveal details including UDID

Via iTunes (macOS pre-Catalina):

  • Connect device and view in iTunes to find UDID

Command-line methods:

# Using ioreg
ioreg -p IOUSB -l | grep "USB Serial"

# Using ideviceinstaller (macOS/Linux)
brew install ideviceinstaller
idevice_id -l

# Using system_profiler
system_profiler SPUSBDataType | sed -n -e '/iPad/,/Serial/p;/iPhone/,/Serial/p;/iPod/,/Serial/p' | grep "Serial Number:"

# Using instruments
instruments -s devices
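An added example (not part of this page or the upstream skill) that turns the output of the command-line methods above into validated UDIDs instead of eyeballing it. It assumes two UDID shapes: the 40-hex-character form the text describes, and the newer 8-plus-16 hex-character form with a hyphen, which system_profiler is assumed to print as 24 hex characters without the hyphen (the parser normalises both). All tool output below is constructed, not captured from real devices.

```python
import re

# Two UDID shapes (assumption; the text above describes only the 40-character one):
#  - 40 hex characters on older devices
#  - 8 hex + '-' + 16 hex on newer devices; some tools print it as 24 hex with no hyphen
_OLD = re.compile(r"^[0-9a-fA-F]{40}$")
_NEW = re.compile(r"^([0-9a-fA-F]{8})-?([0-9a-fA-F]{16})$")
_DEVICE_NAMES = ("iPhone", "iPad", "iPod")

# Constructed sample outputs (not captured from real devices).
SAMPLE_IDEVICE_ID = """\
00008030-001C2D1C3A88002E (USB)
0123456789abcdef0123456789abcdef01234567
"""

SAMPLE_SYSTEM_PROFILER = """\
USB:

    USB 3.1 Bus:

      Host Controller Driver: AppleT8103USBXHCI

        iPhone:

          Product ID: 0x12a8
          Vendor ID: 0x05ac (Apple Inc.)
          Serial Number: 00008030001C2D1C3A88002E
          Manufacturer: Apple Inc.

        USB Flash Drive:

          Product ID: 0x5583
          Serial Number: 0123456789ABCDEF
"""


def normalize_udid(token: str):
    """Return a canonical UDID string, or None if the token is not UDID-shaped."""
    token = token.strip()
    if _OLD.match(token):
        return token.lower()
    m = _NEW.match(token)
    if m:
        return f"{m.group(1).upper()}-{m.group(2).upper()}"
    return None


def parse_idevice_id(output: str):
    """Parse `idevice_id -l` output: one UDID per line, optionally followed by
    a connection tag such as '(USB)' in newer libimobiledevice releases."""
    udids = []
    for line in output.splitlines():
        parts = line.split()
        if not parts:
            continue
        udid = normalize_udid(parts[0])
        if udid:
            udids.append(udid)
    return udids


def parse_system_profiler(output: str):
    """Parse `system_profiler SPUSBDataType` output the way the sed pipeline above
    does: keep 'Serial Number:' only under a heading naming an iPhone, iPad or iPod."""
    udids = []
    current = ""
    for raw in output.splitlines():
        line = raw.strip()
        if line.endswith(":") and ": " not in line:   # section heading such as 'iPhone:'
            current = line[:-1]
        elif line.startswith("Serial Number:") and any(n in current for n in _DEVICE_NAMES):
            udid = normalize_udid(line.split(":", 1)[1])
            if udid:
                udids.append(udid)
    return udids


if __name__ == "__main__":
    print("idevice_id:", parse_idevice_id(SAMPLE_IDEVICE_ID))
    print("system_profiler:", parse_system_profiler(SAMPLE_SYSTEM_PROFILER))
```

Feeding real output is a matter of `parse_idevice_id(subprocess.run(["idevice_id", "-l"], capture_output=True, text=True).stdout)`; the normalised form is what you want in an assessment log so the same device is recognised whichever tool reported it.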

Device Shell Access

SSH Access (Post-Jailbreak)

  1. Install OpenSSH package on jailbroken device
  2. Connect via SSH:
    ssh root@<device_ip_address>
    
  3. Important: Change default passwords (alpine for root and mobile users)

SSH Over USB (No Wi-Fi)

Use iproxy to map device ports:

# Forward device port 22 to local port 2222
iproxy 2222 22

# Connect via SSH
ssh -p 2222 root@localhost

On-Device Shell Apps

  • NewTerm 2: Direct device interaction for troubleshooting
  • Reverse SSH shells: Establish remote access from host computer

Password Reset

To reset forgotten passwords to default (alpine):

  1. Edit /private/etc/master.passwd
  2. Replace existing hash with alpine hash for root and mobile users

Data Transfer

Archive and Transfer via SSH/SCP

# On device: Archive application data
tar czvf /tmp/data.tgz /private/var/mobile/Containers/Data/Application/<APP_UUID>

# Exit SSH
exit

# On host: Pull the archive
scp -P 2222 root@localhost:/tmp/data.tgz .

GUI Tools

  • iFunbox and iExplorer: File management on iOS devices
  • Note: iOS 8.4+ restricts access to app sandbox unless jailbroken

Objection for File Management

# Launch objection explorer
objection --gadget com.apple.mobilesafari explorer

# Navigate to app documents
cd /var/mobile/Containers/Data/Application/<APP_UUID>/Documents

# Download files
file download <filename>

App Extraction and Decryption

Acquiring IPA Files

OTA Distribution:

# Install ITMS services downloader
npm install -g itms-services

# Download IPA from manifest
itms-services -u "itms-services://?action=download-manifest&url=<MANIFEST_URL>" -o - > out.ipa

Manual Decryption Process

iOS apps are encrypted with FairPlay. To decrypt:

  1. Check and modify PIE flag:

    otool -Vh Original_App
    python change_macho_flags.py --no-pie Original_App
    otool -Vh Original_App

  2. Identify encrypted section:

    otool -l Original_App | grep -A 4 LC_ENCRYPTION_INFO

  3. Dump memory from jailbroken device:

    # Using gdb
    dump memory dump.bin 0x8000 0x10a4000

  4. Overwrite encrypted section:

    dd bs=1 seek=<starting_address> conv=notrunc if=dump.bin of=Original_App

  5. Finalize: Set cryptid to 0 using MachOView
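The checks behind steps 1, 2, 4 and 5 above, as an added Python example (not code from this page, the upstream skill or HackTricks): it reads the Mach-O header and load commands to report the MH_PIE flag and the LC_ENCRYPTION_INFO(_64) fields that `otool -Vh` and `otool -l` print, and applies a decrypted memory dump over the encrypted range the way the `dd ... conv=notrunc` step and a MachOView edit of `cryptid` do. The binary and the "dump" are constructed toy data, and `dump_base` is an assumed parameter naming the file offset that the first byte of the dump corresponds to. The same `is_encrypted` check serves both sides: confirming a decryption run actually cleared `cryptid`, and confirming in a release pipeline that what ships is still encrypted.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Mach-O constants (from <mach-o/loader.h>).
MH_MAGIC = 0xFEEDFACE          # 32-bit, little-endian
MH_MAGIC_64 = 0xFEEDFACF       # 64-bit, little-endian
MH_PIE = 0x200000              # header flag: position-independent executable
LC_ENCRYPTION_INFO = 0x21      # FairPlay encryption descriptor (32-bit)
LC_ENCRYPTION_INFO_64 = 0x2C   # FairPlay encryption descriptor (64-bit)


@dataclass
class EncryptionInfo:
    cmd_offset: int    # file offset of the load command itself
    cryptoff: int      # file offset of the encrypted range
    cryptsize: int     # length of the encrypted range
    cryptid: int       # 0 = not encrypted, 1 = FairPlay-encrypted


def _header(data: bytes):
    """Return (header_size, ncmds, flags) for a thin little-endian Mach-O."""
    magic, _cpu, _sub, _ftype, ncmds, _sizeofcmds, flags = struct.unpack_from("<IiiIIII", data, 0)
    if magic == MH_MAGIC_64:
        return 32, ncmds, flags
    if magic == MH_MAGIC:
        return 28, ncmds, flags
    raise ValueError("not a thin little-endian Mach-O (fat binaries are not handled here)")


def find_encryption_info(data: bytes) -> Optional[EncryptionInfo]:
    """Walk the load commands and return the LC_ENCRYPTION_INFO(_64) entry, if any."""
    offset, ncmds, _ = _header(data)
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, offset)
        if cmdsize < 8:
            raise ValueError("malformed load command")
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            cryptoff, cryptsize, cryptid = struct.unpack_from("<III", data, offset + 8)
            return EncryptionInfo(offset, cryptoff, cryptsize, cryptid)
        offset += cmdsize
    return None


def is_encrypted(data: bytes) -> bool:
    info = find_encryption_info(data)
    return info is not None and info.cryptid != 0


def has_pie(data: bytes) -> bool:
    return bool(_header(data)[2] & MH_PIE)


def clear_pie(data: bytes) -> bytes:
    """Clear MH_PIE in the header flags (what change_macho_flags.py --no-pie does),
    so the image loads at a fixed address and dump offsets line up with the file."""
    buf = bytearray(data)
    flags = struct.unpack_from("<I", buf, 24)[0]
    struct.pack_into("<I", buf, 24, flags & ~MH_PIE)
    return bytes(buf)


def apply_decrypted_dump(data: bytes, dump: bytes, dump_base: int) -> bytes:
    """Overwrite the encrypted range with bytes from a memory dump and set cryptid
    to 0 (the dd + MachOView steps). dump_base (assumed parameter) is the file
    offset that dump[0] corresponds to; 0 when the dump starts at the image base."""
    info = find_encryption_info(data)
    if info is None or info.cryptid == 0:
        raise ValueError("binary carries no encrypted range")
    start = info.cryptoff - dump_base
    end = start + info.cryptsize
    if start < 0 or end > len(dump):
        raise ValueError("dump does not cover the encrypted range")
    if info.cryptoff + info.cryptsize > len(data):
        raise ValueError("encrypted range lies outside the file")
    buf = bytearray(data)
    buf[info.cryptoff:info.cryptoff + info.cryptsize] = dump[start:end]
    struct.pack_into("<I", buf, info.cmd_offset + 16, 0)   # cryptid = 0
    return bytes(buf)


def build_sample():
    """Constructed toy arm64 Mach-O (not a real app): one LC_ENCRYPTION_INFO_64 that
    marks 16 bytes at file offset 64 as encrypted, plus the plaintext a dump would give."""
    cryptoff, cryptsize = 64, 16
    cmd = struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, cryptoff, cryptsize, 1, 0)
    header = struct.pack("<IiiIIIII", MH_MAGIC_64, 0x0100000C, 0, 2, 1, len(cmd), MH_PIE, 0)
    binary = header + cmd
    binary += b"\x00" * (cryptoff - len(binary))
    binary += bytes(range(0xA0, 0xA0 + cryptsize))   # stands in for the FairPlay ciphertext
    binary += b"TAIL"                                  # bytes after the range must survive untouched
    plaintext = b"\x00\x01\x02\x03" * 4
    return binary, plaintext


if __name__ == "__main__":
    binary, plaintext = build_sample()
    print("before:", find_encryption_info(binary), "pie:", has_pie(binary))
    fixed = apply_decrypted_dump(clear_pie(binary), plaintext, dump_base=64)
    print("after: ", find_encryption_info(fixed), "pie:", has_pie(fixed))
```

On a real binary `find_encryption_info(open("Original_App", "rb").read())` gives the same three numbers as step 2's `otool -l` output; fat (universal) binaries have to be thinned first, which this parser deliberately refuses rather than misreading.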

Automated Decryption Tools

frida-ios-dump

# List installed apps
python dump.py -l

# Dump specific app
python3 dump.py -u "root" -p "<PASSWORD>" <BUNDLE_ID>

Configuration:

  • Connect via localhost:2222 (iproxy) or direct IP:port
  • Requires jailbroken device with frida-server

frida-ipa-extract

# Setup
python3 -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt

# USB mode
python extract.py -U -f com.example.app -o MyApp.ipa

# SSH mode
python extract.py -H 192.168.100.32 -P 2222 -u root -p password -f com.example.app

# With sandbox dump
python extract.py -U -f com.example.app -o MyApp.ipa --sandbox --no-resume

Flags:

  • -f <bundle>: Spawn/attach to bundle ID
  • -o: Output filename
  • -U: USB mode
  • -H/-P/-u/-p: SSH tunnel parameters
  • --sandbox: Dump sandbox
  • --no-resume: Keep app suspended

flexdecrypt/flexdump

# Install on device
apt install zip unzip
wget https://gist.githubusercontent.com/defparam/71d67ee738341559c35c684d659d40ac/raw/30c7612262f1faf7871ba8e32fbe29c0f3ef9e27/flexdump -P /usr/local/bin
chmod +x /usr/local/bin/flexdump

# List and dump apps
flexdump list
flexdump dump Twitter.app

bagbak

bagbak --raw Chrome

r2flutch

Radare2- and Frida-based decryption tool.

App Installation

Sideloading Methods

Cydia Impactor:

  • Sign and install IPA files on iOS
  • Also supports APK on Android

libimobiledevice:

# Install via ideviceinstaller
ideviceinstaller -i app.ipa

ipainstaller:

  • Command-line installation tool

ios-deploy (macOS):

# Install and launch
ios-deploy --bundle app.ipa --launch

Xcode:

  1. Window → Devices and Simulators
  2. Add app to Installed Apps

Installing iPad Apps on iPhone

Modify Info.plist:

  1. Change UIDeviceFamily value to 1
  2. Re-sign the IPA (signature validation required)

Note: May fail if app requires iPad-exclusive capabilities.
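The Info.plist change from the two steps above, as an added Python example (not from this page or the upstream skill) using the standard-library plistlib. UIDeviceFamily is an array of integers, so "value 1" means `[1]`; the function keeps the plist's on-disk format, since IPAs usually carry the binary form, and returns the previous value so the change can be logged. The sample plist is constructed, not taken from a real app.

```python
import plistlib

UIDEVICEFAMILY_IPHONE = 1   # iPhone / iPod touch
UIDEVICEFAMILY_IPAD = 2     # iPad

# Constructed Info.plist for an iPad-only app (not from a real IPA), in both encodings.
_SAMPLE = {
    "CFBundleIdentifier": "com.example.ipadonly",
    "UIDeviceFamily": [UIDEVICEFAMILY_IPAD],
    "MinimumOSVersion": "15.0",
}
SAMPLE_INFO_PLIST = plistlib.dumps(_SAMPLE, fmt=plistlib.FMT_XML)
SAMPLE_INFO_PLIST_BINARY = plistlib.dumps(_SAMPLE, fmt=plistlib.FMT_BINARY)


def device_family(plist_bytes: bytes):
    """Return the UIDeviceFamily array (or None) from an XML or binary Info.plist."""
    return plistlib.loads(plist_bytes).get("UIDeviceFamily")


def bundle_id(plist_bytes: bytes):
    return plistlib.loads(plist_bytes).get("CFBundleIdentifier")


def set_device_family(plist_bytes: bytes, families=(UIDEVICEFAMILY_IPHONE,)):
    """Rewrite UIDeviceFamily and return (new_bytes, previous_value).

    The output keeps the input's encoding (binary plists start with b"bplist").
    The code signature covers Info.plist, so the IPA must be re-signed afterwards."""
    fmt = plistlib.FMT_BINARY if plist_bytes.startswith(b"bplist") else plistlib.FMT_XML
    info = plistlib.loads(plist_bytes)
    previous = info.get("UIDeviceFamily")
    info["UIDeviceFamily"] = list(families)
    return plistlib.dumps(info, fmt=fmt), previous


if __name__ == "__main__":
    new_plist, previous = set_device_family(SAMPLE_INFO_PLIST_BINARY)
    print("UIDeviceFamily:", previous, "->", device_family(new_plist))
```

Run it against the extracted `Payload/<App>.app/Info.plist`, write the returned bytes back in place, then re-sign; a device family of `[1]` on an app whose bundle still declares iPad-only requirements is exactly the case the note above warns about.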

Common Workflows

Full App Extraction Workflow

  1. Identify device UDID
  2. Establish SSH connection (via Wi-Fi or iproxy)
  3. List installed apps
  4. Extract app using preferred tool (frida-ios-dump, flexdump, etc.)
  5. Decrypt if necessary
  6. Transfer to host machine

Data Exfiltration Workflow

  1. Connect to device shell
  2. Locate app data directory
  3. Archive with tar
  4. Transfer via SCP or objection

Security Considerations

  • Always change default passwords after jailbreak
  • Use SSH over USB when Wi-Fi is unavailable
  • Be aware of iOS version restrictions on tools
  • Some tools require specific jailbreak levels
