Hacktricks-skills ios-pentesting-environment

Set up and configure iOS security testing environments including simulators, physical devices, and jailbroken devices. Use this skill whenever the user needs to prepare an iOS device for security testing, troubleshoot device pairing issues, understand jailbreak options, or work with iOS testing tooling. Trigger for any iOS pentest setup, device configuration, simulator management, or jailbreak-related tasks.

install

source · Clone the upstream repo

git clone https://github.com/abelrguezr/hacktricks-skills

manifest: skills/mobile-pentesting/ios-pentesting/ios-testing-environment/SKILL.MD

source content

iOS Pentesting Environment Setup

This skill helps you configure iOS devices and environments for security testing. Follow the appropriate section based on your testing needs.

Quick Start

For simulator testing: Use the simulator setup section
For physical device testing: Use the physical device setup section
For jailbroken device testing: Use the jailbreak setup section

Apple Developer Program

Free Development Profile (Xcode 7.2+)

You can create a free iOS development provisioning profile to test on a real iPhone:

Open Xcode → Preferences → Accounts
Click + to add your Apple ID
Select your Apple ID → Manage Certificates
Click + → Apple Development → Done

Trust the Computer

Before running apps on your iPhone:

Connect your iPhone to the computer
On iPhone: Settings → General → Profiles and Device Management
Select the untrusted profile → Click Trust

iOS 16+ Developer Mode

On iOS 16+, Developer Mode must be enabled for locally installed development-signed apps:

Pair the device with Xcode
Trigger an install from Xcode
Go to Settings → Privacy & Security → Developer Mode
Enable Developer Mode
Reboot the device
Confirm the prompt after unlock

Note: Apps signed by the same certificate can share resources like keychain items.

Modern Host-Side Tooling

Device Enumeration

# List booted simulators
xcrun simctl list | grep Booted

# List all visible devices and simulators
xcrun xctrace list devices

# List paired physical devices (Xcode 15+)
xcrun devicectl list devices

Device Control (Xcode 15+)

# Install an app on a physical device
xcrun devicectl device install app --device <udid> <path_to_app_or_ipa>

# Launch an app (terminating existing instance)
xcrun devicectl device launch app --terminate-existing --device <udid> <bundle_id>

Important: Keep Xcode updated when testing iOS 17+ devices. Apple moved developer services to the CoreDevice stack, and outdated tooling frequently fails with pairing or app-launch errors.

Simulator Setup

Understanding Simulators

A simulator is not an emulator. It simulates device behavior but doesn't use actual hardware functions. This means:

✅ Good for: filesystem artifacts, NSUserDefaults, plist parsing, custom URL schemes, basic runtime instrumentation
❌ Limited for: Secure Enclave, baseband, keychain access-control behaviors, biometric flows, jailbreak-specific conditions

Finding Simulator Files

Simulator location:

/Users/<username>/Library/Developer/CoreSimulator/Devices

Find booted simulator UID:

xcrun simctl list | grep Booted
# Example: iPhone 8 (BF5DA4F8-6BBE-4EA0-BA16-7E3AFD16C06C) (Booted)

App data location:

/Users/<username>/Library/Developer/CoreSimulator/Devices/{UID}/data/Containers/Data/Application

App package location:

/Users/<username>/Library/Developer/Xcode/DerivedData/{Application}/Build/Products/Debug-iphonesimulator/

Opening Simulator

Open Xcode
Xcode tab → Open Developer Tools → Simulator
Select device from the dropdown (e.g., "iPod touch [...]")

Physical Device Testing

Requirements

Apple Developer Program: $99/year for provisioning identity to sign apps
Alternative: Use a jailbroken device (see below)

Provisioning Profile Location

On the device, provisioning profiles are stored at:

/Library/MobileDevice/ProvisioningProfiles

Jailbreaking

What is Jailbreaking?

Jailbreaking circumvents Apple's code signing restrictions, allowing unsigned code to run. Unlike Android rooting:

Android rooting: May involve installing
```
su
```
binary or custom ROMs (sometimes without exploits if bootloader is unlocked)
iOS jailbreaking: Requires bypassing Apple's code signing; cannot flash custom ROMs due to bootloader restrictions

Jailbreak Types

Type	Description
Tethered	Requires computer connection for each reboot
Semi-tethered	Can boot into non-jailbroken mode without computer
Semi-untethered	Manual re-jailbreaking needed, no computer required
Untethered	Permanent, no re-application needed

Current Jailbreak Tools

Tool	Target Devices	iOS Version
Checkra1n	A7-A11 chips	iOS 12-14
Palera1n	A8-A11 (checkm8-compatible)	iOS/iPadOS 15+
Dopamine	arm64/arm64e devices	iOS 15/16 (rootless)
Unc0ver	Various	Up to iOS 14.8

Resources:

Rootless Jailbreaks (iOS 15+)

Modern jailbreaks are commonly rootless instead of rootful:

Rootless: Avoids modifying the sealed system volume directly
File location: Jailbreak files stored under
```
/private/preboot/...
```
with stable symlink at /var/jb
Impact: Tweaks, launch daemons, and helper binaries exist under
```
/var/jb
```
instead of legacy root locations

Testing implications:

Check both legacy paths and
```
/var/jb
```
for tooling installation
Modern jailbreak detection checks for rootless artifacts and symlinks
Scripts assuming rootful filesystem may fail silently

Jailbreak Detection

Apps may detect jailbreaking through:

File/folder presence: Search for jailbreak-specific files
Rootless artifacts: Check
```
/var/jb
```
and symlinks to
```
/private/preboot/...
```
API behavior: Some API calls behave differently on jailbroken devices
OpenSSH service: Presence indicates jailbreak
Shell return value: Calling
```
/bin/sh
```
returns 1 instead of 0

Jailbreak Detection Bypass

Objection: Use
```
ios jailbreak disable
```
command
Liberty Lite: Install from https://ryleyangus.com/repo/ (appears in Search tab after adding repo)

Testing Without Jailbreak

For non-jailbroken device testing, refer to iOS pentesting without jailbreak techniques. This is increasingly common as modern iOS versions make jailbreaking difficult.

Important Considerations

iOS Updates

Downgrading: Only possible during limited signing windows after release
Signing windows: Check IPSW Downloads for current status
Recommendation: Don't update testing devices unless re-jailbreaking is guaranteed

Security Risks

Jailbreaking removes OS-imposed sandboxing, allowing:

✅ Full filesystem access
✅ Installation of unapproved apps
✅ Access to more APIs
⚠️ Potential security risks
⚠️ Device instability

Troubleshooting

Device Not Pairing (iOS 17+)

Update Xcode to latest version
Check Developer Mode is enabled (Settings → Privacy & Security)
Verify device is trusted on computer
Reboot device after enabling Developer Mode

App Won't Launch

Verify provisioning profile is valid
Check Developer Mode is enabled (iOS 16+)
Ensure device is trusted
For jailbroken devices: check jailbreak detection bypass is active

Simulator Issues

Verify Xcode is downloaded from official App Store
Check simulator is booted:
```
xcrun simctl list | grep Booted
```

Clear derived data:

rm -rf ~/Library/Developer/Xcode/DerivedData/*