Hacktricks-skills ios-pentesting-without-jailbreak

iOS application security testing without requiring a jailbroken device. Use this skill whenever the user needs to pentest iOS apps, analyze mobile applications, perform dynamic instrumentation on iOS, or investigate iOS app security. This includes tasks like obtaining decrypted IPAs, patching entitlements to add get-task-allow, enabling Developer Mode, running Frida/objection hooks, or using MobSF for automated analysis. Trigger this skill for any iOS security assessment, mobile app penetration testing, or iOS reverse engineering work.

Install: clone the upstream repo
git clone https://github.com/abelrguezr/hacktricks-skills
Manifest: skills/mobile-pentesting/ios-pentesting/ios-pentesting-without-jailbreak/SKILL.MD

Source content

iOS Pentesting Without Jailbreak

This skill guides you through modern iOS application security testing without a jailbroken device. The core technique is re-signing the target app with the get-task-allow entitlement, which is what lets dynamic instrumentation tools such as Frida and Objection attach to it.

Core Concept

An app signed with the get-task-allow entitlement (spelled with hyphens in the entitlements plist) lets another process on the device obtain its task port through task_for_pid(), which is exactly what a debugger or Frida needs to read and write its memory and take control of its threads. Adding the entitlement means re-signing, and that is where FairPlay gets in the way: the main binary of an App Store app is FairPlay-encrypted and is only decrypted at load time for the store-installed copy under Apple's signature, so a re-signed but still-encrypted binary is killed at launch. You therefore need a decrypted IPA before you can patch and re-sign anything.

Workflow Overview

  1. Obtain a decrypted IPA (via Apple Configurator plus decryption on a jailbroken device)
  2. Patch entitlements to add get-task-allow
  3. Re-sign with a development certificate
  4. Enable Developer Mode on the device (iOS 16+)
  5. Install the re-signed IPA
  6. Hook and analyze with Frida, Objection, or MobSF

Step 1: Obtain Decrypted IPA

Option A: Pull the App Store IPA with Apple Configurator

This method works on any iOS device without jailbreak, but be clear about what it gives you: the package Apple serves to the device, whose main binary is still FairPlay-encrypted. It is the right input for the decryption step in Option B (or any on-device dumping tool), not something you can re-sign directly.

  1. Install the target app on the iPhone
  2. On macOS, install and launch Apple Configurator
  3. Open Terminal and navigate to:
    cd "$HOME/Library/Group Containers/K36BKF7T3D.group.com.apple.configurator/Library/Caches/Assets/TemporaryItems/MobileApps"

  4. In Configurator, select your device → Add + → Apps
  5. Configurator downloads the IPA from Apple and attempts to push it to the device
  6. The IPA appears in the directory from step 3; copy it elsewhere right away, because Configurator cleans this cache up once the push finishes

Option B: Decrypt on a Jailbroken Device

If you have an old jailbroken device:

  1. Install the target app on the jailbroken device
  2. Use Iridium or frida-ios-dump to dump the decrypted binary out of the running process and repackage it as an IPA
  3. Pull the decrypted IPA off the device

Note: If the device's iOS version is older than the app supports, lower the minimum version in Info.plist. The key for iOS bundles is MinimumOSVersion (LSMinimumSystemVersion is the macOS key), and the binary will still crash if it actually calls APIs that do not exist on the older release:

unzip target.ipa -d unzipped/
# Lower the minimum iOS version in place (adjust the bundle name and version)
plutil -replace MinimumOSVersion -string "14.0" unzipped/Payload/AppName.app/Info.plist
# Re-zip with Payload/ at the top level, as an IPA requires
(cd unzipped && zip -qr ../target-patched.ipa Payload)
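Whichever route produced the IPA, check that the main binary is actually decrypted before spending time on re-signing. The Python below is an added example, not code from the HackTricks skill: it walks the Mach-O load commands the same way `otool -l Payload/AppName.app/AppName | grep -A4 LC_ENCRYPTION_INFO` exposes them and reports the cryptid per architecture slice (1 = still FairPlay-encrypted, 0 = decrypted, none = no encryption command, as in a development build). The sample Mach-O bytes are constructed inline so the script runs offline; point it at a real binary to check a dump from Option B or a package from Option A.

```python
import struct

MH_MAGIC_64 = 0xFEEDFACF           # 64-bit little-endian Mach-O (arm64 slice)
FAT_MAGIC = 0xCAFEBABE             # universal binary container, big-endian header
LC_ENCRYPTION_INFO = 0x21
LC_ENCRYPTION_INFO_64 = 0x2C
CPU_TYPE_ARM64 = 0x0100000C
MH_EXECUTE = 2


def cryptid_of_slice(buf):
    """Walk one arm64 Mach-O's load commands and return the cryptid field of
    LC_ENCRYPTION_INFO(_64): 1 = FairPlay-encrypted, 0 = decrypted,
    None = no encryption command at all (e.g. a development build)."""
    (magic,) = struct.unpack_from("<I", buf, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("unsupported Mach-O magic 0x%08x" % magic)
    ncmds, sizeofcmds = struct.unpack_from("<II", buf, 16)
    off, end = 32, 32 + sizeofcmds          # load commands follow the 32-byte header
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("truncated load commands")
        cmd, cmdsize = struct.unpack_from("<II", buf, off)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            _cryptoff, _cryptsize, cryptid = struct.unpack_from("<III", buf, off + 8)
            return cryptid
        off += cmdsize
    return None


def cryptids(buf):
    """cryptid of every architecture slice; a fat binary yields one entry per slice."""
    if struct.unpack_from(">I", buf, 0)[0] == FAT_MAGIC:
        (nfat,) = struct.unpack_from(">I", buf, 4)
        out = []
        for i in range(nfat):
            _cpu, _sub, offset, size, _align = struct.unpack_from(">IIIII", buf, 8 + 20 * i)
            out.append(cryptid_of_slice(buf[offset:offset + size]))
        return out
    return [cryptid_of_slice(buf)]


def is_fairplay_encrypted(buf):
    """True if any slice still carries cryptid == 1, i.e. re-signing it is pointless."""
    return any(c == 1 for c in cryptids(buf))


# ---- constructed samples (not real app binaries) ----------------------------
def build_sample_macho(cryptid, with_encryption_info=True):
    """A bare arm64 mach_header_64 followed by at most one LC_ENCRYPTION_INFO_64."""
    cmds = b""
    if with_encryption_info:
        cmds = struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x8000, cryptid, 0)
    header = struct.pack("<IIIIIIII", MH_MAGIC_64, CPU_TYPE_ARM64, 0, MH_EXECUTE,
                         1 if with_encryption_info else 0, len(cmds), 0, 0)
    return header + cmds


def build_sample_fat(slices):
    """Wrap thin slices in a fat header (real files page-align slices; the parser
    does not care)."""
    nfat = len(slices)
    header = struct.pack(">II", FAT_MAGIC, nfat)
    archs, body, offset = b"", b"", 8 + 20 * nfat
    for s in slices:
        archs += struct.pack(">IIIII", CPU_TYPE_ARM64, 0, offset, len(s), 0)
        body += s
        offset += len(s)
    return header + archs + body


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                       # e.g. Payload/AppName.app/AppName
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = build_sample_macho(1)            # the constructed "still encrypted" case
    print("cryptid per slice:", cryptids(data))
    print("FairPlay-encrypted:", is_fairplay_encrypted(data))
```

If any slice reports cryptid 1 the package is the raw App Store build and has to go through Option B first; a dump tool that leaves cryptid at 1 has not actually dumped the decrypted image.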

Step 2: Patch Entitlements & Re-sign

Using app-signer (Recommended)

app-signer provides a user-friendly interface for re-signing:

  1. Download and install app-signer from GitHub
  2. Load your decrypted IPA
  3. Enable the get-task-allow entitlement
  4. Select your development certificate and provisioning profile
  5. Export the re-signed IPA

Using iReSign (Alternative)

iReSign (https://github.com/maciekish/iReSign) is a macOS GUI rather than a command-line tool: point it at the decrypted IPA, the development provisioning profile, an entitlements plist that contains get-task-allow (the same file the codesign section below creates) and your signing identity, then let it write the re-signed IPA.

Using codesign (Manual)

# Extract the app
unzip target.ipa -d target/
cd target/Payload/

# Entitlements file: get-task-allow plus the identifiers the profile grants.
# TEAMID and the bundle ID must match the development profile embedded below.
cat > ../entitlements.plist << 'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>application-identifier</key>
    <string>TEAMID.com.example.target</string>
    <key>com.apple.developer.team-identifier</key>
    <string>TEAMID</string>
    <key>get-task-allow</key>
    <true/>
</dict>
</plist>
EOF

# Embed the development profile, drop the old signature, sign nested code first
cp ~/Library/MobileDevice/Provisioning\ Profiles/YourProfile.mobileprovision AppName.app/embedded.mobileprovision
rm -rf AppName.app/_CodeSignature
find AppName.app/Frameworks -maxdepth 1 \( -name '*.dylib' -o -name '*.framework' \) \
    -exec codesign --force --sign "Apple Development: Your Name (TEAMID)" {} \;

# Sign the main bundle (identity name as listed by: security find-identity -v -p codesigning)
codesign --force --sign "Apple Development: Your Name (TEAMID)" \
    --entitlements ../entitlements.plist --generate-entitlement-der AppName.app

# Re-package: an IPA must contain Payload/ at its top level
cd .. && zip -qr ../resigned.ipa Payload
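Whichever of the three signing routes you take, the entitlements you hand to the signer matter more than the tool. The Python below is an added example, not code from the HackTricks skill or from app-signer/iReSign: it derives a re-signing entitlements plist from the app's original entitlements (as printed by `codesign -d --entitlements - --xml Payload/AppName.app`) and the Entitlements dictionary of your development profile (`security cms -D -i dev.mobileprovision | plutil -extract Entitlements xml1 -o - -`). It forces get-task-allow on, rewrites team-scoped identifiers to your team, and drops entitlements the profile cannot grant, which is the usual reason a re-signed app installs but is killed at launch. Both sample plists, the team IDs ABCDE12345 / PENTEST999 and the bundle ID com.example.target are constructed for the example.

```python
import plistlib

# Constructed sample: what `codesign -d --entitlements - --xml Payload/Target.app`
# prints for the decrypted App Store build (original developer's team ABCDE12345).
APP_ENTITLEMENTS = plistlib.dumps({
    "application-identifier": "ABCDE12345.com.example.target",
    "com.apple.developer.team-identifier": "ABCDE12345",
    "keychain-access-groups": ["ABCDE12345.com.example.target",
                               "ABCDE12345.com.example.shared"],
    "aps-environment": "production",
    "com.apple.security.application-groups": ["group.com.example.target"],
})

# Constructed sample: the Entitlements dict of the pentester's development profile
# (`security cms -D -i dev.mobileprovision | plutil -extract Entitlements xml1 -o - -`).
PROFILE_ENTITLEMENTS = plistlib.dumps({
    "application-identifier": "PENTEST999.*",
    "com.apple.developer.team-identifier": "PENTEST999",
    "get-task-allow": True,
    "keychain-access-groups": ["PENTEST999.*"],
})


def build_entitlements(app_plist, profile_plist):
    """Derive the entitlements to pass to `codesign --entitlements` when re-signing.

    Rules applied:
      * get-task-allow is forced on (this is what lets Frida/objection attach)
      * team-scoped identifiers are rewritten to the signing team, because the
        original team prefix is not something the new profile can vouch for
      * keys the profile does not grant are dropped; the loader refuses an app
        whose entitlements are not a subset of its provisioning profile
    Returns (entitlements, dropped_keys, required_bundle_id).
    """
    app = plistlib.loads(app_plist)
    prof = plistlib.loads(profile_plist)

    old_team, bundle_id = app["application-identifier"].split(".", 1)
    new_team = prof["com.apple.developer.team-identifier"]
    prof_app_id = prof["application-identifier"]
    if prof_app_id.endswith(".*"):            # wildcard profile: any bundle id of this team
        new_app_id = "%s.%s" % (new_team, bundle_id)
    else:                                     # explicit App ID: bundle id must match it
        new_app_id = prof_app_id
    required_bundle_id = new_app_id.split(".", 1)[1]

    out, dropped = {}, []
    for key, value in app.items():
        if key not in prof:
            dropped.append(key)
            continue
        if key == "keychain-access-groups":
            value = ["%s.%s" % (new_team, g.split(".", 1)[1]) if g.startswith(old_team + ".") else g
                     for g in value]
        out[key] = value

    out["application-identifier"] = new_app_id
    out["com.apple.developer.team-identifier"] = new_team
    out["get-task-allow"] = True
    return out, sorted(dropped), required_bundle_id


def write_entitlements(path, app_plist, profile_plist):
    """Write the plist for codesign and return the dropped keys so they get reviewed."""
    ent, dropped, _ = build_entitlements(app_plist, profile_plist)
    with open(path, "wb") as fh:
        fh.write(plistlib.dumps(ent))
    return dropped


if __name__ == "__main__":
    ent, dropped, bid = build_entitlements(APP_ENTITLEMENTS, PROFILE_ENTITLEMENTS)
    print(plistlib.dumps(ent).decode())
    print("dropped:", dropped, "| CFBundleIdentifier must be:", bid)
```

Write the result to entitlements.plist and pass it to codesign --entitlements. If the returned required_bundle_id differs from CFBundleIdentifier in Info.plist (explicit App ID in the profile), change the bundle ID with plutil -replace CFBundleIdentifier before signing, and review the dropped keys: losing aps-environment only costs you push notifications, but a dropped keychain or app-group entitlement changes what the app can read at runtime.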

Getting Development Certificates

A free Apple ID is enough: Xcode issues a development certificate and a development provisioning profile for it, and development profiles always carry get-task-allow (which is why Xcode-built apps are debuggable):

  1. Open Xcode → Settings (Preferences on older versions) → Accounts
  2. Add your Apple ID and, under Manage Certificates, create an Apple Development certificate
  3. Create a throwaway Xcode project whose bundle identifier matches the target app and let Xcode generate the development profile for it (free accounts get an explicit App ID per bundle identifier, so the ID has to match exactly)
  4. Use that certificate and profile in the re-signing step; list the identity name with: security find-identity -v -p codesigning

Important: Configure the iPhone to trust apps from that developer account:

  • Navigate to Settings → General → VPN & Device Management (Profiles & Device Management on older iOS)
  • Select the developer app entry and tap Trust

Step 3: Enable Developer Mode (iOS 16+)

Since iOS 16, Apple requires Developer Mode for any binary with get-task-allow or signed with a development certificate. The toggle stays hidden until the device has seen such a binary:

  1. Install or push any developer-signed IPA to the phone (the install itself may be refused until the mode is on; the attempt is enough to make the menu appear)
  2. Navigate to Settings → Privacy & Security → Developer Mode
  3. Toggle Developer Mode ON
  4. The device will reboot
  5. After entering the passcode, confirm Turn On Developer Mode

Note: Developer Mode remains active until disabled or the phone is wiped. This step only needs to be performed once per device. Recent libimobiledevice builds ship idevicedevmodectl, which can show the state (idevicedevmodectl list) and trigger the enable flow from the host.


Step 4: Install the Re-signed IPA

Using ideviceinstaller

# Install via USB
ideviceinstaller -i resigned.ipa -w

Using AltStore / SideStore (Recommended for ongoing work)

For routine pentests, AltStore or SideStore are the most practical options:

  Tool                    Requirements                                         Strengths                                           Limitations
  AltStore 2 / SideStore  macOS/Windows/Linux companion (AltServer on the host)  Automatic refresh over Wi-Fi; works on current iOS  Computer on the same network; a free Apple ID allows 3 sideloaded apps and the signature expires every 7 days
  TrollStore 1 / 2        iOS 14.0 – 16.6.1 and 17.0 (two CoreTrust bugs; the install path depends on the version)  Permanent signing, no computer needed  Not available on iOS 16.7 (release) / 17.0.1 and later

Setup AltStore:

  1. Install AltServer on your computer
  2. Install AltStore on your iPhone via AirDrop or Safari
  3. Trust the developer certificate in Settings
  4. Drag and drop your re-signed IPA into AltStore
  5. AltStore re-signs the IPA with your Apple ID's development certificate and installs it; because development profiles always include get-task-allow, the installed app is debuggable even if you skipped the entitlement patch in Step 2 (a decrypted IPA is still required)

Step 5: Hook and Analyze

Using Objection

# Spawn the target app and attach (bundle ID, not process name)
objection -g "com.example.target" explore

# Useful commands in the objection console:
ios info binary                                   # PIE, ARC, canary and encryption flags
ios hooking list classes                          # enumerate Objective-C classes
ios hooking watch class <ClassName>
ios hooking watch method "-[<ClassName> <selector>]" --dump-args --dump-return
ios keychain dump
ios sslpinning disable
memory list modules

Using Frida

# Spawn the app and load a script; Frida 16+ resumes the process automatically
# (the old --no-pause flag is gone; add --pause to keep it suspended at entry)
frida -U -f com.example.target -l my_script.js

# Or attach to a running process by name
frida -U -n "App Name" -l my_script.js

Note: Recent Frida releases (>=16) attach over USB to get-task-allow apps on a stock device without any frida-server, and handle pointer authentication and iOS 17 mitigations transparently.

Using MobSF (Automated Analysis)

MobSF provides automated static analysis of the IPA behind a web UI. Its iOS dynamic analyzer targets Corellium virtual devices rather than a USB-attached phone, so for a physical device the Frida/objection workflow above is what you use:

# Run MobSF in Docker
docker pull opensecurity/mobile-security-framework-mobsf:latest
docker run -it --rm -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latest

# Browse to http://127.0.0.1:8000 and upload your decrypted (or re-signed) IPA

Against a Corellium device, MobSF will:

  • Automatically deploy the binary
  • Enable a Frida server inside the app sandbox
  • Generate an interactive report with filesystem browser and traffic capture

Important Caveats

Lockdown Mode (iOS 16+)

Lockdown Mode blocks the dynamic linker from loading unsigned or externally signed dynamic libraries:

  • Check Settings → Privacy & Security → Lockdown Mode
  • Disable Lockdown Mode before testing
  • If enabled, Frida/objection sessions will terminate immediately

Pointer Authentication (PAC)

  • Enforced system-wide on A12+ devices
  • Frida >=16 transparently handles PAC stripping
  • Keep both frida-server (jailbroken devices) and the Python/CLI toolchain up-to-date

AppSync Unified (Jailbreak Only)

If using a jailbroken device for decryption:

  • Install AppSync Unified from Cydia to prevent
    invalid signature
    errors
  • This allows installation of apps with modified signatures

Quick Reference Commands

# Check connected iOS devices
idevice_id -l

# List installed apps
ideviceinstaller -l

# Uninstall an app
ideviceinstaller -u "com.example.target"

# Install IPA
ideviceinstaller -i app.ipa -w

# Check whether Developer Mode is enabled (idevicedevmodectl ships with recent libimobiledevice)
idevicedevmodectl list

# List the apps Frida can see over USB; a get-task-allow app appears without any frida-server
frida-ps -Uai

# Jailbroken device only: run frida-server (neither needed nor possible on a stock device)
scp frida-server root@device:/var/root/
ssh root@device "chmod +x /var/root/frida-server && /var/root/frida-server &"

Troubleshooting

"Invalid Signature" Error

  • Ensure AppSync Unified is installed (jailbroken devices only)
  • Verify the provisioning profile's App ID matches the app's bundle ID and that every entitlement in the binary is one the profile grants
  • Check that the certificate hasn't expired (free-account profiles expire after 7 days)

App Won't Launch

  • Verify Developer Mode is enabled (iOS 16+)
  • Check that Lockdown Mode is disabled
  • Ensure the device trusts the developer certificate
  • Confirm the main binary is actually decrypted (cryptid 0 in LC_ENCRYPTION_INFO); a re-signed but still FairPlay-encrypted binary is killed at launch

Frida/Objection Connection Fails

  • Confirm get-task-allow is in the entitlements: codesign -d --entitlements - --xml Payload/AppName.app
  • Verify Developer Mode is on
  • Check that the app is actually running (frida-ps -Ua)
  • On a jailbroken device, ensure frida-server is running; on a stock device there is no frida-server and Frida attaches over USB to the debuggable app

"App Not Found" Error

  • Double-check the bundle identifier (use ideviceinstaller -l to list)
  • Ensure the app is installed on the connected device
