Jailbreaking • IPA Extraction • FileSystem Analysis • SSL Pinning Bypass • HTTP Interception • Frida • Objection • Crypto • API Testing

iOS applications power banking, fintech, travel, enterprise access, healthcare, and internal corporate apps. As more companies move to mobile-first ecosystems, iOS penetration testing has become a critical security skill.

This handbook is written for professional security testers, bug hunters, and red teamers — covering static analysis, dynamic analysis, reverse engineering, SSL pinning, Flutter/iOS VPN proxying, filesystem mapping, and more.

If you are familiar with Android pentesting, this is the iOS equivalent, but with the restrictions, protections, and complexities of Apple's ecosystem.

1. Jailbreak Setup (Real-Device Testing)

To perform complete iOS pentesting, a jailbroken device is essential. We'll use checkra1n (checkm8 exploit — works on iPhone 5s → iPhone X).

Steps to Jailbreak Your iOS Device

  1. Install checkra1n on macOS
  2. Connect device via USB
  3. Launch checkra1n
  4. If errors appear → enable: Options → Allow untrusted versions
  5. Enter DFU mode:
  • Hold Power + Volume Down
  • Release Power after 4 seconds
  • Continue holding Volume Down
  6. Device jailbreaking begins automatically
  7. Cydia is installed on success

Once jailbroken → install:

Essential Cydia Packages

  • OpenSSH
  • Frida
  • Filza (File manager)
  • Sileo or Zebra (optional package managers)

2. SSH Access (Root)

Default login:

ssh root@DEVICE_IP
# password:
root

Forgot root password?

Use Filza to modify:

File: /private/etc/master.passwd

Replace root hash with:

root:/smx7MYTQIi2M:0:0::0:0:System Administrator:/var/root:/bin/sh

This resets password → root.

3. Extracting & Decrypting IPA Files (App Store Apps Are Encrypted)

iOS App Store apps are encrypted with FairPlay DRM. You cannot reverse an App Store IPA directly — you must dump it from a jailbroken device.

Install Frida on macOS

pip3 install frida-tools

List apps on device

frida-ps -Uai

Use Frida-based IPA dumping script

Use the popular frida-ios-dump:

  1. Clone script
  2. Install Python deps
  3. Forward SSH port:
iproxy 2222 22

Or:

ssh root@DEVICE_IP -L 2222:localhost:22
  4. Dump app:
python3 dump.py "App Display Name"

If app isn't dumping → open the app manually while script runs.
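To confirm that a dump actually produced a decrypted binary before spending time on static analysis, the following added example (not part of the handbook or of frida-ios-dump) walks the Mach-O load commands and reads the cryptid field of LC_ENCRYPTION_INFO(_64); a non-zero cryptid means the code is still FairPlay-encrypted. The sample image it builds for testing is constructed, not a real app.

```python
"""Check whether a dumped iOS binary is still FairPlay-encrypted (added example)."""
import struct
import sys

MH_MAGIC, MH_MAGIC_64, FAT_MAGIC = 0xFEEDFACE, 0xFEEDFACF, 0xCAFEBABE
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C

def encryption_info(data):
    """Return (cryptid, cryptoff, cryptsize) from LC_ENCRYPTION_INFO(_64), or None.

    cryptid != 0 means the code is still encrypted and the dump did not work.
    Thin little-endian images only; fat files must be split first (lipo -thin arm64).
    """
    (magic,) = struct.unpack("<I", data[:4])
    if magic == MH_MAGIC_64:
        offset = 32                       # sizeof(mach_header_64)
    elif magic == MH_MAGIC:
        offset = 28                       # sizeof(mach_header)
    elif struct.unpack(">I", data[:4])[0] == FAT_MAGIC:
        raise ValueError("fat binary: extract one architecture slice first")
    else:
        raise ValueError("not a little-endian Mach-O image")
    (ncmds,) = struct.unpack("<I", data[16:20])   # ncmds sits at the same offset in both headers
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack("<II", data[offset:offset + 8])
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            cryptoff, cryptsize, cryptid = struct.unpack("<III", data[offset + 8:offset + 20])
            return cryptid, cryptoff, cryptsize
        offset += cmdsize
    return None

def is_encrypted(data):
    """True when an encryption load command is present with a non-zero cryptid."""
    info = encryption_info(data)
    return info is not None and info[0] != 0

def build_sample(cryptid):
    """Constructed minimal arm64 Mach-O with one LC_ENCRYPTION_INFO_64 (test data only)."""
    cmd = struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x8000, cryptid, 0)
    header = struct.pack("<IiiIIIII", MH_MAGIC_64, 0x0100000C, 0, 2, 1, len(cmd), 0, 0)
    return header + cmd

if __name__ == "__main__":
    # Usage: python3 check_cryptid.py Payload/Appname.app/Appname
    with open(sys.argv[1], "rb") as f:
        print("encrypted" if is_encrypted(f.read()) else "decrypted")
```

The same cryptid value is what Objection's `ios info binary` reports as the encryption flag, so this is a quick offline cross-check.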

4. DeepLink Enumeration

DeepLinks are commonly abused in iOS apps (SSO bypass, restricted page access, parameter tampering).

Check Info.plist for:

  • CFBundleURLTypes
  • CFBundleURLSchemes
  • CFBundleURLName

Example execution on a simulator:

xcrun simctl openurl booted "deeplink://videos/new"
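An automated version of the Info.plist check above, added here as an example (not code from the handbook): it reads CFBundleURLTypes with the standard library's plistlib, lists every CFBundleURLName/CFBundleURLSchemes pair, flags scheme names that collide with generic system schemes (Apple documents that when several apps register the same scheme there is no defined rule for which one receives the URL), and builds the URLs to pass to `xcrun simctl openurl`. The embedded Info.plist is constructed sample data.

```python
"""Enumerate custom URL schemes (deep links) from an iOS Info.plist (added example)."""
import plistlib

# Constructed sample Info.plist; not taken from a real app.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.demo</string>
  <key>CFBundleURLTypes</key>
  <array>
    <dict>
      <key>CFBundleURLName</key><string>com.example.demo.videos</string>
      <key>CFBundleURLSchemes</key>
      <array><string>deeplink</string><string>DemoApp</string></array>
    </dict>
    <dict>
      <key>CFBundleURLSchemes</key><array><string>https</string></array>
    </dict>
  </array>
</dict></plist>
"""

# Scheme names the system or other apps commonly claim; a custom app should not register them.
GENERIC_SCHEMES = {"http", "https", "ftp", "file", "tel", "mailto", "sms", "facetime"}

def enumerate_url_schemes(plist_bytes):
    """Return [(CFBundleURLName or '<unnamed>', [schemes])] from CFBundleURLTypes.

    plistlib.loads() accepts XML and binary plists alike, so the Info.plist from
    Payload/Appname.app/ can be fed in without converting it first.
    """
    info = plistlib.loads(plist_bytes)
    result = []
    for url_type in info.get("CFBundleURLTypes", []):
        name = url_type.get("CFBundleURLName", "<unnamed>")
        # URL schemes are case-insensitive, so normalise before comparing
        schemes = [s.lower() for s in url_type.get("CFBundleURLSchemes", [])]
        result.append((name, schemes))
    return result

def review_schemes(plist_bytes):
    """Flag generic scheme names, which another app can register as well."""
    findings = []
    for name, schemes in enumerate_url_schemes(plist_bytes):
        for scheme in schemes:
            if scheme in GENERIC_SCHEMES:
                findings.append(f"{name}: scheme '{scheme}' is a generic name open to collision")
    return findings

def build_test_urls(plist_bytes, path="videos/new"):
    """URLs to hand to `xcrun simctl openurl booted <url>`, one per registered scheme."""
    return [f"{scheme}://{path}"
            for _, schemes in enumerate_url_schemes(plist_bytes) for scheme in schemes]
```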

5. Decompiling the IPA File

Once the decrypted IPA is obtained:

Unzip the IPA

unzip Appname.ipa

This generates:

Payload/Appname.app/

Inside:

  • Info.plist → Metadata
  • Frameworks/ → Native libraries
  • PlugIns/ → Extensions
  • Assets.car → Images, icons
  • Appname (Mach-O) → The binary executable

Extract assets from Assets.car:

acextract -i Assets.car -l   # list files
mkdir AssetsOutput
acextract -i Assets.car -o AssetsOutput

6. Hardcoded Secrets & Endpoints (Static Analysis)

Navigate to:

cd Payload/Appname.app/

Hardcoded Emails (binary-wide)

strings Appname | grep -E "[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}"

Hardcoded AWS Keys

gf aws-keys

Hardcoded IPs

gf ip

Base64 data

gf base64

URL endpoints

gf urls

Google API Keys

strings Appname | grep -i "AIza"

Info.plist

Check for:

  • API endpoints
  • Flags
  • Feature toggles
  • Authentication modes

settings.json (if present)

Search for secrets.
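The `strings | grep` and `gf` checks above, combined into one script as an added example (not from the handbook and not the gf tool): it extracts printable strings the way `strings` does and applies the email, Google API key (AIza prefix), AWS access key ID, URL and IPv4 patterns to them. The embedded "binary" is constructed test data; AKIAIOSFODNN7EXAMPLE is AWS's own documented placeholder key ID, not a live credential.

```python
"""Extract printable strings from an app binary and grep them for secrets (added example)."""
import re
import sys

# Constructed sample "binary": a Mach-O 64-bit magic followed by strings amid junk bytes.
SAMPLE_BINARY = (
    b"\xcf\xfa\xed\xfe\x0c\x00\x00\x01"
    + b"support@example.com\x00\x13\x37"
    + b"https://api.example.com/v1/login\x00"
    + b"AIza" + b"X" * 35 + b"\x00"
    + b"AKIAIOSFODNN7EXAMPLE\x00"       # AWS's documented placeholder access key ID
    + b"10.0.0.5\x00\x7f\x80\x81"
)

PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}"),
    "google_api_key": re.compile(r"AIza[0-9A-Za-z_-]{35}"),
    "aws_access_key_id": re.compile(r"(?<![A-Z0-9])AKIA[0-9A-Z]{16}(?![A-Z0-9])"),
    "url": re.compile(r"https?://[^\s\"'<>]+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}

def extract_strings(blob, min_len=6):
    """Same idea as `strings`: runs of printable ASCII at least min_len bytes long."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]

def scan_binary(blob):
    """Map each category to the sorted, de-duplicated matches found in the binary."""
    findings = {}
    for s in extract_strings(blob):
        for category, pattern in PATTERNS.items():
            for match in pattern.findall(s):
                findings.setdefault(category, set()).add(match)
    return {category: sorted(values) for category, values in findings.items()}

if __name__ == "__main__":
    # Usage: python3 scan_secrets.py Payload/Appname.app/Appname
    with open(sys.argv[1], "rb") as f:
        for category, values in scan_binary(f.read()).items():
            print(category, values)
```

Every hit still needs manual triage: test endpoints and support addresses are expected, but a key that validates against the provider's API is a finding.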

7. Objection for Live Analysis

Find package:

frida-ps -Uai | grep appname

Start Objection:

objection -g package.name explore

Useful Objection Commands

Binary info

ios info binary

Shows PIE, ARC, encryption flags.

Keychain Dump

ios keychain dump
ios keychain dump_raw

URLCredentialStorage

ios nsurlcredentialstorage dump

NSUserDefaults

ios nsuserdefaults get

Cookies

ios cookies get

Upload/Download files

file download <remote> <local>
file upload <local> <remote>

8. iOS FileSystem Mapping (Bundle & Data Directories)

An iOS app has two primary storage locations:

A. Bundle Directory

Read-only (unless jailbroken). Contains:

  • Binary
  • Plists
  • Resources
  • Frameworks

Find via Objection:

env

Example:

/var/containers/Bundle/Application/UUID/Appname.app

SSH into it and inspect.

B. Data Directory

Writable → user data + cached files. Contains:

  • Caches
  • Documents
  • Library
  • Preferences

Example path:

/var/mobile/Containers/Data/Application/<UUID>/

Caches

cd Library/Caches

Look for:

  • Temp JSON
  • Images
  • Sensitive API responses

Documents

User-generated content. If insecure → data can leak without jailbreaking.

cd Documents

Library

Houses:

  • Preferences
  • Internal configs
  • plist configurations

Highly sensitive location.

9. Logging Analysis (NSLog Issues)

iOS developers often leave debug logs:

Use libimobiledevice:

brew install libimobiledevice
idevicesyslog --process AppName

Or attach a Frida script to capture Objective-C logs.
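What to look for in the captured log is not stated above, so here is an added example (not code from the handbook or from libimobiledevice) that scans syslog output for the leaks that matter in a report: JWTs, bearer tokens, password/CVV style key-value pairs and card numbers (confirmed with a Luhn check so order IDs are not flagged), filtered to one process like `idevicesyslog --process`, and redacted so the report does not re-leak the values. The sample lines are constructed in the shape idevicesyslog prints, not captured from a real device.

```python
"""Flag secrets an app leaks into the device syslog, with a process filter (added example)."""
import re

# Constructed sample lines in the shape idevicesyslog prints; not captured from a real device.
SAMPLE_SYSLOG = """\
Nov 12 10:15:22 iPhone DemoApp(Foundation)[512] <Notice>: login ok {"token":"eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjMifQ.abc"}
Nov 12 10:15:23 iPhone DemoApp(Foundation)[512] <Notice>: POST /v1/pay card=4111111111111111 cvv=123
Nov 12 10:15:23 iPhone DemoApp(Foundation)[512] <Notice>: order id 1234567890123456 queued
Nov 12 10:15:24 iPhone OtherApp(UIKit)[600] <Notice>: password=hunter2
Nov 12 10:15:25 iPhone DemoApp(Foundation)[512] <Error>: Authorization: Bearer abcdef0123456789
"""

HEADER = re.compile(r"^\w{3}\s+\d+\s+[\d:]+\s+\S+\s+(?P<proc>[^\[(\s]+)")
PATTERNS = {
    "jwt": re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+"),
    "bearer_token": re.compile(r"Bearer\s+[A-Za-z0-9._-]{8,}", re.I),
    "credential": re.compile(r"(?:password|passwd|pwd|cvv|secret)\s*[=:]\s*\S+", re.I),
    "pan": re.compile(r"\b\d{13,19}\b"),   # card-number candidates, confirmed by Luhn below
}

def luhn_ok(digits):
    """Luhn checksum: keeps order ids and timestamps out of the card-number findings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def redact(value):
    """Keep a 4-char prefix so the report does not re-leak the secret."""
    return value[:4] + "*" * (len(value) - 4)

def scan_syslog(text, process=None):
    """Return [(line_no, category, redacted_match)]; `process` limits the scan to one app."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        header = HEADER.match(line)
        if process and (header is None or header.group("proc") != process):
            continue
        for category, pattern in PATTERNS.items():
            for match in pattern.findall(line):
                if category == "pan" and not luhn_ok(match):
                    continue
                findings.append((line_no, category, redact(match)))
    return findings
```

Pipe a saved capture in (`idevicesyslog > app.log`, then `scan_syslog(open("app.log").read(), process="AppName")`) and keep the redacted output as the evidence for the finding.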

10. Intercepting HTTP(S) Traffic on iOS (Burp)

Basic Proxying

iOS device → same LAN as the Burp machine. Configure:

Settings → Wi-Fi → (i) → HTTP Proxy → Manual. Enter:

  • IP: your machine IP
  • Port: 5567 (example)

Burp will begin intercepting HTTP, but HTTPS needs certificate installation.

Install Burp CA → trust it under:

Settings → General → About → Certificate Trust Settings. Enable full trust.

If the app has SSL pinning, interception fails → go to the SSL pinning bypass section (14).

11. Source Code & Logic Analysis (What to Focus On)

Inspect (using strings, Hopper, Ghidra, etc.):

Key functionality

  • Login / Registration flows
  • Password reset
  • Token & session management
  • Web API integration
  • Payment / Transaction logic
  • OTP handling
  • WebView integration (WKWebView)
  • Crypto methods
  • Role / feature flags
  • In-app authorization logic

12. Cryptography Testing

Look for:

Weak algorithms

  • MD5
  • SHA1
  • DES
  • Custom crypto blobs

Hardcoded secrets

Search strings in Mach-O binary.

Base64 pretending to be encryption

gf base64

Insecure key generation

  • static IV
  • constant salt
  • PBKDF2 with low iterations

If custom crypto: reverse logic → look for XOR, ROT, Caesar-style ciphers in code.

13. API Testing (Backend Pentesting)

Most iOS vulnerabilities are actually backend vulnerabilities.

Test:

  • Authentication bypass
  • Token reuse
  • Role escalation
  • IDOR
  • Weak OTP rate limits
  • Parameter tampering
  • Replay attacks
  • Overly verbose API responses

Combine:

  • Burp Suite
  • Postman
  • Custom scripts (Python, curl, etc.)

14. Advanced Topic: SSL Pinning Bypass on iOS (All App Types)

iOS apps implement SSL pinning in:

  • NSURLSession
  • Alamofire
  • TrustKit
  • Custom C functions
  • Native code (libswiftCore / .so / .dylib)
  • Flutter (inside Flutter.framework)

Universal Frida Hook (Works for most)

Use the provided Frida bypass script:

frida -U -f package-name -l ssl_bypass.js --no-pause

Flutter iOS SSL Pinning (Advanced)

Flutter apps ignore iOS Wi-Fi proxy → require VPN-based interception.

Steps:

  1. Install and configure OpenVPN on macOS.
  2. Bridge traffic → device → VPN → Burp.
  3. Redirect traffic:
sudo iptables -t nat -A PREROUTING -i tun0 -p tcp --dport 80 -j REDIRECT --to-port 8080
sudo iptables -t nat -A PREROUTING -i tun0 -p tcp --dport 443 -j REDIRECT --to-port 8080
  4. Identify Flutter binary:
Payload/App.app/Frameworks/Flutter.framework/Flutter
  5. Use Frida script for DIO (httpClientAdaptor) bypass included in your notes → this works 90%+ of the time now.

15. References

  • OWASP MASVS
  • OWASP MASTG
  • Apple iOS Security Guide
  • Frida documentation
  • Objection docs
  • iOS Security Research Papers

16. Additional Resources

  • iOS Reverse Engineering — Jonathan Levin
  • The iOS Hacker's Handbook
  • Ghidra + Hopper tutorials
  • Threat Labs blogs
  • Awesome-iOS-Security GitHub

Final Thoughts

iOS is far more restricted than Android:

  • No direct filesystem access
  • Sandboxing limits exploration
  • SSL pinning is more common
  • Apps often use native libs
  • IPA encryption complicates analysis

But with:

  • A good jailbreak
  • Frida
  • Objection
  • Systematic filesystem analysis
  • Proper API testing