hardw00t/ios-pentest

iOS Mobile Application Penetration Testing

Thin router for an iOS app security assessment. Full OWASP MASTG coverage (recon → static → dynamic → network → storage → crypto → auth → reporting). Detailed runbooks live under workflows/ and methodology/; load them only when needed.

When to Use

• New iOS application security assessment (IPA + installed app).
• Bypass SSL pinning, jailbreak detection, biometric, anti-debug.
• Extract and triage keychain / NSUserDefaults / files / SQLite.
• Intercept and tamper HTTPS / gRPC / WebSocket traffic.
• OWASP MASTG / MASVS compliance testing.
• Analyze a decrypted or encrypted Mach-O binary.

Trigger Phrases

"pentest iOS app", "test this IPA", "bypass SSL pinning iPhone", "extract keychain", "MASTG iOS", "iOS jailbreak bypass", "analyze .ipa", "test iPhone app".

When NOT to Use This Skill

• Android APK analysis → use android-pentest.
• Generic web API testing for the backend → use web-pentest / api-pentest.
• iOS source-code review (you have the repo) → use secure-code-review with iOS language packs.
• macOS desktop app analysis → use macos-pentest.

Decision Tree

target acquired?
├── no binary yet → workflows/ipa_decryption.md
└── yes
    ├── need HTTPS visibility? → workflows/ssl_pinning_bypass.md
    ├── app exits on jailbroken device? → workflows/jailbreak_detection_bypass.md
    ├── hunting credentials/tokens? → workflows/keychain_extraction.md
    ├── testing login / biometric? → workflows/auth_testing.md
    └── full engagement → workflows/complete_assessment.md

Parallelism Hints

Run concurrently (independent I/O, no shared state):

• class-dump -H App.app/App -o headers/
• otool -L App.app/App and otool -hv App.app/App
• strings -a App.app/App | grep ...
• plutil -p App.app/Info.plist
• Objection enumeration in a separate spawn.

Must run sequentially (shared Frida session / spawn state):

• Frida --no-pause spawn → wait for bypass script to land → drive app → then attach further scripts.
• Objection ios sslpinning disable → then any traffic-dependent command.
• ideviceimagemounter → then frida-ps -U.
• Keychain dump requires app launched at least once post-install.

Sub-Agent Delegation

Spawn a sub-agent when you can crisply isolate a scope:

• Static-binary sub-agent — give it the decrypted App.app/, it runs class-dump + otool + strings + framework inventory in parallel, returns a structured summary of classes of interest, hardcoded secrets, and insecure API usage.
• Keychain-extraction sub-agent — give it <bundle_id>, it runs objection ... keychain dump --json, classifies each entry by accessibility/ACL, emits findings per schemas/finding.json.
• Optional: network-capture sub-agent driving Burp via proxy API while the main agent drives the UI.

Do not split Frida spawn + instrumentation across sub-agents — the Frida session is stateful and tied to one process.

Reasoning Budget

Use extended thinking for:

• Interpreting decompiled Objective-C / Swift (Hopper / Ghidra / IDA output).
• Designing custom Frida hooks when universal bypass fails.
• Reasoning about cryptographic flow (key origin → cipher → storage).
• MASVS severity triage when multiple subtle issues compound.

Skip extended thinking for:

• Running canned Frida / Objection scripts from scripts/.
• Parsing ios keychain dump --json output (pattern match).
• otool / class-dump invocation and output collection.
• File downloads, device enumeration, SSH pulls.

Multimodal Hooks

Mobile MCP (@anthropic/mobile-mcp --ios) provides iOS simulator / device UI automation:

• Jailbreak-detection modal — screenshot the warning pre-bypass, then post-bypass absence, as evidence.screenshot.
• Biometric prompt — capture Face ID / Touch ID sheet to prove the gate exists, then confirm bypass entered the protected screen.
• App-switcher snapshot leak — screenshot the snapshot cache entry showing sensitive data on backgrounding.
• WebView auth flow — capture the login redirect chain visually for SSO findings.

~/.claude/mcp.json:

{"mcpServers": {"mobile-mcp": {"command": "npx", "args": ["-y", "@anthropic/mobile-mcp", "--ios"]}}}

Structured Output

Emit every finding as JSON conforming to schemas/finding.json. iOS-specific fields: affected.bundle_id, affected.ios_version, affected.device_udid, affected.jailbroken, mastg_id, evidence.frida_pid, evidence.keychain_dump, evidence.screenshot.

Workflow Index

| Workflow | File | |----------|------| | Full assessment runbook | workflows/complete_assessment.md | | SSL pinning bypass | workflows/ssl_pinning_bypass.md | | Jailbreak-detection bypass | workflows/jailbreak_detection_bypass.md | | Keychain extraction & triage | workflows/keychain_extraction.md | | IPA decryption / acquisition | workflows/ipa_decryption.md | | Auth & biometric testing | workflows/auth_testing.md |

Methodology Index

| Area | File | |------|------| | Recon | methodology/recon.md | | Static analysis | methodology/static_analysis.md | | Dynamic analysis | methodology/dynamic_analysis.md | | Network testing | methodology/network_testing.md | | Data storage | methodology/data_storage.md | | Crypto testing | methodology/crypto_testing.md | | Auth testing | methodology/auth_testing.md |

Payloads Index

| File | Purpose | |------|---------| | payloads/jailbreak_detection_paths.txt | Common files/schemes iOS apps probe for jailbreak | | payloads/url_scheme_tests.txt | URL scheme / deep-link test vectors |

Frida Script Index (scripts/)

| Script | Purpose | |--------|---------| | ssl_pinning_bypass.js | Universal SSL/TLS pinning bypass | | jailbreak_bypass.js | Jailbreak detection bypass | | biometric_bypass.js | Touch ID / Face ID bypass | | keychain_hooks.js | Keychain operation monitoring | | crypto_hooks.js | Cryptographic operation tracing | | method_tracer.js | Generic Objective-C method tracer |

References Index

| File | Purpose | |------|---------| | references/ios_vulns.md | iOS vuln classes, severity tables, MASVS map | | references/troubleshooting.md | Frida / pinning / proxy issue triage | | references/frida_ios_snippets.md | Reusable Frida code snippets | | references/bounty_patterns_2024_2026.md | Post-2023 bounty TTPs (URL-scheme / Universal-Link hijack, WebView deep-link XSS, Keychain IAM-token insecurity) | | checklists/owasp_mastg_ios.md | Full MASTG iOS checklist | | templates/finding_report.md | Markdown finding template |

Examples

| File | Purpose | |------|---------| | examples/initial_setup.md | First-contact blueprint | | examples/ssl_bypass_run.md | Pinning-bypass blueprint | | examples/keychain_dump.md | Keychain dump & triage blueprint |

Tools

| Tool | Purpose | Install | |------|---------|---------| | Frida / frida-tools | Dynamic instrumentation | pip install frida-tools (≥ 16.6) | | Objection | Mobile exploration REPL | pip install objection (≥ 1.11) | | libimobiledevice | Device communication | brew install libimobiledevice | | ios-deploy | App deploy | brew install ios-deploy | | ideviceinstaller | App install / list | brew install ideviceinstaller | | class-dump | ObjC header extraction | brew install class-dump | | frida-ios-dump | FairPlay decryption | github.com/AloneMonkey/frida-ios-dump | | Burp Suite | HTTPS interception | PortSwigger | | Hopper / IDA / Ghidra | Binary RE | Vendor / GitHub | | Mobile MCP | UI automation + screen capture | npx @anthropic/mobile-mcp --ios |

Prerequisites Quickcheck

Run before every engagement — fail fast if the lab is broken.

idevice_id -l               # at least one UDID listed
ideviceinfo | grep ProductVersion
frida-ps -U                 # frida-server reachable
objection -g <bundle_id> explore --startup-command 'ios info binary; exit'

Jailbroken setup: OpenSSH + Frida (Sileo repo build.frida.re) + AppSync Unified + Filza. Non-jailbroken fallback: patch IPA with objection patchipa to inject Frida Gadget, or mount the developer disk image with ideviceimagemounter.

Last Validated

2026-04. Frida ≥ 16.6, Objection ≥ 1.11, iOS 15–17 targets. For iOS 18+ jailbreak options shift to userspace-only (Dopamine/palera1n rootless) — SSH path is /var/jb/usr/bin/ssh and Frida server lives at /var/jb/usr/sbin/frida-server.