seikaikyo/analyzing-ios-app-security-with-objection

Analyzing iOS App Security with Objection

When to Use

Use this skill when:

• Performing runtime security assessment of iOS applications during authorized penetration tests
• Inspecting iOS keychain, filesystem, and memory for sensitive data exposure
• Bypassing client-side security controls (SSL pinning, jailbreak detection) during security testing
• Evaluating iOS app behavior at runtime without access to source code

Do not use this skill on production devices without explicit authorization -- Objection modifies app runtime behavior and may trigger security monitoring.

Prerequisites

• Python 3.10+ with pip
• Objection installed: pip install objection
• Frida installed: pip install frida-tools
• Target iOS device (jailbroken with Frida server, or non-jailbroken with repackaged IPA)
• For non-jailbroken: objection patchipa to inject Frida gadget into IPA
• macOS recommended for iOS testing (Xcode, ideviceinstaller)
• USB connection to target device or network Frida server

Workflow

Step 1: Prepare the Testing Environment

For jailbroken devices:

# Install Frida server on device via Cydia/Sileo
# SSH to device and start Frida server
ssh root@<device_ip> "/usr/sbin/frida-server -D"

# Verify Frida connectivity
frida-ps -U  # List processes on USB-connected device

For non-jailbroken devices (authorized testing):

# Patch IPA with Frida gadget
objection patchipa --source target.ipa --codesign-signature "Apple Development: [email protected]"

# Install patched IPA
ideviceinstaller -i target-patched.ipa

Step 2: Attach Objection to Target App

# Attach to running app by bundle ID
objection --gadget "com.target.app" explore

# Or spawn the app fresh
objection --gadget "com.target.app" explore --startup-command "ios hooking list classes"

Once attached, Objection provides an interactive REPL for runtime exploration.

Step 3: Assess Data Storage Security (MASVS-STORAGE)

# Dump iOS Keychain items accessible to the app
ios keychain dump

# List files in app sandbox
ios plist cat Info.plist
env  # Show app environment paths

# Inspect NSUserDefaults for sensitive data
ios nsuserdefaults get

# List SQLite databases
sqlite connect app_data.db
sqlite execute query "SELECT * FROM credentials"

# Check for sensitive data in pasteboard
ios pasteboard monitor

Step 4: Evaluate Network Security (MASVS-NETWORK)

# Disable SSL/TLS certificate pinning
ios sslpinning disable

# Verify pinning is bypassed by observing traffic in Burp Suite proxy
# Monitor network-related class method calls
ios hooking watch class NSURLSession
ios hooking watch class NSURLConnection

Step 5: Inspect Authentication and Authorization (MASVS-AUTH)

# List all Objective-C classes
ios hooking list classes

# Search for authentication-related classes
ios hooking search classes Auth
ios hooking search classes Login
ios hooking search classes Token

# Hook authentication methods to observe parameters
ios hooking watch method "+[AuthManager validateToken:]" --dump-args --dump-return

# Monitor biometric authentication calls
ios hooking watch class LAContext

Step 6: Assess Binary Protections (MASVS-RESILIENCE)

# Check jailbreak detection implementation
ios jailbreak disable

# Simulate jailbreak detection bypass
ios jailbreak simulate

# List loaded frameworks and libraries
memory list modules

# Search memory for sensitive strings
memory search "password" --string
memory search "api_key" --string
memory search "Bearer" --string

# Dump specific memory regions
memory dump all dump_output/

Step 7: Review Platform Interaction (MASVS-PLATFORM)

# List URL schemes registered by the app
ios info binary
ios bundles list_frameworks

# Hook URL scheme handlers
ios hooking watch method "-[AppDelegate application:openURL:options:]" --dump-args

# Monitor clipboard access
ios pasteboard monitor

# Check for custom keyboard restrictions
ios hooking search classes UITextField

Key Concepts

| Term | Definition | |------|-----------| | Objection | Runtime mobile exploration toolkit built on Frida that provides pre-built scripts for common security testing tasks | | Frida Gadget | Shared library injected into app process to enable Frida instrumentation without jailbreak | | Keychain | iOS secure credential storage system; Objection can dump items accessible to the target app's keychain access group | | SSL Pinning Bypass | Runtime modification of certificate validation logic to allow proxy interception of HTTPS traffic | | Method Hooking | Intercepting Objective-C/Swift method calls at runtime to observe arguments, return values, and modify behavior |

Tools & Systems

• Objection: High-level Frida-powered mobile security exploration toolkit with pre-built commands
• Frida: Dynamic instrumentation framework providing JavaScript injection into native app processes
• Frida-tools: CLI utilities for Frida including frida-ps, frida-trace, and frida-discover
• ideviceinstaller: Cross-platform tool for installing/managing iOS apps via USB
• Burp Suite: HTTP proxy for intercepting traffic after SSL pinning bypass

Common Pitfalls

• App crashes on attach: Some apps implement Frida detection. Use --startup-command to hook anti-Frida checks early in the app lifecycle.
• Keychain access scope: Objection can only dump keychain items within the app's access group. System keychain items require separate jailbreak-level tools.
• Swift name mangling: Swift method names are mangled in the runtime. Use ios hooking list classes with grep to find demangled names.
• Non-persistent changes: All Objection modifications are runtime-only and reset on app restart. Document findings immediately.