iOS Penetration Testing

iOS Pentest Checklist

Jailbreak

palera1n

wget https://github.com/palera1n/palera1n/releases/download/v2.0.0-beta.5/palera1n-linux-x86_64
chmod +x palera1n-linux-x86_64
sudo mv palera1n-linux-x86_64 /usr/local/bin/palera1n
sudo chown root: /usr/local/bin/palera1n

# Rootful Jailbreak
sudo palera1n -fc

# After iPhone restart, run this command
sudo palera1n -f

checkra1n

wget -O - https://assets.checkra.in/debian/archive.key | gpg --dearmor | sudo tee /usr/share/keyrings/checkra1n.gpg >/dev/null
echo 'deb [signed-by=/usr/share/keyrings/checkra1n.gpg] https://assets.checkra.in/debian /' | sudo tee /etc/apt/sources.list.d/checkra1n.list
sudo apt-get update
sudo apt-get install checkra1n

# Run the jailbreak
sudo checkra1n

Repository

Here is a list of repositories that need to be added to Cydia or Sileo after iOS is jailbroken. Not all repositories need to be added; it depends on your needs.

Applications

Here is a list of apps or tools that need to be installed after iOS is jailbroken.

For Jailbreak Detection Bypass

| Apps | Repo Source |
| --- | --- |
| Shadow | jjolano |
| A-Bypass | Merona |
| HideJB | BigBoss |
| Not a bypass | Uckermark |
| Hestia | Havoc |
| Liberty Lite | Ryley Angus |

There's no need to enable all of the above tools when performing a jailbreak detection bypass. For instance, some apps can be bypassed using Hestia, while others can only be bypassed using Shadow, and so on.

SSL Pinning Bypass

| Apps | Repo Source |
| --- | --- |
| SSL Kill Switch 3 | Misty's Repository |
| SSL Kill Switch 2 | julioverne repository |

Note: Install either SSL Kill Switch 2 or SSL Kill Switch 3, not both; they can't be installed together.

Utilities

| App Name | Description |
| --- | --- |
| appinst | Used to install .ipa files via the terminal. Can be installed through the akemi repository. |
| AppSync Unified | A tweak that allows users to install ad-hoc signed, fakesigned, or unsigned IPAs. Can be installed via the akemi repository. |
| openssh | Used to connect to an iPhone device via the SSH protocol. It should be installed when jailbreaking using checkra1n or palera1n. The default SSH credentials are username: root and password: alpine. We recommend changing the default password immediately. |
| Filza File Manager | A GUI application used to explore the internal system and install .IPA files. Can be installed through the BigBoss repository or the palera1n repository for its 64-bit version. |
| frida (server) | Used for hooking and monitoring API calls. In some cases, if SSL Kill Switch fails to bypass SSL Pinning in an application, a custom script may be required, necessitating the installation of the frida server on the iPhone device. |

Tools

These tools are utilized for conducting penetration testing on iOS applications.

  • Frida - Dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers. Learn more at frida.re. Install: pip3 install frida-tools.

  • Objection - Runtime mobile exploration toolkit, powered by Frida, built to help you assess the security posture of your mobile applications, without needing a jailbreak. Install: pip3 install objection.

  • IPAtool - Command-line tool that allows searching and downloading app packages (known as ipa files) from the iOS App Store

  • Grapefruit - Runtime Application Instruments for iOS. Install: npm install -g igf.

  • frida-ios-dump - Pulls a decrypted IPA from a jailbroken device.

  • MobSF - Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.

  • reFlutter - Flutter Reverse Engineering Framework

Frida Scripts

This is a list of Frida scripts I have tested and that worked to bypass root detection or SSL pinning on iOS apps.

Note: This page is incomplete and will be regularly updated. If you have any ideas or resources that need to be added, please contact me at yuyudhn@gmail.com.
