iOS Penetration Testing — Part 1 (Beginner's Guide)

A foundational guide to setting up an iOS pentest lab — toolchain, jailbreak basics, IPA decryption, and the early signal-rich attack surface.

🔹 Introduction

Unlike Android, iOS apps are sandboxed, signed, and more restrictive. That makes pentesting harder but still possible. This guide walks you through step-by-step pentesting on iOS apps.

🔹 1. Setting Up the Environment

Jailbreak (Recommended)

You'll need a jailbroken iPhone/iPad. Tools:

  • Checkra1n (older devices)
  • Unc0ver / Taurine / Dopamine / WinRa1n (depending on iOS version)

Install Key Tools on Device

# Install OpenSSH on device
apt install openssh

# Connect via SSH
ssh root@<device_ip>

Install on Laptop (macOS/Linux)

# Install Brew (macOS)
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"

# Install Frida
pip3 install frida-tools

# Install Objection
pip3 install objection

# Install Class-dump
brew install class-dump

# Install Hopper or Ghidra (for reverse engineering)
brew install --cask ghidra

🔹 2. Getting the IPA

Extract installed apps:

# List apps on device (frida-server must be running on the jailbroken device)
frida-ps -Uai

# Pull the decrypted IPA (using frida-ios-dump)
git clone https://github.com/AloneMonkey/frida-ios-dump.git
cd frida-ios-dump
pip3 install -r requirements.txt
# dump.py reaches the device over SSH on localhost:2222 by default; forward it first:
iproxy 2222 22
python3 dump.py com.target.iosapp

🔹 3. Static Analysis

Inspect App Structure

# Unzip IPA
unzip app.ipa -d app_folder

Key files to review:

  • Info.plist → app permissions, ATS, schemes
  • Frameworks/ → 3rd-party SDKs
  • Binary → main executable
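As an added example (not part of the original post), the following Python script automates the Info.plist review just described: it parses the plist with plistlib and flags the ATS exceptions, registered URL schemes, and permission usage strings a reviewer should look at. The plist content is constructed for the demo; the bundle id, domain and scheme names are placeholders.

```python
import plistlib

# Constructed sample Info.plist (not taken from any real app) carrying the
# kinds of settings a static review should flag.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.demo</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><true/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>legacy.example.com</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
        <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.0</string>
      </dict>
    </dict>
  </dict>
  <key>CFBundleURLTypes</key>
  <array>
    <dict>
      <key>CFBundleURLSchemes</key>
      <array><string>demoapp</string><string>demo-auth</string></array>
    </dict>
  </array>
  <key>NSCameraUsageDescription</key><string>Scan documents</string>
  <key>NSLocationAlwaysUsageDescription</key><string></string>
</dict>
</plist>
"""


def review_info_plist(data):
    """Return a list of human-readable findings for the Info.plist bytes in `data`."""
    plist = plistlib.loads(data)
    findings = []

    # App Transport Security: global and per-domain weakening of TLS requirements.
    ats = plist.get("NSAppTransportSecurity", {})
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("ATS: NSAllowsArbitraryLoads is true (cleartext HTTP allowed app-wide)")
    for domain, opts in ats.get("NSExceptionDomains", {}).items():
        if opts.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(f"ATS: {domain} allows insecure HTTP loads")
        tls = opts.get("NSExceptionMinimumTLSVersion")
        if tls in ("TLSv1.0", "TLSv1.1"):
            findings.append(f"ATS: {domain} permits {tls}")

    # Custom URL schemes: each one is an entry point whose handler needs input validation.
    for url_type in plist.get("CFBundleURLTypes", []):
        for scheme in url_type.get("CFBundleURLSchemes", []):
            findings.append(f"URL scheme registered: {scheme}:// (review its handler)")

    # Permission prompts: list what the app asks for and flag empty justifications.
    for key, value in plist.items():
        if key.endswith("UsageDescription"):
            if not str(value).strip():
                findings.append(f"Permission: {key} has an empty justification")
            else:
                findings.append(f"Permission: {key} = {value!r}")
    return findings


if __name__ == "__main__":
    for line in review_info_plist(SAMPLE_INFO_PLIST):
        print(line)
```

To run it against a real app, read `Payload/<App>.app/Info.plist` from the unzipped IPA and pass the bytes to `review_info_plist`; plistlib handles both the XML and the binary plist encodings.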

Dump Classes

# Run against the decrypted binary (frida-ios-dump already decrypts it);
# class-dump covers Objective-C classes only, so Swift-heavy apps yield few headers
class-dump -H app_binary -o headers/

Look for Secrets

grep -r "key\|password\|token" headers/
strings app_binary | grep -i "api"

🔹 4. Data Storage Testing

Look inside app sandbox:

ssh root@<device_ip>
cd /var/mobile/Containers/Data/Application/<UUID>/
ls -lah

Check:

  • Documents/ → SQLite, Realm DBs
  • Library/Preferences/ → Plist files
  • Library/Cookies/
  • tmp/ → cached files

Example SQLite test:

sqlite3 Documents/app.sqlite "SELECT * FROM users;"
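An added example, not from the original post: a Python script that builds a constructed copy of a data container with the layout above (a Preferences plist and a SQLite DB under Documents/), then walks it and reports plist keys and SQLite columns whose names suggest credentials stored in plaintext. File names, keys and values are invented for the demo; to use it on real data, copy the container off the device (e.g. with scp) and point `scan_container` at the copy.

```python
import os
import plistlib
import re
import sqlite3
import tempfile

# Names that usually indicate credentials or session material. Matched
# case-insensitively against plist keys and SQLite column names.
SENSITIVE_NAME = re.compile(r"pass(word|wd)?|secret|token|api.?key|session|auth", re.I)


def build_sample_container(root):
    """Construct a fake app data container (not copied from a real app) laid out
    like /var/mobile/Containers/Data/Application/<UUID>/."""
    os.makedirs(os.path.join(root, "Documents"))
    os.makedirs(os.path.join(root, "Library", "Preferences"))
    prefs = os.path.join(root, "Library", "Preferences", "com.example.demo.plist")
    with open(prefs, "wb") as f:
        plistlib.dump({"username": "alice", "auth_token": "constructed-token-value", "theme": "dark"}, f)
    db = sqlite3.connect(os.path.join(root, "Documents", "app.sqlite"))
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password TEXT)")
    db.execute("INSERT INTO users (email, password) VALUES ('alice@example.com', 'hunter2')")
    db.execute("CREATE TABLE settings (k TEXT, v TEXT)")
    db.commit()
    db.close()


def scan_container(root):
    """Walk the container and report plist keys and SQLite columns whose names
    suggest sensitive data at rest. Returns (relative_path, location) tuples;
    the stored values themselves are deliberately not returned."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if name.endswith(".plist"):
                with open(path, "rb") as f:
                    try:
                        data = plistlib.load(f)
                    except plistlib.InvalidFileException:
                        continue
                if isinstance(data, dict):
                    for key in data:
                        if SENSITIVE_NAME.search(key):
                            findings.append((rel, f"plist key {key!r}"))
            elif name.endswith((".sqlite", ".sqlite3", ".db")):
                # Open read-only so the scan cannot modify evidence.
                db = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
                try:
                    tables = [r[0] for r in db.execute(
                        "SELECT name FROM sqlite_master WHERE type='table'")]
                    for table in tables:
                        # PRAGMA table_info rows: (cid, name, type, notnull, dflt, pk)
                        cols = [r[1] for r in db.execute(f'PRAGMA table_info("{table}")')]
                        for col in cols:
                            if SENSITIVE_NAME.search(col):
                                count = db.execute(f'SELECT COUNT(*) FROM "{table}"').fetchone()[0]
                                findings.append((rel, f"table {table} column {col} ({count} rows)"))
                finally:
                    db.close()
    return findings


def demo():
    """Build the constructed container in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_container(root)
        return scan_container(root)


if __name__ == "__main__":
    for rel, where in demo():
        print(f"{rel}: {where}")
```

The scan flags by name rather than by value on purpose: it gives a quick map of where the app keeps state worth a closer look, without copying secrets into the report. Keychain-backed storage does not appear here; only what the app writes into its own container does.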

🔹 5. Network Traffic Interception

Step 1: Set up Burp Certificate

# Export cert from Burp
openssl x509 -inform DER -in cacert.der -out cacert.pem
scp cacert.pem root@<device_ip>:/usr/local/share/ca-certificates/

Step 2: Trust Cert on iOS

Insert the cert into the system trust store database at
/private/var/Keychains/TrustStore.sqlite3 (requires jailbreak).

Step 3: Run Proxy

Set device proxy → your laptop Burp IP:8080

🔹 6. Quick Wins for Beginners

  • Hardcoded secrets in binary.
  • Sensitive data in Plist/SQLite.
  • Logs with credentials:

idevicesyslog | grep password
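As an added example (not part of the original post), here is a Python filter that goes a step beyond the grep: it parses lines in the idevicesyslog shape, reports only messages that carry an actual credential value (a password assignment, a Bearer token, an API key), redacts the value before reporting it, and attributes each hit to the logging process. The sample lines are constructed and only approximate the real idevicesyslog format; the process and app names are placeholders.

```python
import re

# Constructed lines approximating idevicesyslog output (not captured from a
# real device). Line 4 mentions "password" without leaking one: the plain grep
# in the section above matches it, this filter does not.
SAMPLE_SYSLOG = """\
Jun 12 10:22:31 iPhone DemoApp(Foundation)[1234] <Notice>: Login request user=alice password=hunter2
Jun 12 10:22:31 iPhone DemoApp(CFNetwork)[1234] <Notice>: Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.constructed.sig
Jun 12 10:22:32 iPhone SpringBoard(FrontBoard)[88] <Notice>: Launching DemoApp
Jun 12 10:22:33 iPhone DemoApp(Foundation)[1234] <Notice>: passwordFieldDidChange length=7
"""

# timestamp, optional host, process(lib)[pid] <Level>: message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?:\S+ )?"
    r"(?P<proc>[^\s\[(]+)(?:\([^)]*\))?\[(?P<pid>\d+)\] "
    r"<(?P<level>\w+)>: (?P<msg>.*)$"
)

# Each pattern captures the credential value in group 2 so it can be redacted.
CREDENTIAL_RES = [
    ("password assignment", re.compile(r"\b(pass(?:word|wd)?|pwd)\s*[=:]\s*(\S+)", re.I)),
    ("bearer token", re.compile(r"\b(Bearer)\s+([A-Za-z0-9\-_.=]{16,})")),
    ("api key assignment", re.compile(r"\b(api[_-]?key|token)\s*[=:]\s*(\S+)", re.I)),
]


def redact(msg, match):
    """Replace the captured credential value (group 2) with a marker."""
    return msg[:match.start(2)] + "[REDACTED]" + msg[match.end(2):]


def find_credential_leaks(text):
    """Return (process, kind, redacted_message) for each log line that carries
    a credential value. Lines that do not parse as syslog are skipped."""
    hits = []
    for line in text.splitlines():
        parsed = LINE_RE.match(line)
        if not parsed:
            continue
        msg = parsed.group("msg")
        for kind, pattern in CREDENTIAL_RES:
            match = pattern.search(msg)
            if match:
                hits.append((parsed.group("proc"), kind, redact(msg, match)))
                break
    return hits


if __name__ == "__main__":
    for proc, kind, msg in find_credential_leaks(SAMPLE_SYSLOG):
        print(f"{proc}: {kind}: {msg}")
```

Pipe a live capture into it with `idevicesyslog | python3 leakfilter.py` after replacing the sample with `sys.stdin.read()`; the redaction keeps the report itself from becoming a second copy of the leaked credential.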

cheers!

