iOS Penetration Testing — Part 2 (Advanced Guide)

Runtime instrumentation with Frida, deeper attack surface, and the techniques worth knowing for serious iOS assessments.

🔹 1. Runtime Instrumentation with Frida

Start Frida server:

# Push frida-server to device
scp frida-server root@<device_ip>:/usr/local/bin/

# Start on device
ssh root@<device_ip>
chmod +x /usr/local/bin/frida-server
# Binary was copied to /usr/local/bin, so start it by full path (the ssh session lands in /var/root, not there)
/usr/local/bin/frida-server &

List apps:

frida-ps -Uai

Inject script:

frida -U -f com.target.iosapp -l hook.js --no-pause

🔹 2. Objection — Simplified Frida

objection --gadget com.target.iosapp explore

Useful commands:

# Disable SSL pinning
ios sslpinning disable

# Disable jailbreak detection
ios jailbreak disable

# Dump keychain
ios keychain dump

# Search memory for secrets
memory search "token"

🔹 3. Deep Link & Custom Schemes

Check registered schemes:

plutil -p Info.plist | grep CFBundleURLSchemes

Exploit:

xcrun simctl openurl booted "myapp://login?token=evil"

🔹 4. WebView Exploits

If app uses WebView:

  • Check if JavaScript is enabled.
  • Test for XSS:
myapp://webview?url=javascript:alert(document.cookie)

🔹 5. SSL Pinning Bypass

Frida script example (note: this hook patches the Java javax.net.ssl.SSLContext, so it only loads in an Android process; for an iOS target use the Objection command ios sslpinning disable from section 2):

Java.perform(function() {
  var SSLContext = Java.use("javax.net.ssl.SSLContext");
  SSLContext.init.overload(
    "[Ljavax.net.ssl.KeyManager;", "[Ljavax.net.ssl.TrustManager;", "java.security.SecureRandom"
  ).implementation = function(k, t, s) {
    console.log("Bypassing SSL Pinning");
    this.init(k, null, s);
  };
});

Run it:

frida -U -f com.target.iosapp -l ssl-bypass.js --no-pause

🔹 6. Memory Analysis

Dump memory:

objection --gadget com.target.iosapp explore
# inside the objection shell: write the whole process memory to one file
memory dump all /var/root/dump.bin
# then search the same file for printable secrets (case-insensitive)
strings /var/root/dump.bin | grep -i password

🔹 7. Extra Checks

UIPasteboard:

frida -U -f com.target.iosapp -l pasteboard.js

App Extensions:

  • Look for exposed entitlements.

Backups:

idevicebackup2 backup ./backup/
grep -r "token" backup/

🔹 8. Network Testing

MITM Attack:

  • Run Burp in transparent mode.
  • Capture API requests → fuzz endpoints.

Check ATS:

plutil -p Info.plist | grep NSAppTransportSecurity
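Grepping for NSAppTransportSecurity only tells you the dictionary exists; the actual weakening lives in the nested keys. The following is an added example (not from the original post) that audits a decoded Info.plist with plistlib, listing the custom URL schemes from section 3 and every ATS key that relaxes transport security. SAMPLE_INFO is a constructed dictionary; a real bundle's file is read with load_info_plist().

```python
import plistlib

# Constructed sample of a decoded Info.plist (not from any real app); a real
# one is read with load_info_plist() from the decrypted .app bundle.
SAMPLE_INFO = {
    "CFBundleURLTypes": [
        {"CFBundleURLSchemes": ["myapp", "myapp-debug"]},
    ],
    "NSAppTransportSecurity": {
        "NSAllowsArbitraryLoads": False,
        "NSAllowsArbitraryLoadsInWebContent": True,
        "NSExceptionDomains": {
            "legacy.example.com": {
                "NSExceptionAllowsInsecureHTTPLoads": True,
                "NSExceptionMinimumTLSVersion": "TLSv1.0",
            },
        },
    },
}

def load_info_plist(path: str) -> dict:
    """Read a binary or XML Info.plist (plistlib detects the format)."""
    with open(path, "rb") as f:
        return plistlib.load(f)

def url_schemes(info: dict) -> list[str]:
    """Every custom URL scheme the app registers: its deep-link surface."""
    return [s for t in info.get("CFBundleURLTypes", [])
            for s in t.get("CFBundleURLSchemes", [])]

def ats_findings(info: dict) -> list[str]:
    """ATS keys that relax transport security, and the domain each applies to."""
    ats = info.get("NSAppTransportSecurity", {})
    out = []
    # Global switches: any of these set to true widens the allowed traffic.
    for key in ("NSAllowsArbitraryLoads", "NSAllowsArbitraryLoadsInWebContent",
                "NSAllowsArbitraryLoadsForMedia", "NSAllowsLocalNetworking"):
        if ats.get(key):
            out.append(f"global: {key}")
    # Per-domain exceptions: plaintext HTTP or an old TLS floor.
    for domain, exc in ats.get("NSExceptionDomains", {}).items():
        if exc.get("NSExceptionAllowsInsecureHTTPLoads"):
            out.append(f"{domain}: plaintext HTTP allowed")
        tls = exc.get("NSExceptionMinimumTLSVersion")
        if tls in ("TLSv1.0", "TLSv1.1"):
            out.append(f"{domain}: minimum TLS version {tls}")
    return out

if __name__ == "__main__":
    print("schemes:", url_schemes(SAMPLE_INFO))
    print("ATS:", ats_findings(SAMPLE_INFO))
```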

🔹 Conclusion

Now you can:

  • Part 1: Extract, decompile, inspect storage, intercept traffic.
  • Part 2: Use Frida/Objection for runtime, bypass SSL pinning, test deep links, inspect WebViews, dump memory.

With these two parts, anyone can perform a deep pentest of iOS apps from scratch to advanced exploitation.
