/iOS

Most usable tools for iOS penetration testing

Apache License 2.0Apache-2.0

iOS/macOS penetration testing cheatsheet

Action macOS Linux Win iOS w/JB
MobSF MobSF MobSF MobSF ---
Plist view plutil or Xcode apt-get install libplist-utils Plist Viewer plutil
Ghidra Ghidra Ghidra Ghidra ---
Frida Frida Frida Frida ---
Awesome Frida Awesome Frida --- --- Awesome Frida
Objection Objection Objection Objection Objection
Needle Needle Needle --- ---
Keychain dumper Keychain dumper --- --- Keychain dumper
iOS URL Schemes iOS URL Schemes --- --- iOS URL Schemes
Debug Hacks Debug Hacks --- --- ---
SandBox Dumper SandBox Dumper --- --- ---
PassionFruit PassionFruit PassionFruit --- ---
iPhoneTunnel iPhoneTunnel --- iPhoneTunnel ---
iRET iRET --- --- ---
idb idb idb --- ---
XSecurity XSecurity --- --- ---

macOS Quick Look plugin for iOS & OSX developers

https://github.com/ealeksandrov/ProvisionQL – Generate amazing preview for .ipa .app .appex .mobileprovision .provisionprofile

iOS / macOS obfuscation

https://github.com/obfuscator-llvm/obfuscator/wiki – ollvm

Static analyze

Project/App Swift Objective-c
Swift Lint + -

Jailbreak

Jailbreak check
Jailbreak Chart
Can I Jailbreak?
Jailbreak list
Repos
http://cydia.iphonecake.com
http://apt.saurik.com/
http://repo.nesolabs.de/
https://build.frida.re/
http://appsec-labs.com/cydia/
http://cydia.zodttd.com/repo/cydia/
http://mobiletools.mwrinfosecurity.com/cydia/
http://repo666.ultrasn0w.com/
http://apt.thebigboss.org/repofiles/cydia/
http://cydia.radare.org/
http://apt.modmyi.com/
http://coolstar.org/publicrepo/
http://getdelta.co/ < Flex3 working

Little h4ck for sslpinning bypass (help in some cases when sslkillswitch useless)

  • Configure burp proxy on iOS device – Visit [your_proxy_adress]:[proxy_port]/mobileassistant.deb – Download file and install
    • Via iFile
    • Via ssh like `dpkg -i path/to/mobileassistant.deb
  • Respring
  • Launch Mobile Assistant
  • Add app in bottom panel
  • Turn-on switcher next to app
  • Launch your app
  • Congrats

More info here NB! in some cases you may face with lack of libraries, do not replace anything manually in iOS, it may lead to infinity loop)

AppSign / Rebuild / Resign / Inject / Useful tools

Schema

Download and decrypt

Tool Description Link
iFunBox App iFunBox
Appdb Download&resign .ipa Appdb
iphonecake Download&resign .ipa iphonecake
4pda Download&resign .ipa 4pda
iTunes w/app tab iTunes 12.6.3.6 Apple Support
Download old version .ipa Manual how-to Lifehacker

Extract data

Tool Description Link
Rasticrac Jailbreak(+) Rasticrac
Clutch Jailbreak(+) Clutch

All in one (Inject > Repack > Resign > Upload)

Tool Description Link
IPA Patch Xcode Project IPA Patch
Resign Xcode Project Regisn

Inject framework

Tool Description Link
CydiaSubstrate Framework Site & .deb file
Reveal app Project Reveal app
JSPatch Framework JSPatch
FRAPL Framework FRAPL
Frida Gadget Framework Frida Gadget
Cycript Framework Frida+Cycript & Site

Repack and resign binary

Tool Description Link
Node Resign Xcode Project Node Resign
iOS App Signer Xcode Project iOS App Signer
AppAddict App AppAddict

Upload and run on device

Tool Description Link
iFunBox App iFunBox
Impactor App Cydia Impactor
IPA installer Xcode Project IPA installer

Useful tools

Tool Description Link
Runtime Headers Xcode Project Runtime Headers
SSL Killswitch 2 Jailbreak(+) SSL Killswitch 2
Theos Project Theos
Dumpdecrypted Project Dumpdecrypted
BundleID Jailbreak(+) BundleID
IPSW Download Firmware IPSW

Slides and articles and links

Name Link
Malware wellbeing on iOS devices Slides
DVIA Homepage
Dynamic analysis of iOS apps w/o Jailbreak Article En Article RU & Slides
Ro(o)tten Apples Vulnerability Heaven in the iOS Sandbox Slides
Light and Dark side of Code Instrumentation Slides
Комбайны безопасности для iOS и Android Slides

Author: @ansjdnakjdnajkd

Do you want to add or fix? - Write to me or pull request!