# hardw00t / ios-pentest

Install this skill (a specific skill from a multi-skill repository):

```bash
npx skills add hardw00t/ai-security-arsenal --skill "ios-pentest"
```

# Description

Comprehensive iOS mobile application penetration testing skill with Frida/Objection integration for jailbroken and non-jailbroken devices. This skill should be used when performing security assessments on iOS applications including static analysis, dynamic analysis, runtime manipulation, traffic interception, keychain analysis, and vulnerability identification. Triggers on requests to pentest iOS apps, test iPhone/iPad security, analyze IPAs, bypass security controls, or perform OWASP MASTG iOS assessments.

# SKILL.md

```yaml
---
name: ios-pentest
description: "Comprehensive iOS mobile application penetration testing skill with Frida/Objection integration for jailbroken and non-jailbroken devices. This skill should be used when performing security assessments on iOS applications including static analysis, dynamic analysis, runtime manipulation, traffic interception, keychain analysis, and vulnerability identification. Triggers on requests to pentest iOS apps, test iPhone/iPad security, analyze IPAs, bypass security controls, or perform OWASP MASTG iOS assessments."
---
```


## iOS Mobile Application Penetration Testing

This skill enables comprehensive security testing of iOS applications using Frida, Objection, and standard iOS pentesting tools. It covers the full OWASP MASTG methodology for iOS from reconnaissance to exploitation and reporting.

### When to Use This Skill

This skill should be invoked when:
- Starting a new iOS application security assessment
- Performing dynamic analysis on iOS apps
- Bypassing security controls (SSL pinning, jailbreak detection, anti-tampering)
- Extracting and analyzing keychain data
- Testing authentication and biometric mechanisms
- Analyzing network communications
- Analyzing IPA files and app binaries
- Performing OWASP MASTG compliance testing for iOS

#### Trigger Phrases

  • "pentest this iOS app"
  • "security test the IPA"
  • "bypass SSL pinning on iPhone"
  • "extract keychain data from [app]"
  • "test iOS authentication"
  • "MASTG testing for iOS app"
  • "mobile app security assessment iOS"
  • "test this iPhone app"

### Prerequisites

#### Required Tools

| Tool | Purpose | Installation |
|---|---|---|
| Frida | Dynamic instrumentation | `pip install frida-tools` |
| Objection | Mobile exploration | `pip install objection` |
| libimobiledevice | iOS device communication | `brew install libimobiledevice` |
| ios-deploy | App deployment | `brew install ios-deploy` |
| ideviceinstaller | App installation | `brew install ideviceinstaller` |
| Burp Suite | Traffic interception | Download from PortSwigger |
| Hopper/IDA | Binary analysis | Commercial/Download |
| class-dump | Header extraction | `brew install class-dump` |

#### Mobile MCP for Device Interaction

For advanced device and simulator interactions, use Mobile MCP:
- Repository: https://github.com/mobile-next/mobile-mcp
- Purpose: Provides MCP-based interaction with iOS simulators and physical devices
- Features: Screen capture, touch automation, app lifecycle management, and UI inspection

Add to `~/.claude/mcp.json`:

```json
{
  "mcpServers": {
    "mobile-mcp": {
      "command": "npx",
      "args": ["-y", "@anthropic/mobile-mcp", "--ios"]
    }
  }
}
```

This complements Frida/Objection for scenarios requiring direct device UI interaction during security testing.

#### Device Setup

Jailbroken device:

```bash
# 1. Jailbreak device (checkra1n, unc0ver, or palera1n depending on iOS version)
# 2. Install Cydia/Sileo

# 3. Add Frida repo and install
# In Cydia: Add repo https://build.frida.re
# Install: Frida

# 4. Verify connection
frida-ps -U

# 5. Install useful packages via Cydia:
# - OpenSSH
# - Apple File Conduit 2
# - AppSync Unified
# - Filza File Manager
```

#### Non-Jailbroken Device (Limited Testing)

```bash
# Option 1: Developer Disk Image (iOS 13+)
# Mount developer disk via Xcode or:
ideviceimagemounter /path/to/DeveloperDiskImage.dmg

# Option 2: Frida Gadget injection into IPA
# 1. Extract IPA (to inspect the bundle)
unzip app.ipa -d extracted/

# 2. Inject Frida Gadget using objection (re-signs the IPA with your certificate):
objection patchipa --source app.ipa --codesign-signature "Developer ID"

# 3. Install the patched IPA that patchipa writes out, not the unpatched extracted bundle
ideviceinstaller -i <patched>.ipa

# Option 3: For debuggable apps (development builds)
frida -U -f com.example.app --no-pause
```

#### Verification

```bash
# Verify device connection
idevice_id -l

# Verify Frida connection
frida-ps -U

# Test Objection
objection -g com.example.app explore

# Verify SSH (jailbroken)
ssh root@<device-ip> -p 22
# Default password: alpine
```

### Quick Start Guide

#### 1. Initial Setup (2 minutes)

```text
User: I need to pentest the iOS app com.example.targetapp

Claude: I'll set up the iOS testing environment.

1. Get app info:
   $ ideviceinstaller -l | grep targetapp
   $ objection -g com.example.targetapp explore
   > ios info binary

2. Extract IPA for static analysis:
   # For App Store apps (jailbroken):
   $ ssh root@device "find /var/containers/Bundle/Application -name '*.app' | xargs -I {} dirname {}"

   # Or use frida-ios-dump:
   $ python dump.py com.example.targetapp

3. Map attack surface:
   > ios hooking list classes
   > ios hooking search classes auth
   > ios hooking search methods keychain
```

#### 2. Bypass Security Controls (1 minute)

```bash
# Using Objection (recommended for quick bypass)
objection -g com.example.targetapp explore

# Inside objection console:
ios sslpinning disable
ios jailbreak disable
ios jailbreak simulate  # If app checks for jailbreak

# Or spawn with bypasses:
objection -g com.example.targetapp explore --startup-command 'ios sslpinning disable'
```

#### 3. Dynamic Analysis

```bash
# Objection commands for common operations:
ios keychain dump
ios nsuserdefaults get
ios cookies get
ios nsurlcredentialstorage dump
ios plist cat <path>
ios bundles list_frameworks

# Frida for custom hooking:
frida -U -f com.example.targetapp -l hooks.js --no-pause
```

#### 4. Data Extraction

```bash
# Keychain (most critical)
objection -g com.example.targetapp explore
> ios keychain dump

# Local storage
> ios nsuserdefaults get
> ios cookies get
> ios plist cat /var/mobile/Containers/Data/Application/<UUID>/Library/Preferences/*.plist

# File system (jailbroken)
ssh root@device
find /var/mobile/Containers/Data/Application -name "*.sqlite" -o -name "*.db"
```

### Methodology Reference

| Document | Coverage |
|---|---|
| `methodology/recon.md` | Information gathering, IPA analysis |
| `methodology/static_analysis.md` | Binary analysis, class-dump, strings |
| `methodology/dynamic_analysis.md` | Runtime testing, Frida/Objection |
| `methodology/network_testing.md` | Traffic analysis, SSL pinning |
| `methodology/data_storage.md` | Keychain, NSUserDefaults, files |
| `methodology/crypto_testing.md` | Encryption analysis, key management |
| `methodology/auth_testing.md` | Authentication, biometrics, sessions |
| `methodology/binary_protections.md` | PIE, ARC, stack canaries |

### Common Workflows

#### Workflow 1: Complete Application Assessment

```bash
# Phase 1: Reconnaissance
ideviceinstaller -l  # List installed apps
objection -g com.example.app explore
> ios info binary
> ios bundles list_frameworks

# Phase 2: Extract and Analyze IPA
# Jailbroken method:
ssh root@device "cp -r /var/containers/Bundle/Application/<UUID>/App.app /tmp/"
scp -r root@device:/tmp/App.app ./

# Decrypt if encrypted (App Store apps):
frida-ios-dump com.example.app

# Phase 3: Static Analysis
class-dump -H App.app/App -o headers/
strings App.app/App | grep -i "api\|key\|secret\|password"
otool -L App.app/App  # Check linked libraries

# Phase 4: Bypass Protections
objection -g com.example.app explore --startup-command 'ios sslpinning disable'
# Or with Frida script:
frida -U -f com.example.app -l ssl_bypass.js --no-pause

# Phase 5: Dynamic Analysis
> ios keychain dump
> ios nsuserdefaults get
> ios hooking watch class KeychainWrapper
> ios hooking watch method "-[AuthManager authenticate:]"

# Phase 6: Network Testing
# Configure Burp proxy on device:
# Settings > Wi-Fi > HTTP Proxy > Manual
# Install Burp CA via Safari
```

#### Workflow 2: SSL Pinning Bypass

```bash
# Method 1: Objection (works for most apps)
objection -g com.example.app explore
> ios sslpinning disable

# Method 2: Frida script for common libraries
frida -U -f com.example.app -l scripts/ssl_pinning_bypass.js --no-pause

# Method 3: Custom bypass for specific implementation
# First identify pinning method:
> ios hooking search classes SSL
> ios hooking search classes TrustKit
> ios hooking search classes AFSecurityPolicy

# Method 4: Killswitch for ATS (dev only)
# Add to Info.plist: NSAllowsArbitraryLoads = YES
```

#### Workflow 3: Keychain Analysis

```bash
# Dump all keychain items
objection -g com.example.app explore
> ios keychain dump

# Look for specific items: write the dump to a file on the host, then search it there
# (the objection console does not pipe to grep)
> ios keychain dump --json keychain.json
$ grep -i -e password -e token keychain.json

# Monitor keychain access in real-time
> ios hooking watch class KeychainItemWrapper
> ios hooking watch method "+[KeychainService getItem:]"

# Frida script for keychain monitoring
frida -U com.example.app -l scripts/keychain_hooks.js

# Check keychain accessibility levels:
# - kSecAttrAccessibleWhenUnlocked (OK)
# - kSecAttrAccessibleAfterFirstUnlock (MEDIUM - persists after reboot; readable while locked once the device has been unlocked once)
# - kSecAttrAccessibleAlways (CRITICAL - accessible even when locked)
```

#### Workflow 4: Biometric Authentication Testing

```bash
# Monitor biometric calls
objection -g com.example.app explore
> ios hooking watch class LAContext
> ios hooking watch method "-[LAContext evaluatePolicy:localizedReason:reply:]"

# Bypass biometric with Frida
frida -U com.example.app -l scripts/biometric_bypass.js

# Test if server validates biometric
# 1. Bypass locally
# 2. Check if authenticated actions still require server auth
# 3. Replay captured tokens
```

#### Workflow 5: URL Scheme Testing

```bash
# Find registered URL schemes
plutil -p App.app/Info.plist | grep -A5 CFBundleURLSchemes

# Or via objection:
> ios info binary

# Test URL schemes on device via Safari:
# targetapp://action?param=value

# Monitor URL handling
> ios hooking watch method "-[AppDelegate application:openURL:options:]"

# Test for:
# - Open redirect: targetapp://redirect?url=http://evil.com
# - XSS in WebView: targetapp://open?url=javascript:alert(1)
# - Sensitive action: targetapp://transfer?amount=1000&to=attacker
```

#### Workflow 6: Binary Protection Analysis

```bash
# Check PIE (Position Independent Executable)
otool -hv App.app/App | grep PIE
# Should show: PIE flag

# Check ARC (Automatic Reference Counting)
otool -I -v App.app/App | grep objc_release
# Presence indicates ARC

# Check stack canaries
otool -I -v App.app/App | grep stack_chk
# Should show: ___stack_chk_fail

# Check encryption
otool -l App.app/App | grep -A4 LC_ENCRYPTION_INFO
# cryptid 1 = encrypted, 0 = decrypted

# Comprehensive check via objection
> ios info binary

# Expected results for secure app:
# - PIE: enabled
# - ARC: enabled
# - Stack Canaries: present
# - Encrypted: yes (App Store) / no (development)
```
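As an added example (not one of this skill's bundled scripts), the following parses the three `otool` outputs used in this workflow and reports which of the four protections are missing, so the check can be repeated over many builds without reading the output by eye. The `otool` fragments are constructed samples, not captured from a real binary.

```python
import re

# Constructed otool output fragments (not from a real app) exercising each check.
SAMPLE_HEADER = """Mach header
      magic  cputype cpusubtype  caps    filetype ncmds sizeofcmds      flags
MH_MAGIC_64    ARM64        ALL  0x00     EXECUTE    27       3288   NOUNDEFS DYLDLINK TWOLEVEL PIE
"""
SAMPLE_SYMBOLS = """Indirect symbols for (__TEXT,__stubs) 3 entries
address            index name
0x0000000100004000    12 _objc_msgSend
0x000000010000400c    14 _objc_release
0x0000000100004018    20 ___stack_chk_fail
"""
SAMPLE_LOAD_CMDS = """Load command 12
          cmd LC_ENCRYPTION_INFO_64
      cmdsize 24
     cryptoff 16384
    cryptsize 3473408
      cryptid 1
          pad 0
"""


def check_protections(header, symbols, load_cmds):
    """Evaluate the Workflow 6 checks on `otool -hv`, `otool -I -v` and `otool -l` output.

    Returns a dict of booleans: pie, arc, stack_canaries, encrypted.
    """
    # `otool -hv` prints the header flags as the trailing columns of its last line.
    flags = header.strip().splitlines()[-1].split()
    tokens = set(symbols.split())
    # cryptid 1 = still FairPlay-encrypted, 0 = decrypted / development build.
    crypt = re.search(r"^\s*cryptid\s+(\d+)", load_cmds, re.M)
    return {
        "pie": "PIE" in flags,
        "arc": "_objc_release" in tokens,
        "stack_canaries": "___stack_chk_fail" in tokens,
        "encrypted": bool(crypt) and crypt.group(1) != "0",
    }


def weaknesses(result):
    """List the missing protections; 'encrypted' is informational (dev builds are unencrypted)."""
    names = {"pie": "PIE disabled (ASLR weakened)",
             "arc": "ARC not used (manual memory management)",
             "stack_canaries": "no stack canaries (___stack_chk_fail absent)"}
    return [msg for key, msg in names.items() if not result[key]]


if __name__ == "__main__":
    result = check_protections(SAMPLE_HEADER, SAMPLE_SYMBOLS, SAMPLE_LOAD_CMDS)
    print(result, weaknesses(result) or "no weaknesses")
```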

### Frida Script Library

Pre-built scripts in the `/scripts/` directory:

| Script | Purpose |
|---|---|
| `ssl_pinning_bypass.js` | Universal SSL/TLS pinning bypass |
| `jailbreak_bypass.js` | Jailbreak detection bypass |
| `biometric_bypass.js` | Touch ID / Face ID bypass |
| `keychain_hooks.js` | Keychain operation monitoring |
| `crypto_hooks.js` | Cryptographic operation monitoring |
| `url_scheme_monitor.js` | URL scheme handling monitor |
| `network_hooks.js` | Network request/response logging |
| `pasteboard_monitor.js` | Clipboard monitoring |
| `method_tracer.js` | Generic Objective-C method tracing |
| `anti_debug_bypass.js` | Anti-debugging bypass |

### Objection Quick Reference

#### Information Gathering

```text
ios info binary                    # App binary info
ios bundles list_frameworks        # Linked frameworks
ios hooking list classes           # All classes
ios hooking search classes <term>  # Search classes
ios hooking list class_methods <class>  # Methods in class
```

#### Security Bypass

```text
ios sslpinning disable            # Disable SSL pinning
ios jailbreak disable             # Disable jailbreak detection
ios jailbreak simulate            # Simulate non-jailbroken
ios pasteboard monitor            # Monitor clipboard
```

#### Data Extraction

```text
ios keychain dump                 # Dump keychain items
ios keychain dump --json          # JSON format
ios nsuserdefaults get            # Get NSUserDefaults
ios cookies get                   # Get cookies
ios nsurlcredentialstorage dump   # URL credentials
ios plist cat <path>              # Read plist file
```

#### Runtime Manipulation

```text
ios hooking watch class <class>   # Watch all methods
ios hooking watch method <method> # Watch specific method
ios hooking set return_value <method> <value>  # Modify return
ios hooking generate simple <class>  # Generate hook template
```

#### File System

```text
ls                                # List files
file download <path>              # Download file
file upload <local> <remote>      # Upload file
sqlite connect <path>             # Connect to SQLite DB
```

### iOS-Specific Vulnerabilities

#### 1. Keychain Misconfigurations

**CRITICAL - `kSecAttrAccessibleAlways`**
- Data accessible even when device locked
- Test: `ios keychain dump` while device locked

**HIGH - `kSecAttrAccessibleAfterFirstUnlock`**
- Persists after reboot (readable while the device is locked once it has been unlocked once)
- Test: Reboot device, check accessibility

**MEDIUM - Missing `kSecAttrAccessControl` (biometric)**
- No biometric protection on sensitive items
- Test: Check for LAContext requirements
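To turn a keychain dump into the severity ratings above, here is an added triage script (not part of this skill's bundled scripts) that reads the JSON written by `ios keychain dump --json <file>` and applies this section's accessibility-class mapping; it also serves the accessibility-level check in Workflow 3. The JSON field names and the sample items are constructed assumptions, so compare them with a real dump before relying on them.

```python
import json
import re

# Constructed sample of the JSON objection writes for `ios keychain dump --json <file>`.
# The field names below are assumed for illustration; compare them with a real dump.
SAMPLE_DUMP = json.dumps([
    {"service": "com.example.app", "account": "session_token", "access_control": "",
     "accessible_attribute": "kSecAttrAccessibleAlways", "data": "eyJhbGciOiJIUzI1NiJ9.x.y"},
    {"service": "com.example.app", "account": "refresh_token", "access_control": "",
     "accessible_attribute": "kSecAttrAccessibleAfterFirstUnlock", "data": "rt_7f3a"},
    {"service": "com.example.app", "account": "user_password", "access_control": "",
     "accessible_attribute": "kSecAttrAccessibleWhenUnlocked", "data": "hunter2"},
    {"service": "com.example.app", "account": "pin_hash", "access_control": "BiometryCurrentSet",
     "accessible_attribute": "kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly", "data": "a1b2c3"},
])

# Account/service names that usually hold material worth a biometric or passcode gate.
SENSITIVE = re.compile(r"password|passwd|token|secret|session|pin|key", re.I)

SEVERITY_ORDER = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2}
REMEDIATION = ("store under kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly and add "
               "kSecAttrAccessControl (biometry/passcode) for sensitive items")


def classify(item):
    """Map one keychain item to (severity, reason) per the classes above, or None if acceptable."""
    attr = item.get("accessible_attribute", "")
    label = f'{item.get("service", "")} {item.get("account", "")}'
    if attr.startswith("kSecAttrAccessibleAlways"):  # covers the ThisDeviceOnly variant too
        return "CRITICAL", f"{attr}: readable even while the device is locked"
    if attr.startswith("kSecAttrAccessibleAfterFirstUnlock"):
        return "HIGH", f"{attr}: readable while locked once the device has been unlocked since boot"
    if SENSITIVE.search(label) and not item.get("access_control"):
        return "MEDIUM", "sensitive item has no kSecAttrAccessControl (no biometric/passcode gate)"
    return None


def triage(dump_json):
    """Parse an objection keychain dump and return findings ordered CRITICAL -> MEDIUM."""
    findings = []
    for item in json.loads(dump_json):
        verdict = classify(item)
        if verdict:
            findings.append({"account": item.get("account"), "severity": verdict[0],
                             "reason": verdict[1], "remediation": REMEDIATION})
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f["severity"]])


if __name__ == "__main__":
    for f in triage(SAMPLE_DUMP):
        print(f'[{f["severity"]}] {f["account"]}: {f["reason"]}')
```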

#### 2. Data Protection API Misuse

```bash
# Check file protection levels
find /var/mobile/Containers/Data/Application/<UUID> -type f | while read f; do
    ls -l@ "$f" | grep -i protection
done

# Expected: NSFileProtectionComplete for sensitive files
# Vulnerable: NSFileProtectionNone or missing protection
```

#### 3. IPC Vulnerabilities

**URL Scheme hijacking**
- Check if sensitive URL schemes can be intercepted
- Test custom scheme handling for injection

**Universal Links**
- Check the `apple-app-site-association` file
- Test for bypasses to native handling

**App Extensions**
- Check data sharing between extensions
- Test for sensitive data leakage

### Troubleshooting Guide

#### Frida Issues

**"Unable to find application"**

```bash
# Verify bundle ID
ideviceinstaller -l | grep <name>

# Try spawning instead of attaching
frida -U -f com.exact.bundleid --no-pause
```

**"Frida server not running"**

```bash
# SSH to device and start manually
ssh root@device
/usr/sbin/frida-server &

# Or check if running
frida-ps -U
```

**"Failed to spawn: unable to access process"**

```bash
# For non-jailbroken, use Frida Gadget
objection patchipa --source app.ipa --codesign-signature "Your Cert"

# Or use developer disk image
ideviceimagemounter /path/to/DeveloperDiskImage.dmg
```

#### SSL Pinning Issues

**Universal bypass doesn't work**

```bash
# 1. Identify pinning library (objection console)
ios hooking search classes Trust
ios hooking search classes SSL
ios hooking search classes Certificate

# 2. Check for custom implementation
class-dump -H App.app/App -o headers/
grep -r "pin" headers/

# 3. Write custom hook targeting specific method
```

#### Jailbreak Detection

**App detects jailbreak and exits**

```bash
# Method 1: Objection
ios jailbreak disable

# Method 2: Hide jailbreak files via Cydia packages
# Install Liberty Lite or Shadow

# Method 3: Custom Frida bypass
frida -U -f app -l jailbreak_bypass.js --no-pause

# Common detection vectors:
# - File existence (/Applications/Cydia.app, /bin/bash, /usr/sbin/sshd)
# - URL scheme (cydia://)
# - Dylib injection detection
# - Sandbox escape checks
# - Fork() detection
```

### Reporting

#### Finding Template

```markdown
## [SEVERITY] Finding Title

**MASTG ID**: MASTG-TEST-XXXX
**Category**: MASVS-STORAGE | MASVS-CRYPTO | MASVS-AUTH | MASVS-NETWORK
**CVSS Score**: X.X

### Description
Detailed description of the vulnerability.

### Affected Component
- Bundle ID: com.example.app
- Class/Method: ClassName.methodName
- File: /path/to/file

### Evidence
[Objection/Frida output]
[Screenshots]
[Network captures]

### Reproduction Steps
1. Install Frida on jailbroken device
2. Run: objection -g com.example.app explore
3. Execute: ios keychain dump
4. Observe: Plaintext credentials visible

### Impact
Business impact and risk assessment.

### Remediation
- Use kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly
- Implement additional encryption layer
- Add biometric protection

### References
- https://mas.owasp.org/MASTG/...
- https://developer.apple.com/...
```

### Bundled Resources

#### scripts/

  • ssl_pinning_bypass.js - Universal SSL pinning bypass
  • jailbreak_bypass.js - Jailbreak detection bypass
  • biometric_bypass.js - Biometric authentication bypass
  • keychain_hooks.js - Keychain operation monitoring
  • crypto_hooks.js - Crypto operation monitoring
  • url_scheme_monitor.js - URL scheme monitoring
  • method_tracer.js - Generic method tracing
  • anti_debug_bypass.js - Anti-debugging bypass

#### methodology/

  • recon.md - iOS reconnaissance techniques
  • static_analysis.md - Binary and IPA analysis
  • dynamic_analysis.md - Runtime testing with Frida/Objection
  • network_testing.md - Traffic interception and analysis
  • data_storage.md - Keychain and local storage testing
  • crypto_testing.md - Cryptographic implementation testing
  • auth_testing.md - Authentication and biometric testing
  • binary_protections.md - PIE, ARC, stack canaries

#### checklists/

  • owasp_mastg_ios.md - Complete OWASP MASTG iOS checklist
  • quick_wins.md - Fast vulnerability identification
  • pre_engagement.md - Setup verification

#### references/

  • objection_commands.md - Complete Objection command reference
  • frida_ios_snippets.md - Common Frida code snippets
  • ios_security_checklist.md - Comprehensive security checklist

# Supported AI Coding Agents

This skill is compatible with the SKILL.md standard and works with all major AI coding agents.