ios-pentest
Comprehensive iOS mobile application penetration testing skill with Frida/Objection integration for jailbroken and non-jailbroken devices. This skill should be used when performing security assessments on iOS applications including static analysis, dynamic analysis, runtime manipulation, traffic interception, keychain analysis, and vulnerability identification. Triggers on requests to pentest iOS apps, test iPhone/iPad security, analyze IPAs, bypass security controls, or perform OWASP MASTG iOS assessments.
Best use case
ios-pentest is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Teams using ios-pentest should expect more consistent output, faster repeated execution, and less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in `.claude/skills/ios-pentest/SKILL.md` inside your project
- Restart your AI agent — it will auto-discover the skill
How ios-pentest Compares
| Feature / Agent | ios-pentest | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Comprehensive iOS mobile application penetration testing skill with Frida/Objection integration for jailbroken and non-jailbroken devices. This skill should be used when performing security assessments on iOS applications including static analysis, dynamic analysis, runtime manipulation, traffic interception, keychain analysis, and vulnerability identification. Triggers on requests to pentest iOS apps, test iPhone/iPad security, analyze IPAs, bypass security controls, or perform OWASP MASTG iOS assessments.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# iOS Mobile Application Penetration Testing
This skill enables comprehensive security testing of iOS applications using Frida, Objection, and standard iOS pentesting tools. It covers the full OWASP MASTG methodology for iOS from reconnaissance to exploitation and reporting.
## When to Use This Skill
This skill should be invoked when:
- Starting a new iOS application security assessment
- Performing dynamic analysis on iOS apps
- Bypassing security controls (SSL pinning, jailbreak detection, anti-tampering)
- Extracting and analyzing keychain data
- Testing authentication and biometric mechanisms
- Analyzing network communications
- Analyzing IPA files and app binaries
- Performing OWASP MASTG compliance testing for iOS
### Trigger Phrases
- "pentest this iOS app"
- "security test the IPA"
- "bypass SSL pinning on iPhone"
- "extract keychain data from [app]"
- "test iOS authentication"
- "MASTG testing for iOS app"
- "mobile app security assessment iOS"
- "test this iPhone app"
---
## Prerequisites
### Required Tools
| Tool | Purpose | Installation |
|------|---------|--------------|
| Frida | Dynamic instrumentation | `pip install frida-tools` |
| Objection | Mobile exploration | `pip install objection` |
| libimobiledevice | iOS device communication | `brew install libimobiledevice` |
| ios-deploy | App deployment | `brew install ios-deploy` |
| ideviceinstaller | App installation | `brew install ideviceinstaller` |
| Burp Suite | Traffic interception | Download from PortSwigger |
| Hopper/IDA | Binary analysis | Commercial/Download |
| class-dump | Header extraction | `brew install class-dump` |
### Mobile MCP for Device Interaction
For advanced device and simulator interactions, use **Mobile MCP**:
- **Repository**: https://github.com/mobile-next/mobile-mcp
- **Purpose**: Provides MCP-based interaction with iOS simulators and physical devices
- **Features**: Screen capture, touch automation, app lifecycle management, and UI inspection
Add to `~/.claude/mcp.json` (JSON does not allow comments, so the file itself contains only the object below):
```json
{
  "mcpServers": {
    "mobile-mcp": {
      "command": "npx",
      "args": ["-y", "@anthropic/mobile-mcp", "--ios"]
    }
  }
}
```
This complements Frida/Objection for scenarios requiring direct device UI interaction during security testing.
### Device Setup
#### Jailbroken Device (Recommended for Full Testing)
```bash
# 1. Jailbreak device (checkra1n, unc0ver, or palera1n depending on iOS version)
# 2. Install Cydia/Sileo
# 3. Add Frida repo and install
# In Cydia: Add repo https://build.frida.re
# Install: Frida
# 4. Verify connection
frida-ps -U
# 5. Install useful packages via Cydia:
# - OpenSSH
# - Apple File Conduit 2
# - AppSync Unified
# - Filza File Manager
```
#### Non-Jailbroken Device (Limited Testing)
```bash
# Option 1: Developer Disk Image (iOS 13+)
# Mount developer disk via Xcode or:
ideviceimagemounter /path/to/DeveloperDiskImage.dmg
# Option 2: Frida Gadget injection into IPA
# 1. Extract IPA
unzip app.ipa -d extracted/
# 2. Inject Frida Gadget using objection:
objection patchipa --source app.ipa --codesign-signature "Developer ID"
# 3. Install patched IPA
ios-deploy --bundle extracted/Payload/App.app
# Option 3: For debuggable apps (development builds)
frida -U -f com.example.app --no-pause
```
### Verification
```bash
# Verify device connection
idevice_id -l
# Verify Frida connection
frida-ps -U
# Test Objection
objection -g com.example.app explore
# Verify SSH (jailbroken)
ssh root@<device-ip> -p 22
# Default password: alpine
```
---
## Quick Start Guide
### 1. Initial Setup (2 minutes)
```
User: I need to pentest the iOS app com.example.targetapp
Claude: I'll set up the iOS testing environment.
1. Get app info:
$ ideviceinstaller -l | grep targetapp
$ objection -g com.example.targetapp explore
> ios info binary
2. Extract IPA for static analysis:
# For App Store apps (jailbroken):
$ ssh root@device "find /var/containers/Bundle/Application -name '*.app' | xargs -I {} dirname {}"
# Or use frida-ios-dump:
$ python dump.py com.example.targetapp
3. Map attack surface:
> ios hooking list classes
> ios hooking search classes auth
> ios hooking search methods keychain
```
### 2. Bypass Security Controls (1 minute)
```bash
# Using Objection (recommended for quick bypass)
objection -g com.example.targetapp explore
# Inside objection console:
ios sslpinning disable
ios jailbreak disable
ios jailbreak simulate # If app checks for jailbreak
# Or spawn with bypasses:
objection -g com.example.targetapp explore --startup-command 'ios sslpinning disable'
```
### 3. Dynamic Analysis
```bash
# Objection commands for common operations:
ios keychain dump
ios nsuserdefaults get
ios cookies get
ios nsurlcredentialstorage dump
ios plist cat <path>
ios bundles list_frameworks
# Frida for custom hooking:
frida -U -f com.example.targetapp -l hooks.js --no-pause
```
### 4. Data Extraction
```bash
# Keychain (most critical)
objection -g com.example.targetapp explore
> ios keychain dump
# Local storage
> ios nsuserdefaults get
> ios cookies get
> ios plist cat /var/mobile/Containers/Data/Application/<UUID>/Library/Preferences/*.plist
# File system (jailbroken)
ssh root@device
find /var/mobile/Containers/Data/Application -name "*.sqlite" -o -name "*.db"
```
---
## Methodology Reference
| Document | Coverage |
|----------|----------|
| [methodology/recon.md](methodology/recon.md) | Information gathering, IPA analysis |
| [methodology/static_analysis.md](methodology/static_analysis.md) | Binary analysis, class-dump, strings |
| [methodology/dynamic_analysis.md](methodology/dynamic_analysis.md) | Runtime testing, Frida/Objection |
| [methodology/network_testing.md](methodology/network_testing.md) | Traffic analysis, SSL pinning |
| [methodology/data_storage.md](methodology/data_storage.md) | Keychain, NSUserDefaults, files |
| [methodology/crypto_testing.md](methodology/crypto_testing.md) | Encryption analysis, key management |
| [methodology/auth_testing.md](methodology/auth_testing.md) | Authentication, biometrics, sessions |
| [methodology/binary_protections.md](methodology/binary_protections.md) | PIE, ARC, stack canaries |
---
## Common Workflows
### Workflow 1: Complete Application Assessment
```bash
# Phase 1: Reconnaissance
ideviceinstaller -l # List installed apps
objection -g com.example.app explore
> ios info binary
> ios bundles list_frameworks
# Phase 2: Extract and Analyze IPA
# Jailbroken method:
ssh root@device "cp -r /var/containers/Bundle/Application/<UUID>/App.app /tmp/"
scp -r root@device:/tmp/App.app ./
# Decrypt if encrypted (App Store apps):
frida-ios-dump com.example.app
# Phase 3: Static Analysis
class-dump -H App.app/App -o headers/
strings App.app/App | grep -i "api\|key\|secret\|password"
otool -L App.app/App # Check linked libraries
# Phase 4: Bypass Protections
objection -g com.example.app explore --startup-command 'ios sslpinning disable'
# Or with Frida script:
frida -U -f com.example.app -l ssl_bypass.js --no-pause
# Phase 5: Dynamic Analysis
> ios keychain dump
> ios nsuserdefaults get
> ios hooking watch class KeychainWrapper
> ios hooking watch method "-[AuthManager authenticate:]"
# Phase 6: Network Testing
# Configure Burp proxy on device:
# Settings > Wi-Fi > HTTP Proxy > Manual
# Install Burp CA via Safari
```
### Workflow 2: SSL Pinning Bypass
```bash
# Method 1: Objection (works for most apps)
objection -g com.example.app explore
> ios sslpinning disable
# Method 2: Frida script for common libraries
frida -U -f com.example.app -l scripts/ssl_pinning_bypass.js --no-pause
# Method 3: Custom bypass for specific implementation
# First identify pinning method:
> ios hooking search classes SSL
> ios hooking search classes TrustKit
> ios hooking search classes AFSecurityPolicy
# Method 4: Killswitch for ATS (dev only)
# Add to Info.plist: NSAllowsArbitraryLoads = YES
```
### Workflow 3: Keychain Analysis
```bash
# Dump all keychain items
objection -g com.example.app explore
> ios keychain dump
# Look for specific items
> ios keychain dump --json | grep -i password
> ios keychain dump --json | grep -i token
# Monitor keychain access in real-time
> ios hooking watch class KeychainItemWrapper
> ios hooking watch method "+[KeychainService getItem:]"
# Frida script for keychain monitoring
frida -U com.example.app -l scripts/keychain_hooks.js
# Check keychain accessibility levels:
# - kSecAttrAccessibleWhenUnlocked (OK)
# - kSecAttrAccessibleAfterFirstUnlock (MEDIUM - persists after reboot)
# - kSecAttrAccessibleAlways (CRITICAL - accessible even when locked)
```
### Workflow 4: Biometric Authentication Testing
```bash
# Monitor biometric calls
objection -g com.example.app explore
> ios hooking watch class LAContext
> ios hooking watch method "-[LAContext evaluatePolicy:localizedReason:reply:]"
# Bypass biometric with Frida
frida -U com.example.app -l scripts/biometric_bypass.js
# Test if server validates biometric
# 1. Bypass locally
# 2. Check if authenticated actions still require server auth
# 3. Replay captured tokens
```
### Workflow 5: URL Scheme / Deep Link Testing
```bash
# Find registered URL schemes
plutil -p App.app/Info.plist | grep -A5 CFBundleURLSchemes
# Or via objection:
> ios info binary
# Test URL schemes on device via Safari:
# targetapp://action?param=value
# Monitor URL handling
> ios hooking watch method "-[AppDelegate application:openURL:options:]"
# Test for:
# - Open redirect: targetapp://redirect?url=http://evil.com
# - XSS in WebView: targetapp://open?url=javascript:alert(1)
# - Sensitive action: targetapp://transfer?amount=1000&to=attacker
```
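The two Info.plist checks that recur above, enumerating `CFBundleURLSchemes` (Workflow 5) and catching a left-in ATS killswitch such as `NSAllowsArbitraryLoads` (Workflow 2), are quick to automate against a plist pulled from the `.app` bundle. The script below is an added example, not code shipped with the skill: the plist is constructed for illustration, and the checks use only the standard `plistlib` module. It goes beyond the page's single `NSAllowsArbitraryLoads` case by also reporting per-domain `NSExceptionAllowsInsecureHTTPLoads` and downgraded `NSExceptionMinimumTLSVersion` entries.

```python
"""Review an iOS Info.plist for registered URL schemes and ATS weakenings.

Added example (not part of the ios-pentest skill). The sample plist below is
constructed; on an engagement read App.app/Info.plist instead (plistlib also
parses the binary form, so `plutil -convert xml1` is optional).
"""
import plistlib

# Constructed sample: one custom scheme pair plus a permissive ATS block.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>com.example.targetapp</string>
    <key>CFBundleURLTypes</key>
    <array>
        <dict>
            <key>CFBundleURLName</key>
            <string>com.example.targetapp.links</string>
            <key>CFBundleURLSchemes</key>
            <array>
                <string>targetapp</string>
                <string>targetapp-auth</string>
            </array>
        </dict>
    </array>
    <key>NSAppTransportSecurity</key>
    <dict>
        <key>NSAllowsArbitraryLoads</key>
        <true/>
        <key>NSExceptionDomains</key>
        <dict>
            <key>legacy.example.com</key>
            <dict>
                <key>NSExceptionAllowsInsecureHTTPLoads</key>
                <true/>
            </dict>
        </dict>
    </dict>
</dict>
</plist>
"""


def load_plist(data: bytes) -> dict:
    """Parse XML or binary plist bytes into a dict."""
    return plistlib.loads(data)


def url_schemes(info: dict) -> list:
    """Every custom scheme the app registers; each is an entry point to review."""
    schemes = []
    for url_type in info.get("CFBundleURLTypes", []):
        schemes.extend(url_type.get("CFBundleURLSchemes", []))
    return sorted(set(schemes))


def ats_findings(info: dict) -> list:
    """ATS weakenings worth reporting, as (setting, scope) tuples; '*' = app-wide."""
    ats = info.get("NSAppTransportSecurity", {})
    out = []
    if ats.get("NSAllowsArbitraryLoads"):
        out.append(("NSAllowsArbitraryLoads", "*"))
    if ats.get("NSAllowsArbitraryLoadsInWebContent"):
        out.append(("NSAllowsArbitraryLoadsInWebContent", "*"))
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        if rules.get("NSExceptionAllowsInsecureHTTPLoads"):
            out.append(("NSExceptionAllowsInsecureHTTPLoads", domain))
        min_tls = rules.get("NSExceptionMinimumTLSVersion", "TLSv1.2")
        if min_tls in ("TLSv1.0", "TLSv1.1"):
            out.append(("NSExceptionMinimumTLSVersion=" + min_tls, domain))
    return out


if __name__ == "__main__":
    info = load_plist(SAMPLE_INFO_PLIST)
    print("Bundle:", info.get("CFBundleIdentifier"))
    print("URL schemes to test:", ", ".join(url_schemes(info)) or "(none)")
    for setting, scope in ats_findings(info):
        print(f"ATS finding: {setting} (scope: {scope})")
```

Run it against the real plist with `load_plist(open("App.app/Info.plist", "rb").read())`; an `NSAllowsArbitraryLoads` hit in an App Store build is a finding in its own right, independent of whether pinning is present.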
### Workflow 6: Binary Protection Analysis
```bash
# Check PIE (Position Independent Executable)
otool -hv App.app/App | grep PIE
# Should show: PIE flag
# Check ARC (Automatic Reference Counting)
otool -I -v App.app/App | grep objc_release
# Presence indicates ARC
# Check stack canaries
otool -I -v App.app/App | grep stack_chk
# Should show: ___stack_chk_fail
# Check encryption
otool -l App.app/App | grep -A4 LC_ENCRYPTION_INFO
# cryptid 1 = encrypted, 0 = decrypted
# Comprehensive check via objection
> ios info binary
# Expected results for secure app:
# - PIE: enabled
# - ARC: enabled
# - Stack Canaries: present
# - Encrypted: yes (App Store) / no (development)
```
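The four `otool` checks in this workflow are easy to misread by eye on a large binary, so it helps to save the output and parse it. The following is an added example, not part of the skill's scripts: it reads captured `otool -hv`, `otool -I -v` and `otool -l` text (the samples are constructed to match otool's layout) and produces the same PIE / ARC / stack-canary / encryption summary the workflow expects, plus finding titles for the report template.

```python
"""Classify iOS binary hardening from saved otool output.

Added example (not part of the ios-pentest skill). The three SAMPLE_* strings are
constructed to look like otool output; replace them with the real captures from
the decrypted app binary.
"""
from typing import Optional

# Constructed sample shaped like `otool -hv App.app/App`.
SAMPLE_HEADER = """Mach header
      magic  cputype cpusubtype  caps    filetype ncmds sizeofcmds      flags
MH_MAGIC_64    ARM64        ALL  0x00     EXECUTE    25       3648   NOUNDEFS DYLDLINK TWOLEVEL PIE
"""

# Constructed sample shaped like `otool -I -v App.app/App` (indirect symbol table).
SAMPLE_SYMBOLS = """Indirect symbols for (__TEXT,__stubs) 3 entries
address            index name
0x0000000100005000    12 ___stack_chk_fail
0x000000010000500c    13 _objc_release
0x0000000100005018    14 _objc_msgSend
"""

# Constructed sample shaped like the LC_ENCRYPTION_INFO_64 block of `otool -l App.app/App`.
SAMPLE_LOAD_COMMANDS = """Load command 12
          cmd LC_ENCRYPTION_INFO_64
      cmdsize 24
     cryptoff 16384
    cryptsize 6340608
      cryptid 1
          pad 0
"""


def has_pie(header_output: str) -> bool:
    """PIE appears as a token on the flags line that starts with MH_MAGIC."""
    for line in header_output.splitlines():
        if line.startswith("MH_MAGIC"):
            return "PIE" in line.split()
    return False


def has_stack_canary(symbols_output: str) -> bool:
    """Binaries built with -fstack-protector import ___stack_chk_fail."""
    return "___stack_chk_fail" in symbols_output.split()


def has_arc(symbols_output: str) -> bool:
    """ARC-compiled Objective-C imports runtime helpers such as _objc_release."""
    return "_objc_release" in symbols_output.split()


def encryption_cryptid(load_commands_output: str) -> Optional[int]:
    """cryptid from LC_ENCRYPTION_INFO(_64): 1 = encrypted, 0 = decrypted, None = no such command."""
    in_encryption_cmd = False
    for line in load_commands_output.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "cmd":
            in_encryption_cmd = fields[1].startswith("LC_ENCRYPTION_INFO")
        elif in_encryption_cmd and len(fields) == 2 and fields[0] == "cryptid":
            return int(fields[1])
    return None


def assess(header_output: str, symbols_output: str, load_commands_output: str) -> dict:
    """Combine the checks into the summary the workflow expects for a secure app."""
    cryptid = encryption_cryptid(load_commands_output)
    return {
        "pie": has_pie(header_output),
        "arc": has_arc(symbols_output),
        "stack_canaries": has_stack_canary(symbols_output),
        "encrypted": cryptid == 1,
        "has_encryption_info": cryptid is not None,
    }


def findings(report: dict) -> list:
    """Missing mitigations as finding titles for the reporting template."""
    out = []
    if not report["pie"]:
        out.append("Binary not compiled as PIE (ASLR weakened)")
    if not report["stack_canaries"]:
        out.append("Stack canaries (___stack_chk_fail) absent")
    if not report["arc"]:
        out.append("ARC not detected; review manual memory management")
    return out


if __name__ == "__main__":
    report = assess(SAMPLE_HEADER, SAMPLE_SYMBOLS, SAMPLE_LOAD_COMMANDS)
    for key, value in report.items():
        print(f"{key:>20}: {value}")
    for title in findings(report):
        print("FINDING:", title)
```

`encrypted` being true on a dumped binary means the decryption step in Phase 2 did not take and `class-dump`/`strings` will return garbage; check it before starting static analysis.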
---
## Frida Script Library
Pre-built scripts in `/scripts/` directory:
| Script | Purpose |
|--------|---------|
| `ssl_pinning_bypass.js` | Universal SSL/TLS pinning bypass |
| `jailbreak_bypass.js` | Jailbreak detection bypass |
| `biometric_bypass.js` | Touch ID / Face ID bypass |
| `keychain_hooks.js` | Keychain operation monitoring |
| `crypto_hooks.js` | Cryptographic operation monitoring |
| `url_scheme_monitor.js` | URL scheme handling monitor |
| `network_hooks.js` | Network request/response logging |
| `pasteboard_monitor.js` | Clipboard monitoring |
| `method_tracer.js` | Generic Objective-C method tracing |
| `anti_debug_bypass.js` | Anti-debugging bypass |
---
## Objection Quick Reference
### Information Gathering
```bash
ios info binary # App binary info
ios bundles list_frameworks # Linked frameworks
ios hooking list classes # All classes
ios hooking search classes <term> # Search classes
ios hooking list class_methods <class> # Methods in class
```
### Security Bypass
```bash
ios sslpinning disable # Disable SSL pinning
ios jailbreak disable # Disable jailbreak detection
ios jailbreak simulate # Simulate non-jailbroken
ios pasteboard monitor # Monitor clipboard
```
### Data Extraction
```bash
ios keychain dump # Dump keychain items
ios keychain dump --json # JSON format
ios nsuserdefaults get # Get NSUserDefaults
ios cookies get # Get cookies
ios nsurlcredentialstorage dump # URL credentials
ios plist cat <path> # Read plist file
```
### Runtime Manipulation
```bash
ios hooking watch class <class> # Watch all methods
ios hooking watch method <method> # Watch specific method
ios hooking set return_value <method> <value> # Modify return
ios hooking generate simple <class> # Generate hook template
```
### File System
```bash
ls # List files
file download <path> # Download file
file upload <local> <remote> # Upload file
sqlite connect <path> # Connect to SQLite DB
```
---
## iOS-Specific Vulnerabilities
### 1. Keychain Misconfigurations
```markdown
CRITICAL - kSecAttrAccessibleAlways
- Data accessible even when device locked
- Test: ios keychain dump while device locked
HIGH - kSecAttrAccessibleAfterFirstUnlock
- Persists after reboot
- Test: Reboot device, check accessibility
MEDIUM - Missing kSecAttrAccessControl (biometric)
- No biometric protection on sensitive items
- Test: Check for LAContext requirements
```
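A keychain dump from a real app runs to dozens of items, so the accessibility grading above is best applied mechanically to the `ios keychain dump --json` output rather than read line by line. The script below is an added example, not part of the skill: the severity labels follow this section, the sample dump is constructed, and the field names `accessible_attribute`, `access_control`, `account`, `service` and `data` are assumed to match objection's JSON (rename them in the code if your version differs). It never prints secret values, only their length, so its output can be pasted into the Evidence section of a finding.

```python
"""Triage a saved `ios keychain dump --json` file by accessibility class.

Added example, not part of the ios-pentest skill. Field names are assumed to
match objection's JSON output; the sample dump is constructed. Severities:
kSecAttrAccessibleAlways* = CRITICAL, AfterFirstUnlock* = HIGH, no access
control policy = MEDIUM (candidate: confirm the item is actually sensitive).
"""
import json

# Constructed sample in the assumed shape of objection's keychain JSON.
SAMPLE_DUMP = json.dumps([
    {"item_class": "kSecClassGenericPassword", "account": "session",
     "service": "com.example.targetapp", "data": "eyJhbGciOi...",
     "accessible_attribute": "kSecAttrAccessibleAlways", "access_control": ""},
    {"item_class": "kSecClassGenericPassword", "account": "refresh_token",
     "service": "com.example.targetapp", "data": "r-9f8e7d...",
     "accessible_attribute": "kSecAttrAccessibleAfterFirstUnlock", "access_control": ""},
    {"item_class": "kSecClassGenericPassword", "account": "pin",
     "service": "com.example.targetapp", "data": "1234",
     "accessible_attribute": "kSecAttrAccessibleWhenUnlockedThisDeviceOnly", "access_control": ""},
    {"item_class": "kSecClassGenericPassword", "account": "card",
     "service": "com.example.targetapp", "data": "4111...",
     "accessible_attribute": "kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly",
     "access_control": "BiometryCurrentSet"},
])

SEVERITY_BY_ACCESSIBILITY = {
    "kSecAttrAccessibleAlways": "CRITICAL",
    "kSecAttrAccessibleAlwaysThisDeviceOnly": "CRITICAL",
    "kSecAttrAccessibleAfterFirstUnlock": "HIGH",
    "kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly": "HIGH",
}
SEVERITY_ORDER = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "OK": 3}


def classify(item: dict) -> str:
    """Severity for one item: accessibility class first, then presence of an ACL."""
    accessibility = item.get("accessible_attribute", "")
    if accessibility in SEVERITY_BY_ACCESSIBILITY:
        return SEVERITY_BY_ACCESSIBILITY[accessibility]
    if not item.get("access_control"):
        return "MEDIUM"  # no biometric/passcode policy bound to the item
    return "OK"


def triage(dump_json: str) -> list:
    """(severity, service, account, accessibility, secret_length) rows, worst first."""
    rows = []
    for item in json.loads(dump_json):
        rows.append((
            classify(item),
            item.get("service", ""),
            item.get("account", ""),
            item.get("accessible_attribute", ""),
            len(item.get("data") or ""),  # length only; the secret is never echoed
        ))
    return sorted(rows, key=lambda row: SEVERITY_ORDER[row[0]])


def summary(rows: list) -> dict:
    """Count of items per severity, for the report's overview table."""
    counts = {sev: 0 for sev in SEVERITY_ORDER}
    for row in rows:
        counts[row[0]] += 1
    return counts


if __name__ == "__main__":
    rows = triage(SAMPLE_DUMP)
    for sev, service, account, accessibility, length in rows:
        print(f"{sev:8} {service} / {account}: {accessibility} ({length} bytes)")
    print(summary(rows))
```

Feed it a real capture with `triage(open("keychain.json").read())`; anything graded CRITICAL can be confirmed with the "dump while device locked" test listed above, which is the evidence the finding needs.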
### 2. Data Protection API Misuse
```bash
# Check file protection levels
find /var/mobile/Containers/Data/Application/<UUID> -type f | while read -r f; do
  ls -l@ "$f" | grep -i protection
done
# Expected: NSFileProtectionComplete for sensitive files
# Vulnerable: NSFileProtectionNone or missing protection
```
### 3. IPC Vulnerabilities
```markdown
# URL Scheme hijacking
- Check if sensitive URL schemes can be intercepted
- Test custom scheme handling for injection
# Universal Links
- Check apple-app-site-association file
- Test for bypasses to native handling
# App Extensions
- Check data sharing between extensions
- Test for sensitive data leakage
```
---
## Troubleshooting Guide
### Frida Issues
**"Unable to find application"**
```bash
# Verify bundle ID
ideviceinstaller -l | grep <name>
# Try spawning instead of attaching
frida -U -f com.exact.bundleid --no-pause
```
**"Frida server not running"**
```bash
# SSH to device and start manually
ssh root@device
/usr/sbin/frida-server &
# Or check if running
frida-ps -U
```
**"Failed to spawn: unable to access process"**
```bash
# For non-jailbroken, use Frida Gadget
objection patchipa --source app.ipa --codesign-signature "Your Cert"
# Or use developer disk image
ideviceimagemounter /path/to/DeveloperDiskImage.dmg
```
### SSL Pinning Issues
**Universal bypass doesn't work**
```bash
# 1. Identify pinning library
ios hooking search classes Trust
ios hooking search classes SSL
ios hooking search classes Certificate
# 2. Check for custom implementation
class-dump -H App.app/App -o headers/
grep -r "pin" headers/
# 3. Write custom hook targeting specific method
```
### Jailbreak Detection
**App detects jailbreak and exits**
```bash
# Method 1: Objection
ios jailbreak disable
# Method 2: Hide jailbreak files via Cydia packages
# Install Liberty Lite or Shadow
# Method 3: Custom Frida bypass
frida -U -f app -l jailbreak_bypass.js --no-pause
# Common detection vectors:
# - File existence (/Applications/Cydia.app, /bin/bash, /usr/sbin/sshd)
# - URL scheme (cydia://)
# - Dylib injection detection
# - Sandbox escape checks
# - Fork() detection
```
---
## Reporting
### Finding Template
```markdown
## [SEVERITY] Finding Title
**MASTG ID**: MASTG-TEST-XXXX
**Category**: MASVS-STORAGE | MASVS-CRYPTO | MASVS-AUTH | MASVS-NETWORK
**CVSS Score**: X.X
### Description
Detailed description of the vulnerability.
### Affected Component
- Bundle ID: com.example.app
- Class/Method: ClassName.methodName
- File: /path/to/file
### Evidence
[Objection/Frida output]
[Screenshots]
[Network captures]
### Reproduction Steps
1. Install Frida on jailbroken device
2. Run: objection -g com.example.app explore
3. Execute: ios keychain dump
4. Observe: Plaintext credentials visible
### Impact
Business impact and risk assessment.
### Remediation
- Use kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly
- Implement additional encryption layer
- Add biometric protection
### References
- https://mas.owasp.org/MASTG/...
- https://developer.apple.com/...
```
---
## Bundled Resources
### scripts/
- `ssl_pinning_bypass.js` - Universal SSL pinning bypass
- `jailbreak_bypass.js` - Jailbreak detection bypass
- `biometric_bypass.js` - Biometric authentication bypass
- `keychain_hooks.js` - Keychain operation monitoring
- `crypto_hooks.js` - Crypto operation monitoring
- `url_scheme_monitor.js` - URL scheme monitoring
- `method_tracer.js` - Generic method tracing
- `anti_debug_bypass.js` - Anti-debugging bypass
### methodology/
- `recon.md` - iOS reconnaissance techniques
- `static_analysis.md` - Binary and IPA analysis
- `dynamic_analysis.md` - Runtime testing with Frida/Objection
- `network_testing.md` - Traffic interception and analysis
- `data_storage.md` - Keychain and local storage testing
- `crypto_testing.md` - Cryptographic implementation testing
- `auth_testing.md` - Authentication and biometric testing
- `binary_protections.md` - PIE, ARC, stack canaries
### checklists/
- `owasp_mastg_ios.md` - Complete OWASP MASTG iOS checklist
- `quick_wins.md` - Fast vulnerability identification
- `pre_engagement.md` - Setup verification
### references/
- `objection_commands.md` - Complete Objection command reference
- `frida_ios_snippets.md` - Common Frida code snippets
- `ios_security_checklist.md` - Comprehensive security checklist