---
name: ios-pentest
description: iOS mobile application penetration testing with Frida and Objection on jailbroken or non-jailbroken devices. Use for static + dynamic analysis of IPAs, SSL pinning / jailbreak / biometric bypass, keychain & local-storage extraction, network interception, and OWASP MASTG iOS assessments. Triggers on requests to pentest iOS apps, analyze IPAs, bypass iOS security controls, or produce MASTG-aligned findings.
---
iOS Mobile Application Penetration Testing
Thin router for an iOS app security assessment. Full OWASP MASTG coverage (recon → static → dynamic → network → storage → crypto → auth → reporting). Detailed runbooks live under workflows/ and methodology/; load them only when needed.
When to Use
- New iOS application security assessment (IPA + installed app).
- Bypass SSL pinning, jailbreak detection, biometric, anti-debug.
- Extract and triage keychain / NSUserDefaults / files / SQLite.
- Intercept and tamper HTTPS / gRPC / WebSocket traffic.
- OWASP MASTG / MASVS compliance testing.
- Analyze a decrypted or encrypted Mach-O binary.
Trigger Phrases
"pentest iOS app", "test this IPA", "bypass SSL pinning iPhone", "extract keychain", "MASTG iOS", "iOS jailbreak bypass", "analyze .ipa", "test iPhone app".
When NOT to Use This Skill
- Android APK analysis → use `android-pentest`.
- Generic web API testing for the backend → use `web-pentest` / `api-pentest`.
- iOS source-code review (you have the repo) → use `secure-code-review` with iOS language packs.
- macOS desktop app analysis → use `macos-pentest`.
Decision Tree
```text
target acquired?
├── no binary yet → workflows/ipa_decryption.md
└── yes
    ├── need HTTPS visibility? → workflows/ssl_pinning_bypass.md
    ├── app exits on jailbroken device? → workflows/jailbreak_detection_bypass.md
    ├── hunting credentials/tokens? → workflows/keychain_extraction.md
    ├── testing login / biometric? → workflows/auth_testing.md
    └── full engagement → workflows/complete_assessment.md
```
Parallelism Hints
Run concurrently (independent I/O, no shared state):
- `class-dump -H App.app/App -o headers/`
- `otool -L App.app/App` and `otool -hv App.app/App`
- `strings -a App.app/App | grep ...`
- `plutil -p App.app/Info.plist`
- Objection enumeration in a separate spawn.
Must run sequentially (shared Frida session / spawn state):
- Frida `--no-pause` spawn → wait for bypass script to land → drive app → then attach further scripts.
- Objection `ios sslpinning disable` → then any traffic-dependent command.
- `ideviceimagemounter` → then `frida-ps -U`.
- Keychain dump requires app launched at least once post-install.
Sub-Agent Delegation
Spawn a sub-agent when you can crisply isolate a scope:
- Static-binary sub-agent — give it the decrypted `App.app/`, it runs class-dump + otool + strings + framework inventory in parallel, returns a structured summary of classes of interest, hardcoded secrets, and insecure API usage.
- Keychain-extraction sub-agent — give it `<bundle_id>`, it runs `objection ... keychain dump --json`, classifies each entry by accessibility/ACL, emits findings per schemas/finding.json.
- Optional: network-capture sub-agent driving Burp via proxy API while the main agent drives the UI.
Do not split Frida spawn + instrumentation across sub-agents — the Frida session is stateful and tied to one process.
Reasoning Budget
Use extended thinking for:
- Interpreting decompiled Objective-C / Swift (Hopper / Ghidra / IDA output).
- Designing custom Frida hooks when universal bypass fails.
- Reasoning about cryptographic flow (key origin → cipher → storage).
- MASVS severity triage when multiple subtle issues compound.
Skip extended thinking for:
- Running canned Frida / Objection scripts from `scripts/`.
- Parsing `ios keychain dump --json` output (pattern match).
- `otool` / `class-dump` invocation and output collection.
- File downloads, device enumeration, SSH pulls.
Multimodal Hooks
Mobile MCP (@anthropic/mobile-mcp --ios) provides iOS simulator / device UI automation:
- Jailbreak-detection modal — screenshot the warning pre-bypass, then post-bypass absence, as `evidence.screenshot`.
- Biometric prompt — capture Face ID / Touch ID sheet to prove the gate exists, then confirm bypass entered the protected screen.
- App-switcher snapshot leak — screenshot the snapshot cache entry showing sensitive data on backgrounding.
- WebView auth flow — capture the login redirect chain visually for SSO findings.
`~/.claude/mcp.json`:
```json
{"mcpServers": {"mobile-mcp": {"command": "npx", "args": ["-y", "@anthropic/mobile-mcp", "--ios"]}}}
```
Structured Output
Emit every finding as JSON conforming to schemas/finding.json. iOS-specific fields: affected.bundle_id, affected.ios_version, affected.device_udid, affected.jailbroken, mastg_id, evidence.frida_pid, evidence.keychain_dump, evidence.screenshot.
Workflow Index
Methodology Index
Payloads Index
Frida Script Index (scripts/)
| Script | Purpose |
|---|---|
| ssl_pinning_bypass.js | Universal SSL/TLS pinning bypass |
| jailbreak_bypass.js | Jailbreak detection bypass |
| biometric_bypass.js | Touch ID / Face ID bypass |
| keychain_hooks.js | Keychain operation monitoring |
| crypto_hooks.js | Cryptographic operation tracing |
| method_tracer.js | Generic Objective-C method tracer |
References Index
Examples
Tools
| Tool | Purpose | Install |
|---|---|---|
| Frida / frida-tools | Dynamic instrumentation | pip install frida-tools (≥ 16.6) |
| Objection | Mobile exploration REPL | pip install objection (≥ 1.11) |
| libimobiledevice | Device communication | brew install libimobiledevice |
| ios-deploy | App deploy | brew install ios-deploy |
| ideviceinstaller | App install / list | brew install ideviceinstaller |
| class-dump | ObjC header extraction | brew install class-dump |
| frida-ios-dump | FairPlay decryption | github.com/AloneMonkey/frida-ios-dump |
| Burp Suite | HTTPS interception | PortSwigger |
| Hopper / IDA / Ghidra | Binary RE | Vendor / GitHub |
| Mobile MCP | UI automation + screen capture | npx @anthropic/mobile-mcp --ios |
Prerequisites Quickcheck
Run before every engagement — fail fast if the lab is broken.
```sh
idevice_id -l
ideviceinfo | grep ProductVersion
frida-ps -U
objection -g <bundle_id> explore --startup-command 'ios info binary; exit'
```
Jailbroken setup: OpenSSH + Frida (Sileo repo build.frida.re) + AppSync Unified + Filza. Non-jailbroken fallback: patch IPA with objection patchipa to inject Frida Gadget, or mount the developer disk image with ideviceimagemounter.
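A fail-fast form of the quickcheck above as a POSIX sh script, added here as an example rather than taken from the skill's scripts/; it assumes the minimum versions stated in this file (Frida ≥ 16.6, Objection ≥ 1.11) and that `frida --version` and `objection version` print a dotted version string.

```sh
#!/bin/sh
# Added example, not one of the skill's own scripts: stop at the first broken link in
# the lab chain (tool on PATH -> version floor -> USB device -> frida-server reachable).
# Assumes Frida >= 16.6 and Objection >= 1.11, and that `frida --version` and
# `objection version` print a dotted version (assumption, adjust if output differs).

# version_ge A B: succeed when dotted version A >= B, compared component-wise.
# Missing components count as 0, so 16.6 == 16.6.0 and 16.6.1 >= 16.6.
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, pa, "."); nb = split(b, pb, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      x = (i <= na) ? pa[i] + 0 : 0
      y = (i <= nb) ? pb[i] + 0 : 0
      if (x > y) exit 0
      if (x < y) exit 1
    }
    exit 0
  }'
}

# first_version TEXT: the first dotted version number found in TEXT (empty if none).
first_version() {
  printf '%s\n' "$1" | grep -oE '[0-9]+(\.[0-9]+)+' | head -n 1
}

# require_tool NAME MINVER VERSION_CMD...: NAME is on PATH and reports >= MINVER.
require_tool() {
  name=$1; minver=$2; shift 2
  command -v "$name" >/dev/null 2>&1 || { echo "FAIL: $name not on PATH"; return 1; }
  ver=$(first_version "$("$@" 2>/dev/null)")
  [ -n "$ver" ] || { echo "FAIL: cannot read $name version"; return 1; }
  version_ge "$ver" "$minver" || { echo "FAIL: $name $ver < $minver"; return 1; }
  echo "ok: $name $ver"
}

# preflight: run the checks in dependency order; the first failure aborts.
preflight() {
  require_tool frida 16.6 frida --version || return 1
  require_tool objection 1.11 objection version || return 1
  udid=$(idevice_id -l 2>/dev/null | head -n 1)
  [ -n "$udid" ] || { echo "FAIL: no USB device listed by idevice_id -l"; return 1; }
  echo "ok: device $udid"
  # frida-ps -U only succeeds when frida-server (or an injected Gadget) answers over USB.
  frida-ps -U >/dev/null 2>&1 || { echo "FAIL: frida-ps -U (frida-server unreachable)"; return 1; }
  echo "ok: frida-server reachable"
}

if [ "${IOS_PREFLIGHT_RUN:-0}" = 1 ]; then preflight; fi
```

Source the file and call `preflight`, or run it with `IOS_PREFLIGHT_RUN=1` set; a non-zero exit means the lab is not ready for the engagement.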
Last Validated
2026-04. Frida ≥ 16.6, Objection ≥ 1.11, iOS 15–17 targets. For iOS 18+ jailbreak options shift to userspace-only (Dopamine/palera1n rootless) — SSH path is /var/jb/usr/bin/ssh and Frida server lives at /var/jb/usr/sbin/frida-server.