# iOS Application Testing

#### Jailbreaking iOS Device:

{% embed url="https://checkra.in/" %}

{% file src="/files/liHLacR4Y7gHxMoLcAOw" %}

Once the iOS device is jailbroken, Cydia is installed on it and can be used to install testing tools such as:

* MTerminal
* IPA Installer
* Frida Server

#### Installing SSL Kill Switch 2:

```
Sequrus-iPad:~ root# wget https://github.com/nabla-c0d3/ssl-kill-switch2/releases/download/0.14/com.nablac0d3.sslkillswitch2_0.14.deb
```

```
Sequrus-iPad:~ root# dpkg --install com.nablac0d3.sslkillswitch2_0.14.deb
```

```
Sequrus-iPad:~ root# killall -HUP SpringBoard
```

SSL Kill Switch 2 now appears in Settings; toggle it on. It disables TLS certificate validation for apps on the device, so keep it toggled off when not testing.

### Pulling IPA from iOS Device:

```
Sequrus-iPad:~ root# ipainstaller -l
```

```
Sequrus-iPad:~ root# ipainstaller -b <package-name>
The application has been backed up as /private/var/mobile/Documents/Package-Name.ipa.
```

Now connect to the iOS device's IP address with FileZilla (SFTP over SSH) and download the IPA from the location printed above. This IPA can be fed to tools like MobSF for static analysis.

### Frida on iOS:

If Frida Server doesn't start through Cydia, start it manually, binding it to the device's IP address with `-l`. Note that frida-server has no authentication, so binding it to a network interface exposes it to everything on that network; prefer the USB transport where possible.

```
Sequrus-iPad:/usr/bin root# frida-server -l 192.168.0.135
```

#### List devices:

```
C:\Users\sequr>frida-ls-devices
```

#### List Installed Applications:

```
frida-ps -Uai
```

#### Connect to the iOS Device Using USB:

```
C:\Users\sequr>frida-ps -Ua
Waiting for USB device to appear...
```

#### Connect to the iOS Device Remotely Using its IP Address:

```
C:\Users\sequr>frida-ps -H 192.168.0.135
```

#### Using a Codeshare Script via USB Connection:

```
C:\Users\sequr>frida --codeshare federicodotta/ios13-pinning-bypass -f <package-name> --no-pause -Ua
```

#### Using a Codeshare Script via Remote IP Connection:

```
C:\Users\sequr>frida --codeshare federicodotta/ios13-pinning-bypass -f <package-name> --no-pause -H 192.168.0.135
```

### Troubleshooting:

#### Unable to connect to remote frida-server / Waiting for USB device to appear...

#### Server side - on the iOS device, over SSH:

```
/usr/bin/frida-server -l <iOS Device IP Address>
```

#### Client side - on the testing machine with Frida installed:

```
frida-ps -H <iOS Device IP Address>
```

### Dumping Decrypted IPA using Frida IOS Dumper:

<mark style="color:red;">**Make sure Frida is installed and working (frida-server running on the device, the Frida tools on the testing machine) before using this repo: dump.py drives the whole dump through Frida.**</mark>

**Repository:**

{% embed url="https://github.com/AloneMonkey/frida-ios-dump" %}
Ref
{% endembed %}

**Reference Video here:**

* <https://www.youtube.com/watch?v=m0FF8xcyGew>

**Clone the repo:**

```
git clone https://github.com/AloneMonkey/frida-ios-dump
```

```
cd frida-ios-dump
```

```
sudo pip install -r requirements.txt --upgrade
```

**In another terminal, open a USB SSH proxy (iproxy forwards local port 2222 to port 22 on the device) and leave it running:**

```
iproxy 2222 22
```

Make sure the SSH credentials in the **dump.py** file are root:alpine, the jailbreak default, unless you have changed them on your jailbroken iOS device (they can also be passed on the command line with the -u and -P flags).

**Now list all the application packages using the -l flag:**

```
┌──(root㉿kali)-[~/Downloads/frida-ios-dump]
└─# python3 dump.py -l
PID  Name           Identifier                     
-  -------------  -------------------------------
-  App Store      com.apple.AppStore             
-  Camera         com.apple.camera               
-  Chrome         com.google.chrome.ios   
```
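The listing above, like the `frida-ps -Uai` output earlier on this page, is easier to use for scoping once it is parsed into records. The Python script below is an added example, not part of frida-ios-dump or Frida; `SAMPLE_LISTING` is a constructed sample in the same column layout (the PIDs and the non-Apple bundle ids in it are made up), and `parse_app_listing`, `third_party_apps` and `running_apps` are names chosen here.

```python
import json
import re

# Constructed sample in the column layout printed by `python3 dump.py -l` and
# `frida-ps -Uai`: PID ("-" when the app is not running), display name, bundle id.
SAMPLE_LISTING = """\
PID   Name           Identifier
----  -------------  -------------------------------
-     App Store      com.apple.AppStore
-     Camera         com.apple.camera
2817  Chrome         com.google.chrome.ios
4102  My Sample App  com.my.sample.app
"""


def parse_app_listing(text: str) -> list[dict]:
    """Parse the PID/Name/Identifier table into records.

    Columns are separated by two or more spaces, so a display name that itself
    contains a single space ("App Store", "My Sample App") stays in one field."""
    records = []
    for line in text.splitlines():
        line = line.rstrip()
        if not line or set(line) <= {"-", " "}:
            continue                      # blank line or the dashed separator line
        fields = re.split(r"\s{2,}", line.strip())
        if len(fields) != 3 or fields[0] == "PID":
            continue                      # header row or malformed row
        pid, name, identifier = fields
        records.append({
            "pid": None if pid == "-" else int(pid),
            "name": name,
            "identifier": identifier,
        })
    return records


def third_party_apps(records: list[dict]) -> list[dict]:
    """Drop Apple's own bundles so the scope sheet lists only the apps under test."""
    return [r for r in records if not r["identifier"].startswith("com.apple.")]


def running_apps(records: list[dict]) -> list[dict]:
    """Apps that currently have a PID (already running, so Frida can attach instead of spawn)."""
    return [r for r in records if r["pid"] is not None]


if __name__ == "__main__":
    apps = parse_app_listing(SAMPLE_LISTING)
    print(json.dumps(third_party_apps(apps), indent=2))
```

Pipe real output in with `python3 dump.py -l | python3 -c 'import sys, json; from listing import *; print(json.dumps(third_party_apps(parse_app_listing(sys.stdin.read()))))'` (assuming the script is saved as `listing.py`); splitting on runs of two or more spaces is what keeps multi-word display names intact.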

**Now run dump.py without the -l flag and pass the bundle identifier of the package you want dumped as a decrypted IPA. The -o flag writes the output under a different file name; without it the app's own name is used:**

```
┌──(root㉿kali)-[~/Downloads/frida-ios-dump]
└─# python3 dump.py com.my.sample.app
Start the target app com.my.sample.app
Dumping Incode Omni to /tmp
start dump /private/var/containers/Bundle/Application/0000-00000-00000-00000/my.sample.app/
myapp.fid: 100%|██████████████████████████████████████████████████████████████| 16.8M/16.8M [00:00<00:00, 33.9MB/s]
AppIcon60x60@2x.png: 26.1MB [00:04, 5.89MB/s]                                                                     
0.00B [00:00, ?B/s]
Generating "My App.ipa"

```

<mark style="color:red;">**The decrypted IPA is saved on your testing machine, not on the device.**</mark>

**Specify output file name:**

```
python3 dump.py -o MyDecrypted-App com.my.sample.app
```

**Running dump.py with no arguments prints the full usage:**

```
┌──(root㉿kali)-[~/Downloads/frida-ios-dump]
└─# python3 dump.py                            
usage: dump.py [-h] [-l] [-o OUTPUT_IPA] [-H SSH_HOST] [-p SSH_PORT] [-u SSH_USER] [-P SSH_PASSWORD]
               [-K SSH_KEY_FILENAME]
               [target]

frida-ios-dump (by AloneMonkey v2.0)

positional arguments:
  target                Bundle identifier or display name of the target app

optional arguments:
  -h, --help            show this help message and exit
  -l, --list            List the installed apps
  -o OUTPUT_IPA, --output OUTPUT_IPA
                        Specify name of the decrypted IPA
  -H SSH_HOST, --host SSH_HOST
                        Specify SSH hostname
  -p SSH_PORT, --port SSH_PORT
                        Specify SSH port
  -u SSH_USER, --user SSH_USER
                        Specify SSH username
  -P SSH_PASSWORD, --password SSH_PASSWORD
                        Specify SSH password
  -K SSH_KEY_FILENAME, --key_filename SSH_KEY_FILENAME
                        Specify SSH private key file path

```
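A check worth running on the dumped IPA before handing it to MobSF: confirm the main Mach-O binary is actually decrypted (every `LC_ENCRYPTION_INFO` / `LC_ENCRYPTION_INFO_64` load command has `cryptid` 0; a non-zero `cryptid` means the dump failed or an architecture slice is still FairPlay-encrypted), and pull the bundle id and the ATS `NSAllowsArbitraryLoads` setting from Info.plist while you are at it. The script below is an added example, not part of frida-ios-dump; `inspect_ipa`, `macho_cryptids` and `build_sample_ipa` are names chosen here, and the IPA the script builds for itself is a constructed minimal sample (a bare Mach-O header plus one encryption-info command), not a real app.

```python
import io
import plistlib
import struct
import sys
import zipfile

# Mach-O constants from <mach-o/loader.h> and <mach-o/fat.h>
MH_MAGIC = 0xFEEDFACE               # 32-bit image, little-endian on iOS
MH_MAGIC_64 = 0xFEEDFACF            # 64-bit image, little-endian on iOS
FAT_MAGIC_BE = b"\xca\xfe\xba\xbe"  # fat/universal header is stored big-endian
LC_ENCRYPTION_INFO = 0x21
LC_ENCRYPTION_INFO_64 = 0x2C


def macho_cryptids(data: bytes) -> list[int]:
    """Return the cryptid of every LC_ENCRYPTION_INFO(_64) command in a thin or fat Mach-O.
    cryptid == 0 means the __TEXT segment is not FairPlay-encrypted, i.e. the dump worked."""
    if data[:4] == FAT_MAGIC_BE:
        (nfat,) = struct.unpack_from(">I", data, 4)
        ids = []
        for i in range(nfat):
            # fat_arch: cputype, cpusubtype, offset, size, align (all big-endian)
            _, _, off, size, _ = struct.unpack_from(">IIIII", data, 8 + 20 * i)
            ids.extend(macho_cryptids(data[off:off + size]))
        return ids
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic not in (MH_MAGIC, MH_MAGIC_64):
        raise ValueError("not a Mach-O image")
    header_len = 32 if magic == MH_MAGIC_64 else 28
    (ncmds,) = struct.unpack_from("<I", data, 16)
    ids, off = [], header_len
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            # layout: cmd, cmdsize, cryptoff, cryptsize, cryptid -> cryptid sits at +16
            ids.append(struct.unpack_from("<I", data, off + 16)[0])
        off += cmdsize
    return ids


def inspect_ipa(ipa_bytes: bytes) -> dict:
    """Read Payload/*.app/Info.plist and the main executable out of an IPA and report the
    bundle id, whether the binary is still encrypted, and the ATS arbitrary-loads setting."""
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as z:
        plist_name = next(n for n in z.namelist()
                          if n.startswith("Payload/") and n.count("/") == 2
                          and n.endswith(".app/Info.plist"))
        info = plistlib.loads(z.read(plist_name))
        app_dir = plist_name.rsplit("/", 1)[0]
        exe = z.read(f"{app_dir}/{info['CFBundleExecutable']}")
    cryptids = macho_cryptids(exe)
    ats = info.get("NSAppTransportSecurity", {})
    return {
        "bundle_id": info.get("CFBundleIdentifier"),
        "executable": info["CFBundleExecutable"],
        "cryptids": cryptids,
        "encrypted": any(c != 0 for c in cryptids),
        "ats_allows_arbitrary_loads": bool(ats.get("NSAllowsArbitraryLoads", False)),
    }


def build_sample_ipa(cryptid: int, arbitrary_loads: bool = False) -> bytes:
    """Constructed sample: a minimal 64-bit Mach-O carrying one LC_ENCRYPTION_INFO_64 command,
    zipped in the IPA layout. Not a real app; it only exists to exercise inspect_ipa()."""
    lc = struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x4000, cryptid, 0)
    # mach_header_64: magic, cputype (CPU_TYPE_ARM64), cpusubtype, filetype (MH_EXECUTE),
    # ncmds, sizeofcmds, flags, reserved
    header = struct.pack("<IIIIIIII", MH_MAGIC_64, 0x0100000C, 0, 2, 1, len(lc), 0, 0)
    info = {"CFBundleIdentifier": "com.example.sample", "CFBundleExecutable": "Sample"}
    if arbitrary_loads:
        info["NSAppTransportSecurity"] = {"NSAllowsArbitraryLoads": True}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/Sample.app/Info.plist", plistlib.dumps(info))
        z.writestr("Payload/Sample.app/Sample", header + lc)
    return buf.getvalue()


if __name__ == "__main__":
    # With a path argument, inspect a real IPA; otherwise inspect the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_ipa(cryptid=0)
    print(inspect_ipa(data))
```

Run it as `python3 check_ipa.py "My App.ipa"`; an `encrypted: True` result means the IPA is not usable for static analysis of the code and the dump should be repeated. The field offsets follow `<mach-o/loader.h>`: `cryptid` is the fifth 32-bit field of the encryption-info command in both the 32-bit and 64-bit variants, which is why one offset serves both.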

### Multiple Frida Bypasses in Conjunction:

Each -l flag loads one script; all of them are injected together into the app spawned with -f over USB (-U):

```
┌──(kali㉿kali)-[~]
└─$ frida -f my.package.com -U -l /home/kali/Downloads/root.js -l /home/kali/Downloads/pinning.js

```

