iOS Application Testing

Jailbreaking iOS Device:

After iOS Device is Jailbroken, Cydia is installed on the device. This can be used to install multiple testing tools like:

  • MTerminal

  • IPA Installer

  • Frida Server

Installing SSL Kill Switch 2:

Sequrus-iPad:~ root# wget <> root# dpkg --install com.nablac0d3.sslkillswitch2_0.14.deb
Sequrus-iPad:~ root# dpkg --install com.nablac0d3.sslkillswitch2_0.14.deb
Sequrus-iPad:~ root# killall -HUP SpringBoard

Now SSL Kill Switch 2 will appear in Settings, you just need to toggle it on!

Pulling IPA from iOS Device:

Sequrus-iPad:~ root# ipainstaller -l
Sequrus-iPad:~ root# ipainstaller -b <package-name>
The application has been backed up as /private/var/mobile/Documents/Package-Name.ipa.

Now Connect to the iOS Device IP address using FileZilla to download the IPA from the above Location. This IPA can be used on tools like MobSF for static analysis

Frida on iOS:

If Frida Server doesn't start through Cydia, Start is manually:

Sequrus-iPad:/usr/bin root# frida-server -l

List devices:


List Installed Applications:

frida-ps -Uai

Connect to the iOS Device Using USB:

C:\\Users\\sequr>frida-ps -Ua
Waiting for USB device to appear...

Connect to the iOS Device Remotely Using its IP Address:

C:\\Users\\sequr>frida-ps -H

Using a Codeshare Script via USB Connection:

C:\\Users\\sequr>frida --codeshare federicodotta/ios13-pinning-bypass -f <package-name> --no-pause -Ua

using Codeshare Script via Remote IP Connection:

C:\\Users\\sequr>frida --codeshare federicodotta/ios13-pinning-bypass -f <package-name> --no-pause -H


Unable to connect to remote frida-server / Waiting for USB device to appear...

Server Side - On iOS Device by SSH-ing to the device

/usr/bin/frida-server -l <iOS Device IP Address>

Client side - on Testing Machine with Frida:

frida-ps -H <iOS Device IP Address>

Dumping Decrypted IPA using Frida IOS Dumper:

Make sure Frida is installed and running and usable before using this repo. This repo uses Frida so will need that setup and installed.

First clone the repo:

Reference Video here:

Clone the repo:

git clone
cd frida-ios-dump
sudo pip install -r requirements.txt --upgrade

In another Terminal open a ssh proxy and run the following:

iproxy 2222 22

Make sure the credentials in the file are root:alpine (unless you have changed them on your iOS jailbroken device):

Now list all the application packages using the -l flag:

└─# python3 -l
PID  Name           Identifier                     
-  -------------  -------------------------------
-  App Store             
-  Camera               
-  Chrome   

Now without the -l flag dump the package of your choice as decrypted IPA. I'm using -o to output a different file name but can also just dump without changing the name:

└─# python3
Start the target app
Dumping Incode Omni to /tmp
start dump /private/var/containers/Bundle/Application/0000-00000-00000-00000/
myapp.fid: 100%|β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆ| 16.8M/16.8M [00:00<00:00, 33.9MB/s]
AppIcon60x60@2x.png: 26.1MB [00:04, 5.89MB/s]                                                                     
0.00B [00:00, ?B/s]
Generating "My App.ipa"

The File saves on your machine.

Specify output file name:

python3 -o MyDecryped-App
└─# python3                            
usage: [-h] [-l] [-o OUTPUT_IPA] [-H SSH_HOST] [-p SSH_PORT] [-u SSH_USER] [-P SSH_PASSWORD]
               [-K SSH_KEY_FILENAME]

frida-ios-dump (by AloneMonkey v2.0)

positional arguments:
  target                Bundle identifier or display name of the target app

optional arguments:
  -h, --help            show this help message and exit
  -l, --list            List the installed apps
  -o OUTPUT_IPA, --output OUTPUT_IPA
                        Specify name of the decrypted IPA
  -H SSH_HOST, --host SSH_HOST
                        Specify SSH hostname
  -p SSH_PORT, --port SSH_PORT
                        Specify SSH port
  -u SSH_USER, --user SSH_USER
                        Specify SSH username
                        Specify SSH password
                        Specify SSH private key file path

Multiple Frida Bypasses in Conjunction:

└─$ frida -f -U -l /home/kali/Downloads/root.js -l /home/kali/Downloads/pinning.js

Last updated