
iOS Pentesting Setup

Sep 20, 2024
3 min read
lawbyte

iOS pentesting requires either a jailbroken device or a Corellium virtual device. This guide walks through the full setup: jailbreak, Frida, Objection, and Burp SSL interception — plus the core tools you need for every iOS assessment.

Device Options

Jailbroken Physical Device (Best)

Recommended devices by iOS version:

| iOS version | Device           | Jailbreak tool                        |
|-------------|------------------|---------------------------------------|
| iOS 14-16   | iPhone X, 11, 12 | Palera1n (A9-A11) / Dopamine (A12+)   |
| iOS 15-16   | iPhone 8-14      | Dopamine / Fugu15                     |
| iOS 16      | Various          | Palera1n (semi-tethered for A9-A11)   |
| iOS 17      | A12+             | Dopamine (check jailbreaks.app)       |

Check jailbreaks.app before purchasing a device — jailbreak availability changes frequently.

Corellium (Paid, no physical device needed)

Virtual iOS devices with built-in Frida, SSH, and VPN support. Expensive but worth it for corporate use.

Simulator (Limited)

Xcode Simulator can’t run production apps. Useful only for apps built and signed by you.


Jailbreak via Palera1n (A9-A11, iOS 15-16)

# Install palera1n (Linux x86_64 build; pick the matching asset for macOS/arm64)
curl -L https://github.com/palera1n/palera1n/releases/latest/download/palera1n-linux-x86_64 -o palera1n
chmod +x palera1n

# Connect the device over USB and put it in DFU mode, then run the jailbreak (needs root for USB access)
# Rootful gives a writable root filesystem, which most pentest tooling expects.
# On the very first rootful run the fakefs has to be created (palera1n -c); see the palera1n docs.
sudo ./palera1n --rootful

# After the jailbreak, open Sileo (or Cydia on older setups)
# Add the source https://build.frida.re
# Install the package "Frida"

SSH Access

After jailbreak, install OpenSSH from Cydia/Sileo.

# Connect via USB (recommended: no network exposure of the SSH service)
iproxy 2222 22 &            # forward local TCP 2222 to port 22 on the device
# newer libusbmuxd releases use the LOCAL:DEVICE syntax instead: iproxy 2222:22 &
ssh root@localhost -p 2222
# Default password is alpine for both root and mobile; change both immediately
passwd
passwd mobile

# Or via Wi-Fi (only on a lab network you control)
ssh root@DEVICE_IP

Frida on iOS

# On device (via Sileo/Cydia): install Frida from https://build.frida.re

# On Mac:
pip install frida-tools

# Verify
frida-ps -U # list processes
frida-ps -Uai # list apps

# Attach to a running app (-n takes the process name, -N the bundle identifier)
frida -U -N com.target.app -l script.js

# Spawn the app with the script loaded before any of its own code runs
frida -U -f com.target.app -l script.js
# Frida releases before 16 needed --no-pause here; Frida 16+ resumes the spawned process automatically

Objection for iOS

pip install objection

# Launch with Objection
objection -g com.target.app explore

# Inside REPL:
ios sslpinning disable # disable SSL pinning
ios jailbreak disable # bypass jailbreak detection
ios keychain dump # dump keychain items
ios nsuserdefaults get # read NSUserDefaults
ios bundles list_frameworks # list linked frameworks
ios hooking list classes # enumerate ObjC classes
ios hooking watch class SomeClass # hook all methods
ios hooking search methods "password" # find password-related methods
memory dump all /tmp/dump # memory dump

Burp Suite SSL Interception

Step 1 — Configure iOS proxy

Settings → Wi-Fi → (i) next to the connected network → Configure Proxy → Manual
Server: <Mac IP>
Port: 8080

Step 2 — Install Burp CA certificate

1. Open Safari, go to: http://burpsuite/
2. Download CA certificate
3. Settings → General → VPN & Device Management → Install certificate
4. Settings → General → About → Certificate Trust Settings → Enable for Burp CA

On iOS 14+

Apple requires full trust for root certificates:

Settings → General → About → Certificate Trust Settings
Enable the Burp certificate here

IPA Extraction

From device (jailbreak required)

# Frida-based IPA dump (needs Frida running on the device and the iproxy 2222 22 forward from the SSH section)
git clone https://github.com/AloneMonkey/frida-ios-dump
cd frida-ios-dump
pip3 install -r requirements.txt

# Edit the User / Password / Host / Port variables at the top of dump.py to match your SSH setup
python3 dump.py com.target.app   # writes the decrypted IPA next to the script

# Alternative: ipainstaller, run on the device over SSH
ipainstaller -b com.target.app -o /var/root/target.ipa

From iTunes backup

# iPhone Backup Extractor or libimobiledevice
idevicebackup2 backup /path/to/backup
# Look for app data in backup directory

Static Analysis Tools

class-dump / class-dump-z

Extract ObjC headers from binaries:

class-dump -H /path/to/AppBinary -o headers/
# Lists all classes, methods, properties

otool / nm

# Disassemble
otool -tV /path/to/AppBinary | head -100

# List symbols
nm -a /path/to/AppBinary | grep " T "

# Check the FairPlay encryption state
otool -l /path/to/AppBinary | grep -A 4 "LC_ENCRYPT"
# cryptid=1 means FairPlay encrypted: static analysis is useless until the binary is dumped from a jailbroken device
# cryptid=0 means decrypted (extracted from a jailbroken device)

# Check PIE / stack canary / ARC (otool is the tool for Mach-O; ELF-oriented checksec scripts do not understand it)
otool -hv /path/to/AppBinary | grep PIE            # header flags should list PIE
otool -Iv /path/to/AppBinary | grep stack_chk      # ___stack_chk_guard / ___stack_chk_fail imported = stack canary on
otool -Iv /path/to/AppBinary | grep objc_release   # _objc_release imported = ARC in use
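The two header checks above done programmatically, as an added example that is not part of the original post: a Node script that walks a thin 64-bit Mach-O's header and load commands for the MH_PIE flag and the cryptid of LC_ENCRYPTION_INFO_64. The sample binary is constructed in the script; the file path in the usage note is an assumption.

```javascript
// Added example: report PIE and FairPlay state straight from the Mach-O structures.
const MH_MAGIC_64 = 0xfeedfacf;           // little-endian 64-bit Mach-O
const FAT_MAGIC = 0xcafebabe;             // universal binary wrapper (stored big-endian)
const MH_PIE = 0x200000;                  // header flag: position-independent executable
const LC_ENCRYPTION_INFO_64 = 0x2c;       // FairPlay encryption load command

function inspectMachO(buf) {
  if (buf.length < 32) throw new Error('too short for a mach_header_64');
  if (buf.readUInt32BE(0) === FAT_MAGIC) throw new Error('fat binary: thin it first (lipo -thin arm64)');
  if (buf.readUInt32LE(0) !== MH_MAGIC_64) throw new Error('not a 64-bit Mach-O');
  const ncmds = buf.readUInt32LE(16);
  const flags = buf.readUInt32LE(24);
  const result = { pie: (flags & MH_PIE) !== 0, cryptid: null }; // null: no encryption command at all
  let off = 32; // load commands start right after the 32-byte header
  for (let i = 0; i < ncmds; i++) {
    const cmd = buf.readUInt32LE(off);
    const cmdsize = buf.readUInt32LE(off + 4);
    if (cmdsize < 8 || off + cmdsize > buf.length) throw new Error('malformed load command');
    // encryption_info_command_64 layout: cmd, cmdsize, cryptoff, cryptsize, cryptid, pad
    if (cmd === LC_ENCRYPTION_INFO_64 && cmdsize >= 24) result.cryptid = buf.readUInt32LE(off + 16);
    off += cmdsize;
  }
  return result;
}

// Human-readable verdict with the same meaning of cryptid as the otool comments above.
function describe(r) {
  const enc = r.cryptid === null ? 'no LC_ENCRYPTION_INFO_64' :
    r.cryptid === 0 ? 'decrypted (cryptid=0)' : 'FairPlay encrypted (cryptid=1), dump it first';
  return (r.pie ? 'PIE' : 'NOT PIE') + '; ' + enc;
}

// Constructed sample: a minimal arm64 MH_EXECUTE header with one encryption command.
function buildSample(pie, cryptid) {
  const hdr = Buffer.alloc(32);
  hdr.writeUInt32LE(MH_MAGIC_64, 0);
  hdr.writeUInt32LE(0x0100000c, 4);   // CPU_TYPE_ARM64
  hdr.writeUInt32LE(2, 12);           // MH_EXECUTE
  hdr.writeUInt32LE(1, 16);           // ncmds
  hdr.writeUInt32LE(24, 20);          // sizeofcmds
  hdr.writeUInt32LE(pie ? MH_PIE : 0, 24);
  const cmd = Buffer.alloc(24);
  cmd.writeUInt32LE(LC_ENCRYPTION_INFO_64, 0);
  cmd.writeUInt32LE(24, 4);           // cmdsize
  cmd.writeUInt32LE(0x4000, 8);       // cryptoff
  cmd.writeUInt32LE(0x10000, 12);     // cryptsize
  cmd.writeUInt32LE(cryptid, 16);
  return Buffer.concat([hdr, cmd]);
}
```

On a real dumped binary: `describe(inspectMachO(require('fs').readFileSync('/path/to/AppBinary')))`, after thinning a fat file with lipo.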

Ghidra / IDA Pro / Hopper

Use for binary analysis. Export the decrypted binary from jailbroken device first.


Keychain Analysis

# Via Objection (from the REPL)
ios keychain dump --json /tmp/keychain.json

# Via keychain-dumper, run on the device over SSH (the binary must be signed with the keychain-access-groups entitlement it ships with)
keychain-dumper > keychain.txt      # generic and internet passwords
keychain-dumper -a > keychain.txt   # dump all classes
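The Frida section above leaves script.js unspecified and the dumps here only show the end state; as an added example that is not part of the original post, this Frida script hooks SecItemAdd and logs the accessibility class of every keychain write as it happens, flagging the classes that are readable before the first unlock or that migrate with a backup. The bundle id com.target.app is the page's placeholder, and the weak/strong policy is my own reading of the kSecAttrAccessible constants.

```javascript
// Added Frida script: audit keychain writes by hooking SecItemAdd (logs attributes, never secret values).
// Run with: frida -U -f com.target.app -l keychain_audit.js

// Raw values that the kSecAttrAccessible* constants carry in the 'pdmn' attribute.
const ACCESSIBILITY = {
  ak:   { name: 'WhenUnlocked',                      weak: false },
  ck:   { name: 'AfterFirstUnlock',                  weak: true  },
  dk:   { name: 'Always (deprecated)',               weak: true  },
  aku:  { name: 'WhenUnlockedThisDeviceOnly',        weak: false },
  cku:  { name: 'AfterFirstUnlockThisDeviceOnly',    weak: true  },
  dku:  { name: 'AlwaysThisDeviceOnly (deprecated)', weak: true  },
  akpu: { name: 'WhenPasscodeSetThisDeviceOnly',     weak: false },
};

// Pure policy function: weak = readable while the device is locked (after first
// unlock); migratable = no ThisDeviceOnly suffix, so the item follows a backup restore.
function classifyAccessibility(pdmn) {
  if (pdmn === undefined || pdmn === null) {
    return { name: 'WhenUnlocked (default)', weak: false, migratable: true };
  }
  const entry = ACCESSIBILITY[pdmn];
  if (!entry) return { name: 'unknown:' + pdmn, weak: true, migratable: true };
  return { name: entry.name, weak: entry.weak, migratable: !pdmn.endsWith('u') };
}

// Builds the log line for one SecItemAdd call from its string attributes.
function formatKeychainAdd(attrs) {
  const c = classifyAccessibility(attrs.pdmn);
  const tags = [];
  if (c.weak) tags.push('readable-before-unlock');
  if (c.migratable) tags.push('migrates-with-backup');
  return 'SecItemAdd acct=' + (attrs.acct || '-') + ' svce=' + (attrs.svce || '-') +
    ' accessible=' + c.name + (tags.length ? ' [' + tags.join(',') + ']' : '');
}

// Hook wiring; only runs inside Frida, so the policy above can also be tested under Node.
if (typeof ObjC !== 'undefined' && ObjC.available) {
  const secItemAdd = Process.getModuleByName('Security').findExportByName('SecItemAdd');
  Interceptor.attach(secItemAdd, {
    onEnter(args) {
      const dict = new ObjC.Object(args[0]); // CFDictionaryRef is toll-free bridged to NSDictionary
      const attrs = {};
      for (const key of ['acct', 'svce', 'pdmn']) {
        const v = dict.objectForKey_(key);
        attrs[key] = (v === null || v.isNull()) ? undefined : v.toString();
      }
      console.log(formatKeychainAdd(attrs));
    },
  });
}
```

Items written with an AfterFirstUnlock or Always class, or without a ThisDeviceOnly suffix, are the ones to raise against the "Sensitive data in Keychain" checklist item.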

File System Access

# App bundle (code and resources) and data container (jailbreak required for full access)
ls /var/containers/Bundle/Application/<UUID>/Target.app/
ls /var/mobile/Containers/Data/Application/<UUID>/

# Find the bundle UUID (the .app directory is named after the app, not the bundle id)
find /var/containers/Bundle/Application -name "*.app" | grep -i target
# Or run `env` inside the Objection REPL to print both container paths for the running app

# Common sensitive paths inside the data container
/var/mobile/Containers/Data/Application/<UUID>/Documents/
/var/mobile/Containers/Data/Application/<UUID>/Library/Preferences/   # NSUserDefaults plist lives here
/var/mobile/Containers/Data/Application/<UUID>/Library/Caches/

iOS Pentesting Checklist

  • Jailbreak detection active?
  • SSL pinning implemented?
  • Sensitive data in NSUserDefaults or Keychain?
  • Plaintext data in files or SQLite databases?
  • Hardcoded secrets in binary or plist?
  • Exported URL schemes accepting untrusted input?
  • Local authentication (Face ID / Touch ID) bypassable?
  • App Transport Security (ATS) properly configured?
  • Shared group containers exposing data to other apps?
  • Pasteboard leaking sensitive data?
