iOS testing shares Frida with Android but the platform model, file layout, and toolchain differ enough to trip Android testers. This module walks through iOS-specific setup, keychain inspection, class-dump of Objective-C runtime, and SSL pinning bypass on an iPhone.

Device options in 2026

Jailbroken physical device — palera1n for A9–A11 chips on iOS 15/16, checkra1n for older. Newer hardware (A12+) has no reliable public jailbreak as of 2026
Corellium — commercial virtual iOS service. Runs real iOS in a browser-accessible VM. Used by many mobile pentest firms because it sidesteps the jailbreak availability problem
App sandbox testing — without jailbreak, you can still do limited testing via re-signing IPAs with your developer certificate and using iOS’s standard developer tools

Lab prerequisites

Jailbroken iPhone (or Corellium VM) running a supported iOS
OpenSSH + Dropbear installed via Sileo/Zebra package manager
Frida server installed on device (via Sileo repo build.frida.re)
Frida + Objection on host via pip
Burp Suite with CA certificate installed on device and trusted in Settings → About → Certificate Trust Settings
USB or Wi-Fi connectivity to SSH into the device

Pulling the IPA

App Store apps are encrypted (FairPlay). To decompile, you need the decrypted binary:

# Install frida-ios-dump on host
git clone https://github.com/AloneMonkey/frida-ios-dump
cd frida-ios-dump && pip install -r requirements.txt

# Dump decrypted IPA from running device
./dump.py -l                      # list installed apps
./dump.py com.target.app          # dump it
# Output: com.target.app.ipa in current dir, fully decrypted

Static inspection

An IPA is a ZIP. Unzip to find Payload/TargetApp.app/TargetApp — the Mach-O binary.

unzip com.target.app.ipa
cd Payload/TargetApp.app

# Plist inspection
plutil -p Info.plist | head -20
# Look for: URL schemes, ATS exceptions, entitlements

# Class-dump (Objective-C runtime classes)
class-dump TargetApp > classes.h

# For Swift-heavy apps use Hopper, Ghidra, or IDA
otool -L TargetApp                # linked libraries
otool -l TargetApp | grep -A3 LC_CODE_SIGNATURE
strings -a TargetApp | grep -i "http\|api\|password\|secret"

Frida on iOS

# From host
frida-ps -Ua                       # list apps on iOS device
objection --gadget com.target.app explore

# iOS-specific Objection commands
ios keychain dump                  # dump all keychain entries
ios nsuserdefaults get             # read NSUserDefaults
ios cookies get                    # session cookies
ios plist cat /var/mobile/...      # read plist files

Keychain — where sensitive data SHOULD be

The iOS Keychain is the platform-backed secure storage. Compare what you find there against what you find in plain NSUserDefaults or files:

ios keychain dump --json /tmp/keychain.json

# Inspect:
# - Access attributes: kSecAttrAccessibleWhenUnlocked (good),
#   kSecAttrAccessibleAlways (bad — readable even when device locked)
# - Access control: is biometric required for retrieval?
# - What's stored: tokens should be here; passwords ideally never stored

SSL pinning bypass

# Objection one-liner
ios sslpinning disable

# If that fails (custom pinning), write a Frida script:
// ios-ssl-bypass.js
var SSL_CTX_set_custom_verify = Module.findExportByName('libboringssl.dylib',
  'SSL_CTX_set_custom_verify');
Interceptor.replace(SSL_CTX_set_custom_verify, new NativeCallback(function(ctx, mode, cb){
  console.log('[+] SSL_CTX_set_custom_verify intercepted');
}, 'void', ['pointer','int','pointer']));

Inspecting app files

# Find app data container path
ios info binary                    # shows container path

# SSH in, cd to container, look for:
/var/mobile/Containers/Data/Application/<uuid>/Documents/     # user data
/var/mobile/Containers/Data/Application/<uuid>/Library/Caches # cached
/var/mobile/Containers/Data/Application/<uuid>/tmp            # temp

# Files to inspect: SQLite DBs, plists, JSON caches, log files

URL scheme testing

iOS URL schemes (e.g., targetapp://reset?token=X) are a common mobile-specific attack vector. Find declared schemes in Info.plist, then try to drive the app via Safari or a custom test page:

# On device (from Safari address bar or another app):
targetapp://purchase?product=premium&amount=0

# Does the app accept it? Validate server-side? Attack surface if URL params
# drive authenticated actions without verification.

Universal Links vs URL schemes

Apple pushes Universal Links (apple-app-site-association) over custom schemes because they authenticate the origin domain. If the app uses Universal Links, test the fallback: does it still register the legacy URL scheme? If yes, the weaker surface remains attackable.

🔐 Intermediate Module · Basic Tier

Continue reading with Basic tier (₹499/month)

You've read 38% of this module. Unlock the remaining deep-dive, quiz, and every other Intermediate module.

99+ modulesAll levels up to this tier

20-question quizzesUnlimited retries with explanations

Completion certificatesShareable on LinkedIn

See pricing → Sign in

2 more sections locked below

Module 3 · iOS Pentesting Fundamentals 🔒