iOS App Security Testing Cheat Sheet

iOS application penetration testing — Frida and Objection instrumentation, SSL pinning bypass, Keychain and data-store dumping, jailbreak detection bypass, and IPA static analysis. (46 payloads)

Try it interactively with the Certificate Decoder

Environment & IPA Acquisition

(7)

frida-ps -Uai

List installed + running apps on the connected USB device — confirms frida-server is reachable and gives the bundle identifierNeeds frida-server running on a jailbroken device (installed via the Cydia/Sileo repo build.frida.re) and the frida-tools pip package on the host.

frida-trace -U -f com.target.app -m "-[NSURLSession *]"

Spawn the app and auto-generate trace handlers for every NSURLSession method — fast way to map the networking surface-f spawns + holds; -U is USB. Drop generated stubs in __handlers__/ to edit on-the-fly.

frida-ios-dump -u user -p pass com.target.app

Decrypt the App Store FairPlay binary in memory and pull a decrypted IPA back to the host for static analysisApp Store IPAs are encrypted at rest; you must decrypt from a running process. AESKey/cryptid is stripped from the LC_ENCRYPTION_INFO load command after dump.

unzip -q app.ipa -d app_extracted && ls app_extracted/Payload/*.app

Unpack the IPA — the .app bundle holds the Mach-O binary, Info.plist, embedded.mobileprovision, and assetsAn IPA is just a zip. embedded.mobileprovision reveals the team ID, entitlements, and provisioned device UDIDs.

otool -l Payload/Target.app/Target | grep -A4 LC_ENCRYPTION_INFO

Check the cryptid flag — cryptid 1 means the binary is still FairPlay-encrypted and must be decrypted before strings/class-dump workcryptid 0 = decrypted (e.g. after frida-ios-dump or a sideloaded/dev build). Use otool from Xcode command line tools.

ideviceinstaller -l # or: cfgutil get installedApps

Enumerate installed apps and their containers over USB with libimobiledevice — works without a jailbreaklibimobiledevice (idevice* tools) talks lockdownd directly; great for non-jailbroken recon and crash-log pulls.

security cms -D -i embedded.mobileprovision

Decode the provisioning profile to plist — read entitlements, get-task-allow (debuggable), and the list of allowed devicesget-task-allow=true indicates a development build that a debugger (and Frida via ptrace) can attach to without a jailbreak.

Objection Runtime Exploration

(8)

objection -g com.target.app explore

Attach to a running app and drop into the interactive REPL — the workhorse for everything belowObjection is a Frida wrapper; use -g for gadget/bundle id. Add --startup-command 'ios sslpinning disable' to auto-run on launch.

ios bundles list_frameworks

List all loaded frameworks/bundles so you can target third-party SDKs (analytics, payment, auth) for hookingOften the juicy logic — pinning, crypto, device fingerprinting — lives in a vendored framework, not the main binary.

ios hooking list classes

Dump every Objective-C class registered in the runtime — pipe into search to find App-prefixed business-logic classesFilter noise with: ios hooking search classes Login (matches class names containing 'Login').

ios hooking list class_methods LoginViewController

List all methods of a class with their full signatures so you know exactly what to hook or callUse the resulting selector verbatim in 'ios hooking set return_value' or a Frida ObjC.classes call.

ios hooking watch class LoginViewController --dump-args --dump-return --dump-backtrace

Live-monitor every method on a class, printing arguments, return values, and call stacks as the user interactsThe single most useful command for understanding flow — watch login/checkout, then read the captured plaintext credentials/tokens.

ios hooking set return_value "-[JailbreakDetector isJailbroken]" false

Force a single method's return value — instant patch for boolean security checks without writing a Frida scriptWorks for BOOL returns. For more complex checks, fall back to a custom replace() in Frida JS.

memory dump all /tmp/app_mem.bin ; memory search 41424344 --string

Dump the full process heap, then scan it for plaintext secrets, session tokens, or hardcoded keys left in memoryApps that 'securely' clear UI fields often leave secrets resident in NSString/NSData heap allocations.

ios cookies get ; ios ui dump ; ios ui screenshot shot.png

Pull HTTP cookies, dump the live view hierarchy, and grab a screenshot — handy for exposed hidden fields and disabled buttons'ios ui dump' reveals secure-text-entry flags and off-screen debug controls; bypass client-side button disabling here.

SSL/TLS Pinning Bypass

(7)

ios sslpinning disable

Objection's catch-all pinning bypass — hooks NSURLSession, SecTrustEvaluate, and common AFNetworking/TrustKit paths in one shotFirst thing to try. If traffic still doesn't appear in Burp, the app uses a custom/native pinning layer — move to Frida or static patching.

frida -U --codeshare pcipolloni/universal-ssl-pinning-bypass-with-frida -f com.target.app

Run the popular community universal-pinning-bypass script straight from codeshare without saving a fileCovers SecTrustEvaluate / X509TrustManager equivalents. Codeshare scripts can change — pin a local copy for repeatable engagements.

Interceptor.attach(Module.findExportByName('libboringssl.dylib','SSL_CTX_set_custom_verify'), { onEnter(a){ a[2]=Module.findExportByName(null,'SSL_get_psk_identity'); } })

Defeat low-level BoringSSL pinning by swapping the custom verify callback for a benign function that always returns OKModern iOS networking pins inside BoringSSL (libboringssl.dylib). ssl_verify_ok = 0; many bypass scripts just force the callback to return 0.

Interceptor.replace(Module.findExportByName('Security','SecTrustEvaluateWithError'), new NativeCallback(()=>1, 'int', ['pointer','pointer']))

Force the modern Security.framework trust evaluator to always report success — covers apps using SecTrustEvaluateWithErrorSecTrustEvaluate is deprecated; newer apps call SecTrustEvaluateWithError. Returning 1 (true) accepts any presented certificate.

ObjC.classes.TrustKit['+ sharedInstance'] ... swizzle pinningValidator to TSKTrustDecisionShouldAllowConnection

Neutralize TrustKit by forcing the pinning validator to return the 'allow' trust decisionTrustKit is a widely embedded pinning library; identify it via 'ios bundles list_frameworks' showing TrustKit before hooking.

Install Burp CA: Settings > General > About > Certificate Trust Settings > enable full trust

Trust the proxy CA at the OS level — required even after pinning bypass so the base TLS chain validatesOn iOS 10.3+ a profile-installed CA also needs the manual 'Enable Full Trust' toggle. Pinning bypass + trusted CA = readable traffic.

Patch __TEXT pinning check with a hex editor (e.g. flip TBNZ to NOP) and re-sign with ldid -S

Static binary patch when runtime hooking is detected — nop out the branch that enforces pinning and re-sign the Mach-OSurvives anti-Frida checks since no instrumentation is attached. Re-sign with ldid (jailbroken) or codesign + your dev cert (sideload).

Keychain & Local Data Storage

(8)

ios keychain dump

Dump every Keychain item the app can access — accounts, tokens, refresh tokens, and 'remember me' credentials in plaintextCheck the accessibility attribute: kSecAttrAccessibleAlways / WhenUnlocked items survive reboot; AfterFirstUnlock leaks tokens to background access.

ios keychain dump --json /tmp/keychain.json

Export the Keychain to JSON for offline triage and reporting — preserves service, account, and accessibility metadataGrep the output for 'access_control' to flag items NOT protected by Face/Touch ID (kSecAccessControlUserPresence missing).

ios nsuserdefaults get

Dump NSUserDefaults — developers routinely stash auth tokens, feature flags, and PII here despite it being world-readable plistStored unencrypted in Library/Preferences/<bundle>.plist. Anything here is recoverable from a backup, no jailbreak needed.

env → cd <Documents> → ls -la (inside objection)

Resolve the app sandbox paths (Bundle / Documents / Library / Caches / tmp) and browse files written at runtime'env' prints the container roots. Caches/ often holds unencrypted API responses; Documents/ holds user-generated files and SQLite DBs.

ios plist cat Library/Preferences/com.target.app.plist

Print any plist on disk — read cached preferences, tokens, and config without pulling files off the deviceBinary plists are auto-converted to readable XML. Pair with 'file download' to exfil the raw plist for the report.

sqlite3 Documents/app.db '.tables' ; sqlite3 app.db 'SELECT * FROM users;'

Inspect local SQLite/Core Data stores for cached credentials, message history, or PII stored without encryptionCore Data writes a .sqlite file. WAL mode means recent rows may live in app.db-wal — pull all three (.db, -wal, -shm).

file download Documents/cache.realm /tmp/cache.realm

Exfiltrate Realm databases for offline analysis — frequently store entire object graphs unencrypted by defaultOpen with Realm Studio. If encrypted, the 64-byte key is often in the Keychain — dump it first, then decrypt.

ls -la Library/Caches/Snapshots/ # app backgrounding screenshots

Recover the auto-snapshot iOS takes when an app backgrounds — can leak the last screen (account balances, OTPs, PII)An app should blur/hide sensitive views on willResignActive. If it doesn't, plaintext screens persist in Snapshots/ until overwritten.

Jailbreak & Anti-Tamper Detection Bypass

(8)

objection -g com.target.app explore --startup-command "ios jailbreak disable"

Objection's built-in jailbreak-detection bypass — hooks fileExistsAtPath, fork, NSFileManager, and dyld checks on startupRun at spawn so the bypass is active before the app's first detection routine fires. Covers the most common 80% of checks.

Add /Applications/Cydia.app, /bin/bash, /etc/apt, /private/var/lib/apt to a path blocklist hook

Understand what detectors look for — fileExistsAtPath against jailbreak artifacts is the #1 check to neutralizeHook -[NSFileManager fileExistsAtPath:] and return NO for any path containing these known jailbreak markers.

Interceptor.replace(Module.findExportByName(null,'fork'), new NativeCallback(()=>-1,'int',[]))

Defeat the fork()-succeeds detection — a sandboxed app can't fork, so apps test it to infer a jailbreakReturning -1 simulates the sandbox-denied behavior. Also hook system() and popen() which detectors use the same way.

Interceptor.attach(Module.findExportByName(null,'stat'), { onLeave(r){ /* clear results for /Applications/Cydia.app */ } })

Spoof stat/lstat/access calls so probes for jailbreak files report 'not found'Some apps bypass NSFileManager and call libc stat directly to dodge ObjC hooks — patch at the native layer.

Hook -[NSURL canOpenURL:] / UIApplication to return NO for cydia:// undecimus:// sileo:// zbra://

Block URL-scheme detection — apps probe whether jailbreak-store schemes can be openedcanOpenURL: for a jailbreak app's scheme returning YES is a strong jailbreak signal; force NO for those schemes only.

Use Liberty Lite / Shadow / A-Bypass tweak from a jailbreak repo

On-device tweaks that hide the jailbreak from detection without any host-side scripting — fastest for app smoke-testingTweak-based bypass survives anti-Frida checks too. Add the target's bundle id to the tweak's allow/hide list.

Check for / disable anti-Frida: scan for 'frida', port 27042, and gum-js-loop thread before hooking

Apps detect Frida by scanning loaded modules, the default 27042 port, and named threads — defeat detection before instrumentingStart frida-server on a non-default port (frida-server -l 0.0.0.0:5555) and attach with frida -H to dodge the port-scan check.

RASP/integrity bypass: hook the SDK callback that reports 'tampered=true' to return clean state

Commercial RASP (Promon SHIELD, Guardsquare DexGuard/iXGuard, Appdome) ships threat-scoring SDKs — hook the verdict, not each checkFind the single decision function (often returning a threat bitmask) via 'ios hooking watch' during a deliberate tamper, then pin its return.

Static Analysis & Secret Hunting

(8)

class-dump -H Payload/Target.app/Target -o headers/

Reconstruct Objective-C class/method headers from the Mach-O — gives a full map of the app's runtime interfaceOnly works on a DECRYPTED binary (cryptid 0). For Swift-heavy apps use 'swift-demangle' on symbols or dsdump for the Swift metadata.

strings -a Payload/Target.app/Target | grep -iE 'http(s)?://|api[_-]?key|secret|bearer|AKIA[0-9A-Z]{16}'

Sweep the binary for endpoints, API keys, AWS access keys, and bearer tokens baked into the buildAKIA… is an AWS access key id; also grep for firebaseio.com, amazonaws.com, and Google maps/API key patterns (AIza...).

rabin2 -zzq Payload/Target.app/Target | grep -iE 'password|token|jwt|private[_-]?key'

Use radare2's rabin2 to extract wide/UTF-16 and section strings that plain 'strings' misses-zz pulls strings from all sections including __cstring and __const where hardcoded credentials commonly hide.

plutil -p Payload/Target.app/Info.plist | grep -iE 'NSAppTransportSecurity|URLSchemes|UIFileSharing|NSAllowsArbitraryLoads'

Audit Info.plist for ATS exceptions, custom URL schemes, and iTunes file-sharing — each is an attack surfaceNSAllowsArbitraryLoads=true disables ATS (cleartext allowed). Custom CFBundleURLSchemes enable deep-link / scheme-hijack testing.

codesign -d --entitlements :- Payload/Target.app

Print the binary's entitlements — keychain-access-groups, app-groups, associated-domains, and any private/excessive grantskeychain-access-groups reveals shared Keychain with sibling apps; associated-domains shows universal-link domains to test for hijack.

MobSF: docker run -p 8000:8000 opensecurity/mobile-security-framework-mobsf, then upload the IPA

Run the full automated static (and dynamic) pipeline — ATS, binary protections, secrets, and a scored reportConfirms PIE, stack canary, ARC, and encryption flags in one view. Use as the baseline, then verify findings manually.

grep -rE 'kCCAlgorithmAES|ECB|kSecAttrAccessibleAlways' headers/ source/

Flag weak crypto usage — ECB mode, static IVs, and overly-permissive Keychain accessibility constantskSecAttrAccessibleAlways is deprecated/insecure (data readable when locked). ECB and hardcoded IVs are reportable crypto findings.

nm Payload/Target.app/Target | grep -iE 'NSLog|_objc_msgSend' ; otool -hv Target | grep PIE

Check binary hardening — confirm PIE/ASLR is enabled and look for leftover NSLog/debug logging in release buildsMissing PIE in the otool -hv flags = no ASLR (reportable). NSLog symbols in a release build often mean sensitive data hits the device log.

ShareX LinkedIn Reddit

Level up your security testing

Install the CLI

npx payload-playground

Explore All Tools

Encoding, hashing, JWT & more

Browse Cheat Sheets

Quick-reference payload guides

Related Cheat Sheets

JWT Attacks Cheat Sheet Post-Exploitation Cheat Sheet API Security Cheat Sheet Mobile Security Cheat Sheet

Frequently asked questions

What is the iOS App Security Testing Cheat Sheet?+

It's a quick-reference collection of 46 iOS App Sec payloads for testing iOS App Security Testing vulnerabilities during authorized penetration testing, bug bounties, and CTFs. Every payload is copy-ready and grouped by attack context.

How do I use these iOS App Sec payloads?+

Copy any payload straight into your authorized test, or use the Certificate Decoder to apply them interactively. Only test systems you have explicit permission to assess.

Are these iOS App Sec payloads free to use?+

Yes — this cheat sheet and all iOS App Sec payloads are completely free, with no account required. Everything runs in your browser.

$loading...

Frequently asked questions

What is the iOS App Security Testing Cheat Sheet?+

How do I use these iOS App Sec payloads?+

Copy any payload straight into your authorized test, or use the Certificate Decoder to apply them interactively. Only test systems you have explicit permission to assess.

Are these iOS App Sec payloads free to use?+

Yes — this cheat sheet and all iOS App Sec payloads are completely free, with no account required. Everything runs in your browser.

iOS App Security Testing Cheat Sheet

Environment & IPA Acquisition

Objection Runtime Exploration

SSL/TLS Pinning Bypass

Keychain & Local Data Storage

Jailbreak & Anti-Tamper Detection Bypass

Static Analysis & Secret Hunting

Related Tools

Related Cheat Sheets

Frequently asked questions

iOS App Security Testing Cheat Sheet

Environment & IPA Acquisition

Objection Runtime Exploration

SSL/TLS Pinning Bypass

Keychain & Local Data Storage

Jailbreak & Anti-Tamper Detection Bypass

Static Analysis & Secret Hunting

Related Tools

Related Cheat Sheets

Frequently asked questions