iOS Pentesting on Jailbroken Devices: Frida, Objection, and Keychain Dump
Workflow for assessing iOS apps on a jailbroken device, including IPA extraction, Frida and objection runtime hooks, and pulling secrets from the iOS keychain.
By Arjun Raghavan, Security & Systems Lead, BIPI · December 20, 2024 · 10 min read
iOS pentesting needs a jailbroken device or a Corellium virtual device. checkra1n covers A9 through A11 hardware permanently, palera1n handles A11 and below on iOS 15 to 16, and Dopamine covers A12 to A16 on iOS 15 to 16.5 semi-tethered. For older targets, an iPhone 7 or 8 on checkra1n is still the most reliable rig in 2024.
Pulling and Decrypting the IPA
App Store binaries are FairPlay-encrypted. SSH into the jailbroken device, find the .app bundle under /var/containers/Bundle/Application, then use frida-ios-dump or bagbak to dump the decrypted Mach-O. From there, use class-dump for Objective-C metadata and Hopper or Ghidra for Swift and arm64 disassembly.
- frida-ios-dump.py com.target produces an unencrypted IPA ready for class-dump and Hopper
- Swift symbols need swift-demangle; otherwise Hopper shows mangled names like _$s9TargetApp9LoginViewC
- Search the binary for kSecAttrAccessible constants to map keychain item protection classes
- grep for http://, NSAllowsArbitraryLoads, and NSExceptionDomains in Info.plist for ATS bypass weaknesses
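Two of the static checks above (reading mangled Swift names and grepping Info.plist for ATS exceptions) are easy to script once the decrypted bundle is on disk. The following is an added example, not code from the post or from any of the tools it names: a deliberately narrow Swift demangler that handles only plain nominal type names (module.Type.Nested with a class/struct/enum/protocol kind letter; anything involving generics or functions is left to swift-demangle), and an ATS audit over an Info.plist using the standard plistlib module. The sample plist and the mangled symbols are constructed for the example.

```python
import plistlib
import re

# --- Swift symbol demangling (simplified, added example) -------------------
# Swift 5 symbols start with "$s" ("_$s" in a Mach-O symbol table) followed by
# length-prefixed identifiers; each nominal type is closed by a kind letter.
# Only plain nominal type names are handled; real binaries need swift-demangle.
SWIFT_KINDS = {"C": "class", "V": "struct", "O": "enum", "P": "protocol"}


def demangle_swift_nominal(symbol):
    """Return (dotted_name, kind) for a mangled nominal type, or None."""
    prefix = re.match(r"^_?\$[sS]", symbol)
    if not prefix:
        return None  # not a Swift 5 symbol (e.g. an Objective-C class symbol)
    rest = symbol[prefix.end():]
    parts, kinds, pos = [], [], 0
    while pos < len(rest):
        length = re.match(r"\d+", rest[pos:])
        if length:
            n = int(length.group())
            start = pos + length.end()
            ident = rest[start:start + n]
            if len(ident) != n:
                return None  # truncated or mis-sized identifier
            parts.append(ident)
            pos = start + n
        elif rest[pos] in SWIFT_KINDS:
            kinds.append(SWIFT_KINDS[rest[pos]])
            pos += 1
        else:
            return None  # generics, functions, etc. are out of scope here
    if not parts or not kinds:
        return None
    return ".".join(parts), kinds[-1]


# --- App Transport Security audit ------------------------------------------
WEAK_TLS = {"TLSv1.0", "TLSv1.1"}


def audit_ats(info_plist):
    """Flag ATS weaknesses in an Info.plist given as XML or binary plist bytes.

    Returns (severity, scope, reason) tuples; scope is "*" or a domain.
    """
    ats = plistlib.loads(info_plist).get("NSAppTransportSecurity", {})
    findings = []
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append(("HIGH", "*", "NSAllowsArbitraryLoads disables ATS for every host"))
    if ats.get("NSAllowsArbitraryLoadsInWebContent"):
        findings.append(("MEDIUM", "*", "WKWebView content may load over cleartext HTTP"))
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        if rules.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(("HIGH", domain, "NSExceptionAllowsInsecureHTTPLoads permits http://"))
        tls = rules.get("NSExceptionMinimumTLSVersion")
        if tls in WEAK_TLS:
            findings.append(("MEDIUM", domain, f"minimum TLS version lowered to {tls}"))
        if rules.get("NSExceptionRequiresForwardSecrecy") is False:
            findings.append(("LOW", domain, "forward secrecy not required"))
    return findings


# Constructed Info.plist fragment with a typical "we needed one legacy host" ATS block.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.targetapp</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><true/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>legacy.example.com</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
        <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.0</string>
        <key>NSExceptionRequiresForwardSecrecy</key><false/>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

if __name__ == "__main__":
    for sym in ("_$s9TargetApp9LoginViewC", "$s9TargetApp9LoginViewC5StateO"):
        print(sym, "->", demangle_swift_nominal(sym))
    for severity, scope, reason in audit_ats(SAMPLE_INFO_PLIST):
        print(f"[{severity}] {scope}: {reason}")
```

To run it against a real bundle, read Payload/Target.app/Info.plist as bytes and pass it to audit_ats; plistlib handles the binary plist form that ships in App Store builds as well as XML. The demangler is a teaching aid for reading the length-prefixed layout, nothing more.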
Objection: The Swiss Army Knife
objection wraps Frida with a REPL that abstracts away the JavaScript. After installing frida-server via Cydia or Sileo, run objection --gadget com.target explore. Inside the prompt you get ios sslpinning disable, ios keychain dump, ios jailbreak disable, and ios hooking list classes in seconds.
- ios keychain dump dumps every kSecClassGenericPassword item the app can read, OAuth tokens included
- ios cookies get pulls WKWebView and NSURLSession cookies, including session and CSRF tokens
- ios nsuserdefaults get reveals plist storage where developers often cache JWT and refresh tokens
- ios pasteboard monitor watches clipboard contents, useful against MFA apps that copy codes
Bypassing Jailbreak Detection
Most banking apps check for /Applications/Cydia.app and /bin/bash, and call fork or ptrace with PT_DENY_ATTACH. objection's ios jailbreak disable patches these in memory. For custom checks, dump the binary, identify the function with class-dump, then hook it with Interceptor.replace returning the safe value. CVE-worthy bypasses in 2024 included a Chase Bank check that simply called stat on a path string built from NSString concatenation, trivially hooked.
If a check is written in Swift or Objective-C, Frida can defeat it in one line. Real anti-tampering on iOS lives in native C with inlined syscalls and integrity checks across multiple binaries.
Keychain and Data Protection
- kSecAttrAccessibleAlways: readable even when the device is locked; almost always a finding
- kSecAttrAccessibleAfterFirstUnlock: readable after the first unlock since boot; acceptable for sync tokens
- kSecAttrAccessibleWhenUnlocked: readable only while the device is unlocked; recommended for session tokens
- kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly: highest tier; mandatory for refresh tokens and PII
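The tiering above turns a raw keychain dump into findings mechanically: rank each item's protection class, decide what tier the item's content deserves, and flag anything stored below it. The script below is an added example, not objection's code or the post's, that does this over a JSON dump. It assumes a dump shaped like a list of objects with "accessible", "account", "service" and "data" fields (the field names are an assumption, so adapt them to the dump you actually have), and the sample items are constructed. The item classifier is a heuristic (name hints, then JWT or token-shaped data); treat its output as triage, not verdict.

```python
import json
import re

# Protection classes ordered weakest -> strongest. The "ThisDeviceOnly" variants
# are never migrated to another device through an encrypted backup.
ACCESSIBILITY_RANK = {
    "kSecAttrAccessibleAlways": 0,
    "kSecAttrAccessibleAlwaysThisDeviceOnly": 1,
    "kSecAttrAccessibleAfterFirstUnlock": 2,
    "kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly": 3,
    "kSecAttrAccessibleWhenUnlocked": 4,
    "kSecAttrAccessibleWhenUnlockedThisDeviceOnly": 5,
    "kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly": 6,
}
RANK_NAME = {v: k for k, v in ACCESSIBILITY_RANK.items()}

# Minimum tier per item kind, following the policy in the post: refresh tokens
# and PII need the passcode-set tier, session tokens need when-unlocked, and
# plain sync state is fine after first unlock.
MINIMUM_RANK = {"refresh_token": 6, "pii": 6, "session_token": 4, "other": 2}

JWT_RE = re.compile(r"^eyJ[\w-]+\.[\w-]+\.[\w-]*$")   # base64url header.payload.sig
TOKEN_RE = re.compile(r"^[\w+/=-]{32,}$")             # long opaque token-like blob


def classify_item(item):
    """Heuristic: account/service name hints first, then the shape of the data."""
    name = f"{item.get('account', '')} {item.get('service', '')}".lower()
    data = str(item.get("data", ""))
    if "refresh" in name:
        return "refresh_token"
    if any(hint in name for hint in ("ssn", "dob", "card", "iban")):
        return "pii"
    if JWT_RE.match(data) or TOKEN_RE.match(data) or "session" in name:
        return "session_token"
    return "other"


def triage_keychain_dump(dump_json):
    """Return (severity, 'service/account', reason) tuples for weak items."""
    findings = []
    for item in json.loads(dump_json):
        acc = item.get("accessible", "")
        label = f"{item.get('service', '?')}/{item.get('account', '?')}"
        rank = ACCESSIBILITY_RANK.get(acc)
        if rank is None:
            findings.append(("INFO", label, f"unrecognised protection class {acc!r}"))
            continue
        kind = classify_item(item)
        need = MINIMUM_RANK[kind]
        if rank <= 1:
            findings.append(("HIGH", label, f"{acc}: readable while the device is locked"))
        elif rank < need:
            severity = "HIGH" if need == 6 else "MEDIUM"
            findings.append((severity, label, f"{kind} stored as {acc}, needs {RANK_NAME[need]}"))
        elif kind != "other" and "ThisDeviceOnly" not in acc:
            findings.append(("LOW", label, f"{kind} can migrate to another device via backup"))
    return findings


# Constructed sample dump (field names assumed; values are made up for the example).
_JWT = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1MSJ9.c2ln"
SAMPLE_DUMP = json.dumps([
    {"accessible": "kSecAttrAccessibleAlways", "account": "oauth_access",
     "service": "com.example.targetapp", "data": _JWT},
    {"accessible": "kSecAttrAccessibleAfterFirstUnlock", "account": "refresh_token",
     "service": "com.example.targetapp", "data": "rt_" + "A" * 40},
    {"accessible": "kSecAttrAccessibleAfterFirstUnlock", "account": "session_jwt",
     "service": "com.example.targetapp", "data": _JWT},
    {"accessible": "kSecAttrAccessibleWhenUnlocked", "account": "api_key",
     "service": "com.example.targetapp", "data": "k" * 48},
    {"accessible": "kSecAttrAccessibleWhenUnlockedThisDeviceOnly", "account": "session",
     "service": "com.example.targetapp", "data": _JWT},
    {"accessible": "kSecAttrAccessibleAfterFirstUnlock", "account": "sync_cursor",
     "service": "com.example.targetapp", "data": "42"},
])

if __name__ == "__main__":
    for severity, label, reason in triage_keychain_dump(SAMPLE_DUMP):
        print(f"[{severity}] {label}: {reason}")
```

On the sample this reports the kSecAttrAccessibleAlways token and the under-protected refresh token as HIGH, the JWT sitting at AfterFirstUnlock as MEDIUM, and the backup-migratable API key as LOW, while the correctly tiered session token and the sync cursor produce nothing.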
Traffic Interception
Install the Burp CA via Settings > Profile Downloaded, then enable full trust under Settings > General > About > Certificate Trust Settings. Apps that rely on NSURLSession's default trust evaluation will route through. For pinned apps, use the Frida codeshare script ios10-ssl-bypass or hook SecTrustEvaluateWithError. Cronet and grpc-swift need native hooks against BoringSSL.
Notable iOS CVEs in 2024
- CVE-2024-23222 WebKit zero-day, exploited in the wild, kernel-level RCE chain
- CVE-2024-27834 in WebKit allowed PAC bypass on A12+, foundational for chained iOS exploits
- CVE-2024-44308 and CVE-2024-44309 WebKit zero-days patched in November 2024 security update
Defensive Posture
- Use DeviceCheck and App Attest server-side to bind tokens to genuine devices
- Encrypt sensitive blobs at the app level with a CryptoKit key held in the Secure Enclave
- Layer multiple jailbreak detection routines in native code, fail closed on any failure
- Pin certificates via TrustKit or native SecTrustEvaluateWithError, no NSURLSession default fallback
iOS raises the bar but does not move the goalposts. With a jailbroken device, the right Frida tooling, and patience for Swift name demangling, every binding from network to keychain is in scope.