13 min read | Intermediate | Mobile

iOS Pentesting: 2026 (Updated)

Stay updated with the official OWASP MASTG iOS tests: https://mas.owasp.org/MASTG/tests/#ios;l1;l2;r;p

Overview

iOS pentesting (penetration testing) involves assessing the security of iOS applications to identify vulnerabilities that could be exploited. This process helps ensure that applications are robust and secure against various attack vectors.

Device Configuration & Setup

| Category | Details |
|---|---|
| Device | iPhone X (palera1n rootless) |
| Frida Version | 17.7.3 |
| Objection Version | 1.12.3 |
| Frida Source | build.frida.re |
| Palen1x Official Guide | https://docs.website-msw.pages.dev/docs/get-started/installing-palen1x-windows/ |
| My Preferred Guide | https://ios.cfw.guide/get-started/ |

iOS Testing Cheat Sheet

| Scenario | Use This |
|---|---|
| Fresh launch | frida -U -f OWASP.iGoat-Swift |
| SSL pinning bypass | frida -U -f OWASP.iGoat-Swift -c federicodotta/ios13-pinning-bypass |
| Interactive runtime exploration | objection -n OWASP.iGoat-Swift -s start |
| DVIA runtime testing | objection -n com.highaltitudehacks.DVIAswiftv2 start |

Common Testing: Objection & Local Storage Cheat Sheet

| Category | Command / Path | Purpose / Notes |
|---|---|---|
| Jailbreak Bypass | ios jailbreak disable | Disable jailbreak detection |
| | ios jailbreak enable | Re-enable jailbreak detection |
| SSL / TLS Pinning | ios sslpinning disable | Disable SSL pinning to intercept HTTPS traffic |
| | ios sslpinning enable | Re-enable SSL pinning |
| Session Start | objection -n <bundle_id> start | Start an Objection session with the app |
| Environment Info | env | Show app environment paths: Bundle, Documents, Library, Caches |
| File Navigation | pwd, ls, cd <path> | Navigate the application directory |
| | download <file> | Download a file from the device to the host |
| Keychain / Secrets | ios keychain dump | Dump all keychain entries (may require passcode/Touch ID) |
| | ios keychain dump --json keychain.json | Export the keychain dump as JSON |
| Runtime Hooking | ios hooking list classes | List all loaded Objective-C/Swift classes |
| | ios hooking list methods <Class> | List the methods of a class |
| | ios hooking watch method <Class> <method> | Hook a method to monitor calls and arguments |
| API Monitoring | ios monitor crypto | Monitor cryptographic function calls |
| | ios monitor http | Monitor HTTP requests and responses |
| Jobs Management | jobs list | List active hooks or monitoring jobs |
| | jobs kill <id> | Stop a running job |
| Documents Folder | /var/mobile/Containers/Data/Application/<UUID>/Documents/ | Inspect for SQLite, JSON, plist, logs, cached API responses |
| Library Preferences | /Library/Preferences/ | Check <bundle_id>.plist for stored secrets or debug flags |
| Library Application Support | /Library/Application Support/ | Inspect SQLite databases, offline content, session storage |
| Library Caches | /Library/Caches/ | Check for cached sensitive data such as API responses, images |
| Bundle Directory | /private/var/containers/Bundle/Application/<UUID>/<AppName>.app/ | Inspect app binary, embedded certificates, config files, hardcoded API keys |
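An added example (not code from the article) for the local-storage rows of the cheat sheet: once the app's Documents/ and Library/ folders have been pulled to the host with download, this walks them and reports plist keys and SQLite columns whose names suggest stored credentials or session material. The container it scans (com.example.demo.plist and app.sqlite) is constructed in a temporary directory so the script runs offline.

```python
"""Scan a copied app data container for sensitive data at rest."""
import os
import plistlib
import re
import sqlite3
import tempfile

# Key or column names that usually carry credentials or session material.
SECRET_NAME_RE = re.compile(r"(password|passwd|secret|token|api[_-]?key|session)", re.I)


def scan_plist(path: str) -> list[str]:
    """Flag top-level string values stored under secret-looking keys."""
    try:
        with open(path, "rb") as fh:
            data = plistlib.load(fh)
    except Exception:  # not a readable plist; skip it
        return []
    items = data.items() if isinstance(data, dict) else []
    return [f"{path}: plist key '{k}' holds a string value"
            for k, v in items if isinstance(v, str) and SECRET_NAME_RE.search(k)]


def scan_sqlite(path: str) -> list[str]:
    """Flag columns with secret-looking names and count their populated rows."""
    findings, con = [], sqlite3.connect(path)
    try:
        tables = [r[0] for r in con.execute("SELECT name FROM sqlite_master WHERE type='table'")]
        for table in tables:
            for row in con.execute(f'PRAGMA table_info("{table}")'):
                column = row[1]
                if SECRET_NAME_RE.search(column):
                    n = con.execute(f'SELECT COUNT(*) FROM "{table}" WHERE "{column}" IS NOT NULL').fetchone()[0]
                    findings.append(f"{path}: table {table} column {column} has {n} non-null rows")
    except sqlite3.DatabaseError:  # not a SQLite file; skip it
        pass
    finally:
        con.close()
    return findings


def scan_container(root: str) -> list[str]:
    """Walk Documents/, Library/Preferences/, Application Support/ and Caches/ under root."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.endswith(".plist"):
                findings.extend(scan_plist(path))
            elif name.endswith((".sqlite", ".sqlite3", ".db")):
                findings.extend(scan_sqlite(path))
    return findings


def build_sample_container() -> str:
    """Constructed sample mirroring the container layout in the cheat sheet above."""
    root = tempfile.mkdtemp(prefix="appdata_")
    prefs, docs = os.path.join(root, "Library", "Preferences"), os.path.join(root, "Documents")
    os.makedirs(prefs)
    os.makedirs(docs)
    with open(os.path.join(prefs, "com.example.demo.plist"), "wb") as fh:
        plistlib.dump({"theme": "dark", "user_token": "user_auth_token_123456"}, fh)
    con = sqlite3.connect(os.path.join(docs, "app.sqlite"))
    con.execute("CREATE TABLE users (id INTEGER, email TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES (1, 'a@example.com', 'hunter2')")
    con.commit()
    con.close()
    return root
```

Run `scan_container(build_sample_container())` for the demo, or point `scan_container` at a folder downloaded from the device; each finding names the file and the key or column so it can be checked by hand.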

Basics of iOS

iOS is Apple's mobile operating system that powers iPhones and iPads. It is designed with a strong focus on security and user privacy. Understanding the basics of iOS is crucial for effective pentesting.

Key Concepts

  • Sandboxing: Each app runs in its own sandbox to limit its access to other apps and system resources.
  • App Store Guidelines: Apps must adhere to Apple's guidelines, which include security and privacy considerations.
  • Code Signing: Apps must be signed with a valid Apple certificate to run on devices.

Architecture of iOS

iOS architecture is designed to ensure a high level of security and efficiency. The main components include:

  • Kernel: Manages system resources and enforces security policies.
  • Core OS: Includes low-level services and APIs.
  • Core Services: Provides fundamental services such as networking and data management.
  • Media: Handles graphics, audio, and video.
  • Cocoa Touch: The user interface layer, including touch input and application frameworks.

Basic Components of iOS

  • UIKit: Framework for building the user interface.
  • Foundation: Provides basic data types, collections, and operating-system services.
  • Core Data: Framework for data management and persistence.
  • Security: Framework for cryptographic services and secure storage.
  • Networking: Includes URLSession for handling network requests.

How to Perform iOS Pentesting

  1. Setup: Configure your testing environment with necessary tools and a test device.
  2. Static Analysis: Examine the app’s binary and source code for vulnerabilities.
  3. Dynamic Analysis: Test the app in real-time to observe its behavior and interactions.
  4. Network Analysis: Intercept and analyze network traffic between the app and backend services.
  5. Reverse Engineering: Decompile and analyze the app to uncover potential security issues.

Tools

  • palera1n: For jailbreaking the test device.
  • Burp Suite: For web application security testing and network traffic interception.
  • Xcode: Apple’s IDE for building and debugging iOS apps.
  • Frida/Objection: For runtime instrumentation, including SSL pinning and jailbreak-detection bypass.
  • MobSF: Mobile Security Framework for automated static and dynamic analysis.

Requirements for iOS Pentesting

The main requirement is Apple hardware; the tools (Frida, Objection, Burp Suite) and the rest of the configuration can be set up easily afterwards.

  • macOS / iPhone / iPad: physical Apple devices, or virtual devices on Corellium.

Types of iOS Pentesting

  1. Static Analysis: Examining source code or binary files without executing the application.
  2. Dynamic Analysis: Testing the application during runtime to identify runtime vulnerabilities.
  3. Network Analysis: Intercepting and analyzing network traffic to detect issues in communication.
  4. Reverse Engineering: Decompiling and analyzing the app's binary to understand its internal workings and potential vulnerabilities.

Info.plist Vulnerabilities

<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <!-- 1. Hardcoded API Key (vulnerable) -->
    <key>API_KEY</key>
    <string>abcdef1234567890</string> <!-- Vulnerability: Hardcoded API key, easily extracted. -->
    <!-- Mitigation: Store API keys securely in the Keychain, not in Info.plist. -->

    <!-- 2 and 4. Insecure App Transport Security (ATS) settings, allowing cleartext HTTP (vulnerable) -->
    <!-- A plist dictionary key must be unique, so both ATS flags live under the single NSAppTransportSecurity dict. -->
    <key>NSAppTransportSecurity</key>
    <dict>
        <key>NSAllowsArbitraryLoads</key>
        <true/> <!-- Vulnerability: App can communicate over unencrypted HTTP. -->
        <!-- Mitigation: Set `NSAllowsArbitraryLoads` to `false` and use HTTPS for secure communication. -->
        <key>NSAllowsArbitraryLoadsInWebContent</key>
        <true/> <!-- Vulnerability: Web content may be loaded over HTTP, bypassing security requirements. -->
        <!-- Mitigation: Disable `NSAllowsArbitraryLoadsInWebContent` and enforce HTTPS for all web communications. -->
    </dict>

    <!-- 3. Allowing File Sharing / Backup (vulnerable) -->
    <key>UIFileSharingEnabled</key>
    <true/> <!-- Vulnerability: Allowing file sharing and backup exposes sensitive data to potential extraction. -->
    <!-- Mitigation: Set `UIFileSharingEnabled` to `false` if file sharing isn't necessary. -->

    <!-- 5. Debuggable Mode Enabled (vulnerable) -->
    <key>Debuggable</key>
    <true/> <!-- Vulnerability: Debuggable mode enabled, exposing the app to reverse engineering. -->
    <!-- Mitigation: Disable debugging in production and set `Debuggable` to `false`. -->

    <!-- 6 and 13. Background modes: exposed file access and excessive background task usage (vulnerable) -->
    <!-- UIBackgroundModes can appear only once, so all declared modes share one array. -->
    <key>UIBackgroundModes</key>
    <array>
        <string>location</string>
        <string>fetch</string>
        <string>remote-notification</string>
    </array> <!-- Vulnerability: Exposing sensitive data in background fetch operations; excessive use of background tasks can impact battery life and privacy. -->
    <!-- Mitigation: Limit background tasks, avoid exposing sensitive resources, and request only the modes that are necessary. -->

    <!-- 7. Excessive Permissions (vulnerable) -->
    <key>NSCameraUsageDescription</key>
    <string>We need access to your camera to scan QR codes.</string> <!-- Vulnerability: Requesting camera permission without explicit need. -->
    <!-- Mitigation: Request permissions only when absolutely necessary and explain the use case. -->

    <key>NSLocationWhenInUseUsageDescription</key>
    <string>We need access to your location for personalized recommendations.</string> <!-- Vulnerability: Location data can be accessed without explicit consent or valid need. -->
    <!-- Mitigation: Only request location permissions when necessary and inform users clearly. -->

    <!-- 8. No File Protection for Sensitive Data (vulnerable) -->
    <key>NSFileProtectionNone</key>
    <true/> <!-- Vulnerability: Storing sensitive data without file protection makes it accessible in backups. -->
    <!-- Mitigation: Use `NSFileProtectionComplete` or `NSFileProtectionCompleteUnlessOpen` to protect sensitive data. -->

    <!-- 9. Exposed Push Notification Payload (vulnerable) -->
    <key>UIRemoteNotificationTypes</key>
    <array>
        <string>badge</string>
        <string>sound</string>
        <string>alert</string>
    </array> <!-- Vulnerability: Including sensitive information in the notification payload. -->
    <!-- Mitigation: Encrypt sensitive data in push notifications and avoid exposing private information. -->

    <!-- 10. Exposing Sensitive Data in UserDefaults (vulnerable) -->
    <key>NSUserDefaults</key>
    <dict>
        <key>user_token</key>
        <string>user_auth_token_123456</string> <!-- Vulnerability: Storing sensitive information like tokens in UserDefaults, which is insecure. -->
        <!-- Mitigation: Store sensitive data such as tokens in the Keychain instead of UserDefaults. -->
    </dict>

    <!-- 11. Insecure Web View Usage (vulnerable) -->
    <key>UIWebView</key>
    <true/> <!-- Vulnerability: Using `UIWebView` instead of `WKWebView`, which is less secure. -->
    <!-- Mitigation: Replace `UIWebView` with `WKWebView` to enhance security and performance. -->

    <!-- 12. No Keychain Protection for Credentials (vulnerable) -->
    <key>KeychainAccess</key>
    <dict>
        <key>user_password</key>
        <string>password12345</string> <!-- Vulnerability: Storing passwords in the Keychain without access controls. -->
        <!-- Mitigation: Use `kSecAttrAccessibleWhenUnlocked` for sensitive data stored in the Keychain. -->
    </dict>

    <!-- 14. Insecure Push Notification Configuration (vulnerable) -->
    <key>PushNotificationService</key>
    <true/> <!-- Vulnerability: Exposing insecure push notification configurations to potential interception. -->
    <!-- Mitigation: Use secure protocols and encrypt sensitive data in push notifications. -->
</dict>
</plist>

List of Info.plist and iOS-specific vulnerabilities

iOS Vulnerabilities in Configuration and App Setup

  1. Hardcoded Credentials in Info.plist or Code

    • Risk: Hardcoding API keys or sensitive information in Info.plist or within the app code can be extracted by attackers.
    • Solution: Use secure storage mechanisms like iOS Keychain to store sensitive data, and retrieve them at runtime.
  2. Insecure App Transport Security (ATS) Settings

    • Risk: Disabling ATS or using weak encryption protocols (e.g., HTTP instead of HTTPS) exposes the app to data interception.
    • Solution: Ensure that ATS is enabled by default, and only allow connections over HTTPS with valid certificates.
  3. Excessive Permissions

    • Risk: Requesting unnecessary permissions (like location or camera access) increases the attack surface.
    • Solution: Request permissions only when necessary, and be transparent with users on why specific permissions are needed.
  4. Backup Data Exposure (NSFileProtectionNone)

    • Risk: Storing sensitive data without file protection in iCloud or device backups makes it accessible to unauthorized parties.
    • Solution: Use NSFileProtectionComplete or higher to protect files that contain sensitive information.
  5. Insecure App Identifier (CFBundleIdentifier)

    • Risk: Using a generic or poorly chosen bundle identifier can lead to conflicts or make it easier for attackers to impersonate your app.
    • Solution: Use a unique, well-structured app identifier to reduce the risk of impersonation.
  6. Insecure UIWebView Usage

    • Risk: UIWebView is deprecated and known to have multiple security vulnerabilities, including the potential for executing unsafe scripts.
    • Solution: Replace UIWebView with WKWebView for better security and performance.
  7. Exposing Sensitive Data in User Defaults

    • Risk: Storing sensitive information such as passwords or tokens in UserDefaults is insecure, as they can be easily accessed or intercepted.
    • Solution: Use Keychain for secure storage instead of UserDefaults for sensitive data.
  8. Exposing API Endpoints Without Authentication

    • Risk: Exposing sensitive API endpoints in the app without authentication mechanisms (such as OAuth) allows attackers to gain unauthorized access.
    • Solution: Implement strong authentication and authorization mechanisms for all API requests.
  9. Allowing Debugging in Release Builds (NSDebug)

    • Risk: Leaving debugging features enabled in release builds can allow attackers to exploit vulnerabilities and reverse-engineer the app.
    • Solution: Disable debugging and logging features in release builds and remove any debug symbols.
  10. Unrestricted File Access

    • Risk: If the app allows unrestricted access to its local file system, it can expose sensitive files to other apps or attackers.
    • Solution: Restrict access to files using iOS sandboxing mechanisms and use proper app containerization.
  11. Excessive Use of NSURLProtocol

    • Risk: Unrestricted use of custom NSURLProtocol can lead to unauthorized interception of network requests or data leakage.
    • Solution: Use NSURLProtocol cautiously and limit its scope to avoid introducing security holes.
  12. Weak Encryption and Hardcoded Keys

    • Risk: Using weak or outdated encryption algorithms or hardcoding encryption keys in the app can make data easily accessible.
    • Solution: Use strong, modern encryption algorithms (e.g., AES-256) and store keys securely in the iOS Keychain.
  13. Improper App Sandbox Configuration

    • Risk: Incorrectly configuring app sandbox settings can allow an app to access resources or data that it should not.
    • Solution: Use the proper app sandbox settings in the Xcode project to restrict the app’s access to system resources.
  14. Missing or Misconfigured NSAppTransportSecurity

    • Risk: Failing to configure NSAppTransportSecurity properly can lead to vulnerabilities in network traffic (e.g., unencrypted data).
    • Solution: Ensure that NSAppTransportSecurity is configured to enforce secure network communication by only allowing HTTPS.
  15. Insecure Bluetooth Communication

    • Risk: Poorly implemented Bluetooth communication can expose sensitive data, especially if encryption is not used.
    • Solution: Implement proper encryption and use Bluetooth Low Energy (BLE) with secure pairing methods.
  16. Exposing Location Data Without Consent

    • Risk: Collecting or transmitting location data without explicit user consent exposes the app to privacy violations.
    • Solution: Always request permission to access location data and inform users of why it is needed.
  17. Insecure Push Notification Handling

    • Risk: Push notifications can be intercepted or spoofed if not properly secured.
    • Solution: Use encrypted push notifications and ensure that sensitive data is not exposed in the notification payload.
  18. Improper Handling of App Transitions (UIApplicationState)

    • Risk: Failing to handle app state transitions securely can leave sensitive data exposed when the app is backgrounded or terminated.
    • Solution: Secure sensitive data during app transitions (e.g., when the app goes to the background or is terminated) by properly handling UIApplicationState.
  19. Vulnerable or Unsecured Web Views

    • Risk: Web views can allow malicious content to run inside the app, leading to cross-site scripting (XSS) or other attacks.
    • Solution: Use WKWebView and ensure that any external content is properly sandboxed and doesn’t execute arbitrary code.
  20. Unprotected Keychain Access

    • Risk: Exposing sensitive data through weak Keychain configurations can result in unauthorized access to important credentials.
    • Solution: Ensure Keychain items are stored with proper access control settings (e.g., kSecAttrAccessibleWhenUnlocked).
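The static checks a reviewer would run over an Info.plist for the settings discussed above, as an added example (not code from the original article): it uses only Python's plistlib, flags the ATS, file-sharing, background-mode and hardcoded-key items from the list, and also inspects per-domain ATS exceptions (NSExceptionDomains / NSExceptionAllowsInsecureHTTPLoads), which the list does not cover. The embedded sample plist is constructed for the demo.

```python
"""Audit an Info.plist for the weak settings listed above (standard library only)."""
import plistlib
import re
import sys

# Constructed sample: a deliberately misconfigured Info.plist, built for this demo.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.demo</string>
  <key>API_KEY</key><string>abcdef1234567890</string>
  <key>UIFileSharingEnabled</key><true/>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><true/>
    <key>NSAllowsArbitraryLoadsInWebContent</key><true/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>legacy.example.com</key>
      <dict><key>NSExceptionAllowsInsecureHTTPLoads</key><true/></dict>
    </dict>
  </dict>
  <key>UIBackgroundModes</key>
  <array><string>fetch</string><string>location</string></array>
</dict>
</plist>
"""

# Key names that suggest a credential, and the shape of a token-like string value.
SECRET_KEY_RE = re.compile(r"(api[_-]?key|secret|token|password|passwd)", re.I)
TOKEN_VALUE_RE = re.compile(r"^[A-Za-z0-9_\-]{12,}$")


def audit_info_plist(data: bytes) -> list[str]:
    """Return one finding string per weak setting found in the plist bytes."""
    plist = plistlib.loads(data)
    findings = []
    # ATS: each of these re-enables cleartext HTTP for some or all connections.
    ats = plist.get("NSAppTransportSecurity", {})
    if ats.get("NSAllowsArbitraryLoads") is True:
        findings.append("ATS: NSAllowsArbitraryLoads=true permits cleartext HTTP for all connections")
    if ats.get("NSAllowsArbitraryLoadsInWebContent") is True:
        findings.append("ATS: NSAllowsArbitraryLoadsInWebContent=true permits cleartext HTTP in web views")
    for domain, cfg in ats.get("NSExceptionDomains", {}).items():
        if cfg.get("NSExceptionAllowsInsecureHTTPLoads") is True:
            findings.append(f"ATS: per-domain cleartext HTTP exception for {domain}")
    # File sharing exposes the Documents folder to a paired host via Finder/iTunes.
    if plist.get("UIFileSharingEnabled") is True:
        findings.append("UIFileSharingEnabled=true exposes the Documents folder to file sharing")
    # Background modes are not a bug by themselves, but each one needs a justification.
    modes = plist.get("UIBackgroundModes", [])
    if modes:
        findings.append("review: UIBackgroundModes declared: " + ", ".join(modes))
    # Hardcoded credentials: a secret-looking key holding a token-shaped string.
    for key, value in plist.items():
        if isinstance(value, str) and SECRET_KEY_RE.search(key) and TOKEN_VALUE_RE.match(value):
            findings.append(f"hardcoded secret-looking value under key {key}")
    return findings


if __name__ == "__main__":
    # Audit the Info.plist given on the command line, or the constructed sample.
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PLIST
    for finding in audit_info_plist(raw):
        print("[!]", finding)
```

Point it at the Info.plist inside the <AppName>.app bundle directory from the cheat sheet; binary plists are handled by plistlib as well.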

Top 20 Test Cases for iOS Pentesting

1. Authentication Mechanism

Objective: Ensure that authentication mechanisms are secure and resistant to attacks.

  • Test: Verify that authentication credentials are properly validated.
  • Tools: Burp Suite, Frida
  • Commands: Inspect login requests/responses using Burp Suite; modify requests to test for weak authentication.

2. Authorization Checks

Objective: Ensure that users cannot access data or functionality beyond their permissions.

  • Test: Test for horizontal and vertical privilege escalation.
  • Tools: Burp Suite, Frida
  • Commands: Attempt to access restricted data or perform unauthorized actions.

3. Data Storage Security

Objective: Check the security of sensitive data stored on the device.

  • Test: Verify that sensitive data (e.g., passwords, tokens) is securely stored.
  • Tools: iExplorer, DB Browser for SQLite
  • Commands: Inspect app storage using iExplorer; review data in SQLite databases.

4. Keychain Security

Objective: Ensure that data stored in the iOS Keychain is protected.

  • Test: Check if sensitive data is properly encrypted and cannot be accessed without appropriate authorization.
  • Tools: Keychain Access, Frida
  • Commands: Use Frida to check keychain access; review data in Keychain Access.

5. Network Traffic Encryption

Objective: Verify that network traffic is properly encrypted and secured.

  • Test: Ensure that HTTPS/TLS is properly implemented and not susceptible to attacks.
  • Tools: Charles Proxy, Burp Suite
  • Commands: Intercept traffic using Charles Proxy or Burp Suite; inspect for proper encryption.

6. Certificate Pinning

Objective: Ensure that certificate pinning is correctly implemented to prevent man-in-the-middle (MITM) attacks.

  • Test: Check if the app validates certificates properly.
  • Tools: Frida, Burp Suite
  • Commands: Use Frida scripts to bypass certificate pinning; inspect responses using Burp Suite.

7. Code Injection

Objective: Identify vulnerabilities related to code injection.

  • Test: Test for SQL injection, command injection, and other code injection vulnerabilities.
  • Tools: Burp Suite, Frida
  • Commands: Attempt to inject payloads into input fields; inspect the app’s response.

8. Session Management

Objective: Validate the security of session management practices.

  • Test: Ensure that session tokens are securely managed, expired, and not vulnerable to attacks.
  • Tools: Burp Suite, Frida
  • Commands: Inspect session tokens; test for token expiration and renewal.

9. Secure Storage of Sensitive Data

Objective: Verify that sensitive data is not stored insecurely on the device.

  • Test: Check for sensitive data stored in plaintext or insecure locations.
  • Tools: iExplorer, DB Browser for SQLite
  • Commands: Review storage directories and databases for unencrypted data.

10. Data Leakage

Objective: Ensure that sensitive data is not leaked through logs, error messages, or other means.

  • Test: Check for the presence of sensitive data in logs or error messages.
  • Tools: Burp Suite, Frida
  • Commands: Review app logs and error messages for sensitive information.

11. Reverse Engineering Protections

Objective: Verify that the app is protected against reverse engineering.

  • Test: Check for protections like obfuscation or anti-debugging mechanisms.
  • Tools: Hopper, IDA Pro
  • Commands: Analyze app binaries for obfuscation or anti-debugging techniques.

12. Insecure Communication

Objective: Ensure that all communication between the app and backend services is secure.

  • Test: Check for insecure protocols or exposed sensitive data in communication.
  • Tools: Charles Proxy, Burp Suite
  • Commands: Intercept and analyze communication traffic.

13. Insecure Code Execution

Objective: Test for vulnerabilities that allow insecure code execution.

  • Test: Attempt to execute arbitrary code or commands.
  • Tools: Frida, Burp Suite
  • Commands: Use Frida to inject code; attempt command injection.

14. File System Access

Objective: Verify that the app does not expose or mishandle file system access.

  • Test: Check for unauthorized access to files and directories.
  • Tools: iExplorer, File Manager
  • Commands: Inspect the app’s file system access and permissions.

15. App Sandbox Violations

Objective: Ensure that the app adheres to sandboxing rules and does not access unauthorized resources.

  • Test: Test for violations of sandboxing rules.
  • Tools: Frida, Xcode
  • Commands: Use Frida to test access to restricted resources.

16. Jailbreak Detection

Objective: Verify that the app properly detects and handles jailbroken devices.

  • Test: Check if the app has mechanisms to detect and respond to jailbroken environments.
  • Tools: Frida, Xcode
  • Commands: Use Frida to simulate a jailbroken environment and test app behavior.

17. URL Scheme Vulnerabilities

Objective: Test for vulnerabilities related to URL schemes and deep linking.

  • Test: Check if URL schemes are vulnerable to manipulation or abuse.
  • Tools: Burp Suite, Frida
  • Commands: Test URL schemes and deep links for security flaws.

18. API Security

Objective: Ensure that APIs used by the app are secure and do not expose sensitive data.

  • Test: Test the security of APIs and their endpoints.
  • Tools: Burp Suite, Postman
  • Commands: Test API endpoints for authentication, authorization, and data exposure issues.

19. Cryptographic Implementations

Objective: Verify the correct implementation of cryptographic algorithms and data protection.

  • Test: Check for proper use of cryptographic functions and secure key management.
  • Tools: Frida, Cryptographic Analysis Tools
  • Commands: Analyze cryptographic implementations for weaknesses.

20. Error Handling

Objective: Ensure that error handling does not expose sensitive information or system details.

  • Test: Check how the app handles errors and whether any sensitive information is disclosed.
  • Tools: Burp Suite, Frida
  • Commands: Trigger errors and review the app’s responses for sensitive data.