name: ios-pentest description: "iOS mobile application penetration testing with Frida and Objection on jailbroken or non-jailbroken devices. Use for static + dynamic analysis of IPAs, SSL pinning / jailbreak / biometric bypass, keychain & local-storage extraction, network interception, and OWASP MASTG iOS assessments. Triggers on requests to pentest iOS apps, analyze IPAs, bypass iOS security controls, or produce MASTG-aligned findings."

iOS Mobile Application Penetration Testing

Thin router for an iOS app security assessment. Full OWASP MASTG coverage (recon → static → dynamic → network → storage → crypto → auth → reporting). Detailed runbooks live under workflows/ and methodology/; load them only when needed.

When to Use

New iOS application security assessment (IPA + installed app).
Bypass SSL pinning, jailbreak detection, biometric, anti-debug.
Extract and triage keychain / NSUserDefaults / files / SQLite.
Intercept and tamper HTTPS / gRPC / WebSocket traffic.
OWASP MASTG / MASVS compliance testing.
Analyze a decrypted or encrypted Mach-O binary.

Trigger Phrases

"pentest iOS app", "test this IPA", "bypass SSL pinning iPhone", "extract keychain", "MASTG iOS", "iOS jailbreak bypass", "analyze .ipa", "test iPhone app".

When NOT to Use This Skill

Android APK analysis → use android-pentest.
Generic web API testing for the backend → use web-pentest / api-pentest.
iOS source-code review (you have the repo) → use secure-code-review with iOS language packs.
macOS desktop app analysis → use macos-pentest.

Decision Tree

target acquired?
├── no binary yet → workflows/ipa_decryption.md
└── yes
    ├── need HTTPS visibility? → workflows/ssl_pinning_bypass.md
    ├── app exits on jailbroken device? → workflows/jailbreak_detection_bypass.md
    ├── hunting credentials/tokens? → workflows/keychain_extraction.md
    ├── testing login / biometric? → workflows/auth_testing.md
    └── full engagement → workflows/complete_assessment.md

Parallelism Hints

Run concurrently (independent I/O, no shared state):

class-dump -H App.app/App -o headers/
otool -L App.app/App and otool -hv App.app/App
strings -a App.app/App | grep ...
plutil -p App.app/Info.plist
Objection enumeration in a separate spawn.

Must run sequentially (shared Frida session / spawn state):

Frida --no-pause spawn → wait for bypass script to land → drive app → then attach further scripts.
Objection ios sslpinning disable → then any traffic-dependent command.
ideviceimagemounter → then frida-ps -U.
Keychain dump requires app launched at least once post-install.

Sub-Agent Delegation

Spawn a sub-agent when you can crisply isolate a scope:

Static-binary sub-agent — give it the decrypted App.app/, it runs class-dump + otool + strings + framework inventory in parallel, returns a structured summary of classes of interest, hardcoded secrets, and insecure API usage.
Keychain-extraction sub-agent — give it <bundle_id>, it runs objection ... keychain dump --json, classifies each entry by accessibility/ACL, emits findings per schemas/finding.json.
Optional: network-capture sub-agent driving Burp via proxy API while the main agent drives the UI.

Do not split Frida spawn + instrumentation across sub-agents — the Frida session is stateful and tied to one process.

Reasoning Budget

Use extended thinking for:

Interpreting decompiled Objective-C / Swift (Hopper / Ghidra / IDA output).
Designing custom Frida hooks when universal bypass fails.
Reasoning about cryptographic flow (key origin → cipher → storage).
MASVS severity triage when multiple subtle issues compound.

Skip extended thinking for:

Running canned Frida / Objection scripts from scripts/.
Parsing ios keychain dump --json output (pattern match).
otool / class-dump invocation and output collection.
File downloads, device enumeration, SSH pulls.

Multimodal Hooks

Mobile MCP (@anthropic/mobile-mcp --ios) provides iOS simulator / device UI automation:

Jailbreak-detection modal — screenshot the warning pre-bypass, then post-bypass absence, as evidence.screenshot.
Biometric prompt — capture Face ID / Touch ID sheet to prove the gate exists, then confirm bypass entered the protected screen.
App-switcher snapshot leak — screenshot the snapshot cache entry showing sensitive data on backgrounding.
WebView auth flow — capture the login redirect chain visually for SSO findings.

~/.claude/mcp.json:

{"mcpServers": {"mobile-mcp": {"command": "npx", "args": ["-y", "@anthropic/mobile-mcp", "--ios"]}}}

Structured Output

Emit every finding as JSON conforming to schemas/finding.json. iOS-specific fields: affected.bundle_id, affected.ios_version, affected.device_udid, affected.jailbroken, mastg_id, evidence.frida_pid, evidence.keychain_dump, evidence.screenshot.

Workflow Index

Workflow	File
Full assessment runbook	workflows/complete_assessment.md
SSL pinning bypass	workflows/ssl_pinning_bypass.md
Jailbreak-detection bypass	workflows/jailbreak_detection_bypass.md
Keychain extraction & triage	workflows/keychain_extraction.md
IPA decryption / acquisition	workflows/ipa_decryption.md
Auth & biometric testing	workflows/auth_testing.md

Methodology Index

Area	File
Recon	methodology/recon.md
Static analysis	methodology/static_analysis.md
Dynamic analysis	methodology/dynamic_analysis.md
Network testing	methodology/network_testing.md
Data storage	methodology/data_storage.md
Crypto testing	methodology/crypto_testing.md
Auth testing	methodology/auth_testing.md

Payloads Index

File	Purpose
payloads/jailbreak_detection_paths.txt	Common files/schemes iOS apps probe for jailbreak
payloads/url_scheme_tests.txt	URL scheme / deep-link test vectors

Frida Script Index (`scripts/`)

Script	Purpose
`ssl_pinning_bypass.js`	Universal SSL/TLS pinning bypass
`jailbreak_bypass.js`	Jailbreak detection bypass
`biometric_bypass.js`	Touch ID / Face ID bypass
`keychain_hooks.js`	Keychain operation monitoring
`crypto_hooks.js`	Cryptographic operation tracing
`method_tracer.js`	Generic Objective-C method tracer

References Index

File	Purpose
references/ios_vulns.md	iOS vuln classes, severity tables, MASVS map
references/troubleshooting.md	Frida / pinning / proxy issue triage
references/frida_ios_snippets.md	Reusable Frida code snippets
references/bounty_patterns_2024_2026.md	Post-2023 bounty TTPs (URL-scheme / Universal-Link hijack, WebView deep-link XSS, Keychain IAM-token insecurity)
checklists/owasp_mastg_ios.md	Full MASTG iOS checklist
templates/finding_report.md	Markdown finding template

Examples

File	Purpose
examples/initial_setup.md	First-contact blueprint
examples/ssl_bypass_run.md	Pinning-bypass blueprint
examples/keychain_dump.md	Keychain dump & triage blueprint

Tools

Tool	Purpose	Install
Frida / frida-tools	Dynamic instrumentation	`pip install frida-tools` (≥ 16.6)
Objection	Mobile exploration REPL	`pip install objection` (≥ 1.11)
libimobiledevice	Device communication	`brew install libimobiledevice`
ios-deploy	App deploy	`brew install ios-deploy`
ideviceinstaller	App install / list	`brew install ideviceinstaller`
class-dump	ObjC header extraction	`brew install class-dump`
frida-ios-dump	FairPlay decryption	`github.com/AloneMonkey/frida-ios-dump`
Burp Suite	HTTPS interception	PortSwigger
Hopper / IDA / Ghidra	Binary RE	Vendor / GitHub
Mobile MCP	UI automation + screen capture	`npx @anthropic/mobile-mcp --ios`

Prerequisites Quickcheck

Run before every engagement — fail fast if the lab is broken.

idevice_id -l               # at least one UDID listed
ideviceinfo | grep ProductVersion
frida-ps -U                 # frida-server reachable
objection -g <bundle_id> explore --startup-command 'ios info binary; exit'

Jailbroken setup: OpenSSH + Frida (Sileo repo build.frida.re) + AppSync Unified + Filza. Non-jailbroken fallback: patch IPA with objection patchipa to inject Frida Gadget, or mount the developer disk image with ideviceimagemounter.

Last Validated

2026-04. Frida ≥ 16.6, Objection ≥ 1.11, iOS 15–17 targets. For iOS 18+ jailbreak options shift to userspace-only (Dopamine/palera1n rootless) — SSH path is /var/jb/usr/bin/ssh and Frida server lives at /var/jb/usr/sbin/frida-server.

ios-pentest

SKILL.md