
# IOS-AppSec

{% embed url="https://github.com/prateek147/DVIA-v2" %}

{% embed url="https://www.mobilehackinglab.com/course/free-ios-application-security-course" %}

**Analysis Tools**

Everything that can be useful when analyzing applications: individual libraries, modules for finding vulnerabilities, and whole frameworks and systems.

<details>

<summary>References</summary>

* [bagbak](https://github.com/ChiChou/bagbak)
* [PassionFruit](https://github.com/Swordfish-Security/awesome-ios-security/blob/main)
* [GrapeFruit](https://github.com/Swordfish-Security/awesome-ios-security/blob/main)
* [iOS Security Suite](https://github.com/securing/IOSSecuritySuite)
* [Blocking Jailbreak Detection Tweaks](https://ios.cfw.guide/blocking-jailbreak-detection/#tweaks)
* [NetworkSniffer](https://github.com/evilpenguin/NetworkSniffer)
* [Ghidra iOS kernelcache framework for reverse engineering](https://github.com/0x36/ghidra_kernelcache/)
* [frida-ios-dump](https://github.com/AloneMonkey/frida-ios-dump)
* [dumpdecrypted](https://github.com/stefanesser/dumpdecrypted)
* [Yet Yet Another Code Decrypter](https://github.com/DerekSelander/yacd)
* [xpcspy - Bidirectional XPC message interception and more](https://github.com/hot3eed/xpcspy)
* [checkra1n jailbreak](https://checkra.in/)
* [Frida](https://github.com/frida/frida/releases)
* [Objection - mobile exploration toolkit by Frida](https://github.com/sensepost/objection)
* [bfinject](https://github.com/BishopFox/bfinject)
* [iFunbox](http://www.i-funbox.com/)
* [libimobiledevice - library to communicate with the services of Apple iOS devices](https://www.libimobiledevice.org/)
* [iRET (iOS Reverse Engineering Toolkit)](https://www.veracode.com/sites/default/files/Resources/Tools/iRETTool.zip)
* [Burp Suite](https://portswigger.net/burp/communitydownload)
* [Cycript](https://cydia.saurik.com/api/latest/3)
* [iLEAPP - iOS Logs, Events, And Preferences Parser](https://github.com/abrignoni/iLEAPP)
* [Cutter - Free and Open Source RE Platform Powered by Radare2](https://cutter.re/)
* [decrypt0r - download and decrypt SecureROM](https://github.com/shinvou/decrypt0r)
* [Mobile-Security-Framework MobSF](https://github.com/MobSF/Mobile-Security-Framework-MobSF)
* [Runtime Mobile Security (RMS) - a web interface that helps you manipulate Android and iOS apps at runtime](https://github.com/m0bilesecurity/RMS-Runtime-Mobile-Security)
* [fridax](https://github.com/NorthwaveSecurity/fridax)
* [MOBEXLER](https://mobexler.com/)
* [Generate Malformed QRCodes](https://github.com/h0nus/QRGen)
* [Tool for Injecting Malicious Payloads Into Barcodes](https://github.com/huntergregal/scansploit)
* [AFL - american fuzzy lop](https://lcamtuf.coredump.cx/afl/)
* [Setup for iOS and Android Application Analysis](https://m2sup3rn0va.github.io/SiAAA/)
* [AES Killer (Burpsuite Plugin)](https://github.com/Ebryx/AES-Killer)
* [ReFlutter](https://github.com/ptswarm/reFlutter)
* [Lief](https://github.com/lief-project/LIEF)
* [Mobile Verification Toolkit](https://github.com/mvt-project/mvt)

</details>

#### Vulnerable Applications

This section covers various CTFs and how to solve them. They help you practice and understand which vulnerabilities iOS applications may contain and how to look for them. For now, the tasks and their walkthroughs are combined in a single list; when there are more of them, they can be split up (as is done for Android).

<details>

<summary>References</summary>

* [Myriam iOS](https://github.com/GeoSn0w/Myriam)
* [ExploitMe Mobile iPhone Labs](http://securitycompass.github.io/iPhoneLabs/)
* [OWASP: iGoat](https://github.com/hankbao/owasp-igoat)
* [Damn Vulnerable iOS App (DVIA)](https://github.com/prateek147/DVIA)
* [Damn Vulnerable iOS App (DVIA) v2](https://github.com/prateek147/DVIA-v2)
  * [DVIA Walkthrough](https://philkeeble.com/categories/#ios)
* [OWASP: OMTG-Hacking-Playground](https://github.com/OWASP/OMTG-Hacking-Playground)
* Magnet Virtual Summit 2020 CTF (iOS)
  * [writeup 1](https://www.stark4n6.com/2020/06/magnet-virtual-summit-2020-ctf-ios.html)
  * [writeup 2](https://dfir300.blogspot.com/2020/06/mvs2020ctf-write-up-ios.html)

</details>

#### Video

All videos related to iOS security are collected here. So far I have found only English-language material, but I hope Russian-language videos will be added in the future.

<details>

<summary>References</summary>

* [iOS Application Vulnerabilities and how to find them](https://www.youtube.com/watch?v=2CKrw7ErzCY)
* [Attacking iPhone XS Max](https://www.youtube.com/watch?v=8cOx7vfszZU&feature=youtu.be)
* [Behind the Scenes of iOS Security](https://www.youtube.com/watch?v=BLGFriOKz6U)
* [Analyzing and Attacking Apple Kernel Drivers](https://www.youtube.com/watch?v=07VqX4bbXTI)
* [Remotely Compromising iOS via Wi-Fi and Escaping the Sandbox](https://www.youtube.com/watch?v=bP5VP7vLLKo)
* [Demystifying the Secure Enclave Processor](https://www.youtube.com/watch?v=7UNeUT_sRos)
* [HackPac Hacking Pointer Authentication in iOS User Space](https://www.youtube.com/watch?v=DJFxhShJ6Ns)
* [iOS 10 Kernel Heap Revisited](https://www.youtube.com/watch?v=DNW6Im31lQo)
* [Recreating An iOS 0-Day Jailbreak Out Of Apple's Security Updates](https://www.youtube.com/watch?v=p512McKXukU)
* [Building Secure iOS Apps (You don't have to learn it the hard way!)](https://www.youtube.com/watch?v=b6LI6j_aJ9k)
* [The Worst Mobile Apps](https://www.youtube.com/watch?v=9JuBUpRPLRs)
* [Learn modding Unity apps and games with Frida](https://www.youtube.com/watch?v=KeWcZ-Dd6tA)

</details>

#### Articles

This block collects a variety of articles and materials on iOS, with Russian-language and English-language ones listed separately. Articles about Frida are in their own sub-block, since it is probably the most common framework for testing today, and it is useful to see how it is applied to real applications.

**Ru**

<details>

<summary>References</summary>

* [Your flashlight can send SMS](https://habr.com/ru/company/pt/blog/155937/)
* <https://medium.com/@sharp488/configure-xcode-ios-simulator-burpsuite-for-pentesting-on-macos-9abb8e7ab957>
* [The iPhone boot process. Part 1: Boot ROM](https://habr.com/ru/post/556582/)
* [Guide to reverse iOS app on the example of ExpressVPN](https://habr.com/ru/post/569034/)
* [Hacking and implementing your code into someone else’s iOS application](https://habr.com/ru/company/jugru/blog/570220/)
* [iOS App security: guide for beginners](https://habr.com/ru/company/wrike/blog/544754/)
* [Just for fun: How long does iOS survive before a jailbreak](https://habr.com/ru/company/swordfish_security/blog/525772/)
* <https://www.allysonomalley.com>

</details>

**En**

<details>

<summary>References</summary>

**Frida**

* [iOS Swift Anti-Jailbreak Bypass with Frida](https://syrion.me/blog/ios-swift-antijailbreak-bypass-frida/)
* [Gotta Catch 'Em All: Frida & jailbreak detection](https://www.romainthomas.fr/post/21-07-pokemongo-anti-frida-jailbreak-bypass/)
* [Beginning Frida: Learning Frida use on Linux and (just a bit on) Wintel and Android systems with Python and JavaScript (Frida, hooking, and other tools)](https://www.amazon.com/Beginning-Frida-Learning-Android-JavaScript/dp/B094ZQ1HHC)
* [Learning to Use Frida with a Unity App](https://github.com/kylesmile1103/Learn-Frida)

**Other**

* [iOS Write ups](https://github.com/writeups/iOS)
* [iOS Internals & Security Testing](https://rentry.co/newvw)
* [Hacking iOS Simulator with simctl and dynamic products](https://curvedlayer.com/2020/08/09/ios-simulator-plugin-simctl.html)
* [Psychic Paper](https://siguza.github.io/psychicpaper/)
* [Stealing your SMS messages with iOS 0day](https://wojciechregula.blog/post/stealing-your-sms-messages-with-ios-0day/)
* [Zero-day in Sign in with Apple](https://bhavukjain.com/blog/2020/05/30/zeroday-signin-with-apple/)
* [Return of the iOS Sandbox Escape: Lightspeed's Back in the Race](https://www.synacktiv.com/en/publications/return-of-the-ios-sandbox-escape-lightspeeds-back-in-the-race.html)
* [PIN Selection on Smartphones](https://this-pin-can-be-easily-guessed.github.io/)
* [A survey of recent iOS kernel exploits](https://googleprojectzero.blogspot.com/2020/06/a-survey-of-recent-ios-kernel-exploits.html)
* [Apple Two-Factor Authentication: SMS vs. Trusted Devices](https://blog.elcomsoft.com/2020/06/apple-two-factor-authentication-sms-vs-trusted-devices/)
* [Intercepting Flutter Traffic on iOS](https://blog.nviso.eu/2020/06/12/intercepting-flutter-traffic-on-ios/)
* [Snapchat detection on iOS](https://aeonlucid.com/Snapchat-detection-on-iOS/)
* [Writing an iOS Kernel Exploit from Scratch](https://secfault-security.com/blog/chain3.html)
* [The Four Ways to Deal with iPhone Backup Passwords](https://blog.elcomsoft.com/2020/07/4-ways-to-handle-iphone-backup-passwords/)
* [Extracting and Decrypting iOS Keychain: Physical, Logical and Cloud Options Explored](https://blog.elcomsoft.com/2020/08/extracting-and-decrypting-ios-keychain-physical-logical-and-cloud-options-explored/)
* [iOS Kernel Exploitation - One Byte to Rule Them All](https://googleprojectzero.blogspot.com/2020/07/one-byte-to-rule-them-all.html)
* [Modern iOS Application Security](https://www.infoq.com/presentations/ios-security/)
* [Reverse Engineering iOS Mobile Apps](https://www.bugcrowd.com/resources/webinars/reverse-engineering-ios-mobile-apps/)
* [KTRW: The journey to build a debuggable iPhone](https://media.ccc.de/v/36c3-10806-ktrw_the_journey_to_build_a_debuggable_iphone)
* [The One Weird Trick SecureROM Hates](https://media.ccc.de/v/36c3-11238-the_one_weird_trick_securerom_hates)
* [Tales of old untethering iOS 11 - Spoiler: Apple is bad at patching](https://media.ccc.de/v/36c3-11034-tales_of_old_untethering_ios_11)
* [Messenger Hacking: Remotely Compromising an iPhone through iMessage](https://media.ccc.de/v/36c3-10497-messenger_hacking_remotely_compromising_an_iphone_through_imessage)
* [Reverse Engineering the iOS Simulator's SpringBoard](https://vimeo.com/231806976)
* [Most usable tools for iOS testing](https://github.com/ansjdnakjdnajkd/iOS)
* [iOS-Security-Guides](https://github.com/0xmachos/iOS-Security-Guides)
* [Trust in Apple's Secret Garden: Exploring & Reversing Apple's Continuity Protocol (Slides)](https://i.blackhat.com/eu-19/Thursday/eu-19-Yen-Trust-In-Apples-Secret-Garden-Exploring-Reversing-Apples-Continuity-Protocol-3.pdf)
* [Apple Platform Security](https://manuals.info.apple.com/MANUALS/1000/MA1902/en_US/apple-platform-security-guide.pdf)
* [Mobile security, forensics & malware analysis with Santoku Linux](https://2013.appsecusa.org/2013/wp-content/uploads/2013/12/viaForensics-AppSecUSA-Nov-2013.pdf)
* [Stealing local files using Safari Web Share API](https://blog.redteam.pl/2020/08/stealing-local-files-using-safari-web.html?m=1)
* [CVE-2020-9964 - An iOS infoleak](https://muirey03.blogspot.com/2020/09/cve-2020-9964-ios-infoleak.html?m=1)
* [Attack Secure Boot of SEP](https://raw.githubusercontent.com/windknown/presentations/master/Attack_Secure_Boot_of_SEP.pdf)
* [iOS 14 Forensics: What Has Changed Since iOS 13.7](https://blog.elcomsoft.com/2020/09/ios-14-forensics-what-has-changed-since-ios-13-7/)
* [We Hacked Apple for 3 Months: Here's What We Found](https://samcurry.net/hacking-apple/)
* [Fun with XPC](https://medium.com/@ali.pourhadi/fun-with-xpc-153fd772d409)
* [Bypass Facebook SSL Certificate Pinning for iOS](https://www.cyclon3.com/bypass-facebook-ssl-certificate-pinning-for-ios)
* [Bypass Instagram SSL Certificate Pinning for iOS](https://www.cyclon3.com/bypass-instagram-ssl-certificate-pinning-for-ios)
* [ASLR & the iOS Kernel - How Virtual Address Spaces Are Randomised](https://bellis1000.medium.com/aslr-the-ios-kernel-how-virtual-address-spaces-are-randomised-d76d14dc7ebb)
* [iOS/macOS testing cheatsheet](https://github.com/ansjdnakjdnajkd/iOS)
* [M1ssing Register Access Controls Leak EL0 State](https://m1racles.com/)
* [Jailbroken iOS can't run macOS apps. I spent a week to find out why.](https://worthdoingbadly.com/macappsios/)
* [Quick Analysis for the SSID Format String Bug](https://blog.chichou.me/2021/06/20/quick-analysis-wifid/)
* [Unpatched iPhone Bug Allows Remote Device Takeover](https://threatpost.com/unpatched-iphone-bug-remote-takeover/167922/)
* Reverse Engineering Starling Bank
  * [Part I: Obfuscation Techniques](https://hot3eed.github.io/2020/07/30/starling_p1_obfuscations.html)
  * [Part II: Jailbreak & Debugger Detection, Weaknesses & Mitigations](https://hot3eed.github.io/2020/08/02/starling_p2_detections_mitigations.html)
* [ProtonMail : forensic decryption of iOS App](https://xperylab.medium.com/protonmail-forensic-decryption-of-ios-app-8e9ae9f50953)
* [iOS on QEMU](https://github.com/alephsecurity/xnu-qemu-arm64)
* [Proxying is not the way to monitor the network of your iOS mobile apps](https://twitter.com/ddouhine/status/1430881952559685633?s=28)
* [Forensic guide to iMessage, WhatsApp, Telegram, Signal and Skype data acquisition](https://blog.elcomsoft.com/2020/04/forensic-guide-to-imessage-whatsapp-telegram-signal-and-skype-data-acquisition/)
* [Malware Uses Corporate MDM as attack vector](https://research.checkpoint.com/2020/mobile-as-attack-vector-using-mdm/)
* [Mobexler Checklist](https://mobexler.com/checklist.htm)
* [Ad Fraud Spotted in Barcode Reader Malware Analysis](https://www.trendmicro.com/en_us/research/20/f/barcode-reader-apps-on-google-play-found-using-new-ad-fraud-technique.html)
* [Researching Confide Messenger Encryption](https://blog.elcomsoft.com/2020/06/researching-confide-messenger-encryption/)
* [Reverse Engineering Snapchat (Part I): Obfuscation Techniques](https://hot3eed.github.io/snap_part1_obfuscations.html)
* [Reverse Engineering Snapchat (Part II): Deobfuscating the Undeobfuscatable](https://hot3eed.github.io/2020/06/22/snap_p2_deobfuscation.html)
* [Firebase Cloud Messaging Service Takeover](https://abss.me/posts/fcm-takeover/)
* [Saying Goodbye to My Favorite 5 Minute P1](https://www.allysonomalley.com/2020/01/06/saying-goodbye-to-my-favorite-5-minute-p1/)
* [Reverse engineering Flutter apps (Part 1)](https://blog.tst.sh/reverse-engineering-flutter-apps-part-1/)
* [How I Hacked Facebook Again!](https://hitcon.org/2020/slides/How%20I%20Hacked%20Facebook%20Again!.pdf)
* [Instagram_RCE: Code Execution Vulnerability in Instagram App for Android and iOS](https://research.checkpoint.com/2020/instagram_rce-code-execution-vulnerability-in-instagram-app-for-android-and-ios/)
* [How to Use Ghidra to Reverse Engineer a Mobile Application](https://infosecwriteups.com/how-to-use-ghidra-to-reverse-engineer-mobile-application-c2c89dc5b9aa)
* [React Native Application Static Analysis](https://suam.wtf/posts/react-native-application-static-analysis-en/)
* [Pentesting Non-Proxy Aware Mobile Applications Without Root/Jailbreak](https://medium.com/@meshal_/pentesting-non-proxy-aware-mobile-applications-65161f62a965)
* [CVE-2021-30737 - Vulnerability Overview](http://phrack.org/issues/70/12.html#article)
  * [CVE-2021-30737, @xerub's 2021 iOS ASN.1 Vulnerability](https://googleprojectzero.blogspot.com/2022/04/cve-2021-30737-xerubs-2021-ios-asn1.html)
* [OWASP MSTG](https://github.com/OWASP/owasp-mstg/)
* [Full Mobile Hacking Course](https://mega.nz/folder/spoGDToC#zjYFlRAU7S06u5jSaQnvYw)
* [NowSecure Academy](https://academy.nowsecure.com/)

</details>

#### Courses

* <https://www.mobilehackinglab.com/course/free-ios-application-security-course>
* <https://www.youtube.com/playlist?list=PLwk2o8vr7P8Hu7xRPd2n8qxA3w8nP5OQP>

#### Collected Resources

{% embed url="https://habr.com/ru/companies/swordfish_security/articles/660179/#ios" %}

#### Checklists

{% embed url="https://book.hacktricks.wiki/en/mobile-pentesting/ios-pentesting-checklist.html" %}
