iOS Pentesting without Jailbreak
tip
Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the Discord group or the telegram group or follow us on Twitter @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Main idea
Applications signed with the entitlement get-task-allow allow third-party applications to call task_for_pid() with the process ID of the target application as argument in order to obtain its task port (and therefore control the process and read or write its memory).
However, it's not as easy as just pulling the IPA, re-signing it with the entitlement, and pushing it back to your device. This is because of FairPlay protection: when the signature of the app changes, the DRM (Digital Rights Management) key is invalidated and the app won't work.
With an old jailbroken device, it's possible to install the IPA, decrypt it using your favourite tool (such as Iridium or frida-ios-dump), and pull it back off the device. However, if possible, it's recommended to just ask the client for the decrypted IPA.
Obtain decrypted IPA
Get it from Apple
- Install the app to pentest on the iPhone.
- Install and launch Apple Configurator on your macOS machine.
- Open Terminal on your Mac and cd to `/Users/[username]/Library/Group\ Containers/K36BKF7T3D.group.com.apple.configurator/Library/Caches/Assets/TemporaryItems/MobileApps`. The IPA will appear in this folder later.
- You should see your iOS device. Double-click on it, and then click Add + → Apps from the top menu bar.
- After clicking Add, Configurator will download the IPA from Apple and attempt to push it to your device. If you followed the recommendation above and installed the IPA already, a prompt asking you to reinstall the app will appear.
- The IPA should now be present inside `/Users/[username]/Library/Group\ Containers/K36BKF7T3D.group.com.apple.configurator/Library/Caches/Assets/TemporaryItems/MobileApps`, from where you can grab it.
Check https://dvuln.com/blog/modern-ios-pentesting-no-jailbreak-needed for more detailed information about this process.
Decrypting the app
In order to decrypt the IPA we are going to install it on a jailbroken device. However, if you have an old jailbroken iPhone, potentially its iOS version is not going to be supported by the application, as apps usually only support the latest versions.
So, in order to install it, just unzip the IPA:
```bash
unzip redacted.ipa -d unzipped
```
Check the Info.plist for the minimum supported version and, if your device is older than that, change the value so your device is supported.
Zip back the IPA:
```bash
cd unzipped
zip -r ../no-min-version.ipa *
```
Then, install the IPA for example with:
```bash
ideviceinstaller -i no-min-version.ipa -w
```
Note that you might need the AppSync Unified tweak from Cydia to prevent any invalid signature errors.
Once installed, you can use the Iridium tweak from Cydia in order to obtain the decrypted IPA.
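The minimum-version patch above done as a script, as an added example that is not part of the original page: it reads `MinimumOSVersion` (the Info.plist key that holds the minimum supported iOS version) from the IPA, lowers it only when the device really is older than the app requires, and writes every other archive member back unchanged. The IPA it builds for demonstration is a constructed stand-in, not a real app.

```python
import io
import plistlib
import zipfile

# Constructed sample: a minimal IPA layout with only the Info.plist that matters.
# A real IPA also carries the Mach-O, frameworks and resources; they are copied unchanged.
def build_sample_ipa(min_os="17.0"):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/Target.app/Info.plist", plistlib.dumps(
            {"CFBundleIdentifier": "com.example.target", "MinimumOSVersion": min_os}))
        z.writestr("Payload/Target.app/Target", b"\xcf\xfa\xed\xfe")  # placeholder, not a real Mach-O
    return buf.getvalue()

def _version_tuple(v):
    return tuple(int(x) for x in v.split("."))

def lower_min_os(ipa_bytes, device_ios):
    """Return (new_ipa_bytes, old_min, new_min). Rewrites MinimumOSVersion only when the
    device runs an older iOS than the app declares; every other member is copied byte for byte."""
    src = zipfile.ZipFile(io.BytesIO(ipa_bytes))
    plist_name = next(n for n in src.namelist()
                      if n.startswith("Payload/") and n.endswith(".app/Info.plist") and n.count("/") == 2)
    info = plistlib.loads(src.read(plist_name))
    old_min = info.get("MinimumOSVersion", "0")
    if _version_tuple(old_min) <= _version_tuple(device_ios):
        return ipa_bytes, old_min, old_min  # already supported, nothing to patch
    info["MinimumOSVersion"] = device_ios
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            data = plistlib.dumps(info) if item.filename == plist_name else src.read(item)
            dst.writestr(item, data)
    return out.getvalue(), old_min, device_ios

def read_min_os(ipa_bytes):
    """Helper used to verify the result: the MinimumOSVersion currently stored in the IPA."""
    src = zipfile.ZipFile(io.BytesIO(ipa_bytes))
    name = next(n for n in src.namelist() if n.endswith(".app/Info.plist"))
    return plistlib.loads(src.read(name))["MinimumOSVersion"]

if __name__ == "__main__":
    patched, old, new = lower_min_os(build_sample_ipa("17.0"), "15.4.1")
    print(f"MinimumOSVersion {old} -> {new}")
    with open("no-min-version.ipa", "wb") as f:
        f.write(patched)
```

Replace `build_sample_ipa(...)` with the bytes of the real IPA and pass the jailbroken device's iOS version; the resulting file is then installed with ideviceinstaller as above.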
Patch entitlements & re-sign
In order to re-sign the application with the get-task-allow entitlement there are several tools available, such as app-signer, codesign, and iResign. app-signer has a very user-friendly interface that allows you to easily re-sign an IPA file by indicating the IPA to re-sign, the get-task-allow entitlement to add, and the certificate and provisioning profile to use.
Regarding the certificate and signing profiles, Apple offers free developer signing profiles for all accounts through Xcode. Just create an app and configure one. Then, configure the iPhone to trust the developer apps by navigating to Settings → Privacy & Security, and click on Developer Mode.
With the re-signed IPA, it's time to install it in the device to pentest it:
```bash
ideviceinstaller -i resigned.ipa -w
```
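What the re-signing tools do under the hood, as an added example that is not code from the page or from any of the tools it names: take the entitlements a development provisioning profile grants, force `get-task-allow` on, check that the profile's `application-identifier` actually covers the bundle id being signed, and assemble the corresponding `codesign` invocation. The profile bytes are a constructed stand-in (a plist wrapped in dummy bytes where the CMS signature would be) and the signing identity is a placeholder.

```python
import plistlib
import shlex

# Constructed sample: the embedded plist of a development provisioning profile, wrapped in
# dummy bytes standing in for the CMS signature that surrounds it in a real .mobileprovision.
SAMPLE_PROFILE = (b"\x30\x82\x0b\x00\x06\x09*\x86H\x86\xf7\r\x01\x07\x02"
    + plistlib.dumps({
        "Name": "Pentest Dev Profile",
        "TeamIdentifier": ["TEAM123456"],
        "Entitlements": {
            "application-identifier": "TEAM123456.com.example.target",
            "com.apple.developer.team-identifier": "TEAM123456",
            "get-task-allow": True,
            "keychain-access-groups": ["TEAM123456.*"],
        },
    })
    + b"\x00" * 16)

def profile_plist(raw):
    """Pull the XML plist out of a .mobileprovision without verifying the CMS envelope
    (what `security cms -D` does properly on macOS)."""
    start = raw.index(b"<?xml")
    end = raw.index(b"</plist>") + len(b"</plist>")
    return plistlib.loads(raw[start:end])

def build_entitlements(raw, bundle_id):
    """Entitlements to pass to codesign: the profile's own entitlements with get-task-allow
    forced on. Raises if the profile does not cover this bundle id (a common signing failure)."""
    ents = dict(profile_plist(raw)["Entitlements"])
    app_id = ents["application-identifier"]
    team, _, pattern = app_id.partition(".")
    if pattern != "*" and pattern != bundle_id:
        raise ValueError(f"profile app id {app_id!r} does not match {bundle_id}")
    ents["application-identifier"] = f"{team}.{bundle_id}"
    ents["get-task-allow"] = True
    return ents

def codesign_command(identity, ents_path, app_path):
    """The codesign call the GUI tools run for the .app bundle (flags are real codesign options)."""
    return " ".join(shlex.quote(a) for a in
        ["codesign", "--force", "--sign", identity, "--entitlements", ents_path, app_path])

if __name__ == "__main__":
    ents = build_entitlements(SAMPLE_PROFILE, "com.example.target")
    with open("entitlements.plist", "wb") as f:
        f.write(plistlib.dumps(ents))
    # Placeholder identity: use the name shown by `security find-identity -p codesigning`.
    print(codesign_command("Apple Development: pentester@example.com (PLACEHOLDER)",
                           "entitlements.plist", "Payload/Target.app"))
```

The profile itself still has to be copied into the bundle as `embedded.mobileprovision` before signing; the GUI tools do that step for you.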
Enable Developer Mode (iOS 16+)
Since iOS 16 Apple introduced Developer Mode: any binary that carries get-task-allow or is signed with a development certificate will refuse to launch until Developer Mode is enabled on the device. You will also not be able to attach Frida/LLDB unless this flag is on.
- Install or push any developer-signed IPA to the phone.
- Navigate to Settings → Privacy & Security → Developer Mode and toggle it on.
- The device will reboot; after entering the passcode you will be asked to Turn On Developer Mode.
Developer Mode remains active until you disable it or wipe the phone, so this step only needs to be performed once per device. Apple documentation explains the security implications.
Modern sideloading options
There are now several mature ways to sideload and keep re-signed IPAs up-to-date without a jailbreak:
Tool | Requirements | Strengths | Limitations |
---|---|---|---|
AltStore 2 / SideStore | macOS/Windows/Linux companion that re-signs the IPA every 7 days with a free dev profile | Automatic reload over Wi-Fi, works up to iOS 17 | Needs computer on the same network, 3-app limit imposed by Apple |
TrollStore 1/2 | Device on iOS 14 to 15.4.1 vulnerable to the CoreTrust bug | Permanent signing (no 7-day limit); no computer required once installed | Not supported on iOS 15.5+ (bug patched) |
For routine pentests on current iOS versions, AltStore/SideStore are usually the most practical choice.
Hooking / dynamic instrumentation
You can hook your app exactly as on a jailbroken device once it is signed with get-task-allow and Developer Mode is on:
```bash
# Spawn & attach with objection
objection -g "com.example.target" explore
# Or plain Frida
frida -U -f com.example.target -l my_script.js --no-pause
```
Recent Frida releases (>=16) automatically handle pointer authentication and other iOS 17 mitigations, so most existing scripts work out-of-the-box.
Automated dynamic analysis with MobSF (no jailbreak)
MobSF can instrument a dev-signed IPA on a real device using the same technique (get-task-allow) and provides a web UI with filesystem browser, traffic capture and Frida console. The quickest way is to run MobSF in Docker and then plug your iPhone in via USB:
```bash
docker pull opensecurity/mobile-security-framework-mobsf:latest
docker run -p 8000:8000 --privileged \
  -v /var/run/usbmuxd:/var/run/usbmuxd \
  opensecurity/mobile-security-framework-mobsf:latest
# Browse to http://127.0.0.1:8000 and upload your resigned IPA
```
MobSF will automatically deploy the binary, enable a Frida server inside the app sandbox and generate an interactive report.
iOS 17 & Lockdown Mode caveats
- Lockdown Mode (Settings → Privacy & Security) blocks the dynamic linker from loading unsigned or externally signed dynamic libraries. When testing devices that might have this mode enabled, make sure it is disabled or your Frida/objection sessions will terminate immediately.
- Pointer Authentication (PAC) is enforced system-wide on A12+ devices. Frida ≥16 transparently handles PAC stripping; just keep both frida-server and the Python/CLI toolchain up-to-date when a new major iOS version ships.
References
- https://dvuln.com/blog/modern-ios-pentesting-no-jailbreak-needed
- Apple developer documentation, Enabling Developer Mode on a device: https://developer.apple.com/documentation/xcode/enabling-developer-mode-on-a-device
- Mobile Security Framework (MobSF): https://mobsf.github.io/Mobile-Security-Framework-MobSF/