Basic iOS Apps Security Testing lab — 1

Hi Everyone, This is a continuous blog post for my — Basic security testing labs setup series. If you have not read those, I’ve embedded the link below.

I have collected the resources from many blog posts and included the updated part only. So, That I can use them whenever I am in need. Everyone else also can take reference from it.

When I was setting up the lab, I’ve read many articles but most of them are older and wrote by considering old iOS versions. So, In this post, I tried to add the latest tools and utilities available and tried to include only useful ones.

I am writing this blog post using the following hardware.

  • iPhone 6 — iOS 11.2.6

  • MacBook Pro — 10.13.6


  1. Disclaimer.
  2. Jailbreaking.
  3. Installing Tools and components on IOS device.
  4. Installing iOS Security Tools on MacOS
  5. External Tools/Apps Installation for iOS devices.
  6. Credits and References


This blog post is meant only for educational purposes and security research.

jailbreaking —

Jailbreaking will void the warranty of your device, you might lose all the data from the device, so be smart and please back up your data.

The jailbreaking method totally depends upon the iOS version, Please search online jailbreak for your version and responsibly jailbreak your device.

Using tools —

You should also be careful about the tools you are installing from Cydia or from outside. I will not responsible for anything unusable happened after using the following listed tools. BE SMART and analyze the tool before installing or using.

I recommend using the testing virtual machine to set up the lab and testing iOS device.

JailBreaking —

Jailbreaking is generally are of two types. Jailbreaking totally depends upon the iOS version your device is using.

Tethered — A tethered jailbreak requires the iOS to be connected to a computer when turned. If the iPhone is not connected to a computer and booted with special software the device will not enter the jailbroken state.

Un-Tethered — untethered jailbreaks do not require the computer. Everything required to enter the jailbroken state is contained on the iPhone.

I have used this guide to jailbreak my device.

Jailbreaking iPhone 6 with iOS 11.2.6

Checking your iOS version

Settings → General → About

I’ve used to download the Electra 11.3.1 app.

After downloading the app from the tweak box you should see the Electra app in your apps.

Open the App and “Enable Jailbreak”. your device will turn off and On multiple times.

After successful execution, you will see the Cydia in your apps.You might also require to repeat the process multiple times, to get the cydia installed.

Note — If you turn off your device, you need to enable the jailbreak again.

Cydia home page.

Installing Tools and components on IOS device.

  • BigBoss Recommended Tools.

This repo on Cydia contains most of the tools required for ios app security testing but due to some problem, I wasn’t able to install tools using it.

So, what I did, I manually downloading the useful tools only, I tried to add the basic information about the tools you should install. So, you have an idea about the tools you are installing.

Downloading tools from Cydia — iOS 11.2.6

  1. Network Commands — This will Install — arp, ifconfig, route and traceroute.
  • arp — Arp manipulates or displays the kernel’s IPv4 network neighbour cache. it can add entries to the table, delete one, or display the current content. ARP stands for Address Resolution Protocol, Which is used to find the address of a network neighbour for a given IPv4 address.

  • ifconfig — Ifconfig is used to configure or view the configuration of, a network interface.

  • route — Route is a command line tool that allows a user to view and configure there operating system’s routing table.

  • traceroute — Traceroute is a method of sending a packet and tracing the packet from its starting to ending location and showing each of the hops required to get to the location. Example tool: tracert

2. Bootstrap commands — Mach interface and stub generator.

3. Developer -cmds — Install (ctags, haxdump, rpcgen, unifdef)

  • ctags — Create tag files for source code.tag file allows items to be quickly and easily located.

  • hexdump — the hexdump utility is a filter which displays the specified files, or the standard input. If no files are specified, in a user-specified format.

  • rpcgen — The rpcgen command generates C code to implement a Remote Procedure Call (RPC) protocol. The input to the rpcgen command is a language similar to C language known as RPC language.

  • unifdef — The unifdef command is useful for removing ifdef lines from a file while otherwise leaving the file alone.

4. Diskdev-cmds — Install (mount, quota, fsck, fstyp, fdisk, tunefs)

  • mount — mount is a storage device filesystem available for use by the computers OS, Mounting a storage device such as drive, allow that drive to be available to the OS, which gives the ability to view, copy, and manage the files on the drive.

  • quota — disk quota management are permission given to admin that set limits on the user, workgroups, or other groups of storage spaces.

  • fsck — fsck (File System Check) is a program run on Linux or UNIX and their variants which checks the file system for any errors.

fsck functions in two modes.

  • interactive — interactive mode prompts the user each time it finds the error to determine whether or not the user wants to fix the error or continue without fixing.
  • Non-Interactive — This automatically corrects errors without prompting the user.

  • fstyp — Filesystem type is a statement used in a Unix or Linux environment that declares the file system type being used or specified. for example, hfs and swap is fstype

  • fdisk — fdisk is a partition table manipulator for Linux

  • tunefs — tunefs command is helpful to manipulate the filesystem parameters of an ext2, or ext3, or ext4 type file system

5. Erica utilities — A collection of command-line utilities for various purposes.

6. File-cmds —  Install (chflags, compress, ipcrm, ipcs, pax)

  • chflags — Change a file or folder’s flag.

  • compress — Compress compacts a file so that it becomes smaller. When compressing a file it will be replaced with a file with extension .z, while keeping all the same ownership modes.
  • ipcrm — ipcrm command can be used to remove an IPC object from the kernel.

  • ipcs — Ipcs shows information on the inter-process communication facilities for which the calling process has read access.

  • pax — Short for portable archive interchange, the pax command read, writes, and write, and write the lists of members of the archive file and copy directory hierarchies.

7. Gawk —  (GNU’s heavy-weight implementation of awk)

8. IOkit tools —  (ioalloccount, ioclasscount,ioreg)

  • ioalloccount — ioalloccount displays some accounting of memory allocation by IOkit Tool’s allocators, including object instances, in the kernel. useful for tracking leaks

  • ioclasscount — ioclasscount displays the instances count, offset by the number of subclasses that have at least one allocated, for the class specified.

9. Link identifier Editor — This program lets you manipulate the signature block in a Mach-O binary. Use -S to sign a binary from scratch and allocate its entitlements, -s to update the hashes on an existing binary or, -e to dump entitlements.

Other Important Utilities and tools.

10. Make — Dependency-based build environments.

11. Nano — completely free, modern clone of pico

12. Unrar — De-compresses files in rar format

13. Unzip — De-Compresses files in zip format

14. .Syslog Commandline — Enable/disable Syslog via cmd line. syslogon to enable, syslogoff to disable. Log to /var/log/syslog

15. Zip — Standard compression tool

16. OpenSSH — Secure remote access between machines.

17. OpenSSL — SSL library and cryptographic tools.

18. Apt 1.4 Strict  — The advanced packaging tool from Debian

19. Git  — Fast Content-addressable system

20. PreferencesLoader — PreferencesLoader is a MobileSubstrate based utility that allows developers to add entries to the settings up, Similar to the SettingsBundles that app store apps use.

21. AppList — Allows developers to query the list of installed apps and provide a preferences pane based on that information.

Exports displayIdentifier, displayName, icon, and small-con via a remote messaging center so that it’s easy to write a prefs pane that presents a list of apps.

Installing iOS Security Tools on MacOS

Installing iExplorer

iExplorer is the ultimate iPhone manager. It transfers music, messages, photos, files and everything else from any iPhone, iPod, iPad or iTunes backup to any Mac or PC computer. It’s lightweight, quick to install, free to try, and up to 70x faster and more resource efficient than the competition.

Downloading and uses of iExplorer.

iExplorer :

After installing the iExplorer, we have to connect the iOS device to macbook with cable.

Installed apps can be found using Apps tabs

We can also analyse the backups using iExplorer.

Installing Cydia Impactor —

Cydia Impactor is a GUI tool for working with mobile devices. It has features already, but is still very much a work-in-progress. It is developed by saurik.

Downloading & Installing Cydia Impactor. (Developers Account Required)

Cydia Impactor:

Note: Cydia requires your Apple id and password, using newly created Apple id is recommended.

Installing ipa applications in iPhone using Cydia Impactor.

Enter your Apple id credentials.

Enter your Apple id credentials.

I am getting the following error because I don’t have developers account.

Burp Suite Free/Pro — Downloading and configuring.

Burp Suite is the industry-leading intermediate proxy tool, which is having huge no of tools and utility required to perform pentesting or security audit.

Download —

Setting Proxy lister — Proxy → Options → Proxy Listener → Add

Bind to port: 1337

Bind to address : All interfaces (

Click “Ok”

Settings → wifi → (i) from connected network → Configure Proxy → Manual

Server :

Port: 1337

Visit: http://burp in Safari browser.

Click on “CA Certificate” to download the certificate and click “allow”.

Install the downloaded certificate.

Settings → about → Certificate Trust Settings

Enable the trust for the root certificate

Now, You should be able to intercept the HTTP and HTTPs traffic from the iOS device.

Installing Hopper

Hopper is an excellent modern disassembler, decompiler, and debugger. The control flow graph and pseudo code feature.

Installing IDA

IDA is a Windows, Linux or Mac OS X hosted multi-processor disassembler and debugger that offers so many features it is hard to describe them all. Just grab an evaluation version if you want a test drive.

External Tools/Apps Installation for iOS devices.

Commands you should know, before proceeding.

scp — Secure copy(scp) — scp allows files to be copied to, from, or between different hosts. It uses ssh for data transfer and provides the same authentication and same level of security as ssh.

uicache — Removing or update application logo from ui caches

ssh — Secure Shell, SSH (developed by SSH Communications Security Ltd.) is a secure protocol for remote logins. Using an SSH client, a user can connect to a server to transfer information in a more secure manner than other methods, such as telnet.

dpkg — Debian Package Manager, dpkg is a software package installation and management tool.

chmod — chmod is used to change the permissions of files or directories.

mv — The mv command moves, or renames, files and directories on your filesystem.

cp — The cp command is makes copies of files and directories.

SSH to the iOS device.

SSH is the secure shell used to connect to different machines.

  1. Finding the IP address of the device.

Settings → Connected Network → Click on (i)

IP address of the device —

2. Available Users on the iOS device.

mobile — default password — alpine

root — default password — alpine

3. Connecting as mobile and getting root privileges.

password=alpine // you should change it using passwd utility

Getting root privilege


password = alpine (you should also change it)

Changing Default Password


New password: Retype new password:

Installing Class-Dump

Class-dump —

Note: NOT supported in iOS 11, If you guys found working one, please let me know.

scp -r [email protected]:~
password: alpine (default)
ssh [email protected]  
password:alpine (default)

cd class-dump-z/iphone\_armv6
cp class-dump-z /usr/bin //copying class-dump-z to /usr/bin   

ERROR: sh:/usr/bin/class-dump-z: Bad CPU type in executable.

Unfortunately — Class-dump is also not supported by the iOS 11.2.6 :(

I’ve kept the installation instructions because maybe your version supports it.

Installing Clutch.

Clutch is a high-speed iOS decryption tool. Clutch supports the iPhone, iPod Touch, and iPad as well as all iOS version, architecture types, and most binaries.

Github Repository:

For installation instructions please refer to above Github repository.

Killall Xcode

git clone`  
cd Clutch` 
xcodebuild clean build

run the following command under the build directory.

scp -r Clutch [email protected]<Ip-address-of-ios-device>:~
scp -r Clutch [email protected]:~

ssh [email protected]  


cp Clutch /usr/bin


Installing Introspy iOS

Blackbox tool to help understand what an iOS application is doing at runtime and assist in the identification of potential security issues.


Download the Debian package from the above repository.

Copying the Debian file into the iOS device.

scp -r com.isecpartners.introspy-v0.5.1-iOS\_9.deb [email protected]:~

dpkg -i com.isecpartners.introspy-v0.5.1-iOS\_9.deb

Successfully installed.

Installing SSL KILL Switch 2

Blackbox tool to disable SSL certificate validation — including certificate pinning — within iOS and OS X Apps.

Github Repository —

scp -r com.nablac0d3.sslkillswitch2\_0.12.deb [email protected]:~

ssh [email protected]`1

dpkg -i com.nablac0d3.sslkillswitch2\_0.12.deb

Successfully installed.

Let’s talk about Damn Vulnerable iOS Application (DVIA)

Damn Vulnerable iOS App (DVIA) is an iOS application that is damn vulnerable. Its main goal is to provide a platform to mobile security enthusiasts/professionals or students to test their iOS penetration testing skills in a legal environment. Created By Prateek Gianchandani (@prateekg147).

Installing Damn Vulnerable iOS Application (Version -1)

Github Repository —

Download the .ipa file and Open with “Archive Utility‘.

You will have extracted folder and you will get payload folder with “DamnVulnerableIOSApp”.

We need to move this to the iOS device.

pwd // print work directory.


scp -r /Users/sahil/Desktop/ [email protected]:~

Password : alpine (default)

Password: alpine


password: alpine


mv /Applications/

cd /Applications

cd /

Giving root execution permission to DamnVulnerableIOSApp.

chmod +x DamnVulnerableIOSApp`

exit //changing from root to mobile`


After finishing “uicache”, You should be able to see the DVIA version-1 in your apps.

DVIA Version 2 Installation — Similar to Version 1

Github Repository:

Installation of the version 2 is also same, I recommend doing it because you will be more familiar with the process.

scp -r [email protected]:~

ssh [email protected]
password: alpine

password: alpine

ls //seeing the file is successfully copied into the device.

moving the from root directory to /Applications.

mv /Applications/

cd /Applications/DVIA-v2

Changing the executable permissions.

chmod** +x DVIA-v2


After finishing “uicache”, You should be able to see the DVIA version-1 in your apps.

File Explorer / iFile — Not supported in iOS 11.2.6

I got the iFile from the mega link provided in the following blog post.

Use the following iFile with your own risk, I don’t know it is from the trusted source or not.

scp -r [email protected]:~

mv** /Applications/

chmod** +x iFile


But. unfortunately, the devs have not updated the iFile app to work with iOS 11.

I’ve kept the installation instructions because maybe your version supports it.

If you guys find the working iFile app version for 11.2.6 let me know.

This post is getting too long and there many things to be added.

In the mean time you can learn from the intensive iOS security guide.

I’m planning to cover the following things in up coming posts.

  • Understanding the Architecture of the iOS application.
  • installing and Configuring Introspy iOS
  • SSL KILL Switch 2
  • Using iExplorer
  • Using Hopper and IDA
  • Using Clutch and Class-dump
  • Other tools installation and configurations.
  • Your Recommendations
  • Security Issues In Damn Vulnerable iOS application V-1
  1. Insecure Data Storage
  2. Jailbreak Detection
  3. Runtime Manipulation
  4. Sensitive information in memory
  5. Privacy detection
  6. Security Decision via untrusted input.
  7. Side channel Data leakage
  8. Transport Layer Security
  9. Client Side security
  10. Broken Cryptography
  11. Binary patching
  • Security Issues In Damn Vulnerable iOS application V-2
  1. Local Data Storage
  2. Jailbreak Detection
  3. Excessive Permissions
  4. Runtime Manipulation
  5. Anti anti Hooking/Debugging
  6. Binary Protection
  7. Touch/Face ID Bypass
  8. Phishing
  9. Side Channel Data leakage
  10. IPC issues
  11. Broken Cryptography
  12. WebView issues
  13. Network Layer Security
  14. Application Patching
  15. Sensitive Information is Memory
  16. Data Leakage to Third parties

Credits and References.

I do not own any tools and Utilities listed in this blogpost. Every tool belongs to their respective owners.

Prateek Gianchandani

DVIA (Damn Vulnerable iOS App) - A vulnerable iOS app for pentesting

Until next Time.

Written on September 22, 2018