Dumping decrypted iOS application IPA binaries
iOS applications distributed via the App Store are encrypted using Apple's FairPlay DRM. During an audit, we must decrypt the binary to inspect its structure. We run the app on a jailbroken iOS device and dump the decrypted memory space to reconstruct the Mach-O binary file using tools like frida-ios-dump or bfdecrypt:
# Run frida-ios-dump to decrypt and packaging the application as IPA
python3 dump.py com.fintech.iosapp -o app_decrypted.ipa
# Load the decrypted Mach-O binary into Hopper or Ghidra for analysis Bypassing jailbreak detection and SSL pinning
Swift applications implement client-side checks to detect jailbroken devices and enforce SSL pinning (using libraries like TrustKit). We bypass these checks at runtime by intercepting calls to security APIs. Using Frida, we hook the system files checks (like checking for `/Applications/Cydia.app`) or class methods to force them to return clean states:
if (ObjC.available) {
// Hook and bypass a custom Swift Jailbreak detector class
const JailbreakDetector = ObjC.classes.JailbreakDetector;
Interceptor.attach(JailbreakDetector["- isDeviceJailbroken"].implementation, {
onLeave: function (retval) {
console.log("[iOS Audit] Bypassing iOS jailbreak verification check.");
retval.replace(ptr("0x0")); // Force return false
}
});
} Extracting secrets from iOS Keychain storage
The iOS Keychain is the secure place to store persistent secrets. However, if the device is jailbroken, the Keychain is accessible. During a penetration test, we execute scripts that interface with the Security framework to dump all Keychain items associated with the application's access group:
# Connect via SSH to jailbroken iPhone and dump keychain entries
ssh root@192.168.1.50
cd /tmp
./keychain_dumper -a The Fix: Bind highly sensitive operations to biometric credentials by setting the kSecAccessControlBiometryAny or kSecAccessControlBiometryCurrentSet flags on Keychain entries. This forces the Secure Enclave to verify biometric presence before releasing the secret token.
Insecure temp storage (Pasteboard and Snapshots)
We audit how the iOS application handles temporary data. Common findings include:
- Pasteboard Leakage: App failing to clear the general pasteboard after copying sensitive data (e.g., wallet recovery phrases), exposing it to other installed apps.
- Background Screen Snapshots: When an app goes to the background, iOS takes a snapshot of the screen. If sensitive transaction data or balances are visible, the snapshot is cached on disk. Developers must mask the screen before background transitions.
Decrypted access token leaked in plist file
During an audit of an iOS Swift investment application, we inspected the app sandbox folder at `/var/mobile/Containers/Data/Application/` after completing a transaction. We found the user's active API authorization token and full name written to a standard plist preferences file. Fix priority: high. Remediated by migrating the authorization token to the Keychain and deleting the plist entries.
Building an iOS mobile application in Swift? Schedule a security review.
Book an iOS Swift PentestFrequently asked questions
How does iOS Keychain security get bypassed during a pentest?
On jailbroken devices, we use tools like Keychain-Dumper or Frida scripts to query the SQLite keychain database directly, dumping all stored passwords, access tokens, and certificates.
What is the security risk of storing data in plist files?
Properties list (plist) files are stored in plain text xml/binary format inside the application sandbox. If session tokens or personal details are written here, they can be read by anyone with physical access to the device or sandbox access.
Can Swift applications prevent jailbreak detection bypass?
No. Jailbreak detection is a client-side check. We locate jailbreak validation functions in the compiled Swift binary and use Frida to force them to return false, allowing the app to run on compromised devices.
Related reading
Blog: React Native pentesting guide · Flutter security checklist · Hardcoded key leaks
Services: Mobile penetration testing · Secure architecture review