
iOS Pentesting Tricks
Run Frida and Objection hook recipes on iOS builds to bypass jailbreak checks and inspect auth classes during mobile security review.
Overview
iOS Pentesting Tricks is an agent skill for the Ship phase that supplies Frida recipes, Objection references, and iOS runtime hooking patterns for mobile security testing.
Install
npx skills add https://github.com/yaklang/hack-skills --skill ios-pentesting-tricks
What is this skill?
- Frida JavaScript recipes for ObjC class and method enumeration filtered by auth/login/token keywords
- Comprehensive jailbreak detection bypass hook patterns for common iOS paths and libraries
- Objection command reference companion to the main iOS pentesting SKILL.md methodology
- Reusable runtime hooking templates assuming core iOS testing workflow is already loaded
Adoption & trust: 1.1k installs on skills.sh; 980 GitHub stars; 1/3 security scanners passed (skills.sh audits).
What problem does it solve?
You know you need dynamic iOS tests but rewriting Frida enumerators and jailbreak bypass hooks from scratch burns hours on every audit.
Who is it for?
Developers or security freelancers performing authorized iOS app assessments with Frida/Objection already in the toolchain.
Skip if: Builders with no mobile binary to test, no legal authorization to instrument the app, or beginners who have not loaded the main iOS pentesting SKILL.md first.
When should I use this skill?
Load when you need Frida recipes for iOS-specific hooks, Objection command reference, or runtime hooking pattern templates after the main iOS pentesting SKILL.md is loaded.
What do I get? / Deliverables
You get ready-to-adapt Frida scripts and Objection workflows to probe auth surfaces and anti-tamper checks on a running iOS app.
- Adapted Frida hook scripts
- Enumerated class/method lists for auth-related surfaces
- Documented bypass or detection test results
How it compares
Recipe appendix for dynamic iOS hooks—not a full methodology skill and not a cloud SAST scanner.
Common Questions / FAQ
Who is ios-pentesting-tricks for?
Solo security engineers and indie mobile devs doing authorized runtime analysis on iOS apps with Frida or Objection.
When should I use ios-pentesting-tricks?
During Ship security reviews before release, when reproducing pentest findings, or when hardening jailbreak and integrity checks on an IPA you own or are contracted to test.
Is ios-pentesting-tricks safe to install?
The skill text describes offensive-style hooks meant only for apps you may test; confirm scope and review the Security Audits panel on this Prism page before installation.
SKILL.md
# iOS Runtime Tricks — Frida Recipes, Objection Reference & Hooking Patterns

> **AI LOAD INSTRUCTION**: Load this when you need Frida recipes for iOS-specific hooks, Objection command reference, or runtime hooking pattern templates. Assumes the main [SKILL.md](./SKILL.md) is already loaded for general iOS testing methodology.

---

## 1. FRIDA RECIPES FOR iOS

### 1.1 ObjC Class Enumeration

```javascript
// List all classes containing a keyword
Java.perform || true; // NOP for iOS
ObjC.enumerateLoadedClasses({
  onMatch: function(name) {
    if (name.toLowerCase().indexOf('auth') !== -1 ||
        name.toLowerCase().indexOf('login') !== -1 ||
        name.toLowerCase().indexOf('token') !== -1) {
      console.log('[Class] ' + name);
    }
  },
  onComplete: function() {
    console.log('[+] Class enumeration done');
  }
});
```

### 1.2 Method Enumeration for a Class

```javascript
// List all methods of a specific class
var className = 'AppDelegate';
var methods = ObjC.classes[className].$ownMethods;
console.log('[' + className + '] Methods (' + methods.length + '):');
methods.forEach(function(method) {
  console.log(' ' + method);
});
```

### 1.3 Jailbreak Detection Bypass

```javascript
// Comprehensive jailbreak detection bypass for iOS
var paths = [
  '/Applications/Cydia.app',
  '/usr/sbin/sshd',
  '/bin/bash',
  '/usr/bin/ssh',
  '/etc/apt',
  '/private/var/lib/apt/',
  '/usr/local/bin/cycript',
  '/usr/lib/libcycript.dylib',
  '/var/lib/cydia',
  '/var/cache/apt',
  '/var/lib/apt',
  '/Library/MobileSubstrate/MobileSubstrate.dylib',
  '/private/var/stash',
  '/.cydia_no_stash',
  '/Applications/Sileo.app',
  '/var/jb'
];

// Hook NSFileManager
var fm = ObjC.classes.NSFileManager;
Interceptor.attach(fm['- fileExistsAtPath:'].implementation, {
  onEnter: function(args) {
    this.path = ObjC.Object(args[2]).toString();
  },
  onLeave: function(retval) {
    for (var i = 0; i < paths.length; i++) {
      if (this.path === paths[i]) {
        retval.replace(ptr(0));
        console.log('[JB Bypass] fileExistsAtPath blocked: ' + this.path);
        return;
      }
    }
  }
});

// Hook canOpenURL (Cydia URL scheme check)
var app = ObjC.classes.UIApplication;
Interceptor.attach(app['- canOpenURL:'].implementation, {
  onEnter: function(args) {
    this.url = ObjC.Object(args[2]).toString();
  },
  onLeave: function(retval) {
    if (this.url.indexOf('cydia://') !== -1 ||
        this.url.indexOf('sileo://') !== -1) {
      retval.replace(ptr(0));
      console.log('[JB Bypass] canOpenURL blocked: ' + this.url);
    }
  }
});

// Hook fopen for /etc/fstab, /bin/sh checks
var fopen = Module.findExportByName(null, 'fopen');
Interceptor.attach(fopen, {
  onEnter: function(args) {
    this.path = args[0].readUtf8String();
  },
  onLeave: function(retval) {
    if (this.path === '/bin/sh' ||
        this.path === '/etc/fstab' ||
        this.path === '/bin/bash') {
      retval.replace(ptr(0));
    }
  }
});

// Hook fork() — should return -1 on non-jailbroken
var fork = Module.findExportByName(null, 'fork');
Interceptor.attach(fork, {
  onLeave: function(retval) {
    retval.replace(ptr(-1));
    console.log('[JB Bypass] fork() → -1');
  }
});

console.log('[+] Jailbreak detection bypass installed');
```

### 1.4 SSL Pinning Bypass (iOS-Specific)

```javascript
// Hook SecTrustEvaluateWithError (iOS 12+)
var SecTrustEvaluateWithError = Module.findExportByName('Security', 'SecTrustEvaluateWithError');
if (SecTrustEvaluateWithError) {
  Interceptor.attach(SecTrustEvaluateWithError, {
    onLeave: function(retval) {
      retval.replace(ptr(1)); // Return true (trusted)
    }
  });
}

// Hook SecTrustEvaluate (legacy)
var SecTrustEvaluate = Module.findExportByName('Security', 'SecTrustEvaluate');
if (SecTrustEvaluate) {
  Interceptor.attach(SecTrustEvaluate, {