This checklist provides a structured approach to iOS application penetration testing. Complete preparation steps first, then work through each category.

Preparation

  • Read iOS Basics to understand the iOS security model, sandboxing, Keychain, and data protection classes
  • Prepare your test environment (jailbroken device or Corellium, Frida/Objection installed)
  • Obtain the IPA file and install it on the test device
  • Perform initial analysis using MobSF static scan

Data Storage

Check all storage locations immediately after installing, after exercising all features, and after logging out and back in with a different account.
  • Plist files — check Library/Preferences/<bundleID>.plist for sensitive information stored via NSUserDefaults
  • Core Data (SQLite) — inspect at Library/Application Support/ for unencrypted sensitive data
  • YapDatabases (SQLite) — same directory as Core Data
  • Firebase — check for misconfigured Realtime Database unauthenticated access
  • Realm databases — find with find ./ -name "*.realm*", inspect with Realm Studio
  • Couchbase Lite — check Library/Application Support/
  • Binary cookies — inspect Library/Cookies/cookies.binarycookies with ios cookies get
  • Cache data — check Library/Caches/<BundleID>/Cache.db (WebKit and NSURLSession caches)
  • Automatic snapshots — check Library/Caches/Snapshots/ for sensitive screen captures
  • Keychain — dump with ios keychain dump (Objection) or Keychain-Dumper on jailbroken device
  • In summary: search for all sensitive information saved in the filesystem
    # Find all plist files
    find /private/var/mobile/Containers/Data/Application/{APPID}/ -name "*.plist"

    # Find SQLite databases
    find ./ -name "*.sqlite" -or -name "*.db"

    # Find Realm databases
    find ./ -name "*.realm*"
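The find commands above only locate files; the triage step that follows (open each plist and SQLite store and flag keys or columns that look like secrets) is shown here as an added example, not code from the original checklist. It builds a constructed stand-in for the app data container under a temp directory (hypothetical bundle id com.example.app) so it runs without a device; point scan_container at a pulled Containers/Data/Application/<APPID>/ directory for real use.

```python
import plistlib
import sqlite3
import tempfile
from pathlib import Path

# Key/column names that usually hold secrets or PII (constructed list; extend per app)
SENSITIVE = ("password", "token", "secret", "apikey", "session", "ssn")

def looks_sensitive(name):  # case-insensitive, ignores _ and - (api_key, Api-Key, apiKey)
    n = str(name).lower().replace("_", "").replace("-", "")
    return any(s in n for s in SENSITIVE)

def scan_plist(path):  # dotted key paths whose key name looks sensitive, nested containers included
    with open(path, "rb") as f:
        hits, stack = [], [("", plistlib.load(f))]
    while stack:
        prefix, obj = stack.pop()
        items = obj.items() if isinstance(obj, dict) else enumerate(obj) if isinstance(obj, list) else []
        for k, v in items:
            if looks_sensitive(k) and not isinstance(v, (dict, list)):
                hits.append(f"{prefix}{k}")
            stack.append((f"{prefix}{k}.", v))
    return sorted(hits)

def scan_sqlite(path):  # table.column names (every table) whose column name looks sensitive
    con = sqlite3.connect(path)
    tables = [r[0] for r in con.execute("SELECT name FROM sqlite_master WHERE type='table'")]
    hits = sorted(f"{t}.{c[1]}" for t in tables
                  for c in con.execute(f'PRAGMA table_info("{t}")') if looks_sensitive(c[1]))
    con.close()
    return hits

def scan_container(root):  # walk the app data container; relative path -> suspicious keys/columns
    findings = {}
    for p in Path(root).rglob("*"):
        hits = scan_plist(p) if p.suffix == ".plist" else scan_sqlite(p) if p.suffix in (".sqlite", ".db") else []
        if hits:
            findings[p.relative_to(root).as_posix()] = hits
    return findings

def build_sample_container():  # constructed stand-in for Containers/Data/Application/<APPID>/, not real app data
    root = Path(tempfile.mkdtemp())
    prefs = root / "Library/Preferences"; prefs.mkdir(parents=True)
    with open(prefs / "com.example.app.plist", "wb") as f:           # what NSUserDefaults writes
        plistlib.dump({"theme": "dark", "auth": {"sessionToken": "tok-123"}}, f)
    db = root / "Library/Application Support/app.sqlite"; db.parent.mkdir(parents=True)
    with sqlite3.connect(db) as con:                                    # Core Data style store
        con.execute("CREATE TABLE users(id INTEGER, email TEXT, password_hash TEXT)")
    con.close()
    return root
```

Name matching is a first pass only: a hit like users.password_hash still has to be opened to confirm what is actually stored, and Realm, Couchbase and binarycookies stores need their own readers.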

Keyboards & Cache

  • Does the application allow custom keyboards? Third-party keyboards may log keystrokes.
  • Check keyboard cache files at Library/Keyboard/{locale}-dynamic-text.dat for sensitive data in autocomplete suggestions
  • Sensitive input fields should set autocorrectionType = UITextAutocorrectionTypeNo and secureTextEntry = YES

Logs

  • Check if sensitive information is being logged via NSLog, NSAssert, fprintf, custom logging frameworks
  • Monitor device logs:
    idevice_id --list
    idevicesyslog -u <device_id> | grep <app_name>
    
  • Connect via Xcode: Window → Devices and Simulators → Open Console

Backups

  • Backups may include sensitive app data — create an iTunes/Finder backup and analyze it
  • Check Manifest.plist for IsEncrypted key
  • Test whether backup modification can bypass security controls (e.g., remove a PIN stored in a plist, restore, and observe bypass)
  • Critical files should use NSURLIsExcludedFromBackupKey to exclude from backups

Application Memory

  • Check for sensitive information in memory (passwords, tokens, PII)
  • Dump memory with Objection (memory dump all) or Fridump:
    strings memory > strings.txt
    rabin2 -ZZ memory > strings.txt
    
  • Use r2frida for real-time memory analysis without dumping:
    r2 frida://usb//<app_name>
    

Broken Cryptography

  • Check for hardcoded passwords or keys used for encryption
  • Check for deprecated/weak algorithms: RC4, MD4, MD5, SHA1
  • Use Objection to monitor crypto libraries:
    ios monitor crypt
    
  • Scan binary for weak hash functions:
    otool -Iv <app> | grep -w "_CC_MD5"
    otool -Iv <app> | grep -w "_CC_SHA1"
    

Local Authentication

  • Identify if local authentication is used (LocalAuthentication.framework, keychain biometrics)
  • If using LocalAuthentication.framework, try Objection biometrics bypass:
    ios ui biometrics_bypass
    
  • If using keychain-based auth, create a custom Frida script to hook evaluatePolicy
  • Detect framework usage:
    otool -L <AppName>.app/<AppName> | grep LocalAuthentication
    

Sensitive Functionality via IPC

  • Check if the app registers any URL scheme (check Info.plist for CFBundleURLTypes)
  • Check if the app receives sensitive data via the custom scheme that could be intercepted by another app registering the same scheme
  • Check if the app validates and sanitizes input from custom schemes
  • Check if sensitive actions are callable from anywhere via the scheme
  • Check if the app registers universal links (apple-app-site-association file)
  • Verify input validation on data received via universal links
  • Check the apple-app-site-association file for path patterns

UIPasteboard

  • Check if the app copies sensitive data to the general pasteboard
  • Monitor pasteboard for sensitive data exposure

WebViews

  • Identify which WebView types are used: UIWebView (deprecated), WKWebView, SFSafariViewController
  • Check status of javaScriptEnabled, JavaScriptCanOpenWindowsAutomatically, hasOnlySecureContent
  • Check if WebView can access local files with file:// (allowFileAccessFromFileURLs, allowUniversalAccessFromFileURLs)
  • Check if JavaScript can access native methods (JSContext, postMessage)

Network Communication

  • Perform MitM and search for web vulnerabilities in traffic
  • Check if the hostname of the certificate is verified
  • Check and attempt to bypass Certificate Pinning:
    # Objection
    ios sslpinning disable
    

Miscellaneous

  • Check for automatic patching/hot-updating mechanisms that bypass App Store review
  • Review third-party libraries for known CVEs
  • Check binary security properties:
    otool -hv <app-binary> | grep PIE         # PIE flag
    otool -I -v <app-binary> | grep stack_chk # Stack canaries
    otool -I -v <app-binary> | grep objc_release # ARC
    
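The PIE check above relies on otool. As an added example (not part of the original checklist), the following Python reads the mach_header flags directly and reports the PIE bit for every slice of a fat (universal) binary as well as for a thin one; it assumes 64-bit Mach-O images, and the constants are the values from mach-o/loader.h. build_sample_fat produces a constructed file with two bare headers so the check can be run offline.

```python
import struct

MH_MAGIC_64 = 0xFEEDFACF    # 64-bit Mach-O magic; a byte-swapped file reads as MH_CIGAM_64
FAT_MAGIC = 0xCAFEBABE      # universal (fat) binary magic; fat headers are always big-endian
MH_PIE = 0x200000           # mach_header.flags bit reported by `otool -hv` as PIE
CPU_TYPE_ARM64 = 0x0100000C
CPU_TYPE_X86_64 = 0x01000007

def mach_header(blob, offset=0):  # (cputype, flags) of the 64-bit Mach-O image at offset
    magic_le, = struct.unpack_from("<I", blob, offset)
    order = "<" if magic_le == MH_MAGIC_64 else ">"   # detect byte order from the magic
    magic, cputype, _sub, _ftype, _ncmds, _size, flags = struct.unpack_from(order + "7I", blob, offset)
    if magic != MH_MAGIC_64:
        raise ValueError(f"no 64-bit Mach-O header at offset {offset:#x}")
    return cputype, flags

def pie_status(blob):  # cputype -> PIE flag for each slice; handles thin and fat binaries
    if struct.unpack_from(">I", blob)[0] == FAT_MAGIC:
        nfat, = struct.unpack_from(">I", blob, 4)
        # fat_arch: cputype, cpusubtype, offset, size, align (20 bytes each, starting at byte 8)
        offsets = [struct.unpack_from(">5I", blob, 8 + 20 * i)[2] for i in range(nfat)]
    else:
        offsets = [0]
    status = {}
    for off in offsets:
        cputype, flags = mach_header(blob, off)
        status[cputype] = bool(flags & MH_PIE)
    return status

def build_sample_fat(pie_arm64=True, pie_x86=False):
    """Constructed fat file holding two bare Mach-O headers (no load commands); not a real app binary."""
    def header(cputype, flags):  # mach_header_64: magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags, reserved
        return struct.pack("<8I", MH_MAGIC_64, cputype, 0, 2, 0, 0, flags, 0)   # filetype 2 = MH_EXECUTE
    base = 0x85                                                                   # NOUNDEFS|DYLDLINK|TWOLEVEL
    arm = header(CPU_TYPE_ARM64, base | (MH_PIE if pie_arm64 else 0))
    x86 = header(CPU_TYPE_X86_64, base | (MH_PIE if pie_x86 else 0))
    blob = bytearray(192)
    blob[0:8] = struct.pack(">2I", FAT_MAGIC, 2)
    blob[8:28] = struct.pack(">5I", CPU_TYPE_ARM64, 0, 64, len(arm), 12)
    blob[28:48] = struct.pack(">5I", CPU_TYPE_X86_64, 0, 128, len(x86), 12)
    blob[64:64 + len(arm)] = arm
    blob[128:128 + len(x86)] = x86
    return bytes(blob)
```

Stack canaries and ARC are symbol-table checks (the stack_chk and objc_release imports), which this header-only parser does not cover; keep the otool -I -v commands for those.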
