Performs comprehensive iOS application security assessments using Frida for dynamic instrumentation, Objection for runtime exploration, SSL pinning bypass for traffic interception, keychain extraction for credential analysis, and IPA static analysis for binary-level review. Use when conducting authorized iOS penetration tests, evaluating mobile app security posture against OWASP MASTG, or assessing iOS app data protection and transport security controls. Activates for requests involving iOS app pentesting, Frida-based iOS instrumentation, mobile app SSL pinning bypass, or IPA reverse engineering.
Works with
AI-first code editor with Composer
Before installing skills in Cursor, ensure your development environment meets these requirements:
node --versionperforming-ios-app-security-assessmentExecute the skills CLI command in your project's root directory to begin installation:
Fetches performing-ios-app-security-assessment from mukul975/Anthropic-Cybersecurity-Skills and configures it for Cursor.
The CLI shows a list of agents. Use arrow keys and space to select Cursor:
Confirm successful installation by checking the skill directory location:
Restart Cursor to activate performing-ios-app-security-assessment. Access via /performing-ios-app-security-assessment in your agent's command palette.
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your environment. Always review source, verify the publisher, and test in isolation before production.
Submit your Claude Code skill and start earning
Automate repetitive workflows and reduce manual effort
Example
Generate reports, summarize documents, draft communications
Save 3-5 hours per week on routine tasks
Learn new skills, understand complex topics, get expert guidance
Example
Explain concepts, provide examples, suggest learning resources
Accelerate learning and skill development by 2x
Enhance output quality through reviews, suggestions, and refinements
Example
Review drafts, suggest improvements, catch errors
Improve work quality by 30-40% with less effort
1
total installs
1
this week
8.6K
GitHub stars
0
upvotes
Run in your terminal
1
installs
1
this week
8.6K
stars
| name | performing-ios-app-security-assessment |
| description | 'Performs comprehensive iOS application security assessments using Frida for dynamic instrumentation, Objection for runtime exploration, SSL pinning bypass for traffic interception, keychain extraction for credential analysis, and IPA static analysis for binary-level review. Use when conducting authorized iOS penetration tests, evaluating mobile app security posture against OWASP MASTG, or assessing iOS app data protection and transport security controls. Activates for requests involving iOS app pentesting, Frida-based iOS instrumentation, mobile app SSL pinning bypass, or IPA reverse engineering. ' |
| domain | cybersecurity |
| subdomain | mobile-security |
| author | mukul975 |
| tags | - mobile-security - ios - frida - objection - ssl-pinning - keychain - ipa-analysis - owasp-mastg |
| version | 1.0.0 |
| license | Apache-2.0 |
| nist_csf | - PR.PS-01 - PR.AA-05 - ID.RA-01 - DE.CM-09 |
This skill is intended for authorized security testing, penetration testing engagements, CTF competitions, and educational purposes only. Unauthorized access to applications or devices is illegal. Always obtain written authorization before performing any security assessment. Misuse of these techniques may violate computer fraud and abuse laws in your jurisdiction.
Use this skill when:
Do not use against applications without explicit written authorization. Do not use on production devices containing real user data unless the engagement scope permits it.
pip install frida-tools fridapip install objectionExtract and analyze the IPA binary before runtime testing:
# Unzip IPA for static analysis
unzip target.ipa -d target_app/
# Check binary architectures and protections
otool -hv target_app/Payload/*.app/AppExecutable
otool -l target_app/Payload/*.app/AppExecutable | grep -A4 LC_ENCRYPTION
# Extract Info.plist for entitlements and URL schemes
plutil -p target_app/Payload/*.app/Info.plist
# Search for hardcoded secrets in binary strings
strings target_app/Payload/*.app/AppExecutable | grep -iE "api[_-]?key|secret|password|token|firebase"
# Check embedded provisioning profile
security cms -D -i target_app/Payload/*.app/embedded.mobileprovision
# Identify linked frameworks
otool -L target_app/Payload/*.app/AppExecutable
# For jailbroken device: verify Frida server is running
frida-ps -U
# Spawn target app with Frida
frida -U -f com.target.app --no-pause
# For non-jailbroken device: patch IPA with Frida Gadget
objection patchipa --source target.ipa --codesign-signature "Apple Development: [email protected]"
# Install patched IPA
ideviceinstaller -i target-patched.ipa
# Attach Objection to running app
objection --gadget "com.target.app" explore
Bypass certificate pinning to enable traffic interception:
# Using Objection's built-in bypass
objection --gadget "com.target.app" explore --startup-command "ios sslpinning disable"
# Using Frida script for more comprehensive bypass
frida -U -f com.target.app -l ssl_pinning_bypass.js --no-pause
# Verify bypass by configuring device proxy to Burp Suite
# Device Settings -> Wi-Fi -> HTTP Proxy -> Manual -> <burp_ip>:8080
# Install Burp CA certificate on device via http://<burp_ip>:8080/cert
The Frida SSL pinning bypass script hooks into NSURLSession, NSURLConnection, and AFNetworking/Alamofire trust evaluation delegates to override certificate validation at the TLS handshake level.
# Dump all accessible keychain items via Objection
ios keychain dump
# Dump keychain with raw data output
ios keychain dump --json
# Check keychain item accessibility attributes
# Items with kSecAttrAccessibleAlways or kSecAttrAccessibleAfterFirstUnlock
# are accessible without device unlock - this is a finding
# Search for specific credential types
ios keychain dump | grep -i "password\|token\|secret\|oauth"
# Inspect NSUserDefaults for sensitive data leaks
ios nsuserdefaults get
# Check for sensitive data in app cookies
ios cookies get
# List all loaded classes
ios hooking list classes
# Search for security-relevant classes
ios hooking search classes Auth
ios hooking search classes Crypto
ios hooking search classes Biometric
ios hooking search classes Jailbreak
# Hook authentication methods to observe parameters and return values
ios hooking watch method "+[AuthManager validateCredentials:password:]" --dump-args --dump-return
# Monitor biometric authentication (LocalAuthentication framework)
ios hooking watch class LAContext
# Bypass jailbreak detection
ios jailbreak disable
# Search memory for sensitive strings
memory search "Bearer " --string
memory search "password" --string
# Dump loaded modules for third-party library identification
memory list modules
# List files in app sandbox
env
# Check for SQLite databases with sensitive data
sqlite connect Documents/app.db
sqlite execute query "SELECT name FROM sqlite_master WHERE type='table'"
# Inspect plist files for cached credentials
ios plist cat Library/Preferences/com.target.app.plist
# Check for sensitive data in app caches
find Library/Caches/ -type f
# Monitor pasteboard for credential leakage
ios pasteboard monitor
# Check binary cookies
ios cookies get
After SSL pinning bypass, analyze intercepted traffic:
# Verify App Transport Security (ATS) configuration in Info.plist
# Check for NSAllowsArbitraryLoads = true (disables ATS)
ios plist cat Info.plist | grep -A5 NSAppTransportSecurity
# Hook URL session delegates to monitor all network calls
ios hooking watch class NSURLSession
ios hooking watch class NSURLSessionConfiguration
# Check for certificate transparency validation
ios hooking search classes CT
ios hooking search classes Certificate
| Term | Definition |
|---|---|
| Frida | Dynamic instrumentation toolkit that injects a JavaScript engine into target processes, enabling runtime hooking, tracing, and modification of iOS app behavior |
| Objection | Runtime mobile exploration toolkit built on Frida providing pre-built commands for common security tests including keychain dump, SSL pinning bypass, and method hooking |
| SSL Pinning | Client-side certificate validation that restricts which TLS certificates the app trusts, preventing proxy-based traffic interception; bypassed by hooking trust evaluation functions |
| Keychain | iOS secure storage API for credentials and tokens; items have accessibility attributes that control when they can be read (e.g., only when device is unlocked) |
| IPA | iOS App Store Package; a ZIP archive containing the app binary, frameworks, assets, and provisioning profile that can be extracted for static analysis |
| OWASP MASTG | Mobile Application Security Testing Guide; comprehensive methodology for iOS and Android security testing organized by MASVS verification categories |
| Frida Gadget | Shared library (.dylib) injected into IPA for non-jailbroken testing; enables Frida instrumentation without requiring a jailbroken device |
| Method Swizzling | Objective-C runtime technique that exchanges method implementations at runtime; used by Frida to intercept and modify method behavior |
--startup-command to hook detection checks before they execute, or rename frida-server binary.ios hooking list classes and grep for demangled names, or use frida-trace with wildcard patterns.## Finding: Insecure Keychain Storage with kSecAttrAccessibleAlways
**ID**: IOS-001
**Severity**: High (CVSS 7.5)
**OWASP MASTG**: MASTG-TEST-0055 (Testing Data Storage)
**MASVS Category**: MASVS-STORAGE
**Description**:
The application stores OAuth refresh tokens in the iOS Keychain with
the accessibility attribute kSecAttrAccessibleAlways, making them
readable even when the device is locked or after a reboot without
user authentication.
**Proof of Concept**:
1. Attach Objection to com.target.app: objection --gadget com.target.app explore
2. Execute: ios keychain dump
3. Observe refresh_token item with Accessible: kSecAttrAccessibleAlways
4. Token value is accessible without device unlock
**Impact**:
An attacker with physical access to a locked device or forensic
image can extract OAuth refresh tokens and gain persistent access
to the user's account without knowing device passcode.
**Remediation**:
Store sensitive credentials with kSecAttrAccessibleWhenUnlockedThisDeviceOnly
and enable biometric protection via kSecAccessControlBiometryCurrentSet.
Prerequisites
Time Estimate
15-45 minutes depending on use case complexity
Steps
Common Pitfalls
✓ Do
✗ Don't
💡 Pro Tips
✓ Use when
Use when skill capabilities match your task, clear ROI on time saved, and you can validate outputs. Best for repetitive tasks, learning, and quality improvement.
✗ Avoid when
Avoid when task requires deep expertise you can't validate, involves sensitive decisions, or when learning process is more valuable than speed of completion.
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
Registry listing for performing-ios-app-security-assessment matched our evaluation — installs cleanly and behaves as described in the markdown.
We added performing-ios-app-security-assessment from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
Solid pick for teams standardizing on skills: performing-ios-app-security-assessment is focused, and the summary matches what you get after install.
Useful defaults in performing-ios-app-security-assessment — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
Registry listing for performing-ios-app-security-assessment matched our evaluation — installs cleanly and behaves as described in the markdown.
Useful defaults in performing-ios-app-security-assessment — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
Keeps context tight: performing-ios-app-security-assessment is the kind of skill you can hand to a new teammate without a long onboarding doc.
I recommend performing-ios-app-security-assessment for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
performing-ios-app-security-assessment is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.
performing-ios-app-security-assessment reduced setup friction for our internal harness; good balance of opinion and flexibility.
showing 1-10 of 73