Penetration testing

Top tools for mobile iOS assessments

Pedro Tavares
November 24, 2021 by
Pedro Tavares

The mobile landscape has become one of the main challenges for IT security teams from a security viewpoint in the last few years. With the digital evolution, a small device can access critical applications and sensitive data from organizations, with the BYOD (Bring Your Own Device) continuing to grow and create a new paradigm between the organizations and their employees. In this sense, the security and perimeter of risk of these devices should be properly managed. 

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

Top tools for iOS assessments

Mobile security framework (MobSF)

MobSF is the short form to mobile security framework, and this is an automated framework to execute static and dynamic mobile assessments. This tool can perform tests under Android, iOS and Windows applications and find malicious content such as URLs, bad source-code, IP addresses, encrypted blocks and more. 

This framework is equipped with a REST API for integration with DevSecOps pipelines. MobSF is capable of performing runtime security assessments and interactive and instrumented tests using its built-in dynamic analyzer.


Frida toolkit

Frida is a toolkit designed to allow dynamic code instrumentation. This tool can inject custom JavaScript code into a process and modify its behavior in runtime.

By using Frida, injecting code to bypass execution restrictions (root detection, SSL pinning etc) and techniques that developers use to secure mobile applications is possible and easy.

Frida is also equipped with a set of standalone tools:

  • frida-ps: command-line tool for listing processes
  • frida-trace : a tool for dynamically tracing calls and methods
  • frida-discover: a tool for discovering internal functions
  • frida-ls-devices: command-line tool for listing attached devices
  • frida-kill: command-line tool for killing processes



Passionfruit is a GUI webapp developed to interact with iOS applications and dump and analyze their content easily.

With this app, it’s possible to list all URL schemas, check signatures, list metadata, see if the app is encrypted, check loaded frameworks, log SQLite operations, bypass jailbreak detection, list Objectiv-C classes and so on. Dump keychain, binary cookies and user defaults are also possible.

This is, in fact, an application that should be part of your mobile arsenal for red teaming assessments.



Grapefruit is a runtime application instrumentation tool for iOS. This tool is very similar to the passionfruit app but with a different layout and many new features. It is under development but is the next generation of passionfruit.



This is a small script that can be the best friend when analyzing IPA (iOS) files. In short, it decrypts IPA files from jailbroken devices.

After that, the application source code can be analyzed and reversed by using radare2 or other tools.



Radare is a portable reversing framework, open-source and with a lot of features, including:

  • Disassemble (and assemble for) many different architectures
  • Debug with local native and remote debuggers (gdb, rap, webui, r2pipe, winedbg and windbg)
  • Run on Linux, *BSD, Windows, OSX, Android, iOS, Solaris and Haiku
  • Perform forensics on file systems and data carving
  • Be scripted in Python, Javascript, Go and more
  • Support collaborative analysis using the embedded web server
  • Visualize data structures of several file types
  • Patch programs to uncover new features or fix vulnerabilities
  • Use powerful analysis capabilities to speed up reversing
  • Aid in software exploitation



Objection is a tool powered by Frida and built to help experts execute their mobile assessments without needing a jailbroken or rooted mobile device. 

This tool is composed of a group of features, including:

  • Root detection bypass
  • SSL pinning bypass
  • Dump Keystore
  • Dump Android Heap
  • Monitors Android copy/paste buffer cache
  • Hook a method(s) of a class in runtime
  • Execute custom Frida scripts; and
  • Work with the Android intents


What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

Red teaming and IOS assessment 

This article compiles considerations on the iOS landscape, and what red teaming tools should be selected to audit iOS mobile apps. Nonetheless, it’s important to notice that each tool has its features and goals, so the tools used must be selected depending on the priority and features to secure.

Other tools and practical examples how to reverse IPA applications here.



Pedro Tavares
Pedro Tavares

Pedro Tavares is a professional in the field of information security working as an Ethical Hacker, Malware Analyst and a Security Evangelist. He is also Editor-in-Chief of the security computer blog

In recent years, he has invested in the field of information security, exploring and analyzing a wide range of topics, such as malware, reverse engineering, pentesting (Kali Linux), hacking/red teaming, mobile, cryptography, IoT, and security in computer networks. He is also a Freelance Writer.