IPA File Extraction using Jailbroken iPhone

Static analysis is an important part of any MAPT (mobile application penetration testing) engagement, and tools like MobSF let pentesters run much of it automatically. But to run those scans we first need an IPA file, and for App Store apps a plain copy of the bundle is not enough, because the main executable is FairPlay-encrypted. In this short post we will look at one method that reliably extracts a decrypted IPA from a jailbroken iPhone (or iPad, for that matter).

Pre-requisite

a. macOS (don't worry if you don't have a MacBook; I have written a detailed article on how to create an almost perfect macOS VM)
b. A jailbroken iPhone with frida-server (the on-device Frida agent) installed and running.
c. frida-tools installed on macOS, at the same version as the frida-server on the device. A version mismatch is the most common reason frida-ps and dump.py fail to talk to the phone, so compare `frida --version` on the Mac with `frida-server --version` on the device if anything misbehaves.

Setup

We will be using a couple of free, open-source tools for this activity.

a. iproxy: this little utility from the usbmuxd project forwards a local TCP port to a port on the USB-connected iPhone, which is how we reach the device's SSH server without relying on Wi-Fi. It is not installed on macOS by default.

iproxy not found error

You can install it via Homebrew by running the following command:

brew install usbmuxd

iproxy installed via Homebrew

Note: if you don't know about Homebrew, it is a package manager for macOS, much like APT on Linux or Chocolatey on Windows. It is well worth exploring.

You can verify the install by starting a tunnel from local port 2222 to port 22 (SSH) on the device:

iproxy 2222 22

iproxy running successfully

Leave this running in its own terminal for the rest of the procedure. While it is up, `ssh root@localhost -p 2222` reaches the phone's SSH server (the password on most jailbreaks is still the default `alpine`; change it if you have not already). Port 2222 is not arbitrary: dump.py connects to localhost:2222 as root with that default password unless told otherwise, so keeping this exact mapping avoids having to pass host, port, user and password options later.

b. AloneMonkey's frida-ios-dump: this is the utility that extracts a decrypted IPA. It attaches to the running app with Frida, dumps the app's Mach-O images from memory after the loader has already decrypted them, marks the dumped binaries as unencrypted, copies the rest of the .app bundle over SSH/SCP through the iproxy tunnel, and zips the result into an IPA.

frida-ios-dump

Its installation is straightforward.

Pull it from GitHub by running:

git clone https://github.com/AloneMonkey/frida-ios-dump

Git Clone

Install the requirements listed in requirements.txt inside the cloned directory. It doesn't matter whether you use Python 3.x or 2.x; the tool supports both. (A virtualenv is cleaner than sudo pip, but the command below works.)

sudo pip install -r requirements.txt --upgrade

Requirements installed

With this, the prerequisites are met.

IPA Extraction

a. Connect the iPhone to the Mac over USB and keep the iproxy tunnel from the previous step running.

b. Run `frida-ps -Uai` (USB device, applications only, including ones not currently running) to get the "Display Name" of the target app. The same listing shows the bundle identifier, and dump.py accepts either one.

Getting Display Name of Target App

c. Run the following command to dump the decrypted IPA:

python dump.py <display name>

It generally asks you to start the app on the iPhone before it begins dumping, so make sure the app is running and in the foreground on the device.

On successful completion, the IPA file is written into the frida-ios-dump folder itself.
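The steps above, wired together as one script, with the check a practitioner wants afterwards: that the dumped executable really has its FairPlay encryption removed (the `LC_ENCRYPTION_INFO` load command's `cryptid` must be 0). This is an added example, not code from the original post or from frida-ios-dump. It assumes the repo was cloned to `$DUMP_DIR` (default `~/frida-ios-dump`), that `iproxy`, `frida-ps`, `nc`, `unzip`, `otool` and `/usr/libexec/PlistBuddy` are available on the Mac, that dump.py's `-o` option is used to fix the output filename, and that the device uses the root/alpine SSH defaults that dump.py also assumes. The frida-ps and otool output used for the offline checks is constructed for the example.

```shell
#!/bin/sh
# Added example: end-to-end wrapper around frida-ios-dump plus a decryption check.
# Assumptions: repo at $DUMP_DIR, tools on PATH, device SSH reachable via iproxy
# on $LOCAL_PORT with dump.py's default credentials (root / alpine).
set -eu

DUMP_DIR="${DUMP_DIR:-${HOME:-.}/frida-ios-dump}"   # assumption: clone location
LOCAL_PORT="${LOCAL_PORT:-2222}"                     # must match dump.py's default port

# Forward local TCP $LOCAL_PORT to port 22 on the USB-attached device and wait
# until the tunnel accepts connections. Prints the iproxy PID so main() can kill it.
start_iproxy() {
    iproxy "$LOCAL_PORT" 22 >/dev/null 2>&1 &
    pid=$!
    i=0
    while ! nc -z 127.0.0.1 "$LOCAL_PORT" >/dev/null 2>&1; do
        i=$((i + 1))
        [ "$i" -lt 20 ] || { kill "$pid"; echo "iproxy did not come up" >&2; return 1; }
        sleep 0.5
    done
    echo "$pid"
}

# Read `frida-ps -Uai` output on stdin and print the bundle identifier of the app
# whose display name equals $1. Names may contain spaces ("App Store"), so the
# identifier is taken as the last column and the name as everything in between.
bundle_id_for_name() {
    awk -v target="$1" '
        NR > 2 && NF >= 3 {
            id = $NF; name = $2
            for (i = 3; i < NF; i++) name = name " " $i
            if (name == target) { print id; exit }
        }'
}

# Read `otool -l <binary>` output on stdin and print the cryptid of the first
# LC_ENCRYPTION_INFO / LC_ENCRYPTION_INFO_64 load command.
# 0 = decrypted (dump succeeded), 1 = still FairPlay-encrypted, empty = no such command.
cryptid_from_otool() {
    awk '/LC_ENCRYPTION_INFO/ { in_cmd = 1 }
         in_cmd && /cryptid/ { print $2; exit }'
}

# Unpack an IPA, locate its main executable via Info.plist and report the cryptid.
verify_ipa_decrypted() {
    ipa="$1"
    tmp=$(mktemp -d)
    unzip -q "$ipa" -d "$tmp"
    app=$(ls -d "$tmp"/Payload/*.app | head -n 1)
    exe=$(/usr/libexec/PlistBuddy -c 'Print :CFBundleExecutable' "$app/Info.plist")
    cryptid=$(otool -l "$app/$exe" | cryptid_from_otool)
    rm -rf "$tmp"
    case "$cryptid" in
        0) echo "OK: $exe is decrypted (cryptid 0)"; return 0 ;;
        1) echo "FAIL: $exe is still encrypted (cryptid 1)" >&2; return 1 ;;
        *) echo "no LC_ENCRYPTION_INFO load command found in $exe" >&2; return 2 ;;
    esac
}

main() {
    name="$1"
    iproxy_pid=$(start_iproxy)
    trap 'kill "$iproxy_pid" 2>/dev/null' EXIT
    bundle=$(frida-ps -Uai | bundle_id_for_name "$name")
    [ -n "$bundle" ] || { echo "no installed app named '$name'" >&2; exit 1; }
    echo "dumping $name ($bundle); launch the app on the device when prompted"
    (cd "$DUMP_DIR" && python3 dump.py "$bundle" -o "$name.ipa")
    verify_ipa_decrypted "$DUMP_DIR/$name.ipa"
}

# Only run the pipeline when a display name is given; sourcing the file just
# defines the functions.
if [ "$#" -gt 0 ]; then
    main "$1"
fi
```

Usage: `sh dump-and-verify.sh "Display Name"`. The cryptid check is the part worth keeping even if you run the rest by hand: a bundle copied with iFunbox or iMazing will report cryptid 1 on its main executable, a successful frida-ios-dump reports 0, and that single number tells you whether MobSF is about to analyse code or ciphertext.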

Why this tedious route instead of iFunbox?

Now you may ask why to follow this somewhat inconvenient route when iMazing or iFunbox can copy an app off the device as well. The most important reason is that those tools hand you the bundle exactly as it sits on disk, with the App Store's FairPlay encryption still applied to the main executable, so MobSF and any disassembler see only ciphertext. frida-ios-dump gives out an "unencrypted" IPA, because it dumps the code after the loader has decrypted it in memory, which is what static analysis needs. You can confirm the difference yourself: run `otool -l` on the main executable and look at the LC_ENCRYPTION_INFO load command; a dumped binary shows cryptid 0, an iFunbox copy shows cryptid 1. Not only that, these IPAs also work fine when re-signed and sideloaded onto other iPhones, as well as on Corellium VMs.

Hope this was useful! See you in the next post :)

Shashank's Blog