IPA File Extraction using Jailbroken iPhone

Shashank's Blog
3 min read · Dec 10, 2021


Static analysis is an important aspect of any MAPT (mobile application penetration testing) activity. Tools like MobSF help pentesters perform automated static analysis, but to run these scans we first need an IPA file. In this short post, we will look at one method that provides a sure-shot way to extract an IPA file from a jailbroken iPhone (or iPad, for that matter).

Pre-requisite

a. macOS (Don’t worry if you don’t have a MacBook. I have written a detailed article on how to create an almost perfect macOS VM)
b. Jailbroken iPhone with Frida installed on it.
c. frida-tools installed on macOS

Setup

We will be using a couple of free, open-source tools for this activity.

a. iproxy: This little utility lets you reach the iPhone’s SSH service over USB. It is not installed on macOS by default.

[Screenshot: iproxy not found error]

You can install it via Homebrew by simply running the following command:

brew install usbmuxd

[Screenshot: iproxy installed via Homebrew]

Note: If you don’t know about Homebrew, it is an amazing package manager, just like APT (Linux) or Chocolatey (Windows). You must explore it.

You can verify a successful install by running the following command, which forwards local port 2222 to the device’s SSH port 22:

iproxy 2222 22

[Screenshot: iproxy running successfully]

b. AloneMonkey’s frida-ios-dump: This is the utility that will allow us to extract unencrypted IPA files from the device.

[Screenshot: frida-ios-dump]

Its installation is straightforward.

Pull it from GitHub by running:

git clone https://github.com/AloneMonkey/frida-ios-dump

[Screenshot: git clone]

Install the requirements listed in the requirements.txt file inside the cloned directory. It doesn’t matter whether you use Python 3.x or 2.x; it supports both.

sudo pip install -r requirements.txt --upgrade

[Screenshot: requirements installed]

With this, the pre-requisites are met.

IPA Extraction

a. Connect the iPhone to the Mac.

b. Run the frida-ps command to get the “Display Name” of the target app.

[Screenshot: getting the Display Name of the target app]

c. Run the following command to download the decrypted version of the IPA:

python dump.py <display name>

It generally asks you to start the app on the iPhone before initiating the dump, so make sure the app is running on the device.

On successful completion, the IPA file is generated in the frida-ios-dump folder itself.

Why this tedious way rather than iFunbox?

Now you may ask why follow this slightly inconvenient way to extract an IPA file. We can use iMazing or iFunbox as well, right? Well, the most important reason to use this particular tool is that it gives out “unencrypted” IPA files, which means these files are easy to analyse statically. Not only that, these IPAs work fine when sideloaded on other iPhones as well as on Corellium VMs.
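One check worth running on the output of the procedure above, as an added example that is not part of frida-ios-dump or this post: open the dumped IPA, find the main executable (Payload/<App>.app plus the CFBundleExecutable key from Info.plist, the standard IPA layout) and read the cryptid field of its LC_ENCRYPTION_INFO(_64) Mach-O load command. A cryptid of 0 confirms the FairPlay wrapper is gone, which is exactly what makes the file usable for static analysis; the Demo.app fixture below is constructed for illustration.

```python
import io
import plistlib
import struct
import zipfile

MH_MAGIC_64, MH_MAGIC = 0xFEEDFACF, 0xFEEDFACE
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C


def macho_cryptid(data: bytes):
    """Return the cryptid of the first LC_ENCRYPTION_INFO(_64) command, or None if absent."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == MH_MAGIC_64:
        hdr_size = 32  # mach_header_64 carries a trailing 'reserved' field
    elif magic == MH_MAGIC:
        hdr_size = 28  # mach_header (32-bit)
    else:
        raise ValueError("not a little-endian thin Mach-O (fat binaries not handled here)")
    ncmds, sizeofcmds = struct.unpack_from("<II", data, 16)  # same offsets in both headers
    off, end = hdr_size, hdr_size + sizeofcmds
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("truncated load command table")
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            # layout: cmd, cmdsize, cryptoff, cryptsize, cryptid[, pad]; cryptid sits at +16
            return struct.unpack_from("<I", data, off + 16)[0]
        off += cmdsize
    return None


def ipa_is_decrypted(ipa) -> bool:
    """Find Payload/<App>.app/<CFBundleExecutable> in an IPA (path, file object or bytes) and test it."""
    if isinstance(ipa, bytes):
        ipa = io.BytesIO(ipa)
    with zipfile.ZipFile(ipa) as z:
        plist = next(n for n in z.namelist()
                     if n.startswith("Payload/") and n.count("/") == 2 and n.endswith(".app/Info.plist"))
        app_dir = plist.rsplit("/", 1)[0]
        binary = z.read(f"{app_dir}/{plistlib.loads(z.read(plist))['CFBundleExecutable']}")
    # cryptid 0 = FairPlay wrapper removed; no command at all = nothing was ever encrypted
    return macho_cryptid(binary) in (None, 0)


def build_sample_ipa(cryptid: int) -> bytes:
    """Constructed fixture: a one-command arm64 Mach-O with the given cryptid, zipped like an IPA."""
    lc = struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x8000, cryptid, 0)
    header = struct.pack("<IiiIIIII", MH_MAGIC_64, 0x0100000C, 0, 2, 1, len(lc), 0, 0)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/Demo.app/Info.plist", plistlib.dumps({"CFBundleExecutable": "Demo"}))
        z.writestr("Payload/Demo.app/Demo", header + lc)
    return buf.getvalue()
```

On a real dump, call `ipa_is_decrypted("<display name>.ipa")`; a `False` result means the dump did not strip the encryption and MobSF would be analysing ciphertext.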

Hope this was useful!!! Will meet you in the next post :)
