Skip to main content

iOS Testing Commands

This assumes my iOS tools from GitHub are installed in your $PATH. Any command below that is preceded with > means that it is a sub-command under the primary command above it.

Last Update: July 20, 2025

Jailbreak Information

Task	Command(s)
Rootless Jailbreaks	The root filesystem is read-only, rootless jailbreaks changes root to `/var/jb`. The root user home directory will be at `/var/jb/var/root`.
Rootful Jailbreaks	The root filesystem is remounted as read-write. The root user home directory is at the normal location `/var/root`
Corellium	There are no changes to the filesystem in a Corellium virtual device.

Device Information

Task	Command(s)
Get UUID of the device	`idevice_id -l`
Get UUID of the device (macOS)	`ioreg -p IOUSB -l \| grep "USB Serial"`
Get device information	`ideviceinfo` `ideviceinfo -s`
Install an application (macOS)	`ideviceinstaller -i filename.ipa`
Install an application (Linux)	Install `ipainstaller` from the package manager. `ideviceinstaller install filename.ipa`
Install an application (On-Device)	`ipainstaller filename.ipa`
Take a screenshot of the device	`idevicescreenshot`
Get log messages from device	`idevicesyslog` `idevicesyslog \| grep searchterm`

Static Analysis

Task	Command(s)
Obtain App Information	`appinfo bundle-id` `objection -g AppName run env`
Static Analysis Information	`MachOAnalyzer bundle-id`
Get Executable Name	`plutil -extract CFBundleExecutable raw Info.plist`
List App Permissions	`plutil -p Info.plist \| grep Description`
List Libraries & Frameworks	`otool -L binary-name`
Print Binary Load Commands	`otool -l binary-name`
Check if binary is encrypted	`otool -l binary-name \| grep -A 4 LC_ENC`
Check for Stack Protection	`otool -Iv binary-name \| grep __stack_chk`
Check if PIE is enabled	`otool -hv binary-name`
Check if ARC is in use	`otool -Iv binary-name \| grep -iw _objc_autorelease`
Binary Protections	`objection -g AppName run ios info binary`
Dump Classes/Methods	`otool -oV binary-name` `rabin2 -cc binary-name`
Check if binary is a FAT file	`lipo -info binary-name` `rabin2 -A binary-name`
Extract architecture from FAT file	`lipo -thin arm64 -o appname.arm64 binary-name` `rabin2 -x binary-name`
Extract App Entitlements	`getentitlements bundle-id` `rabin2 -T binary-name` `extract_mobileprovision binary-name`
Executable Details	`rabin2 -I binary-name`

Data Storage

Task	Command(s)
Dump Keyboard Cache	`keyboardcachedump` `strings /var/mobile/Library/Keyboard/en-dynamic.lm/*.dat`
Dump Data Protection Values	`dataprotection bundle-id` `frida -U -l ios-data-protection.js -f AppName`
Dump Keychain	`objection -g AppName run ios keychain dump` `objection -g AppName run ios keychain dump --json output.json` `frida -U -l dumpkeychain.js -f AppName`
Get Cookies	`objection -g AppName run ios cookies get` `cd DATA-DIR/Library/Cookies` `> cookieParser Cookies.binarycookies`
Get log entries	`idevicesyslog \| grep app-name`
Binary Strings	`strings -n 6 binary-name` `rabin2 -zz binary-name`
Memory Dump (on device)	`memdump pid`
Memory Dump (Objection)	`objection -g AppName explore` `> memory dump all destination-file > memory search search-string --string > memory dump from_base hex-base size local-destination`
Memory Search (Objection)	`objection -g AppName explore > memory search search-string --string > memory dump from_base hex-base size local-destination`
Memory Dump (Fridump)	`python3 fridump.py -U -o output-dir -s AppName`
Display a Property List (PLIST) File	On-Device: `plutil filename.plist` macOS/Linux: `plutil -p filename.plist`
Convert PLIST (Any => XML)	`plutil -convert xml1 filename.plist`
Convert PLIST (Any => Binary)	`plutil -convert binary1 filename.plist`
Convert PLIST (Any => JSON)	`plutil -convert json filename.plist`
Search for File Extensions	`find DATA-DIR -iname *.xml`
Common File Extensions	`txt, xml, db, sqlite, sqlite3, json, html, js, cer, pem, cert, crt, pub, key, pfx, p12, pkcs7, realm*, cblite, cblite2`

SQLite3 Commands

Task	Command(s)
Common SQLite3 File Extensions	`.db, .sqlite, .sqlite3, .data`
Open Database	`sqlite3 database-name`
Close Database	`> .exit`
List Tables	`> .tables`
Show DB Schema	`> .schema > .schema tablename`
Select All Data from a Table	`> SELECT * FROM tablename;`
Select Specific Data Examples	`> SELECT user,password FROM tablename; > SELECT * FROM tablename WHERE column-name like '%value%';`
Attach a Database	`> ATTACH DATABASE database-name AS database-name;`
Databse Optimization	`> VACUUM`
Database `-wal` File	Write ahead log - stores data before it is pushed to the main database file
Database `-shm` File	Shared memory - stores data that is shared across database connections

Dynamic Analysis

Task	Command(s)
HTTP Caching	`cd DATA-DIR/Library/Caches/$bundle_id/ dumpCache Cache.db output.txt`
Monitoring Cryptography (Objection)	`objection -g AppName explore > ios monitor crypto`
File System Monitoring (fsmon)	`fsmon -P binary-name fsmon -p pid fsmon /private/var/containers/Bundle/Application/UUID/AppName.app fsmon /private/var/mobile/Containers/Data/Application/UUID`
Check for Local Server on Device	`netstat -an \| grep -w LISTEN lsof -i :port-number nmap -sS -sV -p- --open device-ip-address`
Create a Full Backup	`idevicebackup2 backup --full ./output-directory`
Bypass Jailbreak Detection (Objection)	`objection -g AppName explore > ios jailbreak disable`
Bypass SSL Pinning (Objection)	`objection -g AppName explore > ios sslpinning disable`
Print NSUserDefaults Data (Objection)	`objection -g AppName explore > ios nsuserdefaults get`
Monitor Pasteboard (Objection)	`objection -g AppName explore > ios pasteboard monitor`
Get NSURLCredentialStorage (Objection)	`objection -g AppName explore > ios nsurlcredentialstorage dump`