
Decrypt App

iOS apps installed from the Apple App Store are protected with Apple's Digital Rights Management (DRM) scheme, FairPlay: the executable's code segment is stored encrypted on disk, and the Mach-O header carries an LC_ENCRYPTION_INFO (or LC_ENCRYPTION_INFO_64) load command whose cryptid field is set to 1. When the app launches, the kernel decrypts that region as it maps the binary, so the code is unencrypted in memory. Defeating the protection is therefore as simple as dumping the decrypted region out of the running process, writing it back over the on-disk copy and setting cryptid to 0. Either of the two tools below automates this for you; both require a jailbroken device.

Decrypt with Clutch (On Device Option)

OWASP MSTG (clutch section)

Clutch is designed to run on the iOS device itself (over SSH, as root). The resulting IPA file is therefore written to the device and has to be copied to your Mac afterwards. Clutch has not been updated in years, so if it fails to dump an app on a recent iOS version, fall back to the frida-ios-dump option below.

To run the program, follow these instructions:

// The -i option shows all installed apps:
# Clutch -i
Installed apps:
1: Example App <com.example.app>

// Using the number from the list, dump the app:
# Clutch -d 1
Zipping Example.app
ASLR slide: 0x102964000
Dumping <ExampleApp> (arm64)
Patched cryptid (64bit segment)
Writing new checksum
DONE: /private/var/mobile/Documents/Dumped/com.example.app-iOS13.0-(Clutch-2.0.4).ipa
Finished dumping com.example.app in 5.5 seconds

The resulting IPA is written to /private/var/mobile/Documents/Dumped/ as shown above. Copy it to your macOS system for processing.

// From macOS, pull the IPA file from the device. Clutch's file name contains
// parentheses, which the remote shell would try to interpret, so match it with
// a quoted glob instead of typing the name literally:
$ scp 'root@device:/private/var/mobile/Documents/Dumped/com.example.app-*.ipa' .

Decrypt with Frida-ios-dump (macOS Option)

OWASP MSTG (Using frida-ios-dump section)

frida-ios-dump is a Python 3 script that attaches to the running app with Frida, reads the decrypted executable out of the process, patches cryptid to 0 and repackages the app bundle into an IPA file. The IPA is saved locally on the Mac that runs the script. It needs frida-server running on the jailbroken device (reached over USB) and an SSH connection to pull the files: by default dump.py connects to localhost on port 2222 as root, so forward the device's SSH port first with iproxy 2222 22, and install the script's dependencies with pip3 install -r requirements.txt.

To run the script, follow these instructions:

cd frida-ios-dump
python3 dump.py -o /path/to/save/ipa appname

The -o option takes only a directory; no filename is required, since the IPA is named after the app's display name. The appname argument is the display name of the app you want to decrypt (the bundle identifier, e.g. com.example.app, also works, and dump.py -l lists the installed apps). Start the app on the device first: it must be running in the foreground when the script attaches.
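Whichever tool produced the IPA, verify the result before spending time in a disassembler: unzip the IPA and check that the main executable's LC_ENCRYPTION_INFO (or LC_ENCRYPTION_INFO_64) load command now has cryptid 0. On macOS, otool -l Payload/Example.app/Example | grep -A4 LC_ENCRYPTION_INFO shows the same field. The following Python script is an added example for this page, not code from Clutch, frida-ios-dump or the OWASP MSTG; it parses the Mach-O header directly so it also runs on Linux, unwraps fat binaries, and, when run without a file argument, checks a constructed minimal Mach-O (not a real app binary) so it can be tried without a dump at hand.

```python
"""Check whether a dumped iOS binary is really decrypted by reading its
LC_ENCRYPTION_INFO / LC_ENCRYPTION_INFO_64 load command.

Added example for this page; not part of Clutch or frida-ios-dump.
"""
import struct
import sys

MH_MAGIC = 0xFEEDFACE         # 32-bit Mach-O (little-endian on device)
MH_MAGIC_64 = 0xFEEDFACF      # 64-bit Mach-O
FAT_MAGIC = 0xCAFEBABE        # multi-architecture wrapper, big-endian header
LC_ENCRYPTION_INFO = 0x21
LC_ENCRYPTION_INFO_64 = 0x2C
CPU_TYPE_ARM64 = 0x0100000C


def _parse_thin(data, base):
    """Walk the load commands of one Mach-O slice that starts at `base`."""
    magic, cputype = struct.unpack_from("<II", data, base)
    if magic == MH_MAGIC_64:
        header_size = 32      # mach_header_64 has an extra reserved field
    elif magic == MH_MAGIC:
        header_size = 28
    else:
        raise ValueError(f"no Mach-O header at offset {base:#x} (magic {magic:#x})")
    ncmds, sizeofcmds = struct.unpack_from("<II", data, base + 16)
    info = {"cputype": cputype, "cryptid": None, "cryptoff": None, "cryptsize": None}
    pos = base + header_size
    end = pos + sizeofcmds
    for _ in range(ncmds):
        if pos + 8 > end:
            raise ValueError("load commands overrun sizeofcmds")
        cmd, cmdsize = struct.unpack_from("<II", data, pos)
        if cmdsize < 8 or pos + cmdsize > end:
            raise ValueError(f"bad cmdsize {cmdsize} at offset {pos:#x}")
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            # Both layouts begin: cmd, cmdsize, cryptoff, cryptsize, cryptid
            cryptoff, cryptsize, cryptid = struct.unpack_from("<III", data, pos + 8)
            info.update(cryptoff=cryptoff, cryptsize=cryptsize, cryptid=cryptid)
        pos += cmdsize
    return info


def encryption_info(data):
    """Return one dict per architecture slice (fat binaries are unwrapped)."""
    if struct.unpack_from(">I", data, 0)[0] == FAT_MAGIC:
        nfat = struct.unpack_from(">I", data, 4)[0]
        slices = []
        for i in range(nfat):
            _cpu, _sub, offset, _size, _align = struct.unpack_from(">IIIII", data, 8 + 20 * i)
            slices.append(_parse_thin(data, offset))
        return slices
    return [_parse_thin(data, 0)]


def is_decrypted(data):
    """True when no slice still has cryptid == 1. A slice without any
    LC_ENCRYPTION_INFO was never FairPlay-protected and counts as clear."""
    return all(s["cryptid"] in (None, 0) for s in encryption_info(data))


def build_sample(cryptid):
    """Constructed minimal arm64 Mach-O: a header plus one LC_ENCRYPTION_INFO_64.
    Not a real app binary, just enough structure for the parser above."""
    lc = struct.pack("<IIIIII", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x8000, cryptid, 0)
    hdr = struct.pack("<IIIIIIII", MH_MAGIC_64, CPU_TYPE_ARM64, 0, 2, 1, len(lc), 0, 0)
    return hdr + lc


def build_fat_sample(cryptids):
    """Constructed fat wrapper around several build_sample() slices."""
    blobs = [build_sample(c) for c in cryptids]
    offset = 8 + 20 * len(blobs)
    archs, body = b"", b""
    for blob in blobs:
        archs += struct.pack(">IIIII", CPU_TYPE_ARM64, 0, offset + len(body), len(blob), 0)
        body += blob
    return struct.pack(">II", FAT_MAGIC, len(blobs)) + archs + body


if __name__ == "__main__":
    if len(sys.argv) == 2:
        # e.g. Payload/Example.app/Example from the unzipped IPA
        with open(sys.argv[1], "rb") as f:
            blob = f.read()
    else:
        blob = build_fat_sample([1, 0])   # constructed demo input: one bad slice
    for s in encryption_info(blob):
        state = {None: "no LC_ENCRYPTION_INFO", 0: "decrypted", 1: "STILL ENCRYPTED"}
        print(f"cputype={s['cputype']:#x} cryptid={s['cryptid']} -> "
              f"{state.get(s['cryptid'], 'unknown cryptid')}")
    print("dump OK" if is_decrypted(blob) else "dump FAILED: re-run the tool")
```

Run it as python3 check_cryptid.py Payload/Example.app/Example after unzipping the IPA. A cryptid of 1 on any slice means the tool wrote the still-encrypted file back (typically because the app was not running in the foreground, or the dump was taken from the wrong process); a slice with no encryption command at all was never FairPlay-protected, which is what you see on Xcode or TestFlight builds.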