iOS Pen-testing Dynamic Analysis Lab Setup
This article documents the complete setup process for building an iOS dynamic analysis lab for penetration testing.
The guide covers:
- Jailbreaking iPhone devices
- Installing Cydia components
- Configuring AppSync Unified
- Installing AFC2
- Frida instrumentation setup
- Burp Suite interception
- OpenSSH connectivity
- Permanent jailbreak persistence
Hardware Information
- Device Model: iPhone 6
- Software Version: iOS 12.5.1
Preface
- Disclaimer
- Jailbreaking iPhone 6
- Installing Tools and Components
- Installing IPA Files
- Connecting via OpenSSH
- Installing Burp Certificates
Disclaimer
This research is intended strictly for educational purposes and security testing in authorized environments.
Jailbreaking
Several jailbreak frameworks exist for iOS devices. During testing, checkra1n was initially used successfully on iOS 11.4.8.
However, after a device reboot the jailbreak state was lost, and the device repeatedly entered recovery mode without ever reaching DFU mode.
The workaround involved using unc0ver directly from Safari.
Install unc0ver
Navigate to:
https://ipa-apps.me
Download unc0ver v6.1.1 for iOS 11.0–14.3 devices.
Run unc0ver
Launch unc0ver and select Jailbreak.
If the jailbreak process fails:
- Open Settings inside unc0ver
- Enable Restore RootFS
- Retry jailbreak
Once the jailbreak succeeds, unc0ver installs Cydia on the device automatically.
What is Cydia?
Cydia acts as an unofficial package manager for jailbroken iOS devices and enables installation of tweaks, tooling and unsigned applications.
Install AppSync Unified
AppSync Unified allows installation of unsigned IPA files.
Add the repository:
cydia.angelxwind.net
Search and install:
AppSync Unified
Install AFC2 Patch
AFC2 enables full filesystem access over USB.
Search for:
Apple File Conduit "2"
Install Frida
Frida is a dynamic instrumentation framework widely used for runtime analysis and application hooking.
- Visit https://frida.re/docs/ios/
- Install frida-server on the device for its architecture
- Run Frida tools from your workstation
frida-ps -U
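Added example, not code from the original article: the workstation side of a Frida hook that records every NSURLSession data request the app issues, so the hosts it contacts can be cross-checked against what Burp Suite captures. It assumes the frida Python bindings on the workstation, frida-server running on the USB-connected device, and the target app's bundle identifier passed on the command line.

```python
import sys
from collections import Counter
from urllib.parse import urlsplit

# Frida (JavaScript) side, run inside the app on the device: hook one NSURLSession entry
# point and report the method and URL of every request passing through it. Other task
# constructors (dataTaskWithURL:, uploadTask..., downloadTask...) are not hooked here.
HOOK_SCRIPT = r"""
const impl = ObjC.classes.NSURLSession['- dataTaskWithRequest:completionHandler:'].implementation;
Interceptor.attach(impl, {
  onEnter(args) {
    const req = new ObjC.Object(args[2]);   // args[0] = self, args[1] = selector
    send({ method: req.HTTPMethod().toString(),
           url: req.URL().absoluteString().toString() });
  }
});
"""

def on_message(message, data, sink):
    """Collect 'send' payloads from the hook; report script errors instead of dropping them."""
    if message.get("type") == "send":
        sink.append(message["payload"])
    elif message.get("type") == "error":
        print("frida script error:", message.get("description"), file=sys.stderr)

def summarize(requests):
    """Count requests per (HTTP method, host). A host seen here but missing from
    Burp's proxy history points to certificate pinning or a non-proxied transport."""
    counts = Counter()
    for r in requests:
        host = urlsplit(r["url"]).hostname or "<no-host>"
        counts[(r["method"].upper(), host)] += 1
    return dict(counts)

def run(bundle_id):
    import frida  # imported here so the pure helpers above work without a device attached
    device = frida.get_usb_device()
    pid = device.spawn([bundle_id])   # spawned suspended, so requests made at launch are caught
    session = device.attach(pid)
    requests = []
    script = session.create_script(HOOK_SCRIPT)
    script.on("message", lambda msg, data: on_message(msg, data, requests))
    script.load()
    device.resume(pid)
    input("Exercise the app, then press Enter to stop...")
    session.detach()
    return summarize(requests)

if __name__ == "__main__":
    for (method, host), n in sorted(run(sys.argv[1]).items()):
        print(f"{n:4d}  {method:6s} {host}")
```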
Installing IPA Files
Unsigned IPA files can be installed using 3uTools.
Installing Burp Suite Certificates
To intercept HTTPS traffic:
- Connect the iPhone and the workstation to the same Wi-Fi network
- Configure a Burp proxy listener
- Set the HTTP proxy on the iPhone to point at the Burp listener
- Install the PortSwigger CA certificate on the iPhone
Connect via OpenSSH
OpenSSH is automatically installed after jailbreaking.
ssh root@
Default password:
alpine
Permanent Jailbreaking
Untethered jailbreak state can be preserved using SafeShutdown.
Add the repository:
http://apt.cydiakk.com
Configure SafeShutdown
SafeShutdown prevents jailbreak core files from being removed during unexpected power loss or shutdown.
Additional Resources
- https://frida.re/docs/ios/
- https://www.pentesteracademy.com/course?id=2
- https://web.securityinnovation.com/hubfs/iOS%20Hacking%20Guide.pdf
- https://resources.infosecinstitute.com/topic/ios-application-security-part-1-setting-up-a-mobile-pentesting-platform/
Conclusion
A properly configured iOS dynamic analysis environment significantly improves application assessment capabilities.
Combining jailbreak tooling, Frida instrumentation, Burp Suite, and filesystem access provides a complete platform for advanced mobile application testing.
Thank you for reading.