Extracting IPAs (App Store / IPA Dumpers)

Extracting iOS IPAs is one of the most important skills in iOS pentesting because every App Store binary is encrypted with FairPlay DRM. Reverse engineering, static analysis, class inspection, string extraction and entitlement inspection are impossible until the decrypted binary is dumped directly from a device’s memory. This chapter provides a full-length, in-depth, practical workflow covering every real-world method: Bagbak, frida-ios-dump, TrollStore, manual extraction, App Store tools, device filesystem extraction and validation. Every step is actionable, command-driven and tailored for pentesting environments.


Why IPAs Must Be Decrypted

App Store apps arrive encrypted. When you launch an app on a real device, iOS decrypts the binary in memory. IPA dumpers attach to the running process at that point and copy the decrypted code out of memory. That decrypted copy is what you use for static analysis.

Encrypted IPA = useless for analysis
Decrypted IPA = full reverse engineering possible

You cannot meaningfully inspect an IPA until its main binary’s cryptid flag is 0.


Step 1: Preparing the Jailbroken Environment

Most extraction methods require a jailbroken device with frida-server running on it, plus the Frida tools on your computer.

Install dependencies (on the computer; Debian/Ubuntu package names shown):

apt update
apt install wget curl unzip python3 python3-pip nodejs npm

SSH into device:

iproxy 2222 22
ssh root@localhost -p 2222

Verify that frida-server is reachable from the computer:

frida-ps -U

If this errors or lists nothing, start frida-server on the device (inside the SSH session):

/usr/local/bin/frida-server &


Method 1: Bagbak (Most Reliable Modern Dumper)

Bagbak is currently the best tool for dumping fully decrypted IPAs. Simple, stable and fast.

Install bagbak on the computer

npm install -g bagbak

Verify:

bagbak --version

Dump the IPA

Find the app’s bundle ID (-a lists applications with their identifiers, -i includes installed apps that are not running):

frida-ps -Uai | grep -i appname

Dump:

bagbak com.example.app

Bagbak will:

  • Spawn the app

  • Hook the decryption process

  • Copy decrypted binary

  • Rebuild a Payload directory

  • Generate a fully decrypted dump

Output will look like:

./com.example.app/Payload/AppName.app/

Rebuild IPA

cd com.example.app
zip -r decrypted.ipa Payload/

This IPA is ready for full static analysis.


Method 2: frida-ios-dump (legacy but widely used)

Still used in many pentesting labs and automation workflows.

Install

git clone https://github.com/AloneMonkey/frida-ios-dump.git
cd frida-ios-dump
pip3 install -r requirements.txt

Export USBMUXD socket for USB tunneling

export USBMUXD_SOCKET_ADDRESS=/var/run/usbmuxd

Dump the IPA

python3 dump.py com.example.app

This produces a decrypted IPA inside the repo directory.


Method 3: TrollStore Extraction (No Jailbreak Needed on Supported Devices)

If your device supports TrollStore exploits (iOS 14–17 depending on device), you can install and run apps in a decrypted state.

Install TrollStore

Follow device-specific exploit steps.

Install an app using TrollStore

TrollStore will produce a decrypted app bundle automatically.

Export IPA

TrollStore → Installed App → Export IPA

This yields a fully decrypted IPA even without jailbreak.


Method 4: Manual Extraction from Jailbroken Filesystem

Sometimes tools fail. Manual extraction gives full control.

Step 1: Find the installed app bundle

ls /var/containers/Bundle/Application/

Each folder corresponds to an installed app.

Step 2: Identify the correct app

Inside each UUID folder:

cd /var/containers/Bundle/Application/UUID/
ls

You will see:

AppName.app

Step 3: Copy the .app to computer

scp -P 2222 -r root@localhost:/var/containers/Bundle/Application/UUID/AppName.app .

This gives you the app bundle, but the binary inside is still encrypted.
Dump it with Bagbak or Frida afterwards.


Method 5: Apple Configurator IPA Extraction (macOS)

This produces encrypted IPAs only, but it is useful for obtaining the latest IPA from the App Store.

Install Apple Configurator 2

Open App Store → Install

Download the IPA

Configurator:

  • Add → Apps → Search App Store → Download

  • Right-click app → Export IPA

This IPA is encrypted and must be decrypted using Bagbak or Frida.


Method 6: Using ideviceinstaller / ios-deploy for Device App Extraction

You can pull app data or app containers, but not the decrypted binary, by default.

Install tools:

macOS:

brew install ideviceinstaller ios-deploy

List installed apps:

ideviceinstaller -l

Extract the app archive (-a archives the installed app and -o copy=PATH copies the archive out; -i would install an IPA instead):

ideviceinstaller -a com.example.app -o copy=.

The archived app is still encrypted → it must be decrypted using another method.


Method 7: FLEX Injection (Partial Extraction)

You can inject the FLEX debugging UI with Frida and extract:

  • Resources

  • Config files

  • Local databases

  • Cached API results

Inject FLEX:

frida -U -f com.example.app -l inject_flex.js --no-pause

Good for partial extraction, but not a full IPA dump.


Validating Whether an IPA Is Fully Decrypted

After extraction, always check the binary’s encryption status.

otool -l Payload/AppName.app/AppName | grep cryptid

Results:

cryptid 1  → encrypted (invalid for analysis)
cryptid 0  → decrypted (safe for RE)
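The same check as the otool command above, written in Python as an added example (it is not part of the original page and not code from any of the tools it describes). It parses the Mach-O load commands, reads cryptid from LC_ENCRYPTION_INFO or LC_ENCRYPTION_INFO_64, and, for a fat (multi-architecture) file, reports one value per slice, since otool likewise prints one cryptid line per slice and a dump is only complete when every slice reads 0. The build_sample and build_fat_sample helpers and the is_decrypted name are this example's own; they construct minimal Mach-O byte strings so the script runs offline without a real app.

```python
"""Read the cryptid flag straight from a Mach-O binary (added example, not from the original page)."""
import struct
import sys

# Mach-O / fat constants from <mach-o/loader.h> and <mach-o/fat.h>
MH_MAGIC = 0xFEEDFACE          # 32-bit header, little-endian on disk
MH_MAGIC_64 = 0xFEEDFACF       # 64-bit header, little-endian on disk
FAT_MAGIC = 0xCAFEBABE         # fat header, stored big-endian
LC_ENCRYPTION_INFO = 0x21      # cmd, cmdsize, cryptoff, cryptsize, cryptid
LC_ENCRYPTION_INFO_64 = 0x2C   # same fields plus 4 bytes of padding
CPU_TYPE_ARM64 = 0x0100000C    # CPU_TYPE_ARM | CPU_ARCH_ABI64


def _cryptid_of_thin(data, base=0):
    """Return cryptid for the Mach-O image at data[base:], or None if it has no encryption command."""
    (magic,) = struct.unpack_from("<I", data, base)
    if magic == MH_MAGIC_64:
        header_size = 32
    elif magic == MH_MAGIC:
        header_size = 28
    else:
        raise ValueError(f"no little-endian Mach-O header at offset {base:#x}")
    ncmds, sizeofcmds = struct.unpack_from("<II", data, base + 16)  # ncmds, sizeofcmds
    off = base + header_size
    end = off + sizeofcmds
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError(f"malformed load command at offset {off:#x}")
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            _cryptoff, _cryptsize, cryptid = struct.unpack_from("<III", data, off + 8)
            return cryptid
        off += cmdsize
    return None


def cryptids(data):
    """Map each image offset to its cryptid; a fat file yields one entry per architecture slice."""
    (magic_be,) = struct.unpack_from(">I", data, 0)
    if magic_be != FAT_MAGIC:
        return {0: _cryptid_of_thin(data, 0)}
    (nfat_arch,) = struct.unpack_from(">I", data, 4)
    result = {}
    for i in range(nfat_arch):
        # fat_arch: cputype, cpusubtype, offset, size, align (all big-endian)
        _cputype, _cpusubtype, offset, _size, _align = struct.unpack_from(">5I", data, 8 + 20 * i)
        result[offset] = _cryptid_of_thin(data, offset)
    return result


def is_decrypted(data):
    """True when no slice still carries cryptid != 0 (None means the image was never FairPlay-encrypted)."""
    return all(cid in (None, 0) for cid in cryptids(data).values())


def build_sample(cryptid, bits=64):
    """Construct a minimal Mach-O holding only an encryption load command (test fixture, not a real app)."""
    if bits == 64:
        cmd = struct.pack("<6I", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x8000, cryptid, 0)
        header = struct.pack("<8I", MH_MAGIC_64, CPU_TYPE_ARM64, 0, 2, 1, len(cmd), 0, 0)
    else:
        cmd = struct.pack("<5I", LC_ENCRYPTION_INFO, 20, 0x4000, 0x8000, cryptid)
        header = struct.pack("<7I", MH_MAGIC, 12, 9, 2, 1, len(cmd), 0)
    return header + cmd


def build_fat_sample(images):
    """Wrap thin images in a fat container, each slice page-aligned at 0x1000 like real universal binaries."""
    entries = b""
    body = b""
    offset = 0x1000
    for image in images:
        entries += struct.pack(">5I", CPU_TYPE_ARM64, 0, offset, len(image), 12)
        body += image.ljust(0x1000, b"\0")
        offset += 0x1000
    header = struct.pack(">II", FAT_MAGIC, len(images)) + entries
    return header.ljust(0x1000, b"\0") + body


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:
        # constructed fixture: one slice dumped, one still encrypted
        blob = build_fat_sample([build_sample(0), build_sample(1)])
    for off, cid in cryptids(blob).items():
        print(f"slice @ {off:#x}: cryptid {cid}")
    print("decrypted" if is_decrypted(blob) else "still encrypted")
```

Saved as, say, check_cryptid.py, it is run as python3 check_cryptid.py Payload/AppName.app/AppName against a real extracted binary; with no argument it runs on the constructed fixtures. A binary that has no encryption load command at all (a development build, for instance) reports None: it was never encrypted and needs no dump.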

If cryptid is still 1:

  • Dump failed

  • Wrong app version

  • App may use advanced DRM

  • Frida server version mismatch

  • Bagbak version mismatch

Repeat the dump after ensuring the Frida versions match. On the computer:

frida --version

and, on the device:

strings frida-server | head


Best Practical Extraction Workflow

  1. Install bagbak

  2. Start Frida server on device

  3. Identify bundle ID

  4. Run bagbak with bundle ID

  5. Get decrypted Payload folder

  6. Zip into IPA

  7. Validate cryptid = 0

  8. Begin static analysis

  9. Inspect Info.plist, entitlements, strings, frameworks

This is the workflow used in professional pentests.


Real Pentesting Tasks After IPA Extraction

Once decrypted, you can:

  • Extract entitlements

  • Inspect ATS configuration

  • Search for hardcoded API keys

  • Inspect databases and internal configs

  • Reverse engineer the binary

  • Identify hidden endpoints

  • Map backend routes

  • Find local secrets

  • Look for Jailbreak detection routines

  • Identify weak crypto

  • Enumerate private frameworks

All advanced app-sec testing starts here.
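As an added example of the "Inspect ATS configuration" task above (not code from the original page or from any tool it names), the following Python reads a bundle's Info.plist with the standard plistlib module and flags every App Transport Security relaxation: the global NSAllowsArbitraryLoads switches and, per NSExceptionDomains entry, plaintext HTTP, lowered minimum TLS version and disabled forward secrecy. The key names are Apple's documented ATS keys; the severity scale and the SAMPLE_INFO_PLIST fixture are this example's own and constructed here so it runs offline.

```python
"""Flag weak App Transport Security (ATS) settings in a bundle's Info.plist (added example)."""
import plistlib
import sys

# Constructed Info.plist, not taken from any real app: global ATS off plus two per-domain exceptions.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.app</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><true/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>legacy.example.com</key>
      <dict>
        <key>NSIncludesSubdomains</key><true/>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
        <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.0</string>
      </dict>
      <key>api.example.com</key>
      <dict>
        <key>NSExceptionRequiresForwardSecrecy</key><false/>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

# Top-level ATS switches; the severities are this example's own scale, not Apple's
GLOBAL_SWITCHES = {
    "NSAllowsArbitraryLoads": ("high", "ATS disabled for every host"),
    "NSAllowsArbitraryLoadsInWebContent": ("medium", "ATS disabled inside web views"),
    "NSAllowsArbitraryLoadsForMedia": ("medium", "ATS disabled for AVFoundation media loads"),
    "NSAllowsLocalNetworking": ("low", "ATS disabled for local-network hosts"),
}


def ats_findings(info_plist_bytes):
    """Return (severity, message) tuples for each ATS relaxation; an empty list means ATS is fully enforced."""
    info = plistlib.loads(info_plist_bytes)          # handles both XML and binary plists
    ats = info.get("NSAppTransportSecurity") or {}
    findings = []
    for key, (severity, text) in GLOBAL_SWITCHES.items():
        if ats.get(key) is True:
            findings.append((severity, f"{key}: {text}"))
    for domain, rules in (ats.get("NSExceptionDomains") or {}).items():
        scope = domain + (" (and subdomains)" if rules.get("NSIncludesSubdomains") else "")
        # NSThirdPartyException* are the older spellings of the same per-domain keys
        if rules.get("NSExceptionAllowsInsecureHTTPLoads") or rules.get("NSThirdPartyExceptionAllowsInsecureHTTPLoads"):
            findings.append(("high", f"{scope}: plaintext HTTP permitted"))
        tls = rules.get("NSExceptionMinimumTLSVersion") or rules.get("NSThirdPartyExceptionMinimumTLSVersion")
        if tls in ("TLSv1.0", "TLSv1.1"):
            findings.append(("medium", f"{scope}: minimum TLS version lowered to {tls}"))
        if (rules.get("NSExceptionRequiresForwardSecrecy") is False
                or rules.get("NSThirdPartyExceptionRequiresForwardSecrecy") is False):
            findings.append(("low", f"{scope}: forward secrecy not required"))
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:
        blob = SAMPLE_INFO_PLIST
    for severity, message in ats_findings(blob) or [("info", "no ATS relaxations found")]:
        print(f"[{severity}] {message}")
```

Run it as python3 ats_check.py Payload/AppName.app/Info.plist (file name assumed); real bundles usually ship Info.plist in binary plist form, which plistlib.loads parses just as it does the XML fixture. Each finding is a configuration weakness to report together with the traffic that actually relies on it, since an exception domain that is no longer used is a dead setting rather than an exposure.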


Intel Dump

  • IPAs from App Store are encrypted and useless for RE

  • Decryption happens only at runtime on a real device

  • Bagbak is the most reliable IPA dumper

  • frida-ios-dump still widely used in labs and scripts

  • TrollStore can dump decrypted IPAs on supported devices

  • Manual filesystem extraction requires later decryption

  • Apple Configurator exports encrypted IPAs only

  • Always check cryptid flag before analysis

  • Decrypted IPA enables reverse engineering, string search, binary patching and entitlement review
