Tutorial: iOS IPA security scanning

Statically analyze an iOS app on Linux — no macOS host, no physical device, no jailbreak. Pencheff fetches the .ipa, parses its plists and Mach-O headers, and maps findings to OWASP MASVS.

Scenario

  • Artifact. Acme.ipa, hosted at a URL you control.
  • Goal. Transport-security, URL-scheme, binary-hardening, and secret findings — mapped to OWASP MASVS — for the iOS team.
⚠️ FairPlay limit. App Store IPAs are encrypted (cryptid=1), which hides the compiled code section from static analysis. Pencheff flags this in the report and still extracts everything from the plists, resources, entitlements, and Mach-O headers. For full code-level depth, scan a development/enterprise build.

Inputs you need

  • Artifact URL (.ipa). Goes in the Artifact URL field.
  • SHA-256 of the file. Goes in the SHA-256 field (the integrity gate). Compute it with:

    shasum -a 256 Acme.ipa

Time budget

  • Fetch + verify + unpack: 1–2 min
  • Static analysis (plist, Mach-O, secrets): 1–2 min
  • Total: ~4 min

Steps

1. Register the target

app.pencheff.com → Register target → Mobile & Client Security → iOS Application:

  • Name: Acme iOS — release
  • Artifact URL: https://builds.acme.com/Acme.ipa
  • SHA-256: the digest from above

2. Run the scan

Commission scan from the target page. Pencheff downloads and verifies the IPA, unzips it, and parses:

  • Info.plist — App Transport Security (NSAllowsArbitraryLoads), custom URL schemes (CFBundleURLTypes), privacy permission strings.
  • The Mach-O binary — PIE, stack canary, and the cryptid encryption flag (via LIEF where available; otool is used when present).
  • Embedded provisioning profile and bundled framework/SDK versions.

The app is never executed.

3. Read the findings

  • mobile_communication: ATS disabled / arbitrary loads, cleartext endpoints
  • mobile_misconfig: deeplink-hijackable custom URL schemes, missing Mach-O hardening
  • mobile_secrets: API keys / tokens in plists, resources, or strings

Every finding is mapped to OWASP MASVS with remediation. If the binary is FairPlay-encrypted, the report says so explicitly so you know the code-level depth was capped.
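The integrity gate from "Inputs you need" and the plist and Mach-O checks from steps 2 and 3, as an added Python example (this is not Pencheff's code). It refuses an IPA whose SHA-256 does not match, pulls Info.plist and the main executable out of the archive, reads the ATS and URL-scheme keys with plistlib, walks the Mach-O header for the MH_PIE flag and the LC_ENCRYPTION_INFO_64 cryptid, and buckets results into the three categories listed above. The IPA it scans is constructed inline (a weak ATS config, one custom scheme, and a hand-built non-PIE, cryptid=1 Mach-O header with a single load command); the finding wording, the CPU_TYPE_ARM64 / MH_EXECUTE constants and the Acme names are the example's own assumptions, and stack-canary detection (which needs the symbol table) is left out.

```python
import hashlib
import io
import plistlib
import struct
import zipfile

# Mach-O constants from <mach-o/loader.h>
MH_MAGIC_64 = 0xFEEDFACF
MH_CIGAM_64 = 0xCFFAEDFE          # byte-swapped magic: file is big-endian
MH_PIE = 0x200000                 # header flag: ASLR-capable executable
LC_ENCRYPTION_INFO_64 = 0x2C      # load command carrying cryptid
CPU_TYPE_ARM64 = 0x0100000C       # used only for the constructed sample
MH_EXECUTE = 2


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def analyze_info_plist(info: dict) -> list:
    """Return (category, description) findings from a parsed Info.plist dict."""
    findings = []
    ats = info.get("NSAppTransportSecurity", {})
    if ats.get("NSAllowsArbitraryLoads") is True:
        findings.append(("mobile_communication", "ATS disabled: NSAllowsArbitraryLoads is true"))
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        if rules.get("NSExceptionAllowsInsecureHTTPLoads") is True:
            findings.append(("mobile_communication", f"cleartext HTTP allowed for {domain}"))
    for url_type in info.get("CFBundleURLTypes", []):
        for scheme in url_type.get("CFBundleURLSchemes", []):
            findings.append(("mobile_misconfig",
                             f"custom URL scheme {scheme}:// registered (deeplink-hijackable)"))
    return findings


def analyze_macho(blob: bytes) -> dict:
    """Read the PIE flag and LC_ENCRYPTION_INFO_64 cryptid from a thin 64-bit Mach-O."""
    (magic,) = struct.unpack_from("<I", blob, 0)
    if magic == MH_MAGIC_64:
        end = "<"
    elif magic == MH_CIGAM_64:
        end = ">"
    else:
        raise ValueError("not a thin 64-bit Mach-O (fat/32-bit images not handled here)")
    # mach_header_64: magic cputype cpusubtype filetype ncmds sizeofcmds flags reserved
    _, _, _, _, ncmds, _, flags, _ = struct.unpack_from(end + "8I", blob, 0)
    result = {"pie": bool(flags & MH_PIE), "cryptid": 0}
    offset = 32  # sizeof(mach_header_64); load commands follow immediately
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from(end + "2I", blob, offset)
        if cmd == LC_ENCRYPTION_INFO_64:
            # encryption_info_command_64: cmd cmdsize cryptoff cryptsize cryptid pad
            result["cryptid"] = struct.unpack_from(end + "6I", blob, offset)[4]
        offset += cmdsize
    return result


def scan_ipa(ipa_bytes: bytes, expected_sha256: str) -> dict:
    """Integrity gate, then static analysis of Info.plist and the main executable."""
    if sha256_hex(ipa_bytes) != expected_sha256.lower():
        raise ValueError("SHA-256 mismatch: artifact rejected before analysis")
    report = {"findings": [], "fairplay_encrypted": False}
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as z:
        plist_path = next((n for n in z.namelist()
                           if n.startswith("Payload/") and n.count("/") == 2
                           and n.endswith("/Info.plist")), None)
        if plist_path is None:
            raise ValueError("no Payload/<App>.app/Info.plist in archive")
        info = plistlib.loads(z.read(plist_path))
        report["findings"] += analyze_info_plist(info)
        app_dir = plist_path.rsplit("/", 1)[0]
        macho = analyze_macho(z.read(f"{app_dir}/{info['CFBundleExecutable']}"))
        if not macho["pie"]:
            report["findings"].append(("mobile_misconfig", "main executable lacks MH_PIE (no ASLR)"))
        # cryptid=1: FairPlay-encrypted __TEXT. Header/plist results stand; code depth is capped.
        report["fairplay_encrypted"] = macho["cryptid"] == 1
    return report


def build_sample_ipa() -> bytes:
    """Constructed artifact for this demo (not a real app): weak ATS, a custom scheme,
    and a non-PIE Mach-O header whose only load command reports cryptid=1."""
    info = {
        "CFBundleExecutable": "Acme",
        "NSAppTransportSecurity": {"NSAllowsArbitraryLoads": True},
        "CFBundleURLTypes": [{"CFBundleURLSchemes": ["acme"]}],
    }
    load_cmd = struct.pack("<6I", LC_ENCRYPTION_INFO_64, 24, 0x4000, 0x1000, 1, 0)
    header = struct.pack("<8I", MH_MAGIC_64, CPU_TYPE_ARM64, 0, MH_EXECUTE, 1, len(load_cmd), 0, 0)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/Acme.app/Info.plist", plistlib.dumps(info))
        z.writestr("Payload/Acme.app/Acme", header + load_cmd)
    return buf.getvalue()


if __name__ == "__main__":
    ipa = build_sample_ipa()
    for category, text in scan_ipa(ipa, sha256_hex(ipa))["findings"]:
        print(f"{category:22} {text}")
```

On a real IPA, replace build_sample_ipa() with the downloaded file's bytes and the digest from shasum; a fat (multi-architecture) executable would need the FAT_MAGIC header walked first to reach the arm64 slice, which this parser deliberately does not do.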

Deliverable

A MASVS-mapped findings register exportable to DOCX/JSON/CSV.