Update Information about obtaining and extracting iOS apps

[bernhste]

During an iOS penetration test, I came across the following situation: The target app required a version larger than the latest jailbroken iOS, and it was only distributed through TestFlight. And this situation is becoming more common.

This lead me down a rabbit hole about how we can access iOS IPAs in 2025 and beyond.

So I tested the current (Dec 2025) available techniques methods to access iOS apps:

1. Developers provides unencrypted IPA for mobile devices, Xcode-Simulator, Mac compatibility layer.
   • Directly patch frida.re gadget and resign it using the appropriate embedded.mobileprovision
   • Test it on a current stock device
2. Download the prod IPA from the official store
   • OS version requirement <= latest Jailbreak: use dynamic FairPlay decryption (e.g. frida-ios-dump (MASTG-TOOL-0050)
   • OS version requirement > latest Jailbreak: Downgrade version and use static FairPlay decryption using TrollDecryptJB. However, this method only decrypted the main binary, not plugins an frameworks.
3. Download IPA from TestFlight
   • OS version requirement <= latest Jailbreak: Test it on the jailbroken device directly.
   • OS version requirement > latest Jailbreak: Basically out of luck?

The last point was a dead end for me. I intercepted the TestFlight traffic on an old jailbroken device using Burp, changed the OS version and tricked TestFlight into installing it on the old device. But the static decryption with TrollDecryptJB did not work. So without the decrypted IPA I was not able to fully test the profile MAS-L2.

My question though is: How should we address this situation in MASTG? Because one can argue, that this situation is very uncommon for ethical hackers as they work together with a developer which wants to provide the decrypted IPA. Such cases can happen.

In any case, I would like to update MASTG-TECH-0054: Obtaining and Extracting Apps to add the downgrade/TrollStoreJB technique for the app store IPA as this is useful for ethical security testers.

[Alefiya101]

Hi, thanks for sharing this scenario,it definitely feels more common lately.

I’d be happy to help with a small documentation update to MASTG-TECH-0054 that explains current iOS/TestFlight limitations (2025+), especially cases where obtaining a decrypted IPA isn’t feasible without developer cooperation.

I’m not suggesting new bypass techniques, just clearer guidance and scope clarification for testers.

Does this sound like an acceptable direction before I draft anything?

[cpholguera]

@Alefiya101 could you please tell us more about your expertise on the matter?

[Alefiya101]

Sure.
My understanding comes from reviewing the current MASTG content that I could find and well-documented iOS security behavior. I’m familiar with how FairPlay encryption, TestFlight vs. App Store distribution, and jailbreak availability impact the feasibility of obtaining a testable IPA on newer iOS versions.

I feel it is sufficient for me to accurately outline the constraints and limitations in MASTG-TECH-0054, strictly as guidance and without introducing new techniques.

[cpholguera]

@Alefiya101 Before we assign a ticket, we do need to verify that you have relevant mobile application security experience. Based on your profile, I don't immediately see any relevant projects? Can you share what kind of expertise you have in mobile security? The company you're working for? Other relevant open source project contributions? LinkedIn profile, personal website or similar.

We are unfortunately forced to ask for this as we are being overrun with unverified AI generations which greatly reduce the quality of the project. Without existing experience, it's impossible to know if the AI is hallucinating or not. Are you planning to use AI?

[bernhste]

@cpholguera You can assign it to me and I'll propose an update to https://mas.owasp.org/MASTG/techniques/ios/MASTG-TECH-0054/