iOS
Frida iOS Reference
Operational Modes
| Mode | Requirements | Capabilities |
|---|---|---|
| With Jailbreak | Cydia + Frida repo | System services, all apps, full instrumentation |
| Without Jailbreak | iOS 13+, Developer Disk Image, Gadget dylib | Debuggable apps only |
With Jailbreak
Prerequisites
- Jailbroken iOS device with Cydia installed
- USB cable
- Frida installed on the host machine (pip install frida-tools)
- Host OS: Windows, macOS, or Linux (Linux requires Frida ≥ 6.0.9 for USB support)
Device Setup
- Open Cydia on the iOS device.
- Navigate to Manage → Sources → Edit → Add.
- Enter repository URL: https://build.frida.re
- Search for and install the Frida package.
This installs frida-server as a daemon that accepts connections over USB.
Smoke Test
Plug in the iOS device via USB and run on the host:
frida-ps -U
Expected output (device connected):
PID NAME
488 Clock
116 Facebook
312 IRCCloud
1711 LinkedIn
…
If the device is not yet connected:
Waiting for USB device to appear...
Linux note (Frida < 6.0.9): USB (-U) is not supported. Use WiFi with an SSH tunnel:
ssh -L 27042:localhost:27042 root@<device-ip>
frida-ps -R # -R = remote (localhost:27042)
Frida 6.0.9+ has usbmuxd integration; -U works directly.
Example: Trace Crypto Calls in an App
Target: Twitter app on device. Traces all variants of CCCryptorCreate from Apple’s libcommonCrypto.dylib.
frida-trace -U -i "CCCryptorCreate*" Twitter
Sample output during attach:
Uploading data...
CCCryptorCreate: Auto-generated handler …/CCCryptorCreate.js
CCCryptorCreateFromData: Auto-generated handler …/CCCryptorCreateFromData.js
CCCryptorCreateWithMode: Auto-generated handler …/CCCryptorCreateWithMode.js
CCCryptorCreateFromDataWithMode: Auto-generated handler …/CCCryptorCreateFromDataWithMode.js
Started tracing 4 functions. Press Ctrl+C to stop.
Trigger network activity in the app; expected trace output:
3979 ms CCCryptorCreate()
3982 ms CCCryptorCreateWithMode()
3983 ms CCCryptorCreate()
3983 ms CCCryptorCreateWithMode()
The auto-generated .js handler files can be live-edited while the trace is running. Consult man CCCryptorCreate for argument details to extend the handlers.
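One way to extend the CCCryptorCreate handler for a crypto-usage audit, as an added example that is not part of the original page or the Frida project: it decodes the integer arguments and flags legacy algorithms, ECB mode and a NULL IV without reading key or IV bytes. The names auditCryptorCreate and handler are hypothetical; the constant values are assumed from Apple's CommonCryptor.h, and the onEnter body is meant to be moved into the generated file's own onEnter.

```javascript
// Added example, not from the Frida project. Constants are from CommonCryptor.h.
const OPS = ['encrypt', 'decrypt'];            // kCCEncrypt = 0, kCCDecrypt = 1
const ALGS = ['AES', 'DES', '3DES', 'CAST', 'RC4', 'RC2', 'Blowfish']; // CCAlgorithm 0..6
const LEGACY = new Set(['DES', '3DES', 'RC4', 'RC2']);
const kCCOptionPKCS7Padding = 0x1;
const kCCOptionECBMode = 0x2;

// Hypothetical helper. Arguments mirror
// CCCryptorCreate(op, alg, options, key, keyLength, iv, cryptorRef);
// only integers and the IV's NULL-ness are inspected, never key or IV bytes.
function auditCryptorCreate(op, alg, options, keyLength, ivIsNull) {
  const algName = ALGS[alg] || `unknown(${alg})`;
  const ecb = (options & kCCOptionECBMode) !== 0;
  const mode = algName === 'RC4' ? 'stream' : (ecb ? 'ECB' : 'CBC');
  const padding = (options & kCCOptionPKCS7Padding) ? 'PKCS7' : 'none';
  const findings = [];
  if (LEGACY.has(algName)) findings.push(`legacy algorithm ${algName}`);
  if (mode === 'ECB') findings.push('ECB mode');
  // Without the ECB bit the cryptor runs CBC, and a NULL iv means an all-zero IV.
  if (mode === 'CBC' && ivIsNull) findings.push('CBC with NULL (all-zero) IV');
  if (algName === 'AES' && ![16, 24, 32].includes(keyLength)) {
    findings.push(`unexpected AES key length ${keyLength}`);
  }
  const summary = `op=${OPS[op] || op} alg=${algName} mode=${mode} ` +
                  `padding=${padding} keyLength=${keyLength}`;
  return { summary, findings };
}

// Same shape as a frida-trace handler: onEnter(log, args, state),
// where each args[i] is a NativePointer.
const handler = {
  onEnter(log, args, state) {
    const r = auditCryptorCreate(
      args[0].toInt32(), args[1].toInt32(), args[2].toInt32(),
      args[4].toInt32(), args[5].isNull());
    log(`CCCryptorCreate(${r.summary})`);
    r.findings.forEach((f) => log(`  [!] ${f}`));
  },
};
```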
Without Jailbreak
How It Works
Frida injects Gadget automatically into debuggable apps. No frida-server or root access is required. Automatic injection was introduced in Frida 12.7.12.
Prerequisites
| Requirement | Details |
|---|---|
| iOS version | iOS 13 or newer (recommended). Older versions are experimental. |
| Developer Disk Image | Must be mounted on the device. Xcode mounts it automatically on USB discovery; or use ideviceimagemounter manually. |
| Gadget dylib | Must be present locally. On macOS: ~/.cache/frida/gadget-ios.dylib. Exact path shown in error output if missing. |
| App type | Must be a debuggable app (i.e., built with get-task-allow entitlement). App Store apps are not debuggable. |
Workflow
- Ensure Gadget is cached locally (download via frida CLI; it will show the exact path in the error message if absent).
- Mount the Developer Disk Image (Xcode does this automatically).
- Attach to a debuggable app — Frida injects Gadget automatically:
frida -U -f com.example.MyApp
Building Custom Tools
Use the Frida APIs to build programmatic instrumentation tools.
Key substitution for USB-connected iOS devices:
Replace any frida.attach(...) call with:
frida.get_usb_device().attach(...)
Quick Reference
| Task | Command |
|---|---|
| List processes on USB device | frida-ps -U |
| Attach to running app | frida -U -n AppName |
| Spawn and attach to app | frida -U -f com.bundle.id |
| Trace function by name pattern | frida-trace -U -i "FunctionName*" AppName |
| Use WiFi tunnel (old Linux) | frida-ps -R (after SSH tunnel on port 27042) |