A hardened Frida script to bypass IOSSecurity framework protections in iOS applications by intercepting runtime security checks at their decision points.
Designed for: Penetration testers, reverse engineers, and mobile security researchers conducting authorized testing.
The IOSSecurity framework implements multiple runtime protections through a centralized checker class (`JailbreakChecker`):
- Jailbreak Detection (`amIJailbroken`)
- Debugger Detection (`amIDebugged`)
- Runtime Hook Detection (`amIRuntimeHooked`)
- Reverse Engineering Detection (`amIReverseEngineered`)
These checks typically aggregate into:

```
JailbreakChecker.performChecks()
```

When triggered, protected apps may:
- ❌ Terminate immediately
- 🔒 Restrict functionality
- 🚫 Block critical features
Rather than bypassing individual checks, this script targets the aggregation layer where security decisions are enforced.
- ✅ Single point of control → All downstream checks become ineffective
- ✅ App behaves as clean → No jailbreak/debug/hook state detected
- ✅ Analysis continues → Uninterrupted dynamic testing
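Why an aggregation layer is a single point of failure, as an added plain-JavaScript model (not the IOSSecurity framework and not the script described on this page): the `AggregatingChecker`, `DistributedChecker` and `probes` names are constructed for illustration, and the "forced return value" effect is simulated with ordinary property reassignment rather than any instrumentation. It counts how many feature gates open after one patch in each design, which is the design lesson a defender takes from the paragraph above.

```javascript
// Added illustration: a plain-JS model of why funnelling every runtime
// protection through one performChecks() result is a single point of failure.
// Nothing here is IOSSecurity code or the Frida script from this page.

// Constructed probe results for a device that is both jailbroken and debugged.
const probes = {
  amIJailbroken: () => true,
  amIDebugged: () => true,
  amIRuntimeHooked: () => false,
  amIReverseEngineered: () => false,
};

// Design A: every decision consults performChecks(), which returns
// 1 for "clean" and 0 for "detected" (the convention the page describes).
class AggregatingChecker {
  constructor(p) { this.p = p; }
  performChecks() {
    const detected = Object.values(this.p).some(fn => fn());
    return detected ? 0 : 1;
  }
  // Feature gates only ever look at the aggregate result.
  canUseWallet() { return this.performChecks() === 1; }
  canShowSecrets() { return this.performChecks() === 1; }
}

// Design B: each gate consults the probes it cares about directly, so no
// single method holds the whole decision.
class DistributedChecker {
  constructor(p) { this.p = p; }
  canUseWallet() {
    return !this.p.amIJailbroken() && !this.p.amIRuntimeHooked();
  }
  canShowSecrets() {
    return !this.p.amIDebugged() && !this.p.amIReverseEngineered() && !this.p.amIJailbroken();
  }
}

// Simulates "force this method to return a fixed value" by plain reassignment.
function forceReturn(obj, method, value) {
  obj[method] = () => value;
}

function openGates(c) {
  return [c.canUseWallet(), c.canShowSecrets()].filter(Boolean).length;
}

// Design A: one patch at the aggregation point opens every gate.
function gatesOpenAfterPatchingAggregate() {
  const c = new AggregatingChecker({ ...probes });
  const before = openGates(c);
  forceReturn(c, 'performChecks', 1);
  const after = openGates(c);
  return { before, after };            // { before: 0, after: 2 }
}

// Design B: there is no aggregate to patch; forcing one probe only opens the
// gates that depended solely on it, because the other probe still reports.
function gatesOpenAfterPatchingOneProbe() {
  const p = { ...probes };
  const c = new DistributedChecker(p);
  const before = openGates(c);
  forceReturn(p, 'amIJailbroken', false);
  const after = openGates(c);
  return { before, after };            // { before: 0, after: 1 }
}
```

In design A the number of methods that must be altered to open every gate is one regardless of how many probes exist; in design B it grows with the number of independent probes each gate consults, which is the property a defender wants from this layer.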
```javascript
ObjC.classes.JailbreakChecker['- performChecks']
ObjC.classes.JailbreakChecker['- amIJailbroken']
// ... etc
```

- Direct class method interception
- High reliability when symbols are available
- Explicit return value control
```javascript
PERFORM_REGEX = /JailbreakChecker.*performChecks/i
BOOL_REGEX = /(amIJailbroken|amIDebugged|amIRuntimeHooked|amIReverseEngineered)/i
```

- Scans all loaded modules
- Regex-based strict matching
- Catches variations and obfuscated names
- ✔️ Validates executable memory regions
- ✔️ Deduplicates hook targets (prevents double-hooking)
- ✔️ Graceful error handling
```
performChecks → FORCE_CLEAN (1) // Clean state
Boolean APIs  → FORCE_FALSE (0) // Not jailbroken/debugged/hooked
```

`JailbreakChecker.performChecks` → Returns clean state (1)

All forced to return false (0):
- `amIJailbroken`
- `amIDebugged`
- `amIRuntimeHooked`
- `amIReverseEngineered`
| Feature | Description |
|---|---|
| Regex-Based Matching | Strict symbol identification with pattern validation |
| Objective-C Fallback | High-reliability hooks via runtime class introspection |
| Safe Attach | Executable validation + deduplication checks |
| Preview Mode | Non-intrusive symbol scanning without hooking |
| Configurable Behavior | Adjustable return values per target |
| Reduced False Positives | Explicit hook type metadata prevents misclassification |
| Detailed Logging | Clear console output for debugging |
```bash
frida -U -f com.target.app -l iossecurity_slayer_v2.js
frida -U -N com.target.app -l iossecurity_slayer_v2.js
```

Edit these constants at the top of the script:

```javascript
/* CONFIG (EXPLICIT CONTROL) */
const FORCE_CLEAN = 1;        // performChecks return: 1 = clean, 0 = detected
const FORCE_FALSE = 0;        // Boolean APIs return: 0 = false, 1 = true
const ENABLE_PREVIEW = false; // true = scan only (no hooks), false = hook
```

| Setting | Values | Purpose |
|---|---|---|
| `FORCE_CLEAN` | `1` (default) | Makes performChecks return "clean state" |
| | `0` | Alternative if app logic is inverted |
| `FORCE_FALSE` | `0` (default) | Boolean checks return false (not detected) |
| | `1` | Alternative if app logic is inverted |
| `ENABLE_PREVIEW` | `false` (default) | Hooks are applied |
| | `true` | Only logs matches without hooking (dry-run) |
FORCE_CLEAN between 0/1.
```
[*] IOSSecurity bypass starting (Hardened v2)
[✓] ObjC JailbreakChecker hooks installed
[+] performChecks hooked in IOSSecurity.framework
[+] Bool API hooked in IOSSecurity.framework
[✓] Hooking completed
[Slayer] total hooks: 5
[Slayer] IOSSecurity.framework -> JailbreakChecker.performChecks → forced CLEAN state
[Slayer] IOSSecurity.framework -> amIJailbroken → forced Bool = false
[Slayer] IOSSecurity.framework -> amIDebugged → forced Bool = false
```

```
[PREVIEW] IOSSecurity.framework -> JailbreakChecker.performChecks @ 0x1023a4f80
[PREVIEW] IOSSecurity.framework -> amIJailbroken @ 0x1023a5120
```

```
[*] IOSSecurity bypass starting (Hardened v2)
[!] No hooks applied
[i] Possible reasons:
    • Symbols stripped
    • Static linking
    • Different framework implementation
[Slayer] total hooks: 0
```
- ❌ Symbols are stripped → No function names available for regex matching
- ❌ Static linking → Framework compiled directly into app binary
- ❌ Inline functions → Compiler optimizations eliminate function calls
- ❌ Custom implementation → App uses different security framework
- ❌ Anti-Frida protections → Detection/blocking of Frida itself
- ⏱️ Initial scan may take 2-5 seconds (module enumeration)
- 💾 Memory overhead minimal (only hooked addresses stored)
⚠️ AUTHORIZED TESTING ONLY
This tool is intended for:
• Security research on applications you own or have permission to test
• Educational purposes in controlled environments
• Authorized penetration testing engagements
Unauthorized use against applications without explicit written permission
is illegal and unethical.
THE AUTHOR IS NOT RESPONSIBLE FOR MISUSE OR DAMAGES.
This script is provided as-is for security research purposes. Use responsibly and ethically.
Slayer
Hardened v2 - Explicit control, strict matching, high reliability
- ✨ Explicit return value control (no ambiguity)
- ✨ Strict regex-based symbol matching
- ✨ Objective-C fallback hooks
- ✨ Safe attachment mechanism
- ✨ Preview mode for non-intrusive scanning
- ✨ Reduced false positives via metadata tagging
- Initial release with basic hooking
Happy Hunting! 🎯