Skip to content
/ frida-ipa-extract Public

Robust Frida-based tool to dump decrypted iOS apps as .ipa from a jailbroken device supports App Store, sideloaded and system.

lautarovculic.com

License

WTFPL license
78 stars 8 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

lautarovculic/frida-ipa-extract

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
frida_ipa_extract
frida_ipa_extract
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
extract.py
extract.py
 
 
requirements.txt
requirements.txt
 
 

Repository files navigation

frida-ipa-extract

This project was inspired by frida-ios-dump. Since I recently encountered problems with that tool, I decided to create frida-ipa-extract with greater robustness and additions to address problems we face today. Extract a decrypted .ipa from a jailbroken iOS device using Frida. Supports apps installed via App Store, sideload, and system apps.

Requirements

  • Python 3.9+
  • frida and paramiko
  • Jailbroken iOS device with frida-server running
  • For SSH mode: OpenSSH on the device

Install dependencies:

python3 -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt

Usage

python extract.py -U -f com.example.app -o MyApp.ipa
python extract.py -U -f com.example.app -o MyApp.ipa --sandbox
python extract.py -U -f com.example.app -o MyApp.ipa --no-resume
python -m frida_ipa_extract -U --pid 1234 -o MyApp.ipa
./extract.py -U "My Running App"
python extract.py -H 192.168.100.32 -P 2222 -u root -p password -f com.example.app

Arguments:

  • -f <target>: spawn an app (bundle id or app name)
  • --pid <pid>: attach to a running PID
  • target (positional): app name/bundle id of a running app
  • -o <path>: output IPA path (defaults to <AppName>.ipa)
  • -U: connect via USB
  • -H <host> -P <port> -u <user> -p <pass>: connect via SSH (paramiko)
  • --sandbox: dump the app sandbox to <AppName>-sandbox in the current directory
  • --no-resume: keep a spawned app suspended (useful if the app crashes due jailbreaks detections when instrumented)

If you do not pass -f or --pid, the tool attaches to a running app. If no target is provided, it will list running apps and prompt you to choose.

Notes

  • When using SSH without -U, the tool opens a local tunnel to frida-server on port 27042 and uses SFTP to download the app bundle. If you pass both -U and -H, USB is used for Frida and SSH is used only for file transfer.
  • When using USB without SSH, the bundle is pulled via Frida RPC (slower for large apps).
  • If the app is not running, use -f to spawn it.
  • Make sure frida-server is running on the device before dumping.
  • A progress bar is shown while files are being downloaded.
  • If a Frida session is lost mid-download, the tool retries by switching to a stable system process; for stubborn apps use --no-resume or SSH transfer.

Troubleshooting

  • Frida attach timed out: the app may block attach; use -f to spawn or try --no-resume.
  • script has been destroyed during download: the app crashed; retry with --no-resume or use SSH transfer (-H/-u/-p).
  • No running apps found: the app is not running; use -f to spawn it.

About

Robust Frida-based tool to dump decrypted iOS apps as .ipa from a jailbroken device supports App Store, sideloaded and system.

lautarovculic.com

Topics

apple ipa mobile-security ios-security frida frida-server ios-hacking frida-scripts frida-ios-dump frida-dump mobile-hacking ios-security-tool ipa-extractor

Resources

Readme

License

WTFPL license
Activity

Stars

78 stars

Watchers

0 watching

Forks

8 forks
Report repository

Languages