IPAAutoDec is a tool that decrypts IPA files on a jailbroken iOS device via SSH. It handles the entire workflow: uploading the IPA, installing it, decrypting the binaries, and repackaging it as a decrypted IPA file.
For details on how to use the tool, see Anvil's blog post, Locked Up But Not Locked Out: iOS App Pentesting Without Jailbreak.
- Automated Workflow: Handles the complete decryption process end-to-end
- Dependency Management: Automatically checks and installs required tools (appinst, fouldecrypt)
- SSH Integration: Connects to the jailbroken iOS device via SSH (default creds `root:alpine`)
- Binary Decryption: Decrypts all Mach-O binaries in the app bundle and extensions
- IPA Repackaging: Creates a properly structured decrypted IPA file and pulls it back from the iOS device
- `sshpass` - for password-based SSH authentication
- `scp` and `ssh`
- Network access to the jailbroken iOS device
- Jailbroken iOS device (rootful or rootless)
- SSH access enabled (OpenSSH or similar)
- Clone or download this repository:

```bash
git clone https://github.com/anvilsecure/IPAAutoDec
cd IPAAutoDec
```

- Ensure the script is executable:

```bash
chmod +x ipa_auto_dec.sh
```

```bash
./ipa_auto_dec.sh -h <device_ip> -i <path_to_ipa_file>
```

```bash
./ipa_auto_dec.sh \
  -h 192.168.1.100 \
  -l 22 \
  -u username \
  -p password \
  -i MyApp.ipa
```

| Option | Description | Required | Default |
|---|---|---|---|
| `-h` | Device IP address or hostname | Yes | - |
| `-i` | Path to the IPA file to decrypt | Yes | - |
| `-l` | SSH port number | No | 22 |
| `-u` | SSH username | No | root |
| `-p` | SSH password | No | alpine |
| `-a` | Custom path to appinst .deb file | No | Use `com.linusyang.appinst_1.1.4_iphoneos-arm64.deb` for rootless jailbreak, `nodelete-com.linusyang.appinst.deb` for rootful |
| `-b` | Bundle identifier (auto-detected if not provided) | No | Extracted from IPA |

The tool performs the following steps automatically:
- Dependency Check: Verifies and installs required tools (unzip, fouldecrypt, appinst)
- Upload: Transfers the IPA file to the device
- Installation: Installs the IPA using `appinst`
- Decryption:
  - Locates the installed app
  - Copies app structure to temporary Payload directory
  - Decrypts all Mach-O binaries using `fouldecrypt`
  - Signs binaries with `ldid`
- Repackaging: Creates a new IPA file with decrypted binaries
- Download: Pulls the decrypted IPA back to your computer
Problem: Cannot connect to device
- Verify device IP address is correct
- Ensure SSH is enabled on the device
- Check that device and computer are on the same network
- Verify firewall isn't blocking SSH port
Problem: appinst/fouldecrypt/zip/etc. installation fails
- Check that `dpkg` and `apt-get` are working on the iOS device
- Try installing manually with `dpkg -i` and `apt-get install -y unzip`
- Mind the versions - `com.linusyang.appinst_1.1.4_iphoneos-arm64.deb` / `moe.misty.fouldecrypt_0.0.3_iphoneos-arm64.deb` for rootless jailbreaks, `nodelete-com.linusyang.appinst.deb` / `moe.misty.fouldecrypt_0.0.3_iphoneos-arm.deb` for rootful
Problem: Decryption fails
- Verify fouldecrypt is properly installed
- Check that the app is actually encrypted
- Ensure sufficient disk space on device
The tool uses fouldecrypt to decrypt Mach-O binaries. It:
- Finds all `_CodeSignature` directories in the app bundle
- Identifies Mach-O binaries in each directory
- Decrypts each binary (fouldecrypt outputs to `/tmp/`)
- Moves decrypted binaries to the correct location in Payload structure
- Signs binaries with `ldid`
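
To check on the computer side whether an IPA is actually encrypted, or whether the pulled-back IPA is fully decrypted, read the `cryptid` field of each Mach-O slice's `LC_ENCRYPTION_INFO` / `LC_ENCRYPTION_INFO_64` load command; a nonzero value marks the slice as encrypted. The Python script below is an added example, not part of IPAAutoDec; its function names are illustrative and it assumes little-endian slices, as used on iOS.

```python
import struct
import zipfile

LC_ENCRYPTION = (0x21, 0x2C)  # LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64
THIN_MAGICS = (b"\xce\xfa\xed\xfe", b"\xcf\xfa\xed\xfe")  # MH_MAGIC, MH_MAGIC_64 as stored on disk
FAT_MAGIC = b"\xca\xfe\xba\xbe"  # universal binary; its header fields are big-endian

def slice_cryptid(data, off=0):
    """cryptid of the thin Mach-O starting at `off`; None if it has no encryption command."""
    if data[off:off + 4] not in THIN_MAGICS:
        raise ValueError("slice is not a little-endian Mach-O")
    ncmds, = struct.unpack_from("<I", data, off + 16)
    pos = off + (32 if data[off] == 0xCF else 28)  # size of mach_header_64 / mach_header
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, pos)
        if cmd in LC_ENCRYPTION:
            return struct.unpack_from("<I", data, pos + 16)[0]  # follows cryptoff, cryptsize
        if cmdsize < 8:
            raise ValueError("corrupt load command")
        pos += cmdsize
    return None

def cryptids(data):
    """One cryptid (or None) per architecture slice; [] when data is not a Mach-O."""
    if data[:4] == FAT_MAGIC:
        nfat, = struct.unpack_from(">I", data, 4)
        return [slice_cryptid(data, struct.unpack_from(">I", data, 16 + 20 * i)[0])
                for i in range(nfat)]  # fat_arch.offset sits 8 bytes into each 20-byte entry
    return [slice_cryptid(data)] if data[:4] in THIN_MAGICS else []

def flag_encrypted(ipa_path):
    """Files under Payload/ with a nonzero cryptid or an unparseable Mach-O header."""
    flagged = []
    with zipfile.ZipFile(ipa_path) as ipa:
        for name in ipa.namelist():
            try:
                if name.startswith("Payload/") and any(cryptids(ipa.read(name))):
                    flagged.append(name)
            except (struct.error, ValueError):
                flagged.append(name)  # magic matched but header is malformed: review manually
    return sorted(flagged)

if __name__ == "__main__":
    # Constructed sample: arm64 mach_header_64 plus one LC_ENCRYPTION_INFO_64 with cryptid=1.
    lc = struct.pack("<6I", 0x2C, 24, 0x4000, 0x1000, 1, 0)
    sample = struct.pack("<8I", 0xFEEDFACF, 0x0100000C, 0, 2, 1, len(lc), 0, 0) + lc
    print(cryptids(sample))
```

An empty list from `flag_encrypted("MyApp_decrypted.ipa")` (file name assumed) means no binary under `Payload/` still carries a nonzero `cryptid`.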
- appinst by Linus Yang - for IPA installation
- fouldecrypt by Misty - for binary decryption