Getting Started with iOS 13+ App Pentesting

In today’s world, there are many resources for learning information security. However, it can be confusing to know exactly where to start.

If you’re interested in learning how to perform security reviews/pentests of iOS apps running on iOS 13+ (latest version), this blog is for you. Here I’ll introduce you to a free and open-source project to help you get started with learning iOS app pentesting and security.

Note: Like my other blogs, this blog will also be short, to the point and easy to understand, so you will not find much description or theory.


  • MacBook, or
  • Jailbroken iPhone / iPad running latest iOS

If you’re already familiar with some AppSec concepts like web app security, how did you start learning it? Probably using some vulnerable web app? WebGoat? DVWA?

One of the above, right? Similarly, you can start learning iOS app security using an intentionally vulnerable iOS app – OWASP iGoat. You can find more about iGoat at –

Condition 1: If you have a MacBook, follow the steps below. If you don’t have a MacBook, you can jump to Condition 2.

Step 1: Git clone project from If you’re not familiar with git, simply use the Download Zip option.

Step 2: Inside iGoat-Swift folder, open iGoat-Swift.xcodeproj.

Step 3: Now select the target device as you wish. I’ve selected an iPhone 11 running iOS 13.3. Then click play!

Condition 2: If you have an iPhone / iPad (physical iDevice)

Step 1: Download iGoat (.IPA) file from

Step 2: Install AppSync Unified in Cydia (on your iPhone / iPad)

Step 3: Use iFunBox to install IPA on iDevice

That’s all! You have successfully installed the intentionally vulnerable iOS App – iGoat! What’s next?

You can start with Data Protection (Rest) challenges.

Let’s take a look at a sample challenge –

  1. If you think your answer is right, select Option 1, ‘Verify’.
  2. Need hints? Select Option 2, ‘Hints’.
  3. Need the solution? Select Option 3, ‘Solutions’.

You can find more documentation of this project at

If you’re facing any issues while following the blog, please drop them in the comment section.

If you find any issues or want to request a feature, update at


  1. OWASP iGoat –
  2. iGoat Project Code –
