A comprehensive Claude Code skill that enables Claude to extract, analyze, and reverse engineer iOS applications. It processes IPA files, .app bundles, Mach-O binaries, dynamic libraries, and frameworks — producing structured documentation of APIs, security findings, embedded secrets, SDK inventories, and protection assessments.
- IPA/App Extraction — Unpack IPA archives and .app bundles, dump Objective-C/Swift class headers via
ipsw class-dump, extract Info.plist, entitlements, embedded frameworks, and string constants - API Endpoint Discovery — Find HTTP endpoints across URLSession, Alamofire, Moya, AFNetworking, GraphQL, and WebSocket patterns
- Call Flow Tracing — Follow execution paths from ViewControllers through ViewModels/Presenters down to the networking layer
- Security Auditing — Scan for ATS exceptions, certificate pinning issues, weak crypto, keychain misuse, jailbreak detection, and debug artifacts
- Cloud Credential Scanning — Deep-scan for leaked API keys and secrets from Firebase, AWS, GCP, Azure, Stripe, Twilio, SendGrid, and more — with LLM-assisted risk classification
- Deep Binary Reversing — Decompile functions, trace cross-references, and analyze crypto/auth/network code using radare2, rizin, or Ghidra headless
- SDK Fingerprinting — Identify all embedded third-party SDKs, detect versions, and cross-reference with known CVEs
- Protection Detection — Detect obfuscation tools, anti-debugging, dylib injection prevention, integrity checks, jailbreak detection, and FairPlay DRM encryption
- macOS with Xcode Command Line Tools (provides
otool,strings,plutil,codesign) - ipsw — Required. Provides class-dump and Mach-O analysis (
brew install blacktop/tap/ipsw) - radare2 or rizin — Recommended for deep binary analysis
- Ghidra — Optional. Enables advanced headless decompilation with included Java scripts
Linux is supported for static analysis of already-extracted files only.
The skill includes dependency check and auto-install scripts that handle setup automatically.
Add this repository as a skill in your Claude Code project:
claude mcp add-skill ios-reverse-engineering https://github.com/<owner>/iOS-claude-skill.gitOr clone and add locally:
git clone https://github.com/<owner>/iOS-claude-skill.gitThen reference the skill directory in your Claude Code configuration.
Once installed, Claude will automatically check and install dependencies when you first use the skill. You can also verify manually:
bash skills/ios-reverse-engineering/scripts/check-deps.shIf anything is missing:
bash skills/ios-reverse-engineering/scripts/install-dep.sh <dependency>The skill provides a user-invocable slash command for the most common workflow:
/extract-ipa /path/to/MyApp.ipa
This will:
- Check and install required dependencies
- Extract the IPA and dump class headers
- Analyze the app structure (Info.plist, entitlements, frameworks, architecture pattern)
- Present a summary and offer next steps
| Format | Description |
|---|---|
.ipa |
iOS App Store package (ZIP archive containing Payload/*.app) |
.app |
Application bundle directory |
| Mach-O binary | Raw executable binary |
.dylib |
Dynamic library |
.framework |
Framework bundle |
# Basic extraction
/extract-ipa MyApp.ipa
# Custom output directory
/extract-ipa MyApp.ipa -o ./my-analysis
# Skip class-dump (faster, metadata only)
/extract-ipa MyApp.ipa --no-classdump
# Extract specific architecture from fat binaries
/extract-ipa MyApp.ipa --thin arm64
# Demangle Swift symbols
/extract-ipa MyApp.ipa --swift-demangleAfter extraction, you can ask Claude to perform any of the following analyses. Each phase builds on the extracted output.
"Analyze the app structure"
Reads Info.plist, entitlements, class-dump output, and embedded frameworks. Identifies the architecture pattern (MVC, MVVM, VIPER, Coordinator) and key classes.
"Trace the login flow from the UI to the network layer"
Follows execution paths: ViewController -> ViewModel/Presenter -> Service/Repository -> API Client -> URLSession/Alamofire. Maps dependency injection and service creation patterns.
"Find all API endpoints and document them"
Searches for HTTP endpoints across all major networking libraries. Supports targeted searches:
--urlsession— URLSession patterns only--alamofire— Alamofire/AFNetworking only--graphql— GraphQL operations--websocket— WebSocket connections--auth— Authentication patterns--urls— Hardcoded URLs--swift-concurrency— Combine/async-await patterns--security— Security-related patterns
Produces structured documentation for each endpoint including method, path, parameters, headers, response type, and call chain.
"Run a security audit on this app"
Scans for:
- App Transport Security (ATS) exceptions
- Disabled certificate pinning
- Hardcoded secrets and API keys
- Jailbreak detection mechanisms
- Weak cryptography (MD5, ECB mode, hardcoded IVs)
- Keychain misuse (
kSecAttrAccessibleAlways) - Debug artifacts and staging URLs
"Scan for leaked API keys and credentials"
Deep-scans for credentials from 20+ cloud providers with targeted scan options:
--firebase/--aws/--gcp/--azure— Cloud providers--payments— Stripe, PayPal, RevenueCat--messaging— Twilio, SendGrid, Slack, OneSignal--analytics— Sentry, Mixpanel, Amplitude, Segment--jwt— JWT tokens--severity high— Critical and high severity only
Each finding is classified by the LLM: service type, client-safety assessment, blast radius, false positive likelihood, validation steps, and remediation.
"Decompile the authentication functions"
Uses radare2/rizin or Ghidra headless for binary-level analysis:
--quick— Functions + strings + imports only--secrets— Focus on credential handling code--network— Focus on networking code--crypto— Focus on crypto implementations--auth— Focus on authentication logic--decompile "sym.objc.AuthService.login"— Decompile a specific function--decompile-pattern "auth\|login\|token"— Decompile matching functions--xrefs "sym.imp.CCCrypt"— Cross-references to a function--callgraph "sym.objc.NetworkManager.request"— Call graph visualization--entropy— Detect packing/encryption--tool ghidra— Force Ghidra headless with Java analysis scripts
Included Ghidra scripts:
DecompileAllFunctions.java— Full or security-targeted decompilationFindSecrets.java— Credential and API key detection in decompiled codeExportAPICalls.java— Network API symbol tracingExportCryptoUsage.java— Crypto function usage and weak pattern detectionExportStringXrefs.java— String cross-references categorized by type
"Identify all third-party SDKs"
Detects embedded SDKs by framework names, linked libraries, class prefixes, SDK-specific strings, and symbols. Categories include: Networking, Analytics, Advertising, Authentication, Payments, Push Notifications, Maps, Social, Database, Cloud Storage, UI/UX, Security, Messaging, Crash Reporting, A/B Testing, Deep Linking, and AR/ML.
Options:
--check-cves— Cross-reference detected SDK versions with known vulnerabilities--verbose— Show match details--json— JSON output for programmatic use
"What protections does this app use?"
Detects anti-tampering mechanisms and outputs a protection score (0-20):
--obfuscation— iXGuard, SwiftShield, OLLVM, Arxan, name obfuscation ratio, string encryption, control flow flattening--debugger— ptrace, sysctl, timing checks, exception ports, SIGTRAP handlers--injection—__RESTRICTsegment, DYLD checks, library enumeration, Substrate/Frida detection--integrity— Runtime code signing, binary hash checks, team ID verification, receipt validation--jailbreak— File path checks, URL schemes, sandbox escape tests, environment variables--encryption— FairPlay DRM detection
| Score | Level |
|---|---|
| 15-20 | Heavily protected |
| 10-14 | Well protected |
| 5-9 | Moderately protected |
| 1-4 | Lightly protected |
| 0 | Unprotected |
Most analysis scripts support --report <file.md> to generate structured Markdown reports:
"Extract the app, scan for secrets, fingerprint SDKs, detect protections, and generate reports for everything"
iOS-claude-skill/
├── commands/
│ └── extract-ipa.md # /extract-ipa slash command definition
├── skills/
│ └── ios-reverse-engineering/
│ ├── SKILL.md # Main skill definition and workflow
│ ├── scripts/
│ │ ├── check-deps.sh # Dependency checker
│ │ ├── install-dep.sh # Auto-installer for dependencies
│ │ ├── extract-ipa.sh # IPA/app extraction and class-dump
│ │ ├── find-api-calls.sh # API endpoint discovery
│ │ ├── deep-secret-scan.sh # Cloud credential scanner
│ │ ├── reversing-analyze.sh # Binary reversing with r2/Ghidra
│ │ ├── detect-sdks.sh # SDK fingerprinting
│ │ ├── detect-protections.sh# Protection detection
│ │ └── ghidra/ # Ghidra headless Java scripts
│ │ ├── DecompileAllFunctions.java
│ │ ├── FindSecrets.java
│ │ ├── ExportAPICalls.java
│ │ ├── ExportCryptoUsage.java
│ │ └── ExportStringXrefs.java
│ └── references/
│ ├── setup-guide.md # Tool installation guide
│ ├── class-dump-usage.md # ipsw class-dump reference
│ ├── api-extraction-patterns.md
│ ├── call-flow-analysis.md
│ ├── cloud-secrets-patterns.md
│ ├── reversing-tools-guide.md
│ ├── sdk-fingerprinting.md
│ └── anti-tampering-patterns.md
├── LICENSE # Unlicense (public domain)
└── README.md
- Security research — Audit iOS apps for vulnerabilities, leaked credentials, and weak crypto before responsible disclosure
- Penetration testing — Map attack surfaces, identify API endpoints, and assess protections during authorized engagements
- CTF competitions — Quickly extract and analyze iOS challenge binaries
- Competitive analysis — Understand how other apps are built, what SDKs they use, and how they structure their APIs
- Compliance auditing — Verify that apps meet security standards (ATS, cert pinning, keychain usage, data encryption)
- Incident response — Rapidly assess a suspicious IPA for malicious behavior, data exfiltration, or embedded malware
This project is released into the public domain under the Unlicense. See LICENSE for details.