@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

  • Blog URL: https://tonygo.tech/blog/2025/8ksec-ios-ctf-writeup
  • Blog Title: Bypassing iOS Frida Detection with LLDB and Frida
  • Suggested Section: Mobile Pentesting -> iOS Pentesting -> (new page) iOS Frida/Jailbreak Detection Bypass & Swift Function Hooking

🎯 Content Summary

This post is an in-depth CTF-style write-up showing how to bypass Swift-based Frida detection in an iOS app and steal a flag passed as a Swift String argument by combining LLDB and Frida on a jailbroken device.


Context, Device & Tooling
The target is an 8ksec iOS application challenge (.ipa) where the goal is to intercept a call to dummyFunction(flag:) and recover the flag passed as a Swift string.
The author u...

🔧 Technical Details

Runtime Bypass of Swift Jailbreak/Frida Detection via LLDB
When an iOS app uses a Swift boolean-returning function such as systemSanityCheck() -> Bool to centralize jailbreak/Frida detection, you can defeat it without patching the binary. Attach LLDB via debugserver, list symbols with image lookup -rn (e.g., searching for Check or frida), and set a breakpoint on the suspected detection function. Once hit, run finish to execute the function, then overwrite the ARM64 return register with zero: register write x0 0. Continuing execution (c) forces the detection to always return false, neutralizing alert-and-exit logic. This general pattern works for any Swift-based detection routine that returns a simple Bool.


Discovering Swift Target Functions Using frida-trace and Mangled Names
To hook a specific high-level Swi...

🤖 Agent Actions

Summary:

  • Added a comprehensive “LLDB-Assisted Frida Detection Bypass & Swift Hooking” section to the iOS Frida configuration guide, covering remote debugserver/LLDB setup, Swift jailbreak-check patching, discovery of mangled Swift symbols via frida-trace, and a practical Swift String hook that handles both inline and heap-backed arguments.
  • Updated the References section to cite the new research source on bypassing Swift-based Frida detection.

Tests: Not run; documentation-only changes.


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
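The detection pattern that the Technical Details section describes, written out as an added Swift example (this is not code from the blog post, the PR, or the 8ksec challenge app; the names systemSanityCheck, weakGate, environmentTag and deriveSessionSalt, the path list and the seed constant are assumptions made here): the single Bool gate that `finish` followed by `register write x0 0` neutralises, beside a variant that folds the probe result into a value the app needs later instead of branching on a yes/no, so that zeroing x0 corrupts downstream data rather than producing a clean pass.

```swift
import Foundation

// Constructed indicator list; a real app would use its own probes.
let suspiciousPaths = ["/usr/sbin/frida-server", "/private/var/lib/apt"]

/// Weak pattern from the write-up: one Bool-returning routine decides
/// everything. Under LLDB, `finish` then `register write x0 0` turns the
/// result into `false` for the whole app, with no binary patching needed.
func systemSanityCheck() -> Bool {
    return suspiciousPaths.contains { FileManager.default.fileExists(atPath: $0) }
}

/// The alert-and-exit logic the write-up mentions; one flipped register
/// in `systemSanityCheck` skips it entirely.
func weakGate() {
    if systemSanityCheck() {
        exit(1)
    }
}

/// Harder pattern: the probe result is returned as a 64-bit tag rather
/// than a Bool. A clean device yields the seed; each hit perturbs it.
/// Forcing x0 to 0 here does not yield the clean value, it yields garbage.
func environmentTag() -> UInt64 {
    var tag: UInt64 = 0x9E37_79B9_7F4A_7C15 // constructed seed
    for (i, path) in suspiciousPaths.enumerated() {
        if FileManager.default.fileExists(atPath: path) {
            tag ^= UInt64(i + 1) &* 0x0101_0101_0101_0101
        }
    }
    return tag
}

/// Consumer placed elsewhere in the app: the tag is mixed into something
/// the feature genuinely needs (a salt here), so a forced or guessed tag
/// leaves this output wrong rather than silently "not detected".
func deriveSessionSalt(from tag: UInt64, nonce: UInt64) -> UInt64 {
    return (tag &+ nonce) &* 0x9E37_79B9_7F4A_7C15
}

// Top-level demo (Swift script style): no branch on the tag, it is only consumed.
let tag = environmentTag()
let salt = deriveSessionSalt(from: tag, nonce: 0x1234_5678) // constructed nonce
print("tag=\(String(tag, radix: 16)) salt=\(String(salt, radix: 16))")
```

Design note: the second form only raises the cost of the LLDB trick in the post. Whoever holds the debugger can still set x0 to the clean seed once they have observed it on an untampered device, so no in-process check is decisive; the value of spreading the result into data rather than a single Bool is that the `finish` + `register write x0 0` step no longer produces a correct program state on its own.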

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://tonygo.tech/blog/2025/8ksec-ios-ctf-writeup

Content Categories: Based on the analysis, this content was categorized under "Mobile Pentesting -> iOS Pentesting -> (new page) iOS Frida/Jailbreak Detection Bypass & Swift Function Hooking".

Repository Maintenance:

  • MD Files Formatting: 913 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0

@carlospolop
Collaborator Author

merge

@carlospolop carlospolop merged commit 41c185a into master Nov 30, 2025
@carlospolop carlospolop deleted the update_Bypassing_iOS_Frida_Detection_with_LLDB_and_Frida_20251127_124030 branch November 30, 2025 20:09