[iOS Application Security] Jailbreak 12.4 and SSL pinning bypass | How to set up your iOS Testing Lab

Hello Everyone — Long time no see!

It’s been a long time since I published my last blog so I’ve decided to come up with a good topic since there are many questions being asked around Jailbreak and how to bypass SSL pinning. This version of the blog I’ll explain how to jailbreak iOS 12.4 and bypass SSL pinning. This will give you a decent idea on how to set up your iOS testing lab.

Surprisingly, this is the first time in 4 years a public version of iOS is Jailbreakable 12.4. In the most bizarre turn of events, you can almost do this without a computer. From iPhone 6 all the way to the iPhone 10, so without further ado, I am going to dive into the technical details and show you how to practically jailbreak your iOS without a computer.


This blog post is only meant for educational purposes and security research. Please note that you might lose all the data from the device, so make sure you have backed it all up beforehand.


Unc0ver v3.5.0 can jailbreak iOS 12.4 on A7-A11 devices, but A12(X) devices are still excluded at this time. Pwn20wnd also adds that while the jailbreak works on iOS 12.4, the success rate is lower than it was on previous versions of iOS. [1] https://www.idownloadblog.com/2019/08/18/unc0ver-jailbreak-ios-12-4/

unc0ver jailbreak for iOS 11.0–12.4. You can check to see if your device can be jailbroken using the following website: https://canijailbreak.com

JailBreaking —

Jailbreaking is generally are of two types. Jailbreaking totally depends upon the iOS version your device is using.

1. Tethered

Tethered jailbreaks require the iOS device to be connected to a computer while it is booting. If it is booted without a computer connected, it will not boot up. These kinds of jailbreaks are usually based on exploits of the Boot ROM, LLB or iBoot. While these jailbreaks are hard for Apple to patch, they are quite inconvenient to its users.

2. Untethered

Untethered jailbreaks do not need the iOS device to be connected to a computer during bootup, making them very user-friendly. Usually, the device is jailbroken once by connecting it to a computer that then exploits a vulnerability to patch the kernel.

Ref: https://promon.co/security-news/ios-jailbreak/

Jailbreaking iPhone 7 with iOS 12.4

Checking your iOS version

Settings → General → About
Device Details
Device Details
Details of Devices which I have used for Jailbreak

The testing environment used for jailbreaking

if your devices are compatible with Jailbreak then you should have developers’ account.

You may enroll for a developer’s account via https://developer.apple.com

Installing Cydia Impactor

Cydia Impactor is a GUI tool for working with mobile devices. It has features already but is still very much a work-in-progress. It is developed by saurik.

Downloading & Installing Cydia Impactor. (Developers Account Required)

Cydia Impactor

Note: Cydia requires your Apple ID and password so using a newly created Apple ID is highly recommended.

Download IPA from here https://github.com/pwn20wndstuff/Undecimus but please make sure you are using the latest release. As of now, v3.5.5 is the latest version.

Drag the IPA file and drop it into the impactor, then click on start.his will prompt you for the Apple ID username and password.

Apple Id Username
Your Apple Id password

Your Apple Id password

Before proceeding to jailbreak, please restart your device then activate the airplane mode.

Activate Airplane Mode

Open unc0ver app and click on jailbreak

Source : https://github.com/pwn20wndstuff/Undecimus

Verify the Unc0ver App

Settings → General → Profiles & Device Management → email@company.com

Your devices may restart multiple times so you will likely need to click on jailbreak for about 2–3 times for a complete jailbreak.

Once your device is jailbroken, you will get Cydia as you can see below.

Cydia App

Congratulations! Your devices in now jailbroken using Unc0ver.

Burp Suite Free/Pro — Downloading and configuring

Setting Proxy lister — Proxy → Options → Proxy Listener → AddBind to port: 8XXXBind to address : All interfaces (192.168.X.X)Click “Ok”* Note: Ip ranges may vary in your device 
Settings → wifi → (i) from connected network → Configure Proxy → ManualServer : 8082
Tap on [i]

Now select Configure Proxy → Manual

HTTP Proxy

Now save the configuration then open the browser and visit http://burp in order to download the Portswigger CA Certificate and configuration.

Tap on CA Certificate to download the certificate.

Allow downloading of the configuration file.

Select the device in which you wish to install the certificate.

Now, on your iPhone, go to:

Settings → General → Profiles & Device Management 
Profiles & Device Management → Portswigger CA

Install the Portswigger CA Certificate

SSH to the iOS device

SSH is the secure shell used to connect to different machines.

1. Finding the IP address of the device.

Settings → Connected Network → Click on [i]

The IP address of the device —

2. Available users on the iOS device are the following:

mobile — default password — alpineroot — default password — alpine

Connecting as mobile and getting root privileges.

ssh mobile@ // you should change it using passwd utility


You can use Cyberduck on the other hand.

Installing SSL KILL Switch 2

We will use Blackbox tool to disable SSL certificate validation — including certificate pinning — within iOS and OS X Apps. The second iteration of

https://github.com/iSECPartners/ios-ssl-kill-switch .

The latest version as of now is v0.13. You can download the deb file from:https://github.com/nabla-c0d3/ssl-kill-switch2/releases

or direct download the version 0.13 from:



The following dependencies should be installed using Cydia:

  • Debian Packager
  • Cydia Substrate
  • PreferenceLoader

Install MTerminal form Cydia


Open the MTerminal

Enter Command SU

SU — Super User Mode

Enter Password — alpine

This will allow you to be as a root user

Type Command “ls” to view the files

ls to view the files

Type command

dpkg -i <package_name>.deb

This will install the package ssl.deb

Once the ssl.deb is installed

Goto Settings → Look for “SSL kill switch 2”

SSL Kill Switch 2
Enable SSL kill Switch 2

Now you can intercept the traffic of any iOS application.

Finally, if you wish to install tools and components on the iOS device, I recommend reading Sahil Ahamad blog post.

If you have any query or question just DM on Twitter, I will be happy to assist.

In the meantime, you can learn from the intensive iOS security guide.

If you like my blog posts and my work, please consider checking out my “Buy me a coffee” page


Huge thanks go to Prateek Tiwari and Yassine Aboukir for proofreading and reviewing the present write-up.

Until next time!

Independent web application security Researcher