Trellis provides deep binary analysis and reports that enable pentesters and bug bounty hunters to focus their efforts on the most critical security issues. The static analysis performed by Trellis is equivalent to multiple days of work by a skilled iOS security analyst and reverse engineer. Reports contain any actionable static analysis findings along with Frida scripts for targeted and efficient dynamic runtime vulnerability analysis.
Trellis is not designed to provide findings ready to be copied and pasted into an iOS mobile app pentest report. Additional testing and validation may be required.
AI is not used in any way. Your data remains private and secure. Email [email protected] to inquire about the self-hosted option for businesses that cannot share their mobile applications with third parties.
Analysis categories and features:
- Weak Encryption: Flags cryptographic implementations that use broken algorithms, hardcoded keys, or misconfigured parameters — allowing attackers to decrypt protected data.
- Insecure Network Connections: Identifies disabled certificate validation and missing certificate pinning that expose users to man-in-the-middle attacks.
- Exposed Keychain Data: Detects secrets stored with overly permissive access controls — data that can be read without user authentication or that syncs to iCloud unintentionally.
- Jailbreak Detection Gaps: Maps the app's jailbreak defenses to reveal where security controls can be bypassed on compromised devices.
- Debugger Attachment Risks: Finds missing anti-debug protections that allow attackers to attach a debugger and extract secrets or manipulate app behavior at runtime.
- Plaintext Sensitive Storage: Locates passwords, tokens, and personal data written to unprotected files or system preferences where other apps or backups can access them.
- WebView Injection Risks: Detects JavaScript bridges and insecure content loading patterns that enable attackers to inject malicious scripts into the app's web views.
- Malicious Deep Link Exploitation: Identifies URL handlers that accept untrusted input and perform dangerous actions — enabling phishing attacks that hijack app functionality.
- Unprotected Local Databases: Flags SQLite databases missing encryption and SQL injection vulnerabilities that expose stored user data.
- Credential Leakage in Logs: Detects passwords, tokens, and sensitive values written to device logs — readable by any app with logging access.
- Exposed API Endpoints: Extracts hardcoded server addresses and API endpoints that reveal backend infrastructure to reverse engineers.
- Unsafe Data Deserialization: Finds insecure deserialization patterns that can be exploited to execute arbitrary code when processing untrusted data.
- Inter-Process Communication Abuse: Detects IPC services exposed without authentication that allow malicious apps to trigger privileged actions or extract data.
- Clipboard Data Exposure: Flags sensitive data written to the system clipboard — readable by any app running in the background.
- Hardcoded Secrets in Binary: Scans the binary directly for embedded passwords, API keys, and credentials without requiring decompilation.
- Bypassable Biometric Checks: Identifies biometric authentication enforced only on the client side — trivially bypassed without touching the sensor using runtime tools.
- Runtime Authentication Bypass: Detects hardcoded credential comparisons and client-side validation logic that attackers can hook and bypass with tools like Frida.
- Deep Binary Analysis: Uses advanced ARM64 analysis and cross-referencing to surface vulnerabilities that simpler pattern-matching misses.
- Actionable Reports: Generates an HTML report and JSON data files. The JSON files can be used for integration with other tools or AI analysis.
- Exploit Verification Scripts: Produces ready-to-run Frida instrumentation scripts to confirm whether identified vulnerabilities are exploitable in practice.
Example findings:
🔴 Critical
Hardcoded Secret Flows to Crypto Sink
Description: Function references both hardcoded secret and crypto selector decryptData:withPassword:error:
Location: 0x1001978e8 (Offset: 0x1978e8)
Function: _$s7DVIA_v239BrokenCryptographyDetailsViewControllerC21textFieldShouldReturnySbSo06UITextI0CF
Evidence:
- sink: decryptData:withPassword:error:
- sink_type: Crypto operation (ObjC dispatch)
- secret_value: @daloq3as$qweasdlasasjdnj
- secret_address: 0x100389440
- crypto_selector: decryptData:withPassword:error:
- detection_method: forward_selector_search
Impact: Hardcoded secret is passed to crypto operation via ObjC message dispatch
🟠 High
Obfuscation: Decode Loop
Description: Byte-by-byte decode loop detected: data@0x10086f668, transform=[xor(0x5a) → sub(0x3)] → decoded: "<redacted>"
Location: 0x100149c7c (Offset: 0x149c7c)
Function: sub_100149bc4
Evidence:
- data_address: 0x10086f668
- transform_chain: xor(0x5a) → sub(0x3)
- loop_bound: 9
- string_constructor_present: False
- confidence: medium
- decoded_value: <redacted>
Impact: Data-segment bytes are decoded at runtime via a transform loop — classic secret obfuscation pattern
Recommendation: Decoded value: "<redacted>"
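The Decode Loop finding reports the transform chain and loop bound but, in the example above, redacts the bytes and the decoded value. As an added example (not Trellis code or output), this Python script reimplements such a chain so an analyst can re-derive the decoded value from the data-segment bytes pulled out of the binary and judge whether it is a real secret; the sample blob is constructed here by encoding a known string, and the printable-ratio confidence heuristic is this example's own, not the tool's.

```python
import re
import string

# Parses a transform chain as printed in the finding's evidence, e.g. "xor(0x5a) → sub(0x3)".
# The operator set here (xor/add/sub/rol/ror) is an assumption; the page only shows xor and sub.
TRANSFORM_RE = re.compile(r"(xor|add|sub|rol|ror)\((0x[0-9a-fA-F]+|\d+)\)")

def parse_chain(chain: str):
    """Return [(op, operand), ...] in the order the loop applies them to each byte."""
    steps = [(op, int(arg, 0)) for op, arg in TRANSFORM_RE.findall(chain)]
    if not steps:
        raise ValueError(f"no recognised transforms in {chain!r}")
    return steps

def apply_step(b: int, op: str, k: int) -> int:
    """Apply one 8-bit transform; arithmetic wraps mod 256 like the ARM64 byte ops would."""
    if op == "xor":
        return b ^ k
    if op == "add":
        return (b + k) & 0xFF
    if op == "sub":
        return (b - k) & 0xFF
    k %= 8
    if op == "rol":
        return ((b << k) | (b >> (8 - k))) & 0xFF
    return ((b >> k) | (b << (8 - k))) & 0xFF          # ror

def decode(data: bytes, chain: str, loop_bound: int) -> bytes:
    """Replay the decode loop over the first loop_bound bytes of the data-segment blob."""
    steps = parse_chain(chain)
    out = bytearray()
    for b in data[:loop_bound]:
        for op, k in steps:
            b = apply_step(b, op, k)
        out.append(b)
    return bytes(out)

def confidence(decoded: bytes) -> str:
    """Heuristic (this example's own): all-printable output suggests a real string was decoded."""
    printable = set(string.printable.encode())
    ratio = sum(b in printable for b in decoded) / max(len(decoded), 1)
    return "high" if ratio == 1.0 else "medium" if ratio >= 0.8 else "low"

def encode(plain: bytes, chain: str) -> bytes:
    """Inverse of decode(), used only to construct a sample blob for this example."""
    inverse = {"xor": "xor", "add": "sub", "sub": "add", "rol": "ror", "ror": "rol"}
    steps = parse_chain(chain)
    return bytes(_fold(b, [(inverse[op], k) for op, k in reversed(steps)]) for b in plain)

def _fold(b: int, steps) -> int:
    for op, k in steps:
        b = apply_step(b, op, k)
    return b

SAMPLE_CHAIN = "xor(0x5a) → sub(0x3)"                  # chain from the finding above
SAMPLE_BLOB = encode(b"secret123", SAMPLE_CHAIN)       # constructed stand-in for data@0x10086f668
```

Running `decode(SAMPLE_BLOB, SAMPLE_CHAIN, 9)` recovers `b"secret123"`; feeding the real bytes at the reported data address with the reported loop bound gives the value the report redacts.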
🟠 High
XSS via User Input in loadHTMLString
Description: loadHTMLString:baseURL: caller also references user input (UITextField/UITextView) — XSS likely
Location: 0x10016be94 (Offset: 0x16be94)
Function: loadHTMLString:baseURL:
Evidence:
- method: loadHTMLString:baseURL:
- baseURL: unknown
- taint_source: UITextField/UITextView reference in caller
Impact: User input flows to WebView HTML rendering without sanitization — attacker can inject JavaScript via text fields