What starting position does this attack require?

The first step is Replay tokens against the API (T1078) — a initial access primitive. Assumed environment: jailbroken iOS device (palera1n / Dopamine) with Frida-server installed.

What is the final impact of this kill-chain?

The final step lands on objection -g explore (MOB-FRIDA-HOOK), which falls under Execution. From here, an operator typically pivots into post-exploitation or maintains persistence.

How can defenders detect or prevent this attack?

Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

← RegistryDossier · 5 steps · 4 edges

Approved

Jailbreak detection bypass → keychain dump

Test on a jailbroken device. Hook jailbreak-detection routines, run objection to dump the entire app keychain — recovers session tokens, refresh tokens, biometric keys.

Filed by AD Knowledge BasePublished 2026-05-26

§ Kill-chainDrag · zoom · scroll

Initial Access

Replay tokens against the API

T1078 · Valid Accounts

Credential Access

ios keychain dump

MOB-IOS-KEYCHAIN · iOS Keychain Dump (jailbroken)

Defense Evasion

Bypass jailbreak detection (Liberty / Frida)

MOB-IOS-JB-BYPASS · iOS Jailbreak Detection Bypass

Defense Evasion

Sideload IPA on jailbroken device

MOB-IOS-IPA-RESIGN · IPA Repackaging / Resigning

Execution

objection -g <pkg> explore

MOB-FRIDA-HOOK · Frida Runtime Hooking

§ Context

Assumed environment: jailbroken iOS device (palera1n / Dopamine) with Frida-server installed. Target IPA can be installed via TrollStore / sideloadly.

§ Steps

01
Replay tokens against the APIInitial Access
T1078— Valid Accounts
02
ios keychain dumpCredential Access
MOB-IOS-KEYCHAIN— iOS Keychain Dump (jailbroken)
03
Bypass jailbreak detection (Liberty / Frida)Defense Evasion
MOB-IOS-JB-BYPASS— iOS Jailbreak Detection Bypass
04
Sideload IPA on jailbroken deviceDefense Evasion
MOB-IOS-IPA-RESIGN— IPA Repackaging / Resigning
05
objection -g <pkg> exploreExecution
MOB-FRIDA-HOOK— Frida Runtime Hooking

§ References

T1078Valid Accounts

§ Frequently asked

What is the "Jailbreak detection bypass → keychain dump" attack path?: Test on a jailbroken device. Hook jailbreak-detection routines, run objection to dump the entire app keychain — recovers session tokens, refresh tokens, biometric keys. It chains 5 steps drawn from real-world offensive-security techniques.
What starting position does this attack require?: The first step is Replay tokens against the API (T1078) — a initial access primitive. Assumed environment: jailbroken iOS device (palera1n / Dopamine) with Frida-server installed.
What is the final impact of this kill-chain?: The final step lands on objection -g <pkg> explore (MOB-FRIDA-HOOK), which falls under Execution. From here, an operator typically pivots into post-exploitation or maintains persistence.
How can defenders detect or prevent this attack?: Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.