iOS Dynamic Analysis with Corellium (#2194)

* iOS Dynamic Analysis Support with Corellium Jailbroken iOS devices * Corellium API layer for complete device and project management * Frida instrumentation (attach, spawn and inject) over SSH local port forward * Shell access over SSH * MobSF httptools proxy integration over SSH remote port forward * Device File upload and download over SSH * Frida scripts for core defense bypass, monitoring, and tracing * Helper iOS Frida scripts for pentesting and malware analysis * Screen cast with touch, swipe and text input support from web UI * Dynamic Analysis device data dump and report Generation * Android Certificate analysis, replaced oscrypto with cryptography for public key parsing * Python minimum support is 3.10 * Bumped httptools to latest, fixes httptools repeat bug * Added unzip to docker to fix a bug
MobSF · Dec 3, 2023 · 2aecb90 · 2aecb90
1 parent 4685d8e
commit 2aecb90
Show file tree

Hide file tree

Showing 148 changed files with 10,444 additions and 1,604 deletions.
diff --git a/.github/workflows/mobsf-test.yml b/.github/workflows/mobsf-test.yml
@@ -12,7 +12,7 @@ jobs:
       fail-fast: false
       matrix:
         os: [ubuntu-22.04, macos-latest, windows-latest]
-        python-version: [3.9, '3.10', '3.11']
+        python-version: ['3.10', '3.11']
 
     runs-on: ${{ matrix.os }}
     steps:

diff --git a/.sonarcloud.properties b/.sonarcloud.properties
@@ -1,4 +1,4 @@
 sonar.sources=.
 sonar.exclusions=mobsf/static/**/*,mobsf/templates/**/*
 sonar.sourceEncoding=UTF-8
-sonar.python.version=3.7, 3.8, 3.9, 3.10, 3.11
+sonar.python.version=3.10, 3.11
diff --git a/Dockerfile b/Dockerfile
@@ -32,8 +32,10 @@ RUN apt update -y && apt install -y  --no-install-recommends \
     curl \
     git \
     jq \
+    unzip \
     android-tools-adb && \
-    locale-gen en_US.UTF-8 
+    locale-gen en_US.UTF-8 && \
+    apt upgrade -y
 
 ENV MOBSF_USER=mobsf \
     MOBSF_PLATFORM=docker \

diff --git a/README.md b/README.md
@@ -1,13 +1,13 @@
 # Mobile Security Framework (MobSF)
-Version: v3.7 beta
+Version: v3.8 beta
 
 ![](https://cloud.githubusercontent.com/assets/4301109/20019521/cc61f7fc-a2f2-11e6-95f3-407030d9fdde.png)
 
 Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. MobSF supports mobile app binaries (APK, XAPK, IPA & APPX) along with zipped source code and provides REST APIs for seamless integration with your CI/CD or DevSecOps pipeline.The Dynamic Analyzer helps you to perform runtime security assessment and interactive instrumented testing.
 
 Made with ![Love](https://cloud.githubusercontent.com/assets/4301109/16754758/82e3a63c-4813-11e6-9430-6015d98aeaab.png) in India
 
-[![python](https://img.shields.io/badge/python-3.9+-blue.svg?logo=python&labelColor=yellow)](https://www.python.org/downloads/)
+[![python](https://img.shields.io/badge/python-3.10+-blue.svg?logo=python&labelColor=yellow)](https://www.python.org/downloads/)
 [![PyPI version](https://badge.fury.io/py/mobsf.svg)](https://badge.fury.io/py/mobsf)
 [![platform](https://img.shields.io/badge/platform-osx%2Flinux%2Fwindows-green.svg)](https://github.com/MobSF/Mobile-Security-Framework-MobSF/)
 [![License](https://img.shields.io/:license-GPL--3.0--only-blue.svg)](https://www.gnu.org/licenses/gpl-3.0.html)

diff --git a/mobsf/DynamicAnalyzer/forms.py b/mobsf/DynamicAnalyzer/forms.py
@@ -0,0 +1,6 @@
+"""File upload to iOS form."""
+from django import forms
+
+
+class UploadFileForm(forms.Form):
+    file = forms.FileField()
diff --git a/...ls/frida_scripts/auxiliary/class_trace.js → ..._scripts/android/auxiliary/class_trace.js b/...ls/frida_scripts/auxiliary/class_trace.js → ..._scripts/android/auxiliary/class_trace.js
diff --git a/...a_scripts/auxiliary/get_loaded_classes.js → ...s/android/auxiliary/get_loaded_classes.js b/...a_scripts/auxiliary/get_loaded_classes.js → ...s/android/auxiliary/get_loaded_classes.js
diff --git a/...ls/frida_scripts/auxiliary/get_methods.js → ..._scripts/android/auxiliary/get_methods.js b/...ls/frida_scripts/auxiliary/get_methods.js → ..._scripts/android/auxiliary/get_methods.js
diff --git a/...scripts/auxiliary/search_class_pattern.js → ...android/auxiliary/search_class_pattern.js b/...scripts/auxiliary/search_class_pattern.js → ...android/auxiliary/search_class_pattern.js
diff --git a/...s/frida_scripts/auxiliary/string_catch.js → ...scripts/android/auxiliary/string_catch.js b/...s/frida_scripts/auxiliary/string_catch.js → ...scripts/android/auxiliary/string_catch.js
diff --git a/...frida_scripts/auxiliary/string_compare.js → ...ripts/android/auxiliary/string_compare.js b/...frida_scripts/auxiliary/string_compare.js → ...ripts/android/auxiliary/string_compare.js
diff --git a/...ools/frida_scripts/default/api_monitor.js → ...da_scripts/android/default/api_monitor.js b/...ools/frida_scripts/default/api_monitor.js → ...da_scripts/android/default/api_monitor.js
diff --git a/..._scripts/default/debugger_check_bypass.js → .../android/default/debugger_check_bypass.js b/..._scripts/default/debugger_check_bypass.js → .../android/default/debugger_check_bypass.js
diff --git a/...ools/frida_scripts/default/root_bypass.js → ...da_scripts/android/default/root_bypass.js b/...ools/frida_scripts/default/root_bypass.js → ...da_scripts/android/default/root_bypass.js
@@ -33,8 +33,8 @@ Java.performNow(function () {
     };
 
     // String.contains check
-    var String = Java.use('java.lang.String');
-    String.contains.implementation = function (name) {
+    var javaString = Java.use('java.lang.String');
+    javaString.contains.implementation = function (name) {
         if (name == "test-keys") {
             send("[RootDetection Bypass] test-keys check");
             return false;

diff --git a/...ida_scripts/default/ssl_pinning_bypass.js → ...pts/android/default/ssl_pinning_bypass.js b/...ida_scripts/default/ssl_pinning_bypass.js → ...pts/android/default/ssl_pinning_bypass.js
diff --git a/...zer/tools/frida_scripts/others/aes_key.js → ...s/frida_scripts/android/others/aes_key.js b/...zer/tools/frida_scripts/others/aes_key.js → ...s/frida_scripts/android/others/aes_key.js
diff --git a/...rida_scripts/others/bypass_flag_secure.js → ...ipts/android/others/bypass_flag_secure.js b/...rida_scripts/others/bypass_flag_secure.js → ...ipts/android/others/bypass_flag_secure.js
diff --git a/...ols/frida_scripts/others/bypass_method.js → ...a_scripts/android/others/bypass_method.js b/...ols/frida_scripts/others/bypass_method.js → ...a_scripts/android/others/bypass_method.js
diff --git a/...zer/tools/frida_scripts/others/default.js → ...s/frida_scripts/android/others/default.js b/...zer/tools/frida_scripts/others/default.js → ...s/frida_scripts/android/others/default.js
diff --git a/.../tools/frida_scripts/others/file_trace.js → ...rida_scripts/android/others/file_trace.js b/.../tools/frida_scripts/others/file_trace.js → ...rida_scripts/android/others/file_trace.js
diff --git a/...rida_scripts/others/fingerprint_bypass.js → ...ipts/android/others/fingerprint_bypass.js b/...rida_scripts/others/fingerprint_bypass.js → ...ipts/android/others/fingerprint_bypass.js
diff --git a/...gerprint_bypass_via_exception_handling.js → ...gerprint_bypass_via_exception_handling.js b/...gerprint_bypass_via_exception_handling.js → ...gerprint_bypass_via_exception_handling.js
diff --git a/...ls/frida_scripts/others/get_android_id.js → ..._scripts/android/others/get_android_id.js b/...ls/frida_scripts/others/get_android_id.js → ..._scripts/android/others/get_android_id.js
diff --git a/...yzer/tools/frida_scripts/others/helper.js → ...ls/frida_scripts/android/others/helper.js b/...yzer/tools/frida_scripts/others/helper.js → ...ls/frida_scripts/android/others/helper.js
diff --git a/.../frida_scripts/others/hook_constructor.js → ...cripts/android/others/hook_constructor.js b/.../frida_scripts/others/hook_constructor.js → ...cripts/android/others/hook_constructor.js
diff --git a/...da_scripts/others/hook_java_reflection.js → ...ts/android/others/hook_java_reflection.js b/...da_scripts/others/hook_java_reflection.js → ...ts/android/others/hook_java_reflection.js
diff --git a/.../frida_scripts/others/inputstream_dump.js → ...cripts/android/others/inputstream_dump.js b/.../frida_scripts/others/inputstream_dump.js → ...cripts/android/others/inputstream_dump.js
diff --git a/...ols/frida_scripts/others/intent_dumper.js → ...a_scripts/android/others/intent_dumper.js b/...ols/frida_scripts/others/intent_dumper.js → ...a_scripts/android/others/intent_dumper.js
diff --git a/...ida_scripts/others/jni_hook_by_address.js → ...pts/android/others/jni_hook_by_address.js b/...ida_scripts/others/jni_hook_by_address.js → ...pts/android/others/jni_hook_by_address.js
diff --git a/...r/tools/frida_scripts/others/jni_trace.js → ...frida_scripts/android/others/jni_trace.js b/...r/tools/frida_scripts/others/jni_trace.js → ...frida_scripts/android/others/jni_trace.js
diff --git a/...ipts/others/keyguard_credential_intent.js → ...roid/others/keyguard_credential_intent.js b/...ipts/others/keyguard_credential_intent.js → ...roid/others/keyguard_credential_intent.js
diff --git a/...ols/frida_scripts/others/tracer_cipher.js → ...a_scripts/android/others/tracer_cipher.js b/...ols/frida_scripts/others/tracer_cipher.js → ...a_scripts/android/others/tracer_cipher.js
diff --git a/...ipts/others/tracer_keygenparameterspec.js → ...roid/others/tracer_keygenparameterspec.js b/...ipts/others/tracer_keygenparameterspec.js → ...roid/others/tracer_keygenparameterspec.js
diff --git a/...s/frida_scripts/others/tracer_keystore.js → ...scripts/android/others/tracer_keystore.js b/...s/frida_scripts/others/tracer_keystore.js → ...scripts/android/others/tracer_keystore.js
diff --git a/...scripts/others/tracer_secretkeyfactory.js → ...android/others/tracer_secretkeyfactory.js b/...scripts/others/tracer_secretkeyfactory.js → ...android/others/tracer_secretkeyfactory.js
diff --git a/...cripts/others/webview_enable_debugging.js → ...ndroid/others/webview_enable_debugging.js b/...cripts/others/webview_enable_debugging.js → ...ndroid/others/webview_enable_debugging.js
diff --git a/mobsf/DynamicAnalyzer/tools/frida_scripts/ios/auxiliary/class-trace.js b/mobsf/DynamicAnalyzer/tools/frida_scripts/ios/auxiliary/class-trace.js
@@ -0,0 +1,49 @@
+/* Description: Hook all the methods of a particular class
+ * Mode: S+A
+ * Version: 1.0
+ * Credit: https://github.com/interference-security/frida-scripts/blob/master/iOS
+ * Author: @interference-security
+ */
+//Twitter: https://twitter.com/xploresec
+//GitHub: https://github.com/interference-security
+function hook_class_method(class_name, method_name)
+{
+	var hook = ObjC.classes[class_name][method_name];
+		Interceptor.attach(hook.implementation, {
+			onEnter: function(args) {
+			send("[AUXILIARY] Detected call to: " + class_name + " -> " + method_name);
+		}
+	});
+}
+
+function run_hook_all_methods_of_specific_class(className_arg)
+{
+	send("Started: Hook all methods of a specific class");
+	send("Class Name: " + className_arg);
+	//Your class name here
+	var className = className_arg;
+	//var methods = ObjC.classes[className].$methods;
+	var methods = ObjC.classes[className].$ownMethods;
+	for (var i = 0; i < methods.length; i++)
+	{
+		send("[AUXILIARY] [-] "+methods[i]);
+		send("[AUXILIARY] \t[*] Hooking into implementation");
+		//eval('var className2 = "'+className+'"; var funcName2 = "'+methods[i]+'"; var hook = eval(\'ObjC.classes.\'+className2+\'["\'+funcName2+\'"]\'); Interceptor.attach(hook.implementation, {   onEnter: function(args) {    console.log("[*] Detected call to: " + className2 + " -> " + funcName2);  } });');
+		var className2 = className;
+		var funcName2 = methods[i];
+		hook_class_method(className2, funcName2);
+		// send("[AUXILIARY]  \t[*] Hooking successful");
+	}
+	send("[AUXILIARY] Completed: Hook all methods of a specific class");
+}
+
+function hook_all_methods_of_specific_class(className_arg)
+{
+	try {
+		setImmediate(run_hook_all_methods_of_specific_class,[className_arg])
+	} catch(err) {}
+}
+
+
+//Your class name goes here
+hook_all_methods_of_specific_class('{{CLASS}}')
diff --git a/mobsf/DynamicAnalyzer/tools/frida_scripts/ios/auxiliary/find-app-classes-methods.js b/mobsf/DynamicAnalyzer/tools/frida_scripts/ios/auxiliary/find-app-classes-methods.js
@@ -0,0 +1,52 @@
+/* Description: Dump all methods inside classes owned by the app only
+ * Mode: S+A
+ * Version: 1.0
+ * Credit: PassionFruit (https://github.com/chaitin/passionfruit/blob/master/agent/app/classdump.js) & https://github.com/interference-security/frida-scripts/blob/master/iOS
+ * Author: @interference-security
+ */
+//Twitter: https://twitter.com/xploresec
+//GitHub: https://github.com/interference-security
+function run_show_app_classes_methods_only()
+{
+    send("Started: Find App's Classes and Methods")
+    var free = new NativeFunction(Module.findExportByName(null, 'free'), 'void', ['pointer'])
+    var copyClassNamesForImage = new NativeFunction(Module.findExportByName(null, 'objc_copyClassNamesForImage'), 'pointer', ['pointer', 'pointer'])
+    var p = Memory.alloc(Process.pointerSize)
+    Memory.writeUInt(p, 0)
+    var path = ObjC.classes.NSBundle.mainBundle().executablePath().UTF8String()
+    var pPath = Memory.allocUtf8String(path)
+    var pClasses = copyClassNamesForImage(pPath, p)
+    var count = Memory.readUInt(p)
+    var classesArray = new Array(count)
+    for (var i = 0; i < count; i++)
+    {
+        var pClassName = Memory.readPointer(pClasses.add(i * Process.pointerSize))
+        classesArray[i] = Memory.readUtf8String(pClassName)
+		var className = classesArray[i]
+		send("[AUXILIARY] Class: " + className);
+		//var methods = ObjC.classes[className].$methods;
+		var methods = ObjC.classes[className].$ownMethods;
+		for (var j = 0; j < methods.length; j++)
+		{
+			send("[AUXILIARY] \t[-] Method: " + methods[j]);
+			try
+			{
+				send("[AUXILIARY] \t\t[-] Arguments Type: " + ObjC.classes[className][methods[j]].argumentTypes);
+				send("[AUXILIARY] \t\t[-] Return Type: " + ObjC.classes[className][methods[j]].returnType);
+			}
+			catch(err) {}
+		}
+    }
+    free(pClasses)
+    send("App Classes found: " + count);
+    send("Completed: Find App's Classes")
+}
+
+function show_app_classes_methods_only()
+{
+    try {
+        setImmediate(run_show_app_classes_methods_only)
+	} catch(err) {}
+}
+
+show_app_classes_methods_only()
diff --git a/mobsf/DynamicAnalyzer/tools/frida_scripts/ios/auxiliary/find-app-classes.js b/mobsf/DynamicAnalyzer/tools/frida_scripts/ios/auxiliary/find-app-classes.js
@@ -0,0 +1,39 @@
+/* Description: Dump classes owned by the app only
+ * Mode: S+A
+ * Version: 1.0
+ * Credit: PassionFruit (https://github.com/chaitin/passionfruit/blob/master/agent/app/classdump.js) & https://github.com/interference-security/frida-scripts/blob/master/iOS
+ * Author: @interference-security
+ */
+//Twitter: https://twitter.com/xploresec
+//GitHub: https://github.com/interference-security
+function run_show_app_classes_only()
+{
+    send("Started: Find App's Classes")
+    var free = new NativeFunction(Module.findExportByName(null, 'free'), 'void', ['pointer'])
+    var copyClassNamesForImage = new NativeFunction(Module.findExportByName(null, 'objc_copyClassNamesForImage'), 'pointer', ['pointer', 'pointer'])
+    var p = Memory.alloc(Process.pointerSize)
+    Memory.writeUInt(p, 0)
+    var path = ObjC.classes.NSBundle.mainBundle().executablePath().UTF8String()
+    var pPath = Memory.allocUtf8String(path)
+    var pClasses = copyClassNamesForImage(pPath, p)
+    var count = Memory.readUInt(p)
+    var classesArray = new Array(count)
+    for (var i = 0; i < count; i++)
+    {
+        var pClassName = Memory.readPointer(pClasses.add(i * Process.pointerSize))
+        classesArray[i] = Memory.readUtf8String(pClassName)
+        send("[AUXILIARY] " + classesArray[i])
+    }
+    free(pClasses)
+    send("App Classes found: " + count);
+    send("Completed: Find App's Classes")
+}
+
+function show_app_classes_only()
+{
+    try {
+        setImmediate(run_show_app_classes_only)
+	} catch(err) {}
+}
+
+show_app_classes_only()
diff --git a/mobsf/DynamicAnalyzer/tools/frida_scripts/ios/auxiliary/find-specific-method.js b/mobsf/DynamicAnalyzer/tools/frida_scripts/ios/auxiliary/find-specific-method.js
@@ -0,0 +1,53 @@
+/* Description: Find a specific method in all classes in the app
+ * Modified for MobSF
+ * Mode: S+A
+ * Version: 1.0
+ * Credit: PassionFruit (https://github.com/chaitin/passionfruit/blob/master/agent/app/classdump.js) & https://github.com/interference-security/frida-scripts/blob/master/iOS
+ * Author: @interference-security
+ */
+//Twitter: https://twitter.com/xploresec
+//GitHub: https://github.com/interference-security
+function find_specific_method_in_all_classes(func_name)
+{
+    send("Searching for method [" + func_name + "] in all Classes");
+    var free = new NativeFunction(Module.findExportByName(null, 'free'), 'void', ['pointer'])
+    var copyClassNamesForImage = new NativeFunction(Module.findExportByName(null, 'objc_copyClassNamesForImage'), 'pointer', ['pointer', 'pointer'])
+    var p = Memory.alloc(Process.pointerSize)
+    Memory.writeUInt(p, 0)
+    var path = ObjC.classes.NSBundle.mainBundle().executablePath().UTF8String()
+    var pPath = Memory.allocUtf8String(path)
+    var pClasses = copyClassNamesForImage(pPath, p)
+    var count = Memory.readUInt(p)
+    var classesArray = new Array(count)
+    for (var i = 0; i < count; i++)
+    {
+        var pClassName = Memory.readPointer(pClasses.add(i * Process.pointerSize))
+        classesArray[i] = Memory.readUtf8String(pClassName)
+		var className = classesArray[i]
+		//var methods = ObjC.classes[className].$methods;
+		var methods = ObjC.classes[className].$ownMethods;
+		for (var j = 0; j < methods.length; j++)
+		{
+			if(methods[j].includes(func_name))
+			{
+				send("[AUXILIARY] Class: " + className);
+				send("[AUXILIARY] \t[-] Method: " + methods[j]);
+				try
+				{
+					send("[AUXILIARY] \t\t[-] Arguments Type: " + ObjC.classes[className][methods[j]].argumentTypes);
+					send("[AUXILIARY] \t\t[-] Return Type: " + ObjC.classes[className][methods[j]].returnType);
+				}
+				catch(err) {}
+			}
+		}
+    }
+    free(pClasses)
+    send("Completed: Find specific Method in all Classes");
+}
+
+
+//Your function name goes here
+var METHOD = '{{METHOD}}'
+try {
+    find_specific_method_in_all_classes(METHOD)
+} catch(err) {}
diff --git a/mobsf/DynamicAnalyzer/tools/frida_scripts/ios/auxiliary/get-methods.js b/mobsf/DynamicAnalyzer/tools/frida_scripts/ios/auxiliary/get-methods.js
@@ -0,0 +1,61 @@
+/* Description: Get all methods of the class
+ * Modified for MobSF 
+ * Mode: S+A
+ * Version: 1.0
+ * Credit: PassionFruit (https://github.com/chaitin/passionfruit/blob/master/agent/app/classdump.js) & https://github.com/interference-security/frida-scripts/blob/master/iOS
+ * Author: @interference-security
+ */
+//Twitter: https://twitter.com/xploresec
+//GitHub: https://github.com/interference-security
+function run_get_app_methods_in_class()
+{
+    var targetClass = '{{CLASS}}';
+    var found = false;
+    send("Looking for methods in: " + targetClass)
+
+    var free = new NativeFunction(Module.findExportByName(null, 'free'), 'void', ['pointer'])
+    var copyClassNamesForImage = new NativeFunction(Module.findExportByName(null, 'objc_copyClassNamesForImage'), 'pointer', ['pointer', 'pointer'])
+    var p = Memory.alloc(Process.pointerSize)
+    Memory.writeUInt(p, 0)
+    var path = ObjC.classes.NSBundle.mainBundle().executablePath().UTF8String()
+    var pPath = Memory.allocUtf8String(path)
+    var pClasses = copyClassNamesForImage(pPath, p)
+    var count = Memory.readUInt(p)
+    var classesArray = new Array(count)
+    for (var i = 0; i < count; i++)
+    {
+        var pClassName = Memory.readPointer(pClasses.add(i * Process.pointerSize))
+        classesArray[i] = Memory.readUtf8String(pClassName)
+		var className = classesArray[i]
+        if (className === targetClass)
+        {
+            found = true;
+            send("[AUXILIARY] Class: " + className);
+            //var methods = ObjC.classes[className].$methods;
+            var methods = ObjC.classes[className].$ownMethods;
+            for (var j = 0; j < methods.length; j++)
+            {
+                send("[AUXILIARY] \t[-] Method: " + methods[j]);
+                try
+                {
+                    send("[AUXILIARY] \t\t[-] Arguments Type: " + ObjC.classes[className][methods[j]].argumentTypes);
+                    send("[AUXILIARY] \t\t[-] Return Type: " + ObjC.classes[className][methods[j]].returnType);
+                }
+                catch(err) {}
+            }
+        }
+    }
+    free(pClasses)
+    if (!found)
+    {
+        send("Class not found: " + targetClass)
+    } else 
+    {
+	    send("Completed Enumerating Methods in Class: " + targetClass)
+    }
+}
+
+
+try {
+    run_get_app_methods_in_class()
+} catch(err) {}
diff --git a/mobsf/DynamicAnalyzer/tools/frida_scripts/ios/auxiliary/search-class-pattern.js b/mobsf/DynamicAnalyzer/tools/frida_scripts/ios/auxiliary/search-class-pattern.js
@@ -0,0 +1,57 @@
+/* Description: Find classes matching a pattern
+ * Modified for MobSF
+ * Mode: S+A
+ * Version: 1.0
+ * Credit: PassionFruit (https://github.com/chaitin/passionfruit/blob/master/agent/app/classdump.js) & https://github.com/interference-security/frida-scripts/blob/master/iOS
+ * Author: @interference-security
+ */
+//Twitter: https://twitter.com/xploresec
+//GitHub: https://github.com/interference-security
+function findClasses(pattern)
+{
+    var foundClasses = [];
+    var free = new NativeFunction(Module.findExportByName(null, 'free'), 'void', ['pointer'])
+    var copyClassNamesForImage = new NativeFunction(Module.findExportByName(null, 'objc_copyClassNamesForImage'), 'pointer', ['pointer', 'pointer'])
+    var p = Memory.alloc(Process.pointerSize)
+    Memory.writeUInt(p, 0)
+    var path = ObjC.classes.NSBundle.mainBundle().executablePath().UTF8String()
+    var pPath = Memory.allocUtf8String(path)
+    var pClasses = copyClassNamesForImage(pPath, p)
+    var count = Memory.readUInt(p)
+    var classesArray = new Array(count)
+    for (var i = 0; i < count; i++)
+    {
+        var pClassName = Memory.readPointer(pClasses.add(i * Process.pointerSize))
+        classesArray[i] = Memory.readUtf8String(pClassName)
+        if (classesArray[i].match(pattern)) {
+            foundClasses.push( classesArray[i]);
+        }
+    }
+    free(pClasses)
+    return foundClasses;
+}
+
+
+function getMatches(){
+	var matches;
+	try{
+		var pattern = /{{PATTERN}}/i;
+		send('Class search for pattern: ' + pattern)
+		matches = findClasses(pattern);
+	}catch (err){
+		send('Class pattern match [\"Error\"] => ' + err);
+		return;
+	}
+	if (matches.length>0)
+		send('Found [' + matches.length +  '] matches')
+	else
+		send('No matches found')
+	matches.forEach(function(clz) { 
+		send('[AUXILIARY] ' + clz)
+	});
+}
+
+
+try {
+    getMatches();
+} catch(err) {}
diff --git a/mobsf/DynamicAnalyzer/tools/frida_scripts/ios/auxiliary/string-capture.js b/mobsf/DynamicAnalyzer/tools/frida_scripts/ios/auxiliary/string-capture.js
@@ -0,0 +1,14 @@
+function captureString() {
+  send('Capturing strings')
+  Interceptor.attach(ObjC.classes.NSString['+ stringWithUTF8String:'].implementation, {
+    onLeave: function (retval) {
+      var str = new ObjC.Object(ptr(retval)).toString()
+      send('[AUXILIARY] [NSString stringWithUTF8String:] -> '+ str);
+      return retval;
+    }
+  });
+}
+
+try {
+  captureString();
+} catch(err) {}