Everything You Need to Know about iOS Jailbreak Detection Bypass

iOS has always been considered a safe haven when it comes to mobile application security. Every year this operating system tries to come up with more and more efficient updates to make life easy for its users and the respective application and security service providers. However, for tech-savvy users, these timely improvements may not sound enough and there are always people who consider that there is room for more improvement. And hence comes the term ‘Jailbreaking’. 

What does ‘Jailbreaking’ Mean?

'Jailbreaking' is the process by which a user can gain access to the administrative commands and functions of an operating system. It gives the ability (or permission) to alter or replace system applications, files, and settings, removing pre-installed applications, and running specialized applications (“apps”) that require administrator-level permissions. 

In a 2020 research on 425 million devices, Wandera highlighted that there had been a 50% increase in the number of jailbroken devices from the previous year, a quite formidable jump!

With jailbreaking, one can actually remove almost all the restrictions from their iOS device and open up gateways to make unimaginable modifications. While this may sound pretty fascinating at first, this also opens up innumerable avenues for security vulnerabilities and threat actors to creep inside your device. So, let’s take a look at how application developers can take specific steps to ensure that their applications stay secure in the context of jailbroken devices.

 

What is Jailbreak Detection

Jailbreak Detection means that the application is detecting whether the application is running on a jailbroken device or not. 

The goal of jailbreak detection is to make running the app on a non jailbroken device so that the attacker will not get more privileges, which in turn blocks some of the tools and techniques like reverse engineers etc. and it helps an application to prevent many vulnerabilities.

 

Difference Between One-Time and Run-Time Jailbreak Detection Bypass 

Difference Between One-Time and Run-Time Jailbreak Detection Bypass 

 

One-Time Jailbreak Detection bypass

One-Time jailbreak detection bypass helps the pentester to permanently bypass the jailbreak detection for the respective application, Which means the pentester has to bypass the jailbreak detection only once.

For example, pentester can use the Liberty application for bypassing the jailbreak detection permanently. Once you bypass jailbreak detection with liberty application, it permanently bypasses the jailbreak detection for respective applications. You don’t need to bypass the jailbreak detection again and again.

Good Read: Here's How iOS Jailbreak Really Works

Run-Time Jailbreak Detection bypass

Run-time jailbreak detection bypass helps the pentester to bypass the jailbreak detection at run-time. This means you can manipulate the value at run time and then you have to bypass the jailbreak detection, again and again, it’s not permanent. 

For example, we can use Frida & Objection for bypassing the jailbreak detection at run-time. Once you bypass jailbreak detection with Frida & Objection, it only works till you run the Frida or objection. As you stop the Frida or objection respective applications again start detecting that the device is jailbroken. 

 

How to Bypass Jailbreak Detection 

There are different ways to bypass jailbreak detection, let's discuss each in detail

1. Jailbreak Detection Bypass Via Hooking


  • Installing Frida Server

 

Bypass Jailbreak Detection 

By default the Frida server is running up on the iDevice, you don’t need to start a Frida server every time. 

  • Installing objection 

sudo pip3 install objection

Note: While using objection make sure the application is opened in the device, otherwise the objection wouldn’t work.

 

A) Let's Bypass Jailbreak Detection via Hooking


1) Connect your device via USB and trust the device.
2) Run the below command to connect the application to objection and explore the application..

objection --gadget package_name explore

Or

objection -g package_name explore
Run the below command for finding the package name of the application

Frida-ps -Ua 

-Ua=> show currently running application 

Bypass Jailbreak Detection via Hooking

 

3) Run the below command to search for the specific class

ios hooking search classes jailbreak

Search classes=> It is used to search for the classes related to the given word.

Jailbreak => Here we are looking for classes related to jailbreak. That's why we search for “jailbreak” so that we can get all the classes related to jailbreak.  And if you are looking for other classes like login related etc, you can type login there. 

ios hooking search classes jailbreak

 

4) Run the below commands to watch methods available for the given class

ios hooking watch class JailbreakDetection

watch=> To watch the methods available for the given class

JailbreakDetection=> It’s the name of the class and you can use any class which you think may be related to the function which you are looking for. 

ios hooking watch class JailbreakDetection

 

5) Run the below commands to dump the value of the given method 

 

ios hooking watch method "+[JailbreakDetection isJailbroken]" --dump return

---dump return =>  It will return the value, when we call the particular method, it can be 0,1, true, false, etc. 

"+” => here “+” symbol we write based on the method we called. When we call all methods of a particular class, it shows the symbol which is used by that particular method as highlighted in the above screenshot. Depending on the method, symbols can be “+” or “-”.

JailbreakDetection is the name of the class.

isJailbroken is the method of the class. 

 

ios hooking watch method



6) Run the below commands to set the return value of the given method.

 

ios hooking set return_valued "+[JailbreakDetection isJailbroken]" 1

set return_valued => It will set the returned value of the given class. 

1 => Here we set the return value to “1” because when we open the application it’s giving the error as the device is jailbroken and returns the value to 0, so we change it’s value at run time to “1”. So that application will understand that the device is not jailbroken and we can run the application. 

ios hooking set return_valued

 

 

2. Jailbreak Detection Bypass Via Liberty Application

 

  • Installing Liberty

Jailbreak Detection Bypass Via Liberty Application

 

  • Bypass jailbreak detection using Liberty 

    1) Go to Settings and you will see the liberty application at the end.
    2) Enable the application for which you want to bypass jailbreak detection. 

Bypass jailbreak detection using Liberty 

 

Block Jailbreak Detection

There are many tools that are used to Bypass Jailbreak detection like FlyJB, Shadow, etc. 

 

3. Jailbreak Detection Bypass Via Objection

Run the below command to connect the application to objection and explore the application.

objection --gadget package_name explore

objection --gadget package_name explore

 

Run the below command to bypass the jailbreak detection

ios jailbreak disable

Run the below command to bypass the jailbreak detection

  1.  

4. Jailbreak Detection Bypass via Frida


  • Bypassing jailbreak detection using frida

frida -U -f package_name -l jailbreak.js --no-pause

 

U => To use a connected USB device as a target 

F =>  To indicates the package name

L =>  To load the script

Jailbreak.js =>

https://codeshare.frida.re/@liangxiaoyi1024/ios-jailbreak-detection-bypass/ (Download the script from codeshare according to your iOS version)

--no-pause => To force the frida to “not to pause” app execution after injecting the script. 

 

Bypassing jailbreak detection using frida

   

Mitigating Jailbreak Detection Bypass

The application should check for the presence of the following things, if any of the things are present, then the application should detect the device is jailbroken and should not allow it to run the application.

1) Check  the presence of any of the following file paths:

  • "/Applications/Cydia.app"
  • "/Applications/blackra1n.app"
  • "/Applications/FakeCarrier.app"
  • "/Applications/Icy.app"
  • "/Applications/IntelliScreenx.app"
  • "/Applications/MxTube.app"
  • "/Applications/RockApp.app"
  • "/Applications/SBSettings.app"
  • "/Applications/WinterBoard.app"
  • "/Library/MobileSubstrate/DynamicLibraries/LiveClock.plist"
  • "/Library/MobileSubstrate/DynamicLibraries/Veency.plist"
  • "/private/var/lib/apt"
  • "/private/var/lib/cydia"
  • "/private/var/mobile/Library/SBSettings/Themes"
  • "/private/var/stash"
  • "/private/var/tmp/cydia.log"
  • "/System/Library/LaunchDaemons/com.ikey.bbot.plist"
  • "/System/Library/LaunchDaemons/com.saurik.Cydia.Startup.plist"
  • "/usr/sbin/sshd"
  • "/usr/libexec/sftp-server"
  • "/usr/sbin/sshd"

 

2) Check the presence of shell access
  • Since non-jailbroken iOS devices do not have shell access, the presence of shell access indicates a jailbroken device.

3) Check the Non-existence of standard framework at the expected file path
  • If the standard Foundation framework does not exist at the expected file path "/System/Library/Frameworks/Foundation.framework/Foundation"

4) Check for the existence of the Frida server. 

Final Thoughts

Once a device is jailbroken, it becomes an easy target for threat actors who can flush volumes of malicious elements into the device and sniff sensitive user information. This also poses risks for the other genuine apps running on the jailbroken devices. Taking the required jailbreak detection bypass steps not only protects the app itself, but also the device and user data from being compromised at the hand of threat actors.  

Published on Sep 3, 2021
Vaishali Nagori
Written by Vaishali Nagori
Vaishali is an Associate Security Analyst at Appknox, She has hands-on experience in Web Applications, API, Android & iOS Penetration Testing. She has secured 70+ Applications in various sectors like E-Commerce, Banking, Management, Gaming, Trading, government, Tax management, financial sectors, and more. She loves to dance and connect with new people. You can find her on Linkedin: http://www.linkedin.com/in/vaishali-nagori

Questions?

Chat With Us

Using Other Product?

Switch to Appknox

2 Weeks Free Trial!

Get Started Now