iOS has always been considered a safe haven when it comes to mobile application security. Every year this operating system tries to come up with more and more efficient updates to make life easy for its users and the respective application and security service providers. However, for tech-savvy users, these timely improvements may not sound enough and there are always people who consider that there is room for more improvement. And hence comes the term ‘Jailbreaking’.
What does ‘Jailbreaking’ Mean?
'Jailbreaking' is the process by which a user can gain access to the administrative commands and functions of an operating system. It gives the ability (or permission) to alter or replace system applications, files, and settings, removing pre-installed applications, and running specialized applications (“apps”) that require administrator-level permissions.
In a 2020 research on 425 million devices, Wandera highlighted that there had been a 50% increase in the number of jailbroken devices from the previous year, a quite formidable jump!
With jailbreaking, one can actually remove almost all the restrictions from their iOS device and open up gateways to make unimaginable modifications. While this may sound pretty fascinating at first, this also opens up innumerable avenues for security vulnerabilities and threat actors to creep inside your device. So, let’s take a look at how application developers can take specific steps to ensure that their applications stay secure in the context of jailbroken devices.
What is Jailbreak Detection
Jailbreak Detection means that the application is detecting whether the application is running on a jailbroken device or not.
The goal of jailbreak detection is to make running the app on a non jailbroken device so that the attacker will not get more privileges, which in turn blocks some of the tools and techniques like reverse engineers etc. and it helps an application to prevent many vulnerabilities.
Difference Between One-Time and Run-Time Jailbreak Detection Bypass
One-Time Jailbreak Detection bypass
One-Time jailbreak detection bypass helps the pentester to permanently bypass the jailbreak detection for the respective application, Which means the pentester has to bypass the jailbreak detection only once.
For example, pentester can use the Liberty application for bypassing the jailbreak detection permanently. Once you bypass jailbreak detection with liberty application, it permanently bypasses the jailbreak detection for respective applications. You don’t need to bypass the jailbreak detection again and again.
Good Read: Here's How iOS Jailbreak Really Works
Run-Time Jailbreak Detection bypass
Run-time jailbreak detection bypass helps the pentester to bypass the jailbreak detection at run-time. This means you can manipulate the value at run time and then you have to bypass the jailbreak detection, again and again, it’s not permanent.
For example, we can use Frida & Objection for bypassing the jailbreak detection at run-time. Once you bypass jailbreak detection with Frida & Objection, it only works till you run the Frida or objection. As you stop the Frida or objection respective applications again start detecting that the device is jailbroken.
How to Bypass Jailbreak Detection
There are different ways to bypass jailbreak detection, let's discuss each in detail
1. Jailbreak Detection Bypass Via Hooking
- Installing Frida Server
By default the Frida server is running up on the iDevice, you don’t need to start a Frida server every time.
- Installing objection
sudo pip3 install objection
Note: While using objection make sure the application is opened in the device, otherwise the objection wouldn’t work.
A) Let's Bypass Jailbreak Detection via Hooking
1) Connect your device via USB and trust the device.
2) Run the below command to connect the application to objection and explore the application..
objection --gadget package_name explore
objection -g package_name explore
Run the below command for finding the package name of the application
-Ua=> show currently running application
3) Run the below command to search for the specific class
ios hooking search classes jailbreak
Search classes=> It is used to search for the classes related to the given word.
Jailbreak => Here we are looking for classes related to jailbreak. That's why we search for “jailbreak” so that we can get all the classes related to jailbreak. And if you are looking for other classes like login related etc, you can type login there.
4) Run the below commands to watch methods available for the given class
ios hooking watch class JailbreakDetection
watch=> To watch the methods available for the given class
JailbreakDetection=> It’s the name of the class and you can use any class which you think may be related to the function which you are looking for.
5) Run the below commands to dump the value of the given method
ios hooking watch method "+[JailbreakDetection isJailbroken]" --dump return
---dump return => It will return the value, when we call the particular method, it can be 0,1, true, false, etc.
"+” => here “+” symbol we write based on the method we called. When we call all methods of a particular class, it shows the symbol which is used by that particular method as highlighted in the above screenshot. Depending on the method, symbols can be “+” or “-”.
JailbreakDetection is the name of the class.
isJailbroken is the method of the class.
6) Run the below commands to set the return value of the given method.
ios hooking set return_valued "+[JailbreakDetection isJailbroken]" 1
set return_valued => It will set the returned value of the given class.
1 => Here we set the return value to “1” because when we open the application it’s giving the error as the device is jailbroken and returns the value to 0, so we change it’s value at run time to “1”. So that application will understand that the device is not jailbroken and we can run the application.
2. Jailbreak Detection Bypass Via Liberty Application
- Installing Liberty
- Bypass jailbreak detection using Liberty
1) Go to Settings and you will see the liberty application at the end.
2) Enable the application for which you want to bypass jailbreak detection.
There are many tools that are used to Bypass Jailbreak detection like FlyJB, Shadow, etc.
3. Jailbreak Detection Bypass Via Objection
Run the below command to connect the application to objection and explore the application.
objection --gadget package_name explore
Run the below command to bypass the jailbreak detection
ios jailbreak disable
4. Jailbreak Detection Bypass via Frida
- Bypassing jailbreak detection using frida
frida -U -f package_name -l jailbreak.js --no-pause
U => To use a connected USB device as a target
F => To indicates the package name
L => To load the script
https://codeshare.frida.re/@liangxiaoyi1024/ios-jailbreak-detection-bypass/ (Download the script from codeshare according to your iOS version)
--no-pause => To force the frida to “not to pause” app execution after injecting the script.
Mitigating Jailbreak Detection Bypass
The application should check for the presence of the following things, if any of the things are present, then the application should detect the device is jailbroken and should not allow it to run the application.1) Check the presence of any of the following file paths:
2) Check the presence of shell access
- Since non-jailbroken iOS devices do not have shell access, the presence of shell access indicates a jailbroken device.
- If the standard Foundation framework does not exist at the expected file path "/System/Library/Frameworks/Foundation.framework/Foundation"
Once a device is jailbroken, it becomes an easy target for threat actors who can flush volumes of malicious elements into the device and sniff sensitive user information. This also poses risks for the other genuine apps running on the jailbroken devices. Taking the required jailbreak detection bypass steps not only protects the app itself, but also the device and user data from being compromised at the hand of threat actors.