Bypassing iOS Security Suite (ISS)

iOS Security Suite is an open-source library designed for iOS app developers to implement various security measures within their applications. 

One of the primary purposes of this library is to help developers detect if an iOS device is jailbroken, which can pose security risks to the application and its users. 

Jailbreaking involves removing the limitations imposed by Apple on iOS devices, allowing users to gain root access and install unauthorized software, install tweaks to modify the original behavior of the OS APIs, and more. 

Some of the key features of this iOS Security Suite are:

1. Jailbreak Detection
2. Emulator Detection
3. Debug Detection
4. Runtime Hook Detection
5. Proxy Detection

..and more

Check out the project on GitHub: iOSSecurity Suite.

In this article, we will bypass the jailbreak detection restriction implemented in a real-world application using the iOS Security Suite library that I encountered during an assessment.

Key takeaways

• iOS Security Suite is widely used for jailbreak and runtime detection in iOS apps, but its checks can be bypassed by attackers with common tools.
• Pentesters override the amIJailbroken() method using Frida or similar frameworks to simulate compromised environments and assess app resilience.
• The library relies on eight main checks (files, directories, symbolic links, DYLD libraries, URL schemes, and more) to flag jailbroken devices.
• Bypassing jailbreak detection reveals hidden risks. Apps may still function in insecure environments if security isn’t layered.

The application

To begin the assessment, let’s install the application on the device. The name of the application will not be disclosed throughout the article. 

I will use a tool called ios-deploy to install the ipa onto the device. It is recommended to install AppSync Unified on the device to avoid app signing issues, as it circumvents installd's signature checks.

Now that the app is installed, let’s open it and see if it opens at all.

As expected, the app shows an alert that the device appears to be rooted, hence it cannot proceed. This is not good since we want the application to work in the jailbroken environment for all our required tools to work during the assessment.

Let’s now analyze the restrictions in place and explore how to bypass them.

The analysis

Let’s first do some static analysis on the ipa file to figure out if there is some third-party library involved for the jailbreak detection.

We can start by unzipping the ipa file since it is essentially an archive of the application bundle that gets expanded during installation. The first place to start looking for installed frameworks is Payload/<name>.app/Frameworks/ directory.

Looking at the installed frameworks, we can figure out that this is a Flutter application that has two potential modules that are of interest:

• iOS Security Suite
• Flutter jailbreak detection

Since we know that this is a Flutter app, let’s start by looking into the flutter_jailbreak_detection.framework. 

Flutter jailbreak detection

Before diving into reverse engineering, let’s try to find the code for this library to gain a better understanding of how it detects jailbreak on the device. 

Searching on Google leads us to the project on GitHub, flutter_jailbreak_detection, that makes our lives a little easier. The library is using iOS Security Suite internally for the iOS platform to detect if the device is jailbroken.

If we navigate to flutter_jailbreak_detection/ios/Classes/SwiftFlutterJailbreakDetectionPlugin.swift file, we can see that it calls the IOSSecuritySuite.amIJailbroken() method to check the jailbroken state of the device.

So, if we bypass amIJailbroken() from the IOSSecuritySuite module, we essentially bypass the jailbreak check on the Flutter Jailbreak Detection module as well.

iOS security suite

Let’s now analyze the source code for IOSSecurity Suite for a better understanding of the amIJailbroken() method.

This will help us when reversing the binary to hook into this method using Frida, as we are dealing with Swift and can't directly hook by using class and method names, unlike with Objective-C methods. The iOS Security Suite comprises multiple modules, but we will focus specifically on the Jailbreak Detection part.

Browsing through the code, we can find the jailbreak checks implemented at IOSSecuritySuite/JailbreakChecker.swift. Let’s try to understand the logic behind how the device reaches a conclusion if it has a jailbreak installed.

3 primary methods can be used to detect jailbreak in the apps:

• amIJailbroken
• amIJailbrokenWithFailMessage
• amIJailbrokenWithFailedChecks

All of these return the jailbroken state along with additional information, as the name suggests. Each of them calls the performChecks method, based on which it returns the jailbroken state as true or false.

The logic

Let’s check the performChecks method, where all the logic of the checks happens.

The performChecks method contains the following eight checks:

1. Check URL Schemes: Checks if any suspicious URL schemes, such as sileo:// are accessible.
2. Check Existence Of Suspicious Files: Checks if any suspicious file paths exist via fileExists(atPath: path), fopen, and access methods using read-only mode.
3. Check Suspicious Files Can Be Opened: Checks if any suspicious file paths exist via isReadableFile(atPath: path), fopen, and access methods using writable mode.
4. Check Restricted Directories Writable: Checks if any restricted paths like “/”, “/root”, “private”, “jb” are mounted as read/write and performs a file write and delete on these paths.
5. Check Fork: Verifies if Fork successfully creates a new process (sandbox violation).
6. Check Symbolic Links: Checks if any non-standard symbolic links exist.
7. Check DYLD: Checks if any suspicious libraries like FridaGadget, CydiaSubstrate, etc. are loaded.
8. Check Suspicious ObjC Classes: Checks if Shadow is loaded, which is essentially a jailbreak detection evasion tweak.

The checkURLSchemes method looks like this:

When each of these checks is performed, it updates the passed variable as true or false. If all checks passed, the jailbroken state becomes false and vice versa.

return !performChecks().passed

Jailbreak detection checks in the iOS Security Suite

The bypass

Now that we know how the logic is written, we can start reverse engineering the app to find the amIJailbroken() method and hook into it using Frida. 

The first step is to find the offset of this method and hook it to observe the method in action, returning the jailbroken state without modifying anything.

The binary

From the initial analysis, we saw IOSSecuritySuite.framework installed in the app. Let’s analyze the compiled binary for this module in r2 to find the methods we are looking for.

Since this is not a very big binary, we will be using the aaa command to analyze it and list the methods using the afl command.

From the source code analysis, we know that the methods we are interested in start with “amI”, so we can use grep to filter out all the restrictions implemented, or just grep “amIJail” to get the jailbreak-related methods. If you encounter an app that implements more restrictions, a similar approach can be taken to bypass them.

Since we are only interested in amIJailbroken, let’s analyze that method and cross-reference it to the source code.

By analyzing the binary code and cross-referencing it with the source, we can theoretically confirm that overriding the return value of this method to false should bypass jailbreak detection, regardless of any failed checks.

The script

Before modifying the return value, let's hook into the function and check the return value when the device is jailbroken. This will ensure that we are hooking into the correct function.

Since this is a swift module and we do not have direct access to its classes and methods, we will need to find the exact address of the method loaded in memory. To do that, we need to find the base address of the IOSSecuritySuite module using the Module.getBaseAddress Frida method and add the offset for the amIJailbroken method that we found using r2.

We will use the following script to hook and print the return value when the method is called.

var targetModule = "IOSSecuritySuite";

var moduleBase = Module.getBaseAddress(targetModule);

var targetAddress_amIJailbroken = moduleBase.add(ptr(0x00009b74));

Interceptor.attach(targetAddress_amIJailbroken, {
  onEnter: function(args) {
    console.log("amIJailBroken Called");
  },

  onLeave: function(retval) {
    console.log(`amIJailbroken retval ${retval}`);
  },
});

Running the script gives us the following output:

We can see that we can hook into the amIJailbroken() method, and the return value is true. As a result, the app pops up a prompt and does not proceed. To bypass it, let’s set the return value to false.

The modified script is as follows:

var targetModule = "IOSSecuritySuite";
var moduleBase = Module.getBaseAddress(targetModule);
var targetAddress_amIJailbroken = moduleBase.add(ptr(0x00009b74));

Interceptor.attach(targetAddress_amIJailbroken, {
  onEnter: function(args) {
    console.log("amIJailBroken Called");
  },

  onLeave: function(retval) {
    console.log(`Bypassing amIJailbroken!!`);
    retval.replace(0);
  },

Let’s run the script now and see if we bypass the rooted prompt..

..and voila, we successfully bypassed the jailbreak detection implementation from IOSSecurity Suite.

The challenge

We bypassed the jailbreak detection by overriding the return value of the amIJailbroken() method.

Another approach would be to individually hook into all of the checks present in the performChecks() method and override them as passed (if failed), which in turn will also bypass the detection. I will leave this approach for you to try as a practice exercise for the new skill you might have learned from this article.

Happy hacking!

Frequently Asked Questions (FAQs)

1. What is iOS Security Suite used for?

iOS Security Suite is an open-source library that helps iOS developers detect jailbreaks, debuggers, proxies, and runtime tampering in mobile apps.

2. Can jailbreak detection libraries like iOSSecuritySuite be bypassed?

Yes. Attackers and pentesters often bypass these checks using frameworks like Frida by overriding return values or hooking into detection methods.

3. Why do pentesters bypass jailbreak detection during security testing?

Pentesters bypass jailbreak detection to test how an app behaves in compromised environments and identify whether critical functions remain exposed when security controls fail.

4. What tools are commonly used to bypass jailbreak detection on iOS apps?

Tools like Frida, Objection, and Radare2 are widely used by security testers to hook into and manipulate app behavior on jailbroken devices.

5. Is jailbreak detection enough to secure enterprise mobile apps?

No, it isn’t. While helpful, jailbreak detection alone cannot stop advanced attackers. Enterprises should combine it with real-device testing, dynamic analysis, and compliance-aligned security solutions like Appknox.