Difference between revisions of "Bypassing Jailbreak Detection"

From The iPhone Wiki
m (xCon: No crackulous)
(App Patching Status)
Line 85: Line 85:
 
| [http://itunes.apple.com/us/app/directv-app-for-ipad/id421547368?mt=8 DirecTV for iPad]
 
| [http://itunes.apple.com/us/app/directv-app-for-ipad/id421547368?mt=8 DirecTV for iPad]
 
| com.directv.mobile.ipad.navigator.production
 
| com.directv.mobile.ipad.navigator.production
| {{yes}}
+
| {{no}}
 
| 1.3.9
 
| 1.3.9
  +
| Update 1.5.0 has new protection measures
|
 
 
|-
 
|-
 
|-
 
|-
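Review bot: flipping the Patched? cell from {{yes}} to {{no}} while leaving Last Confirmed Working Version at 1.3.9 makes the row read as contradictory on its own; the new Notes cell "Update 1.5.0 has new protection measures" carries the explanation, so consider wording the note to say explicitly that 1.3.9 still works with xCon and that 1.5.0 is the version that does not.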

Revision as of 17:50, 21 March 2012

Recently, a sizable number of applications in Apple's own App Store have started checking the authenticity of the device they run on, forbidding or restricting certain features, or refusing to run at all, when the device is jailbroken. The obvious reason is the inherent security risk of a jailbroken device (a bank, for instance, doesn't want the blame when a rogue keylogger disguised as a tweak captures a customer's account details). Most of the time, though, the companies seem to be worried about tweaks bypassing restrictions built into their apps. Video streaming apps are notorious for this: the companies don't want users getting around limits on when and where their content can be streamed, so instead of doing the responsible thing and obfuscating the restriction code itself, they block all jailbroken devices, whether or not there is any malicious intent.

How To Detect Jailbroken Devices

For the sake of convenience within this article, a "rogue app" will refer to any app available in the App Store that actively implements jailbreak detection measures.

For the most part, jailbreak detection procedures are a lot less sophisticated than one might imagine. While there are countless ways an app can check for a jailbroken device, the checks typically boil down to the following:

  • Existence of directories - Rogue apps love to check the file system for paths like /Applications/Cydia.app/ and /private/var/stash, among a handful of others. Most often these are checked with the -(BOOL)fileExistsAtPath:(NSString*)path method of NSFileManager, but sneakier apps use lower-level C functions such as fopen(), stat(), or access().
  • Directory permissions - Similar to checking for the existence of directories, but this checks the Unix file permissions of specific files and directories on the system, using NSFileManager methods as well as C functions like statfs(). Far more directories are writable on a jailbroken device than on one still in jail.
  • Process forking - On a jailbroken device, sandboxd does not deny App Store applications the use of fork(), popen(), or any other C function that creates child processes; on a device still in jail, sandboxd explicitly denies process forking. By checking the pid returned by fork(), a rogue app can tell whether the fork succeeded and thereby determine the device's jailbreak status.
  • SSH loopback connections - Only a very small number of applications implement this, as it is not nearly as effective as the others. Because a very large share of jailbroken devices have OpenSSH installed, some rogue apps attempt to connect to 127.0.0.1 on port 22. If the connection succeeds, OpenSSH is installed and running on the device, which obviously means it is jailbroken.
  • system() - Calling the system() function with no arguments on a device in jail returns 0; doing the same on a jailbroken device returns 1. Not sure why, but such is the case.
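To make the checks above concrete, here is an added example (not code from the wiki, from xCon, or from any of the apps listed below) of how an App Store app could implement the path-existence, directory-permission, fork() and system() checks in plain C. The two paths are the ones the article names; the "/private" directory used for the permission check and the use of stat(), access() and fopen() side by side are assumptions for illustration. The results the article attributes to a jailed versus a jailbroken device are not reproduced by running this on a desktop machine; there, the path count is 0 and fork() simply succeeds.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Paths the article names as typical jailbreak giveaways. On a stock iOS
 * device (and on the Linux host this example was written for) none of them
 * exist, so the count below is 0 there. */
static const char *const kJailbreakPaths[] = {
    "/Applications/Cydia.app/",
    "/private/var/stash",
};
#define NUM_JAILBREAK_PATHS (sizeof(kJailbreakPaths) / sizeof(kJailbreakPaths[0]))

/* Existence check done three ways, mirroring the article: the NSFileManager
 * route reduces to stat(), while sneakier apps call access() or fopen()
 * directly. Returns 1 if any of the three sees the path. */
int path_exists(const char *path) {
    struct stat st;
    if (stat(path, &st) == 0) return 1;
    if (access(path, F_OK) == 0) return 1;
    FILE *f = fopen(path, "r");
    if (f) { fclose(f); return 1; }
    return 0;
}

/* Counts how many of the given paths exist; a rogue app treats any
 * non-zero count as "jailbroken". */
int count_existing_paths(const char *const *paths, size_t n) {
    int found = 0;
    for (size_t i = 0; i < n; i++)
        if (path_exists(paths[i])) found++;
    return found;
}

/* Permission check: is the directory writable by this process? The article
 * notes that far more directories are writable on a jailbroken device. */
int dir_is_writable(const char *path) {
    return access(path, W_OK) == 0;
}

/* Process-forking check: returns 1 if fork() succeeds (which the article
 * says the sandbox only permits on a jailbroken device), 0 if it is refused.
 * The child exits immediately and the parent reaps it. */
int fork_allowed(void) {
    pid_t pid = fork();
    if (pid < 0) return 0;      /* refused: still sandboxed */
    if (pid == 0) _exit(0);     /* child: do nothing */
    int status;
    waitpid(pid, &status, 0);
    return 1;
}

/* system() with no command: non-zero means a shell is available, which the
 * article reports as 1 on jailbroken devices and 0 in jail. */
int shell_available(void) {
    return system(NULL) != 0;
}

/* Combines the checks into one verdict: 1 = looks jailbroken. Any single
 * positive check is enough, which is exactly why one hooked call (as the
 * article describes) is rarely enough to defeat an app that uses several. */
int looks_jailbroken(void) {
    return count_existing_paths(kJailbreakPaths, NUM_JAILBREAK_PATHS) > 0
        || dir_is_writable("/private")   /* assumed read-only in jail */
        || fork_allowed()
        || shell_available();
}

int main(void) {
    printf("existing giveaway paths: %d\n",
           count_existing_paths(kJailbreakPaths, NUM_JAILBREAK_PATHS));
    printf("fork allowed: %d\n", fork_allowed());
    printf("shell available: %d\n", shell_available());
    printf("verdict: %s\n", looks_jailbroken() ? "jailbroken" : "in jail");
    return 0;
}
```

Each check is its own function so an app can combine them; an app that relies on only one of them is the case the article's per-method hooking addresses, while an app that ORs several together is harder to patch generically.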

How To Reverse An App

  1. In order to dump or disassemble an app from the App Store, it must first be decrypted (often referred to as "cracking"), even if it is a free application.
  2. Using class-dump-z on the application's decrypted binary will dump all of the header files. Occasionally, these contain "giveaway" method names, like "deviceIsJailbroken" or "checkDeviceSecurity." Typically, hooking these methods is enough to disable the jailbreak detection measures, but it nearly guarantees that the patch will not work on other apps.
  3. Tracing methods named like that in IDA using the Objective-C parsing feature can help pinpoint exactly which method is being used to detect the jailbreak.
  4. If the class-dumped headers don't give anything away, searching the binary for strings like "jail," "cydia," "apt," etc. often leads to the breaking point.

xCon

xCon is a collaborative project by n00neimp0rtant and Lunatik that aims to be an all-in-one solution for hooking every known method and function responsible for informing an application that it is running on a jailbroken device. At first, the project patched applications on a per-app basis, but it now uses lower-level hooks to cover any app that uses the same procedure, even patching apps the developers have not explicitly reversed. Originally an open-source project, it is now closed-source to discourage App Store developers from working around xCon's hooks.

xCon is available free of charge in Cydia. No configuration is needed; just install and go.

App Patching Status

You can find an app's current release version in its iTunes listing page, linked below in the app names. If an app's current release version is newer than the "Last Confirmed Working Version," please help by testing it out yourself with the latest release of xCon and updating the table as necessary.

| App Name | Bundle Identifier | Patched? | Last Confirmed Working Version | Notes |
|---|---|---|---|---|
| Action Movie FX | com.badrobot.actionmoviefx | No | none | Cannot even decrypt the binary, let alone class-dump or disassemble it. |
| Barclays PingIt | uk.co.barclays.PingIt | Yes | 1.0.2 | |
| Cablevision Optimum | com.cablevision.rDVR | Yes | 2.1.2 | |
| Cablevision Optimum (iPad) | com.cablevision.iOTV | Yes | 2.1.1 | |
| Capital One UK | com.ukcapitalone.capitalone | Yes | 5.1 | |
| Commbank Kaching | au.com.commbank.kaching | Yes | 1.1.0 | |
| Cox TV Connect | com.cox.ios.ipad.tvconnect | Yes | 1.0.1 | |
| DirecTV for iPad | com.directv.mobile.ipad.navigator.production | No | 1.3.9 | Update 1.5.0 has new protection measures |
| DirecTV Nomad | com.directv.mobile.iphone.nomad.production | Yes | 1.8.1 | |
| DStv Mobile Decoder | com.multichoice.DStvMobileDVBH | Yes | 1.01.07 | |
| Flixster/Movies/Ultraviolet | com.jeffreygrossman.moviesapp | Yes | 5.21 | |
| Golden Screen Cinemas | com.sinodynamic.gsc | Yes | 1.4 | |
| Good For Enterprise | com.good.gmmiphone | Yes | 1.9.7 | |
| KB star | com.kbstar.kbbank | Yes | 1.14.1 | |
| KB starPlus | com.kbstar.starplus | Yes | 1.2.0 | |
| LOVEFiLM Player for iPad | com.lovefilm.watchnow.ipad | Yes | 1.0 | |
| Maxis Movies | com.maxis.moviebooking | Yes | 1.1.6 | |
| Maxis Movies (iPad) | com.maxis.moviebookingipad | Yes | 1.1.2 | |
| McAfee EMM | com.trustdigital.iTDClient | Yes | 4.7.1 | |
| MobileIron MyPhone@Work | com.mobileiron.phoneatwork | Yes | 4.5.12 | |
| Sentinel 3: Homeworld | com.Origin8.Sentinel3 | No | none | Cannot find any suspicious method/function calls at all. |
| Skype | com.skype.skype | No | none | Cannot even decrypt the binary, let alone class-dump or disassemble it. |
| Sky Go | com.bskyb.skygo | Yes | 2.0.2 | |
| Square | com.squareup.square | Yes | 2.2.5 | |
| Telus Optik TV | com.telus.nscreen | Yes | 1.1.2 | |
| TV live de la Orange | com.orange.TVOrange | Yes | 1.0 | |
| TWC TV | com.timewarnercable.simulcast | Yes | 2.6.1 | |
| Verizon Media Manager | com.verizon.ams.flexview | Yes | 2.0.29.26 | |
| Voddler | com.voddler.VoddlerHD | Yes | 1.2.1 | |