Difference between revisions of "Bypassing Jailbreak Detection"

From The iPhone Wiki
Jump to: navigation, search
(How To Detect Jailbroken Devices: more on system(NULL) returning 1 when jailbroken)
 
(6 intermediate revisions by 4 users not shown)
Line 10: Line 10:
 
* '''Process forking''' - sandboxd does not deny App Store applications the ability to use fork(), popen(), or any other C functions to create child processes on devices out of jail. sandboxd explicitly denies process forking on devices in jail. By checking the returned pid on fork(), a rogue app can tell if it has successfully forked or not, at which point it can determine a device's jailbreak status.
 
* '''Process forking''' - sandboxd does not deny App Store applications the ability to use fork(), popen(), or any other C functions to create child processes on devices out of jail. sandboxd explicitly denies process forking on devices in jail. By checking the returned pid on fork(), a rogue app can tell if it has successfully forked or not, at which point it can determine a device's jailbreak status.
 
* '''SSH loopback connections''' - Only a very small number of applications implement this (as it is not nearly as effective as the others). Due to the very large portion of jailbroken devices that have [[OpenSSH]] installed, some rogue apps will attempt to make a connection to 127.0.0.1 on port 22. If the connection succeeds, it means OpenSSH is installed and running on the device, which obviously indicates that it is jailbroken.
 
* '''SSH loopback connections''' - Only a very small number of applications implement this (as it is not nearly as effective as the others). Due to the very large portion of jailbroken devices that have [[OpenSSH]] installed, some rogue apps will attempt to make a connection to 127.0.0.1 on port 22. If the connection succeeds, it means OpenSSH is installed and running on the device, which obviously indicates that it is jailbroken.
* '''system()''' - Calling the system() function with no arguments on a device in jail will return 0; doing the same on a jailbroken device will return 1. Not sure why, but such is the case.
+
* '''system()''' - Calling the system() function with a NULL argument on a device in jail will return 0; doing the same on a jailbroken device will return 1. This is since the function will check whether <code>/bin/sh</code> exists, and this is only the case on jailbroken devices.[https://developer.apple.com/library/ios/documentation/System/Conceptual/ManPages_iPhoneOS/man3/system.3.html]
  +
* '''dyld functions''' - By far the hardest to get around. Calling functions like _dyld_image_count() and _dyld_get_image_name() to see which dylibs are currently loaded. Very difficult to patch, as patches are themselves part of dylibs.
   
== How To Reverse An App ==
+
== How To Reverse Engineer An App ==
 
# In order to dump or disassemble an app from the App Store, it must first be decrypted (often referred to as "[[Copy Protection Overview|cracking]]"), even if it is a free application.
 
# In order to dump or disassemble an app from the App Store, it must first be decrypted (often referred to as "[[Copy Protection Overview|cracking]]"), even if it is a free application.
 
# Using [[class-dump-z]] on the application's decrypted binary will dump all of the header files. Occasionally, these contain "giveaway" method names, like "deviceIsJailbroken" or "checkDeviceSecurity." Typically, hooking these methods is enough to disable the jailbreak detection measures, but it nearly guarantees that the patch will not work on other apps.
 
# Using [[class-dump-z]] on the application's decrypted binary will dump all of the header files. Occasionally, these contain "giveaway" method names, like "deviceIsJailbroken" or "checkDeviceSecurity." Typically, hooking these methods is enough to disable the jailbreak detection measures, but it nearly guarantees that the patch will not work on other apps.
Line 19: Line 20:
   
 
== xCon ==
 
== xCon ==
  +
See [[xCon]] on its separate page.
xCon is a collaborative project by [http://twitter.com/unimp0rtanttech n00neimp0rtant] and [http://twitter.com/olunatiko Lunatik] that aims to be an all-in-one solution for hooking every known method and function responsible for informing an application of a jailbroken device. At first, the project aimed to patch applications on a per-app basis, but now it uses lower-level hooks to cover any apps that attempt to use the same procedure, even patching apps not explicitly reversed by the developers. Originally an open-source project, it remains closed-source now to discourage App Store developers from working around xCon's hooks.
 
 
== App Patching Status ==
 
''You can find an app's current release version in its iTunes listing page, linked below in the app names. If an app's current release version is newer than the "Last Confirmed Working Version," please help by testing it out yourself with the latest release of xCon and updating the table as necessary.''
 
 
{| cellspacing="0" class="wikitable" style="text-align:center; width:100%;"
 
|-
 
!| App Name
 
!| Bundle Identifier
 
!| Patched?
 
!| Last Confirmed Working Version
 
!| Notes
 
|-
 
| [http://itunes.apple.com/us/app/action-movie-fx/id489321253?mt=8 Action Movie FX]
 
| com.badrobot.actionmoviefx
 
| {{no}}
 
| none
 
| Cannot even decrypt the binary, let alone class-dump or disassemble it. Crackulous outputs "Cracking failed" error.
 
|-
 
|-
 
| [http://itunes.apple.com/gb/app/barclays-pingit/id496552142?mt=8 Barclays PingIt]
 
| uk.co.barclays.PingIt
 
| {{yes}}
 
| 1.0.2
 
|
 
|-
 
|-
 
| [http://itunes.apple.com/us/app/optimum/id387231038?mt=8 Cablevision Optimum]
 
| com.cablevision.rDVR
 
| {{yes}}
 
| 2.1.2
 
|
 
|-
 
|-
 
| [http://itunes.apple.com/us/app/optimum-for-ipad/id424612367?mt=8 Cablevision Optimum (iPad)]
 
| com.cablevision.iOTV
 
| {{yes}}
 
| 2.1.1
 
|
 
|-
 
|-
 
| [http://itunes.apple.com/gb/app/capital-one-uk/id481679012?mt=8 Capital One UK]
 
| com.ukcapitalone.capitalone
 
| {{yes}}
 
| 5.1
 
|
 
|-
 
|-
 
| [http://itunes.apple.com/au/app/commbank-kaching/id475728226?mt=8 Commbank Kaching]
 
| au.com.commbank.kaching
 
| {{yes}}
 
| 1.1.0
 
|
 
|-
 
|-
 
| [http://itunes.apple.com/us/app/cox-tv-connect-for-ipad/id474096909?mt=8 Cox TV Connect]
 
| com.cox.ios.ipad.tvconnect
 
| {{yes}}
 
| 1.0.1
 
|
 
|-
 
|-
 
| [http://itunes.apple.com/us/app/directv-app-for-ipad/id421547368?mt=8 DirecTV for iPad]
 
| com.directv.mobile.ipad.navigator.production
 
| {{yes}}
 
| 1.3.9
 
|
 
|-
 
|-
 
| [http://itunes.apple.com/us/app/directv-nomad/id448679509?mt=8 DirecTV Nomad]
 
| com.directv.mobile.iphone.nomad.production
 
| {{yes}}
 
| 1.8.1
 
|
 
|-
 
|-
 
| [http://itunes.apple.com/za/app/dstv-mobile-decoder/id403946447?mt=8 DStv Mobile Decoder]
 
| com.multichoice.DStvMobileDVBH
 
| {{yes}}
 
| 1.01.07
 
|
 
|-
 
|-
 
| [http://itunes.apple.com/us/app/movies-by-flixster-rotten/id284235722?mt=8 Flixster/Movies/Ultraviolet]
 
| com.jeffreygrossman.moviesapp
 
| {{yes}}
 
| 5.21
 
|
 
|-
 
|-
 
| [http://itunes.apple.com/us/app/golden-screen-cinemas/id413024972?mt=8 Golden Screen Cinemas]
 
| com.sinodynamic.gsc
 
| {{yes}}
 
| 1.4
 
|
 
|-
 
|-
 
| [http://itunes.apple.com/us/app/good-for-enterprise/id333202351?l=es&mt=8 Good For Enterprise]
 
| com.good.gmmiphone
 
| {{yes}}
 
| 1.9.7
 
|
 
|-
 
|-
 
| [http://itunes.apple.com/us/app/kbseutabaengking/id373742138?mt=8 KB star]
 
| com.kbstar.kbbank
 
| {{yes}}
 
| 1.14.1
 
|
 
|-
 
|-
 
| [http://itunes.apple.com/us/app/kb-starplus/id381065734?mt=8 KB starPlus]
 
| com.kbstar.starplus
 
| {{yes}}
 
| 1.2.0
 
|
 
|-
 
|-
 
| [http://itunes.apple.com/gb/app/lovefilm-player-for-ipad/id454468674?mt=8 LOVEFiLM Player for iPad]
 
| com.lovefilm.watchnow.ipad
 
| {{yes}}
 
| 1.0
 
|
 
|-
 
|-
 
| [http://itunes.apple.com/us/app/maxis-movies/id369867024?mt=8 Maxis Movies]
 
| com.maxis.moviebooking
 
| {{yes}}
 
| 1.1.6
 
|
 
|-
 
|-
 
| [http://itunes.apple.com/us/app/maxis-movies-for-ipad/id418096484?mt=8 Maxis Movies (iPad)]
 
| com.maxis.moviebookingipad
 
| {{yes}}
 
| 1.1.2
 
|
 
|-
 
|-
 
| [http://itunes.apple.com/us/app/mcafee-enterprise-mobility/id322111072?mt=8 McAfee EMM]
 
| com.trustdigital.iTDClient
 
| {{yes}}
 
| 4.7.1
 
|
 
|-
 
|-
 
| [http://itunes.apple.com/us/app/mobileiron-myphone-work-client/id320659794?mt=8 MobileIron MyPhone@Work]
 
| com.mobileiron.phoneatwork
 
| {{yes}}
 
| 4.5.12
 
|
 
|-
 
|-
 
| [http://itunes.apple.com/us/app/sentinel-3-homeworld/id396103539?mt=8 Sentinel 3: Homeworld]
 
| com.Origin8.Sentinel3
 
| {{no}}
 
| none
 
| Cannot find any suspicious method/function calls at all.
 
|-
 
|-
 
| [http://itunes.apple.com/us/app/skype/id304878510?mt=8 Skype]
 
| com.skype.skype
 
| {{no}}
 
| none
 
| Cannot even decrypt the binary, let alone class-dump or disassemble it. Crackulous outputs "Cracking failed" error.
 
|-
 
|-
 
| [http://itunes.apple.com/gb/app/sky-go/id446086440?mt=8 Sky Go]
 
| com.bskyb.skygo
 
| {{yes}}
 
| 2.0.2
 
|
 
|-
 
|-
 
| [http://itunes.apple.com/us/app/square/id335393788?mt=8 Square]
 
| com.squareup.square
 
| {{yes}}
 
| 2.2.5
 
|
 
|-
 
|-
 
| [http://itunes.apple.com/ca/app/telus-optik-tv-hd/id467260646?mt=8 Telus Optik TV]
 
| com.telus.nscreen
 
| {{yes}}
 
| 1.1.2
 
|
 
|-
 
|-
 
| [http://itunes.apple.com/us/app/tv-live-de-la-orange/id390896393?mt=8 TV live de la Orange]
 
| com.orange.TVOrange
 
| {{yes}}
 
| 1.0
 
|
 
|-
 
|-
 
| [http://itunes.apple.com/us/app/twc-tv/id420455839?mt=8 TWC TV]
 
| com.timewarnercable.simulcast
 
| {{yes}}
 
| 2.6.1
 
|
 
|-
 
|-
 
| [http://itunes.apple.com/us/app/verizon-media-manager/id460536890?mt=8 Verizon Media Manager]
 
| com.verizon.ams.flexview
 
| {{yes}}
 
| 2.0.29.26
 
|
 
|-
 
|-
 
| [http://itunes.apple.com/no/app/voddler/id409806444?mt=8 Voddler]
 
| com.voddler.VoddlerHD
 
| {{yes}}
 
| 1.2.1
 
|
 
|-
 
|}
 

Latest revision as of 04:51, 18 September 2013

Recently, a sizable handful of applications in Apple's own App Store have been implementing procedures to check the authenticity of the device on which the app itself is running, forbidding or inhibiting usage of certain features or even the app altogether. Obvious reasons are about the innate security risks of jailbreaking your device (e.g. banking companies don't want the blame for some rogue keylogger disguised as a tweak snagging your account info). However, most of the time, it seems as if companies are worried about the possibility of tweaks bypassing certain restrictions implemented into their apps. Video streaming apps are notorious for this; the companies don't want users bypassing restrictions on when and where you can stream their content, so instead of doing the responsible thing and obfuscating their restriction attempts, they instead block all jailbroken devices, regardless of malicious intent or lack thereof.

How To Detect Jailbroken Devices

For the sake of convenience within this article, a "rogue app" will refer to any app available in the App Store that actively implements jailbreak detection measures.

For the most part, jailbreak detection procedures are a lot less sophisticated that one might imagine. While there are countless ways apps can implement checks for jailbroken devices, they typically boil down to the following:

  • Existence of directories - Rogue apps love to check your file system for paths like /Applications/Cydia.app/ and /private/var/stash, amongst a handful of others. Most often, these are checked using the -(BOOL)fileExistsAtPath:(NSString*)path method in NSFileManager, but more sneaky apps like to use lower-level C functions like fopen(), stat(), or access().
  • Directory permissions - Similar to checking existence of directories, but checks the Unix file permissions of specific files and directories on the system using NSFileManager methods as well as C functions like statfs(). Far more directories have write access on a jailbroken device than on one still in jail.
  • Process forking - sandboxd does not deny App Store applications the ability to use fork(), popen(), or any other C functions to create child processes on devices out of jail. sandboxd explicitly denies process forking on devices in jail. By checking the returned pid on fork(), a rogue app can tell if it has successfully forked or not, at which point it can determine a device's jailbreak status.
  • SSH loopback connections - Only a very small number of applications implement this (as it is not nearly as effective as the others). Due to the very large portion of jailbroken devices that have OpenSSH installed, some rogue apps will attempt to make a connection to 127.0.0.1 on port 22. If the connection succeeds, it means OpenSSH is installed and running on the device, which obviously indicates that it is jailbroken.
  • system() - Calling the system() function with a NULL argument on a device in jail will return 0; doing the same on a jailbroken device will return 1. This is since the function will check whether /bin/sh exists, and this is only the case on jailbroken devices.[1]
  • dyld functions - By far the hardest to get around. Calling functions like _dyld_image_count() and _dyld_get_image_name() to see which dylibs are currently loaded. Very difficult to patch, as patches are themselves part of dylibs.

How To Reverse Engineer An App

  1. In order to dump or disassemble an app from the App Store, it must first be decrypted (often referred to as "cracking"), even if it is a free application.
  2. Using class-dump-z on the application's decrypted binary will dump all of the header files. Occasionally, these contain "giveaway" method names, like "deviceIsJailbroken" or "checkDeviceSecurity." Typically, hooking these methods is enough to disable the jailbreak detection measures, but it nearly guarantees that the patch will not work on other apps.
  3. Tracing methods named like that in IDA using the Objective-C parsing feature can help pinpoint exactly which method is being used to detect the jailbreak.
  4. If the class-dumped headers don't give away anything, searching the binary for strings like "jail," "cydia," "apt," etc. often lead to the breaking point.

xCon

See xCon on its separate page.