
iOS has always been considered a haven for mobile application security. Every year, the operating system ships more effective updates that make life easier for its users and for the application and security service providers that build on it. However, for tech-savvy users these timely improvements may not be enough, and there are always people who believe there is room for improvement. Hence the term "jailbreaking".
Jailbreaking is the process by which a user gains access to the administrative commands and functions of the iOS operating system. It gives the ability (or permission) to alter or replace system applications, files, and settings, remove pre-installed applications, and run specialized applications ("apps") that require administrator-level permissions.
In 2020 research covering 425 million devices, Wandera highlighted a 50% increase in jailbroken devices over the previous year, a formidable jump.
With jailbreaking, one can remove almost all the restrictions from an iOS device and open the door to far-reaching modifications.
While this may sound fascinating at first, it also opens up innumerable avenues for security vulnerabilities and for threat actors to creep into the device. So, let's look at the specific steps application developers can take to ensure that their applications stay secure on jailbroken devices.
Jailbreak detection means that the application checks whether it is running on a jailbroken device.
Jailbreak detection aims to deny an attacker the extra privileges a jailbroken device provides by refusing to run the app there. This, in turn, blocks some tools and techniques, such as reverse-engineering tooling, and helps an application avoid many vulnerabilities.
A one-time jailbreak detection bypass lets the pen tester bypass the jailbreak detection of the respective application permanently. This means the pen tester has to bypass the jailbreak detection only once.
For example, the pen tester can permanently bypass jailbreak detection using the Liberty application. Once you bypass jailbreak detection with Liberty, the bypass stays in place for the selected applications; you don't need to bypass the jailbreak detection again and again.
A run-time jailbreak detection bypass lets the pen tester bypass the jailbreak detection only while the app is running. This means you manipulate the value at run time, and you have to bypass the jailbreak detection again and again; it is not permanent.
For example, we can use Frida and Objection to bypass jailbreak detection at runtime. Once you bypass jailbreak detection with Frida and Objection, the bypass only works while Frida or Objection is running. As soon as you stop Frida or Objection, the respective application starts detecting that the device is jailbroken again.
There are different ways to bypass iPhone jailbreak detection. Let's discuss each in detail.
a. Installing Frida server
Once installed, the Frida server runs on the iDevice by default; you don't need to start it every time.
b. Installing objection
sudo pip3 install objection
Note: When using objection, ensure the application is open on the device; otherwise, objection will not work.
objection --gadget package_name explore
Or
objection -g package_name explore
Run the below command to find the package name of the application:
frida-ps -Ua
-Ua => show the applications currently running on the USB-connected device
3) Run the below command to search for the specific class
ios hooking search classes jailbreak
search classes => searches for the classes whose names contain the given word.
jailbreak => Here we are looking for classes related to jailbreak, so we searched for "jailbreak" to list all of them. If you are looking for other classes, such as login-related ones, you can type login there instead.
4) Run the below commands to watch methods available for the given class
ios hooking watch class JailbreakDetection
watch => watches the methods available for the given class.
JailbreakDetection => the name of the class; you can use any class that you think may be related to the function you are looking for.
5) Run the below commands to dump the value of the given method
ios hooking watch method "+[JailbreakDetection isJailbroken]" --dump-return
--dump-return => prints the value returned when the particular method is called; it can be 0, 1, true, false, etc.
"+" => the symbol we write depends on the method we are calling. When we watch all methods of a particular class, the output shows the symbol used by each method, as highlighted in the screenshot above. The symbol is "+" for a class method and "-" for an instance method.
JailbreakDetection is the name of the class.
isJailbroken is the method of the class.
6) Run the below commands to set the return value of the given method.
ios hooking set return_value "+[JailbreakDetection isJailbroken]" 1
set return_value => sets the return value of the given method.
1 => Here we set the return value to "1" because, when we open the application, it reports that the device is jailbroken and the method returns 0, so we change the value at run time to "1". The application then concludes that the device is not jailbroken and we can run it.
a. Installing Liberty
b. Bypassing jailbreak detection using Liberty
Many tools can be used to bypass jailbreak detection, such as FlyJB, Shadow, etc.
Run the below command to connect objection to the application and explore it:
objection --gadget package_name explore
Run the below command to bypass the jailbreak detection:
ios jailbreak disable
Bypassing jailbreak detection using Frida
frida -U -f package_name -l jailbreak.js --no-pause
-U => use a USB-connected device as the target
-f => spawn the application with the given package name
-l => load the given script
jailbreak.js => https://codeshare.frida.re/@liangxiaoyi1024/ios-jailbreak-detection-bypass/ (download the script from codeshare according to your iOS version)
--no-pause => force Frida not to pause app execution after injecting the script.
The application should check for the presence of the following things. If any of them are present, the application should conclude that the device is jailbroken and refuse to run.
1. Check the presence of any of the following file paths:
2. Check the presence of shell access
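As an added example (not code from the original post), the two checks above written as plain C functions an iOS app could call. The path list is an assumed, illustrative set rather than the post's own list, and the function names are chosen for this example. Plain C functions are not listed by `ios hooking search classes` and are not targets for `ios hooking set return_value`, which only takes Objective-C selectors, so they raise the cost of the walkthrough shown above (a native Frida hook remains possible).

```c
#include <stdbool.h>
#include <stddef.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Illustrative paths associated with jailbreak tooling. This list is an
   assumption for the example; it is not the original post's own list. */
static const char *const kJailbreakPaths[] = {
    "/Applications/Cydia.app",
    "/Library/MobileSubstrate/MobileSubstrate.dylib",
    "/bin/bash",
    "/usr/sbin/sshd",
    "/etc/apt",
    NULL
};

/* Check 1: count how many of the given paths exist. stat(2) is called
   directly instead of through an Objective-C wrapper, so there is no
   "+[Class method]" selector for objection to watch or override. */
size_t jb_count_existing_paths(const char *const *paths) {
    size_t hits = 0;
    struct stat st;
    for (size_t i = 0; paths[i] != NULL; i++) {
        if (stat(paths[i], &st) == 0) hits++;
    }
    return hits;
}

/* Check 2: shell access. The iOS app sandbox denies fork(), so a fork()
   that succeeds means the process is not confined the way a stock app is.
   Caveat: on a desktop OS, where this example also compiles, fork()
   normally succeeds, so the check reports true there. */
bool jb_has_shell_access(void) {
    pid_t pid = fork();
    if (pid < 0) return false;      /* fork refused: expected on stock iOS */
    if (pid == 0) _exit(0);         /* child: exit immediately */
    int status;
    waitpid(pid, &status, 0);       /* reap the child */
    return true;
}

/* Verdict used by the app: refuse to run if any check fires. Each signal
   is a separate function, so an attacker has to find and patch each one. */
bool jb_device_is_jailbroken(void) {
    return jb_count_existing_paths(kJailbreakPaths) > 0 || jb_has_shell_access();
}
```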
Once a device is jailbroken, it becomes an easy target for threat actors, who can flood it with malicious elements and sniff sensitive user information. This poses risks for other genuine apps running on jailbroken devices. Implementing the jailbreak detection steps above protects the app, the device, and user data from being compromised by threat actors.