Everything You Need to Know about iOS Jailbreak Detection Bypass

iOS has always been considered a safe haven when it comes to mobile application security. Every year this operating system tries to come up with more and more efficient updates to make life easy for its users and the respective application and security service providers. However, for tech-savvy users, these timely improvements may not sound enough, and there are always people who consider that there is room for more improvement. And hence comes the term ‘Jailbreaking’. 

What does jailbreaking an iPhone mean?

'Jailbreaking' is the process by which a user can gain access to the administrative commands and functions of the iOS operating system. It gives the ability (or permission) to alter or replace system applications, files, and settings, remove pre-installed applications, and run specialized applications (“apps”) that require administrator-level permissions. 

In a 2020 research on 425 million devices, Wandera highlighted that there had been a 50% increase in the number of jailbroken devices from the previous year, a quite formidable jump!

With jailbreaking, one can actually remove almost all the restrictions from their iOS device and open up gateways to make unimaginable modifications. While this may sound pretty fascinating at first, it also opens up innumerable avenues for security vulnerabilities and threat actors to creep inside your device. So, let’s take a look at how application developers can take specific steps to ensure that their applications stay secure in the context of jailbroken devices.

What is jailbreak detection?

Jailbreak Detection means that the application is detecting whether the application is running on a jailbroken device. 

The goal of jailbreak detection is to prevent the attacker from gaining more privileges by running the app on a non-jailbroken device. This, in turn, blocks some tools and techniques, such as reverse engineers, and helps an application prevent many vulnerabilities.

Difference between one-time and run-time jailbreak detection bypass 

One-time jailbreak detection bypass

One-time jailbreak detection bypass helps the pentester permanently bypass the jailbreak detection for the respective application. This means the pentester has to bypass the jailbreak detection only once.

For example, the pen tester can use the Liberty application to bypass the jailbreak detection permanently. Once you bypass jailbreak detection with the liberty application, it permanently bypasses the jailbreak detection for respective applications. You don’t need to bypass the jailbreak detection again and again.

Good Read: Here's How iOS Jailbreak Really Works.

Run-time jailbreak detection bypass

Run-time jailbreak detection bypass helps the pentester bypass the jailbreak detection at runtime. This means you can manipulate the value at run time, and then you have to bypass the jailbreak detection again and again; it’s not permanent. 

For example, we can use Frida and Objection to bypass jailbreak detection at runtime. Once you bypass jailbreak detection with Frida and Objection, it only works until you run Frida or Objection. As you stop Frida or Objection, the respective applications start detecting that the device is jailbroken again. 

How to bypass jailbreak detection 

There are different ways to bypass iPhone jailbreak detection. Let's discuss each in detail.

1. Jailbreak detection bypass via hooking

• Installing Frida server

By default the Frida server is running up on the iDevice, you don’t need to start a Frida server every time. 

• Installing objection 

sudo pip3 install objection

Note: When using an objection, make sure the application is opened on the device; otherwise, the objection will not work.

A) Let's bypass jailbreak detection via hooking

objection --gadget package_name explore

Or

objection -g package_name explore
Run the below command to find the package name of the application

Frida-ps -Ua 

-Ua=> show currently running application 

ios hooking search classes jailbreak

Search classes=> It is used to search for the classes related to the given word.

Jailbreak => Here we are looking for classes related to jailbreak. That's why we search for “jailbreak” so that we can get all the classes related to jailbreak.  And if you are looking for other classes like login related etc, you can type login there. 

ios hooking watch class JailbreakDetection

watch=> To watch the methods available for the given class

JailbreakDetection=> It’s the name of the class and you can use any class which you think may be related to the function which you are looking for. 

ios hooking watch method "+[JailbreakDetection isJailbroken]" --dump return

---dump return =>  It will return the value, when we call the particular method, it can be 0,1, true, false, etc. 

"+” => here “+” symbol we write based on the method we called. When we call all methods of a particular class, it shows the symbol which is used by that particular method as highlighted in the above screenshot. Depending on the method, symbols can be “+” or “-”.

JailbreakDetection is the name of the class.

isJailbroken is the method of the class. 

6) Run the below commands to set the return value of the given method.

ios hooking set return_valued "+[JailbreakDetection isJailbroken]" 1

set return_valued => It will set the returned value of the given class. 

1 => Here we set the return value to “1” because when we open the application it’s giving the error as the device is jailbroken and returns the value to 0, so we change it’s value at run time to “1”. So that application will understand that the device is not jailbroken and we can run the application. 

2. Jailbreak bypass via liberty application

• Installing liberty

• Bypass jailbreak detection using Liberty 
  
  1) Go to Settings, and you will see the liberty application at the end.
  2) Enable the application for which you want to bypass jailbreak detection. 

Many tools are used to bypass jailbreak detection, such as FlyJB, Shadow, etc. 

3. Jailbreak detection bypass via objection

Run the below command to connect the application to the objection and explore the application.

objection --gadget package_name explore

Run the below command to bypass the jailbreak detection

ios jailbreak disable

4. Jailbreak detection bypass via Frida

• Bypassing jailbreak detection using Frida

Frida -U -f package_name -l jailbreak.js --no-pause

U => To use a connected USB device as a target 

F =>  To indicates the package name

L =>  To load the script

Jailbreak.js =>

https://codeshare.frida.re/@liangxiaoyi1024/ios-jailbreak-detection-bypass/ (Download the script from codeshare according to your iOS version)

--no-pause => To force the Frida to “not to pause” app execution after injecting the script. 

Mitigating jailbreak detection bypass

The application should check for the presence of the following things. If any of them are present, the application should detect that the device is jailbroken and should not allow it to run the application.

• "/Applications/Cydia.app"
• "/Applications/blackra1n.app"
• "/Applications/FakeCarrier.app"
• "/Applications/Icy.app"
• "/Applications/IntelliScreenx.app"
• "/Applications/MxTube.app"
• "/Applications/RockApp.app"
• "/Applications/SBSettings.app"
• "/Applications/WinterBoard.app"
• "/Library/MobileSubstrate/DynamicLibraries/LiveClock.plist"
• "/Library/MobileSubstrate/DynamicLibraries/Veency.plist"
• "/private/var/lib/apt"
• "/private/var/lib/cydia"
• "/private/var/mobile/Library/SBSettings/Themes"
• "/private/var/stash"
• "/private/var/tmp/cydia.log"
• "/System/Library/LaunchDaemons/com.ikey.bbot.plist"
• "/System/Library/LaunchDaemons/com.saurik.Cydia.Startup.plist"
• "/usr/sbin/sshd"
• "/usr/libexec/sftp-server"
• "/usr/sbin/sshd"

• Since non-jailbroken iOS devices do not have shell access, the presence of shell access indicates a jailbroken device.
  
  

• If the standard Foundation framework does not exist at the expected file path "/System/Library/Frameworks/Foundation.framework/Foundation"
  
  

Final thoughts

Once a device is jailbroken, it becomes an easy target for threat actors, who can flush volumes of malicious elements into the device and sniff sensitive user information. This also poses risks for the other genuine apps running on jailbroken devices. Taking the required jailbreak detection bypass steps protects the app, the device, and user data from being compromised by threat actors.