iOS Safety Suite is an open-source library designed for iOS app builders to implement varied safety measures inside their functions.
One of many main functions of this library is to assist builders detect if an iOS gadget is jailbroken, which might pose safety dangers to the applying and its customers.
Jailbreaking entails eradicating the restrictions imposed by Apple on iOS units, permitting customers to realize root entry and set up unauthorized software program, set up tweaks to change the unique conduct of the OS APIs, and extra.
A few of the key options of this iOS Safety Suite are:
- Jailbreak Detection
- Emulator Detection
- Debug Detection
- Runtime Hook Detection
- Proxy Detection
..and extra
Try the challenge on GitHub: iOSSecurity Suite.
On this article, we are going to bypass the jailbreak detection restriction carried out in a real-world software utilizing the iOS Safety Suite library that I encountered throughout an evaluation.
Key takeaways
- iOS Safety Suite is extensively used for jailbreak and runtime detection in iOS apps, however its checks will be bypassed by attackers with frequent instruments.
- Pentesters override the amIJailbroken() methodology utilizing Frida or related frameworks to simulate compromised environments and assess app resilience.
- The library depends on eight predominant checks (information, directories, symbolic hyperlinks, DYLD libraries, URL schemes, and extra) to flag jailbroken units.
- Bypassing jailbreak detection reveals hidden dangers. Apps should operate in insecure environments if safety isn’t layered.
The applying
To start the evaluation, let’s set up the applying on the gadget. The identify of the applying won’t be disclosed all through the article.
I’ll use a software known as ios-deploy to put in the ipa onto the gadget. It is suggested to put in AppSync Unified on the gadget to keep away from app signing points, because it circumvents installd’s signature checks.
.png?width=782&height=397&name=image%20(16).png)
Now that the app is put in, let’s open it and see if it opens in any respect.
.png?width=336&height=518&name=image%20(17).png)
As anticipated, the app reveals an alert that the gadget seems to be rooted, therefore it can’t proceed. This isn’t good since we wish the applying to work within the jailbroken setting for all our required instruments to work throughout the evaluation.
Let’s now analyze the restrictions in place and discover the way to bypass them.
The evaluation
Let’s first do some static evaluation on the ipa file to determine if there’s some third-party library concerned for the jailbreak detection.
We are able to begin by unzipping the ipa file since it’s basically an archive of the applying bundle that will get expanded throughout set up. The primary place to begin searching for put in frameworks is Payload/
.png?width=778&height=230&name=image%20(18).png)
Wanting on the put in frameworks, we are able to determine that this can be a Flutter software that has two potential modules which might be of curiosity:
- iOS Safety Suite
- Flutter jailbreak detection
Since we all know that this can be a Flutter app, let’s begin by trying into the flutter_jailbreak_detection.framework.
Flutter jailbreak detection
Earlier than diving into reverse engineering, let’s attempt to discover the code for this library to realize a greater understanding of the way it detects jailbreak on the gadget.
Looking on Google leads us to the challenge on GitHub, flutter_jailbreak_detection, that makes our lives slightly simpler. The library is utilizing iOS Safety Suite internally for the iOS platform to detect if the gadget is jailbroken.
If we navigate to flutter_jailbreak_detection/ios/Courses/SwiftFlutterJailbreakDetectionPlugin.swift file, we are able to see that it calls the IOSSecuritySuite.amIJailbroken() methodology to test the jailbroken state of the gadget.
.png?width=780&height=471&name=image%20(19).png)
So, if we bypass amIJailbroken() from the IOSSecuritySuite module, we basically bypass the jailbreak test on the Flutter Jailbreak Detection module as properly.
iOS safety suite
Let’s now analyze the supply code for IOSSecurity Suite for a greater understanding of the amIJailbroken() methodology.
This may assist us when reversing the binary to hook into this methodology utilizing Frida, as we’re coping with Swift and might’t instantly hook through the use of class and methodology names, not like with Goal-C strategies. The iOS Safety Suite includes a number of modules, however we are going to focus particularly on the Jailbreak Detection half.
Shopping via the code, we are able to discover the jailbreak checks carried out at IOSSecuritySuite/JailbreakChecker.swift. Let’s attempt to perceive the logic behind how the gadget reaches a conclusion if it has a jailbreak put in.
.png?width=786&height=345&name=image%20(20).png)
3 main strategies can be utilized to detect jailbreak within the apps:
- amIJailbroken
- amIJailbrokenWithFailMessage
- amIJailbrokenWithFailedChecks
All of those return the jailbroken state together with extra data, because the identify suggests. Every of them calls the performChecks methodology, based mostly on which it returns the jailbroken state as true or false.
The logic
Let’s test the performChecks methodology, the place all of the logic of the checks occurs.
.png?width=777&height=502&name=image%20(21).png)
The performChecks methodology comprises the next eight checks:
- Examine URL Schemes: Checks if any suspicious URL schemes, comparable to sileo:// are accessible.
- Examine Existence Of Suspicious Information: Checks if any suspicious file paths exist through fileExists(atPath: path), fopen, and entry strategies utilizing read-only mode.
- Examine Suspicious Information Can Be Opened: Checks if any suspicious file paths exist through isReadableFile(atPath: path), fopen, and entry strategies utilizing writable mode.
- Examine Restricted Directories Writable: Checks if any restricted paths like “/”, “/root”, “personal”, “jb” are mounted as learn/write and performs a file write and delete on these paths.
- Examine Fork: Verifies if Fork efficiently creates a brand new course of (sandbox violation).
- Examine Symbolic Hyperlinks: Checks if any non-standard symbolic hyperlinks exist.
- Examine DYLD: Checks if any suspicious libraries like FridaGadget, CydiaSubstrate, and so on. are loaded.
- Examine Suspicious ObjC Courses: Checks if Shadow is loaded, which is actually a jailbreak detection evasion tweak.
.png?width=778&height=692&name=image%20(22).png)
The checkURLSchemes methodology seems to be like this:
.png?width=777&height=547&name=image%20(23).png)
When every of those checks is carried out, it updates the handed variable as true or false. If all checks handed, the jailbroken state turns into false and vice versa.
return !performChecks().handed
Jailbreak detection checks within the iOS Safety Suite
|
Detection methodology |
What it seems to be for |
Danger if bypassed |
|
URL schemes |
Suspicious schemes like sileo:// |
Jailbreak app publicity |
|
Suspicious information |
Paths like /root/, /jb |
Root entry to app information |
|
File entry checks |
Learn/write entry in restricted directories |
Privilege escalation |
|
Restricted directories |
Write/delete in /, /personal |
System-level tampering |
|
Fork course of |
Sandbox violation checks |
Malicious course of injection |
|
Symbolic hyperlinks |
Non-standard symlinks |
Hidden jailbreak traces |
|
DYLD libraries |
FridaGadget, CydiaSubstrate |
Runtime code injection |
|
ObjC courses |
Shadow & jailbreak evasion tweaks |
Stealth bypass strategies |
The bypass
Now that we all know how the logic is written, we are able to begin reverse engineering the app to seek out the amIJailbroken() methodology and hook into it utilizing Frida.
Step one is to seek out the offset of this methodology and hook it to look at the strategy in motion, returning the jailbroken state with out modifying something.
The binary
From the preliminary evaluation, we noticed IOSSecuritySuite.framework put in within the app. Let’s analyze the compiled binary for this module in r2 to seek out the strategies we’re searching for.
.png?width=787&height=113&name=image%20(24).png)
Since this isn’t a really large binary, we will likely be utilizing the aaa command to research it and listing the strategies utilizing the afl command.
From the supply code evaluation, we all know that the strategies we’re fascinated by begin with “amI”, so we are able to use grep to filter out all of the restrictions carried out, or simply grep “amIJail” to get the jailbreak-related strategies. In case you encounter an app that implements extra restrictions, the same method will be taken to bypass them.
.png?width=782&height=213&name=image%20(25).png)
Since we’re solely fascinated by amIJailbroken, let’s analyze that methodology and cross-reference it to the supply code.
.png?width=778&height=376&name=image%20(26).png)
By analyzing the binary code and cross-referencing it with the supply, we are able to theoretically affirm that overriding the return worth of this methodology to false ought to bypass jailbreak detection, no matter any failed checks.
The script
Earlier than modifying the return worth, let’s hook into the operate and test the return worth when the gadget is jailbroken. This may make sure that we’re hooking into the proper operate.
Since this can be a swift module and we should not have direct entry to its courses and strategies, we might want to discover the precise tackle of the strategy loaded in reminiscence. To do this, we have to discover the bottom tackle of the IOSSecuritySuite module utilizing the Module.getBaseAddress Frida methodology and add the offset for the amIJailbroken methodology that we discovered utilizing r2.
We are going to use the next script to hook and print the return worth when the strategy known as.
var targetModule = "IOSSecuritySuite";var moduleBase = Module.getBaseAddress(targetModule);
var targetAddress_amIJailbroken = moduleBase.add(ptr(0x00009b74));
Interceptor.connect(targetAddress_amIJailbroken, {
onEnter: operate(args) {
console.log("amIJailBroken Known as");
},onLeave: operate(retval) {
console.log(`amIJailbroken retval ${retval}`);
},
});
Working the script provides us the next output:
.png?width=783&height=355&name=image%20(27).png)
We are able to see that we are able to hook into the amIJailbroken() methodology, and the return worth is true. In consequence, the app pops up a immediate and doesn’t proceed. To bypass it, let’s set the return worth to false.
The modified script is as follows:
var targetModule = "IOSSecuritySuite";
var moduleBase = Module.getBaseAddress(targetModule);
var targetAddress_amIJailbroken = moduleBase.add(ptr(0x00009b74));Interceptor.connect(targetAddress_amIJailbroken, {
onEnter: operate(args) {
console.log("amIJailBroken Known as");
},onLeave: operate(retval) {
console.log(`Bypassing amIJailbroken!!`);
retval.change(0);
},
Let’s run the script now and see if we bypass the rooted immediate..
.png?width=778&height=352&name=image%20(28).png)
..and voila, we efficiently bypassed the jailbreak detection implementation from IOSSecurity Suite.
The problem
We bypassed the jailbreak detection by overriding the return worth of the amIJailbroken() methodology.
One other method could be to individually hook into all the checks current within the performChecks() methodology and override them as handed (if failed), which in flip can even bypass the detection. I’ll go away this method so that you can attempt as a observe train for the brand new ability you may need discovered from this text.
Completely happy hacking!
Continuously Requested Questions (FAQs)
1. What’s iOS Safety Suite used for?
iOS Safety Suite is an open-source library that helps iOS builders detect jailbreaks, debuggers, proxies, and runtime tampering in cell apps.
2. Can jailbreak detection libraries like iOSSecuritySuite be bypassed?
Sure. Attackers and pentesters typically bypass these checks utilizing frameworks like Frida by overriding return values or hooking into detection strategies.
3. Why do pentesters bypass jailbreak detection throughout safety testing?
Pentesters bypass jailbreak detection to check how an app behaves in compromised environments and determine whether or not important features stay uncovered when safety controls fail.
4. What instruments are generally used to bypass jailbreak detection on iOS apps?
Instruments like Frida, Objection, and Radare2 are extensively utilized by safety testers to hook into and manipulate app conduct on jailbroken units.
5. Is jailbreak detection sufficient to safe enterprise cell apps?
No, it isn’t. Whereas useful, jailbreak detection alone can’t cease superior attackers. Enterprises ought to mix it with real-device testing, dynamic evaluation, and compliance-aligned safety options like Appknox.