The reason why you should keep maintaining Jailbreak detection in your iOS apps


In case you really care about your apps' security.

As an iOS engineer working on banking apps, security is always my first consideration. A single leak puts the whole project's security at risk.

iOS developers use Jailbreak detection as a standard technique to prevent that from happening. However, a detection routine that is never updated can quietly break and stop working properly as time passes.

To clarify the technique, I will first provide some background you may need to know.

Why use Jailbreak detection?

Your app may contain some hardcoded secret keys, and you most likely don't want them leaked under any circumstances. On a Jailbroken device, apps' files and settings can be read and modified, so an attacker could find those keys or other sensitive data. As a result, the app's security is threatened.

How does it work?

The technique checks for specific suspicious files, tools, and directories that are written to disk after a device is Jailbroken. The subject proper starts here...

As explained above, a typical detection looks for directories and files like these:

/bin/bash
/usr/sbin/sshd
/etc/apt
/System/Library/LaunchDaemons/com.saurik.Cydia.Startup.plist
/System/Library/LaunchDaemons/com.ikey.bbot.plist
/Library/MobileSubstrate/DynamicLibraries/LiveClock.plist
/Library/MobileSubstrate/DynamicLibraries/Veency.plist

Or this URL scheme alone:

cydia://

Unfortunately, this may no longer detect the Jailbreak, because recent Jailbreak tools do not ship Cydia as the pre-installed app, so its URL scheme and files are never there for the detection to find. Instead, apps like Zebra and Sileo, plus some other pre-installed apps and tools, get installed. So the check for schemes and directories should look more like this:

undecimus://
sileo://
zbra://
filza://
activator://

/Applications/Sileo.app
/Applications/FlyJB.app
/Applications/Zebra.app

I'm not writing down every suspicious directory because there are too many. For an up-to-date resource, please refer here.

The problem

New and additional Jailbreak apps and tools keep getting installed during and/or after the Jailbreak process, and each one adds new directories and URL schemes to the device.

For that reason, you must keep expanding your directory and scheme checks to cover them as well. Otherwise, your detection might malfunction or not work at all!
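To make the checks from the two lists above easy to extend as new tools appear, the indicators can be kept as plain data and the detection logic kept separate. The following Swift code is an added example written for this article, not code from the original post or from any library it mentions; the paths and URL schemes are exactly the ones listed on this page, and the type names (`JailbreakIndicators`, `JailbreakReport`, `JailbreakDetector`) are my own. It assumes an iOS target with UIKit available.

```swift
import Foundation
import UIKit  // UIApplication.canOpenURL is iOS-only

/// Indicators kept as data, so adding a newly seen tool means appending a
/// string here rather than touching the detection logic.
enum JailbreakIndicators {
    /// Paths listed in the article (older Cydia-era files plus newer package managers).
    static let suspiciousPaths: [String] = [
        "/bin/bash",
        "/usr/sbin/sshd",
        "/etc/apt",
        "/System/Library/LaunchDaemons/com.saurik.Cydia.Startup.plist",
        "/System/Library/LaunchDaemons/com.ikey.bbot.plist",
        "/Library/MobileSubstrate/DynamicLibraries/LiveClock.plist",
        "/Library/MobileSubstrate/DynamicLibraries/Veency.plist",
        "/Applications/Sileo.app",
        "/Applications/FlyJB.app",
        "/Applications/Zebra.app",
    ]

    /// URL schemes listed in the article. Every scheme queried with
    /// canOpenURL must also be declared under LSApplicationQueriesSchemes
    /// in Info.plist, otherwise the query always returns false and the
    /// check silently does nothing.
    static let suspiciousSchemes: [String] = [
        "cydia", "undecimus", "sileo", "zbra", "filza", "activator",
    ]
}

/// Returning the matched evidence rather than a bare Bool lets you log it
/// and score risk instead of hard-failing on a single hit.
struct JailbreakReport {
    var matchedPaths: [String] = []
    var matchedSchemes: [String] = []
    var isLikelyJailbroken: Bool { !matchedPaths.isEmpty || !matchedSchemes.isEmpty }
}

enum JailbreakDetector {
    /// Path check using two independent primitives (Foundation and the
    /// stat() syscall wrapper). A tweak that hooks only one of them still
    /// leaves the other to report the file, so the combined answer is a
    /// slightly more robust signal than either alone.
    static func pathExists(_ path: String) -> Bool {
        let viaFileManager = FileManager.default.fileExists(atPath: path)
        var info = stat()
        let viaStat = stat(path, &info) == 0
        return viaFileManager || viaStat
    }

    /// Scheme check; must run on the main thread because it touches UIApplication.
    static func schemeIsHandled(_ scheme: String) -> Bool {
        guard let url = URL(string: "\(scheme)://") else { return false }
        return UIApplication.shared.canOpenURL(url)
    }

    /// Runs every indicator and collects the matches. On the simulator the
    /// file checks hit the host macOS file system (where /bin/bash always
    /// exists), so the run is skipped there to avoid a false positive.
    static func run(paths: [String] = JailbreakIndicators.suspiciousPaths,
                    schemes: [String] = JailbreakIndicators.suspiciousSchemes) -> JailbreakReport {
        var report = JailbreakReport()
        #if targetEnvironment(simulator)
        return report
        #else
        report.matchedPaths = paths.filter(pathExists)
        report.matchedSchemes = schemes.filter(schemeIsHandled)
        return report
        #endif
    }
}

// Usage (for example from application(_:didFinishLaunchingWithOptions:)):
// let report = JailbreakDetector.run()
// if report.isLikelyJailbroken {
//     // Decide policy here: log the matched indicators, degrade sensitive
//     // features, or refuse to load secrets; the report says which hit.
// }
```

Because every path and scheme lives in one place, keeping up with new Jailbreak tools becomes a data update, and the report tells you which indicator fired so you can see when an entry has gone stale (never matching) or started producing false positives. All of these checks can be hooked on a Jailbroken device, so treat the result as one risk signal among several rather than a guarantee.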

You should also keep in mind that there is no 100% guaranteed way to detect Jailbroken devices. The checks can be bypassed, or your own implementation may malfunction.

Lastly, I suggest relying on an up-to-date, pure Swift library called IOSSecuritySuite. It contains almost every check that Jailbreak detection needs, and it also detects other attack techniques such as reverse engineering, debugger usage and more.

Conclusion

iOS developers use a well-known technique for detecting Jailbroken devices. You may consider this approach to keep your hardcoded secrets safe from attackers.

The technique checks for suspicious files, tools, and directories that are written to disk after a device is Jailbroken.

Finally, you must keep expanding your directory and scheme checks for new and additional Jailbreak apps and tools if you want your detection to keep functioning properly.

Keep guarding and keep your app safe! 🙌🏻