iOS Security Defense (20): Jailbreak Detection Attack and Defense

Source: Internet
Author: User

Attack and Defense Against jailbreak Detection

During application development we want to know whether the device is jailbroken and with what privileges the program is running, so that we can take defensive measures or warn the user accordingly.

Compared with earlier versions, iOS 7 upgraded the sandbox mechanism and closed almost every channel for sharing data between application sandboxes. Even on a jailbroken device many restrictions remain, which greatly raises the difficulty of application-layer attacks. For example, before iOS 7 one could try to write a file outside the sandbox to determine whether the device was jailbroken; on iOS 7 that permission is not granted even after jailbreaking, so the old check misjudges (it reports a jailbroken device as clean).

So how should we detect a jailbreak? And what if attackers bypass the detection? This article discusses the attack and defense of jailbreak detection.

The simplest method is to check whether the files that jailbreak tools install exist, for example the Cydia bundle:

    + (BOOL)isJailbroken {
        if ([[NSFileManager defaultManager] fileExistsAtPath:@"/Applications/Cydia.app"]) {
            return YES;
        }
        // ... check other well-known paths the same way
        return NO;
    }

Attackers may change the installation path of these tools to evade this check.

Then, you can try to open the URL scheme registered by the Cydia application:

    if ([[UIApplication sharedApplication] canOpenURL:[NSURL URLWithString:@"cydia://package/com.example.package"]]) {
        NSLog(@"Device is jailbroken");
    }

However, not all tools register a URL scheme, and an attacker can modify the URL scheme of any application. Note also that from iOS 9 on, canOpenURL: only answers for schemes declared in the app's LSApplicationQueriesSchemes, so cydia must be listed there for this check to work at all.

Then, you can try to read the application list to see whether you have permission to do so:

    if ([[NSFileManager defaultManager] fileExistsAtPath:@"/User/Applications/"]) {
        NSLog(@"Device is jailbroken");
        NSArray *applist = [[NSFileManager defaultManager] contentsOfDirectoryAtPath:@"/User/Applications/"
                                                                               error:nil];
        NSLog(@"applist = %@", applist);
    }

On a jailbroken device this succeeds and lists the installed applications.

Attackers may hook the NSFileManager methods to defeat this approach.

Then, you can bypass NSFileManager and use the stat family of functions to detect Cydia:

    #include <sys/stat.h>

    void checkCydia(void) {
        struct stat stat_info;
        // stat the Cydia bundle itself; /Applications/ alone also exists on a stock device
        if (0 == stat("/Applications/Cydia.app", &stat_info)) {
            NSLog(@"Device is jailbroken");
        }
    }

Attackers may use fishhook-style symbol rebinding to hook stat.

Then, you can check whether stat still resolves to the system library or has been replaced by an attacker:

    #include <dlfcn.h>
    #include <sys/stat.h>

    void checkInject(void) {
        int ret;
        Dl_info dylib_info;
        int (*func_stat)(const char *, struct stat *) = stat;
        // dladdr reports which loaded image contains the address we are about to call
        if ((ret = dladdr(func_stat, &dylib_info))) {
            NSLog(@"lib :%s", dylib_info.dli_fname);
        }
    }

If the result is not /usr/lib/system/libsystem_kernel.dylib, the function has definitely been replaced. Note that this only catches pointer rebinding (fishhook): an inline hook such as MobileSubstrate's MSHookFunction patches the code inside libsystem_kernel.dylib, so dladdr still reports the original image.
If the attacker replaces libsystem_kernel.dylib itself ......

then there is nothing you can do about it either ......

Then, you may suspect that your application has been linked with an abnormal dynamic library.

List all linked dynamic libraries:

    #include <mach-o/dyld.h>

    void checkDylibs(void) {
        uint32_t count = _dyld_image_count();
        for (uint32_t i = 0; i < count; ++i) {
            NSString *name = [[NSString alloc] initWithUTF8String:_dyld_get_image_name(i)];
            NSLog(@"--%@", name);
        }
    }

Generally, on a jailbroken device the output contains MobileSubstrate.dylib (loaded from /Library/MobileSubstrate/MobileSubstrate.dylib).

Attackers may rename MobileSubstrate, but the principle is the same: the dynamic library is injected through DYLD_INSERT_LIBRARIES.

Then, you can check the environment variables of the running process:

    #include <stdlib.h>

    void printEnv(void) {
        char *env = getenv("DYLD_INSERT_LIBRARIES");
        NSLog(@"%s", env ? env : "(not set)");
    }

On a non-jailbroken device this returns NULL; on a jailbroken device it has a value, especially in older iOS jailbreak environments. Be aware that the injected library can itself unsetenv() the variable once it has loaded, so an empty result proves nothing.
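The checks above are each defeated one at a time, so in practice they are layered. The following C routine is an added example, not code from the original article: it combines the stat-based path check, the loaded-image scan, the DYLD_INSERT_LIBRARIES parse and the dladdr check into a single score. The indicator paths other than Cydia.app and MobileSubstrate.dylib, the injection-framework names other than MobileSubstrate, and the one-point-per-signal scoring rule are assumptions; the dyld image scan and the dladdr comparison only run on Darwin, the rest is plain POSIX and runs anywhere.

```c
#define _GNU_SOURCE            /* dladdr() on glibc; harmless on Darwin */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <sys/stat.h>
#include <dlfcn.h>
#ifdef __APPLE__
#include <mach-o/dyld.h>
#endif

/* Indicator paths: the first two are from the article, the rest are assumed. */
static const char *const kJailbreakPaths[] = {
    "/Applications/Cydia.app",
    "/Library/MobileSubstrate/MobileSubstrate.dylib",
    "/private/var/lib/apt",
    "/private/var/lib/cydia",
    NULL
};

/* Injection-framework names matched case-insensitively against image paths.
 * MobileSubstrate is from the article; the others are assumed additions. */
static const char *const kSuspiciousImages[] = {
    "mobilesubstrate", "substitute", "libhooker", "frida", "cycript", NULL
};

/* Case-insensitive substring search (strcasestr is not portable). */
static int contains_ci(const char *hay, const char *needle) {
    size_t n = strlen(needle);
    for (; *hay; ++hay)
        if (strncasecmp(hay, needle, n) == 0) return 1;
    return 0;
}

/* stat(2) instead of NSFileManager: 1 if the path exists, 0 otherwise. */
int path_exists(const char *path) {
    struct stat st;
    return stat(path, &st) == 0;
}

/* Number of indicator paths present on the device. */
int count_jailbreak_paths(const char *const *paths) {
    int n = 0;
    for (; *paths; ++paths)
        if (path_exists(*paths)) n++;
    return n;
}

/* 1 if a loaded-image name matches a known injection framework. */
int image_is_suspicious(const char *image_name) {
    for (const char *const *p = kSuspiciousImages; *p; ++p)
        if (contains_ci(image_name, *p)) return 1;
    return 0;
}

/* Live scan of the dyld image list; Darwin only, 0 elsewhere. */
int scan_loaded_images(void) {
    int hits = 0;
#ifdef __APPLE__
    uint32_t count = _dyld_image_count();
    for (uint32_t i = 0; i < count; ++i)
        if (image_is_suspicious(_dyld_get_image_name(i))) hits++;
#endif
    return hits;
}

/* DYLD_INSERT_LIBRARIES is a colon-separated list; count its non-empty
 * entries. NULL (variable unset) counts as zero. */
int count_inserted_libraries(const char *value) {
    int n = 0;
    if (!value) return 0;
    for (const char *p = value; *p; ) {
        const char *colon = strchr(p, ':');
        size_t len = colon ? (size_t)(colon - p) : strlen(p);
        if (len > 0) n++;
        if (!colon) break;
        p = colon + 1;
    }
    return n;
}

/* The article's dladdr check: 1 if fn still lives in an image whose path
 * contains expected, 0 if it resolves elsewhere (fishhook-style rebinding),
 * -1 if dladdr fails. Inline hooks (MSHookFunction) are NOT caught by this. */
int symbol_in_expected_image(void *fn, const char *expected) {
    Dl_info info;
    if (!dladdr(fn, &info) || !info.dli_fname) return -1;
    return contains_ci(info.dli_fname, expected);
}

/* One point per independent signal: an attacker must defeat every layer. */
int jailbreak_score(void) {
    int score = 0;
    if (count_jailbreak_paths(kJailbreakPaths) > 0) score++;
    if (scan_loaded_images() > 0) score++;
    if (count_inserted_libraries(getenv("DYLD_INSERT_LIBRARIES")) > 0) score++;
#ifdef __APPLE__
    if (symbol_in_expected_image((void *)stat, "libsystem_kernel.dylib") == 0) score++;
#endif
    return score;
}

int main(void) {
    printf("jailbreak score: %d\n", jailbreak_score());
    return 0;
}
```

A score rather than a single boolean means the response can be graded (log, degrade, refuse) and an attacker who patches one check still trips the others. Call it early in the launch path and from more than one place, since a hook that lands before your code runs can still lie to all of these checks at once.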
