Everything You Need to Know about iOS Jailbreak Detection Bypass

Raja Uzair Abdullah
6 min read · Apr 11, 2022


iOS has always been considered one of the safest platforms when it comes to mobile application security. Every year the operating system ships more efficient and safer updates to protect users and their applications.

What does ‘Jailbreaking’ Mean?

‘Jailbreaking’ is the process by which a user gains access to the administrative functions of the operating system, i.e. root on the device. It gives the ability to alter or replace system applications, files and settings, remove pre-installed applications, and run specialized applications (“apps”) that require root-level permissions; in practice it also disables the code-signing enforcement and sandbox restrictions that normally isolate apps from each other.

With jailbreaking, one can remove almost all the restrictions from an iOS device and make modifications that are otherwise impossible. While this sounds fascinating at first, it also opens up many avenues for security vulnerabilities and for threat actors to get a foothold on the device: anything an app stores or does on a jailbroken device can be read and tampered with by a local attacker who has root. So let’s take a look at the specific steps application developers take to keep their applications secure in the context of jailbroken devices, and at how a pentester gets past them.

Jailbreaking can be done with a number of tools; here we will talk about unc0ver and checkra1n, choosing between them depending on the iPhone model and iOS version. checkra1n exploits the checkm8 bootrom bug, so it only works on A11 and earlier devices and needs a computer after every reboot; unc0ver is purely software based and is what we use below.

Unc0ver

Unc0ver is a semi-untethered jailbreak app supporting iOS 11.0–14.8. Semi-untethered means the jailbreak does not survive a reboot, but re-jailbreaking needs no computer: you simply re-run the unc0ver app on the device. The app itself is installed by sideloading its IPA with a signing service, AltStore in our case: download the IPA from https://unc0ver.dev/ by clicking the Download button, then install it on the iPhone through AltStore over a USB cable. (An IPA signed with a free Apple ID through AltStore expires after 7 days and must be refreshed from AltStore, so keep it installed.)

  • Once unc0ver is installed on the iPhone, open the app and tap “Jailbreak” to get started.
  • Once the process finishes, the iPhone is jailbroken and Cydia is available for installing the tools below.

What is Jailbreak Detection?

Jailbreak detection means that the application checks whether it is running on a jailbroken device or not, typically by looking for jailbreak artifacts (files such as /Applications/Cydia.app or the MobileSubstrate library, URL schemes such as cydia://, the ability to write outside the app’s sandbox, the ability to fork) and wrapping those checks in a method such as isJailbroken that the rest of the app consults.

The goal of jailbreak detection is to refuse to run, or to run with reduced functionality, on a jailbroken device, so that an attacker cannot turn root-level privileges against the app. This blocks, or at least raises the cost of, tools and techniques such as debuggers, runtime instrumentation and reverse engineering, and so protects the app’s data and logic. It is a defence-in-depth control rather than a fix for vulnerabilities in the app itself, and, as the rest of this article shows, it can be bypassed.

Jailbreak Detection Bypass

There are two main types of jailbreak detection bypass:

  • One-Time Jailbreak Detection bypass
  • Run-Time Jailbreak Detection bypass

Difference Between One-Time and Run-Time Jailbreak Detection Bypass

One-Time Jailbreak Detection bypass

A one-time jailbreak detection bypass lets the pentester bypass the detection persistently for the respective application, which means the detection has to be bypassed only once.

For example, the pentester can use the Liberty Lite or iHide tweak. Once you enable the tweak for an application, it stays in effect on every launch (the tweak is injected into the process at startup), so you don’t need to bypass the detection again and again. The trade-off is that a tweak only knows about the generic checks it was written for; an app with custom detection logic may still detect the device.

Run-Time Jailbreak Detection bypass

A run-time jailbreak detection bypass lets the pentester bypass the detection at run-time only: you manipulate the return value while the app is running, and you have to do it again on every launch; it is not permanent.

For example, we can use Frida and objection to bypass the detection at run-time. The bypass only holds while Frida or objection is attached to the application; as soon as you stop it, the application again starts detecting that the device is jailbroken. In exchange you get precise control: you see exactly which method the app consults and what it returns, which is what you need when the generic tweaks fail.

Bypassing Jailbreak Detection

There are different ways to bypass jailbreak detection, let’s discuss each in detail.

Installing Frida

  • Open Cydia and tap the Sources tab at the bottom.
  • Tap Edit, then Add, and enter the repo URL https://build.frida.re.
  • Go to All Packages and select Frida (this package is frida-server; it is started as a launch daemon and listens for the host over USB).
  • Install it.

Installing Objection

  • pip3 install objection

objection pulls in the frida Python package. The Frida version on your host (frida --version) must match the frida-server version installed from Cydia; if they differ, the host cannot talk to the device, so either pin the host package to the device version (for example pip3 install frida==<device version> frida-tools) or install the matching frida-server package on the device.

Note: while using objection make sure the application is open on the device; otherwise objection will not be able to attach to it.

1. Jailbreak Detection Bypass via Hooking (Objection)

Connect your device via USB, trust the computer on the device, start the application, and run the command below to explore it with objection:

objection --gadget package_name explore

  • --gadget (short form -g) takes the app’s bundle identifier or its display name as shown by frida-ps.
  • Run frida-ps -Ua first to find it: -U selects the USB device and -a lists only running applications, with their names and bundle identifiers.

Run the command below to search for classes whose name contains a given word, e.g. jailbreak, root, detection:

ios hooking search classes jailbreak

  • search classes lists every loaded Objective-C class whose name contains the given word.

Run the command below to watch all methods of a given class:

ios hooking watch class JailbreakDetection

  • watch class hooks every method of the class and prints a line each time one is called, so you can see which method the app consults when it decides the device is jailbroken.
  • JailbreakDetection is the name of the class we want to look into (use the name returned by the search above).

Run the command below to dump the return value of a specific method:

ios hooking watch method "+[JailbreakDetection isJailbroken]" --dump-return

  • --dump-return prints the value the method returns on each call; for a BOOL this shows as 0/1 or false/true. --dump-args and --dump-backtrace are also available.
  • "+" / "-" is the selector prefix: "+" for a class method, "-" for an instance method. Use whichever prefix the watch class output showed for that method.
  • JailbreakDetection is the name of the class.
  • isJailbroken is the method of the class.

Run the command below to override the return value of the method:

ios hooking set return_value "+[JailbreakDetection isJailbroken]" false

  • set return_value replaces the return value of the given method with the boolean you specify (true or false) for as long as the objection session is attached.
  • false: the --dump-return output shows isJailbroken returning true (1) on our jailbroken device, and that is what triggers the “device is jailbroken” error, so we force it to false (0) and the application behaves as if the device were clean. The value to set is always the opposite of what you observed; if the app’s method is phrased the other way round (e.g. isSafeDevice returning false), set true instead.

2. Jailbreak Detection Bypass Via Objection

Run the command below to attach objection to the application and explore it:

objection --gadget package_name explore

Then run the command below to bypass the jailbreak detection:

ios jailbreak disable

This is objection’s built-in bypass: it hooks the common low-level checks (NSFileManager fileExistsAtPath:, fopen, UIApplication canOpenURL: and fork) so that jailbreak artifacts appear to be absent. It works against detection libraries built from those calls; an app with its own wrapper class, or one that checks in native code the hooks do not cover, still needs the targeted hooking from section 1.

3. Jailbreak Detection Bypass via Liberty Lite

Installing Liberty Lite

  • Open Cydia and tap the Sources tab at the bottom.
  • Tap Edit, then Add, enter https://ryleyangus.com/repo (Ryley’s Repo) and tap Add Source.
  • Open the repo and install the tweak named “Liberty Lite”.
  • Open Liberty Lite from Settings, turn on its jailbreak-blocking switch for the respective app, then relaunch the app.

4. Jailbreak Detection Bypass via iHide

Installing iHide

  • Open Cydia and tap the Sources tab at the bottom.
  • Tap Edit, then Add, enter https://repo.kc57.com and tap Add Source.
  • Open the repo and install the tweak named “iHide”.
  • Open iHide from Settings, turn on its jailbreak-blocking switch for the respective app, then relaunch the app.

5. Jailbreak Detection Bypass via Frida

Bypassing jailbreak detection with a Frida script:

frida -U -f package_name -l jailbreak.js --no-pause

  • -U selects the USB device, -f spawns the app by bundle identifier so the script is in place before any startup check runs, and -l loads the script.
  • --no-pause resumes the spawned process immediately. With recent frida-tools (12 and later, shipped with Frida 16) spawned processes are resumed automatically, the flag is gone and --pause restores the old behaviour, so drop --no-pause if the CLI rejects it.
  • Ready-made jailbreak.js scripts exist on Frida CodeShare, but anything you load must match what the app actually checks; watch the classes first as in section 1.
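As an added example (written for this article; not the author’s jailbreak.js and not objection’s or Frida’s own code), here is a script that does in one file what the objection session in section 1 does interactively (force the app’s wrapper method to return NO) and what ios jailbreak disable does generically (hide jailbreak artifacts from file-existence, URL-scheme and stat checks). The class name JailbreakDetection and selector isJailbroken are the hypothetical ones from the objection walkthrough; the path and scheme lists are constructed from commonly probed artifacts and are not exhaustive. Outside a Frida-instrumented process the installer sees that the Objective-C bridge is absent and installs nothing, which is what lets the pure decision helpers be exercised on a desktop.

```javascript
'use strict';
// jailbreak.js: Frida script for the article's bypass walkthrough (added example,
// not the author's or objection's code). Two layers of bypass:
//   1. the app's own wrapper method, e.g. +[JailbreakDetection isJailbroken]
//      (hypothetical class/selector from the objection session), forced to NO;
//   2. the generic checks such wrappers are built from: NSFileManager
//      fileExistsAtPath:, UIApplication canOpenURL:, and stat(2).

// Paths commonly probed by detection libraries (constructed list, not exhaustive).
const JAILBREAK_PATHS = [
  '/Applications/Cydia.app',
  '/Applications/Sileo.app',
  '/Library/MobileSubstrate/MobileSubstrate.dylib',
  '/usr/sbin/sshd',
  '/bin/bash',
  '/etc/apt',
  '/private/var/lib/apt',
  '/usr/lib/libjailbreak.dylib',
  '/var/jb',
];

// URL schemes registered by jailbreak package managers and file browsers.
const JAILBREAK_SCHEMES = ['cydia', 'sileo', 'zbra', 'filza'];

// Decision helpers kept free of Frida APIs so the policy is testable off-device.
function isJailbreakArtifact(path) {
  if (typeof path !== 'string') return false;
  return JAILBREAK_PATHS.some((p) => path === p || path.startsWith(p + '/'));
}

function isJailbreakScheme(url) {
  if (typeof url !== 'string') return false;
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(url);
  return m !== null && JAILBREAK_SCHEMES.includes(m[1].toLowerCase());
}

// Installs the hooks. Returns true inside a Frida-attached iOS process and
// false (installing nothing) anywhere else, e.g. under plain Node.
function installHooks(wrapperClass, wrapperSelector) {
  if (typeof ObjC === 'undefined' || !ObjC.available) {
    console.log('[jailbreak.js] no Objective-C runtime here; hooks not installed');
    return false;
  }

  // 1. App wrapper: equivalent of
  //    ios hooking set return_value "+[JailbreakDetection isJailbroken]" false
  const cls = ObjC.classes[wrapperClass];
  if (cls !== undefined && cls[wrapperSelector] !== undefined) {
    const method = cls[wrapperSelector];
    method.implementation = ObjC.implement(method, function () {
      console.log('[jailbreak.js] ' + wrapperSelector + ' -> forced NO');
      return 0; // BOOL NO
    });
  } else {
    console.log('[jailbreak.js] ' + wrapperClass + ' not found; relying on generic hooks');
  }

  // 2a. -[NSFileManager fileExistsAtPath:] reports NO for known artifacts.
  const fileExists = ObjC.classes.NSFileManager['- fileExistsAtPath:'];
  const origFileExists = fileExists.implementation;
  fileExists.implementation = ObjC.implement(fileExists, function (self, sel, pathPtr) {
    const path = new ObjC.Object(pathPtr).toString();
    if (isJailbreakArtifact(path)) {
      console.log('[jailbreak.js] hid ' + path);
      return 0;
    }
    return origFileExists(self, sel, pathPtr);
  });

  // 2b. -[UIApplication canOpenURL:] reports NO for package-manager schemes.
  const canOpen = ObjC.classes.UIApplication['- canOpenURL:'];
  const origCanOpen = canOpen.implementation;
  canOpen.implementation = ObjC.implement(canOpen, function (self, sel, urlPtr) {
    const url = new ObjC.Object(urlPtr).absoluteString().toString();
    return isJailbreakScheme(url) ? 0 : origCanOpen(self, sel, urlPtr);
  });

  // 2c. stat(2) in libsystem_kernel fails (-1) for known artifacts, so C-level
  //     checks (and Swift code calling stat) also see them as absent.
  const statPtr = Process.getModuleByName('libsystem_kernel.dylib').findExportByName('stat');
  if (statPtr !== null) {
    Interceptor.attach(statPtr, {
      onEnter(args) { this.path = args[0].readUtf8String(); },
      onLeave(retval) {
        if (isJailbreakArtifact(this.path)) retval.replace(ptr(0xffffffff)); // int -1 in w0
      },
    });
  }
  return true;
}

installHooks('JailbreakDetection', '+ isJailbroken');
```

Load it with the frida command above. Because -f spawns the process with the script already attached, the hooks are in place before any startup check runs. If the app performs its checks in Swift or C rather than through the Objective-C runtime, add Interceptor hooks on the relevant libc functions (access, fopen, open) in the same way as the stat hook; the objection watch class step tells you which ones matter for a given app.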



Raja Uzair Abdullah

Application Security Engineer | Penetration Tester @ H1 and Bugcrowd