Open littlelailo opened 6 years ago
If a tweak is able to inject into the springboard, it will be able to hook those functions
Honestly, if a user has installed such a tweak, he is fucked anyway.
Another idea 😄: Prompt the user if we inject into an application which is running under uid 0. This way we would at least protect users (in some cases) who were just careless and not dumb. The problem here is that we don't know if a tweak really wants to inject into an application, or is there a possibility?
This could call Local Authentication.
If you can inject code into SpringBoard, you're either already root or the filesystem has bad permissions. /Library/MobileSubstrate and /bootstrap should both be entirely owned by root:wheel with no write permission for group/world. If unprivileged users have permission to write to files/dirs that really should be only writable by root, and that could lead to being able to do privesc things like silently accepting su prompts, (to borrow @stek29's phrasing) you're fucked anyway.
Regarding the app blacklist, this could just be included as another screen within the Electra app. Once jailbroken, the app isn't of any use, so it could instead show some useful preferences such as this. The downside to this is that the app must be signed at the time. If the jailbreak has been running for weeks (months! years!) the app is probably on a cert that's expired. Possibly this could be overridden in amfid (don't know how that would work)? The next best thing would be installing another "Electra Settings" app that's ldid-signed, or using PreferenceLoader (but the jailbreak really shouldn't depend on tweaks for its functionality).
I have the idea of being able to confirm with a passcode or with the fingerprint sensor
We can use https://developer.apple.com/documentation/localauthentication
@kirb I'm pretty sure that an expired app would start when jailbroken due to amfid accepting everything, but I haven't tried it.
I'm pretty sure that expired app would start when jailbroken
Confirmed, I had one of Ian Beer's old exploits lying around. When unjailbroken it won't open, and after the jb it functioned normally.
As suggested by @stek29, I opened this issue to discuss the usage of notifications in various parts of the jailbreak. Those are:
setuid command
Some users want a supersu-style jailbreak, which would be possible with this. Every time an app wants to elevate to root, it has to call up to jbd, which could then send out a notification to the user and ask for permission. We could also add a plist with a set of trusted binaries which will elevate without prompting the user, and could add functionality for the user to add paths to that plist.
Problems
If a tweak is able to inject into the springboard, it will be able to hook those functions which display the notification to the user and auto-submit it. I have the idea of being able to confirm with a passcode or with the fingerprint sensor (where I don't know if this is even possible to implement...), but this is not the ideal solution. Another solution would be to call out to a URL scheme, which will open the Electra app (we could make sure that it is really the app) and then let the user flip a switch there; again, not that ideal.
unsandbox/injection
Some apps have a jailbreak detection mechanism, and other apps won't work properly if tweaks hook functions in them. The solution to this problem is some sort of blacklisting mechanism, which won't inject tweaks into those apps. We could simply use a plist and check in launchd/xpc_proxy if the app is in it. If it is, we don't inject anything/platformize/unsandbox. But we need a user interface for this, and I think one good idea would be to use notifications for this. If the user installs a new app and opens it for the first time, then it won't be in that list. Jailbreakd can detect that and prompt the user whether he wants to a) inject into the app, b) inject once into the app, or c) not inject into the app. If he chooses a) we save the app into the plist, if he selects b) we simply don't save, and for c) we save it and set some attribute which lets jbd know that it shouldn't inject.
Problems
There is one problem: If an app updates and that causes problems, or a user installs a new tweak which hooks the wrong functions, he needs to change his decision. Without a GUI he won't be able to do this. But I have an idea for that. We could detect (I don't know if we are really able to do this, because I never tried it, but it should be possible) if a user presses both volume buttons and launches an app. If he does, we remove the app from the plist and prompt him again.
springboard crash
If we detect a crash, we could prompt the user whether he wants to respring (go back to normal) or whether he wants to stay in safe mode, rather than spawning the app, which causes problems for some users (#91).
Discussion
As I've already mentioned, this should be a discussion about whether or not we implement those features. So let me know what you guys think about them.
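As an added illustration (not code from the Electra project or from anyone in this thread), here is a small Python model of the jailbreakd policy described in the opening post: a plist holding the per-app injection decisions (a/b/c), the trusted-binaries list for the setuid prompt, and the volume-buttons gesture modelled as a reset. The plist keys, bundle ids and paths are constructed assumptions.

```python
import os.path
import plistlib

INJECT, SKIP, PROMPT = "inject", "skip", "prompt"

# Constructed sample policy plist (hypothetical keys, not Electra's real format).
SAMPLE_POLICY = plistlib.dumps({
    "Apps": {
        "com.example.banking": {"inject": False},   # choice c): never inject
        "com.example.themed": {"inject": True},     # choice a): always inject
    },
    "TrustedBinaries": ["/usr/bin/sshd"],           # setuid without a prompt
})


def load_policy(data: bytes) -> dict:
    """Parse the policy plist and make sure both sections exist."""
    policy = plistlib.loads(data)
    policy.setdefault("Apps", {})
    policy.setdefault("TrustedBinaries", [])
    return policy


def injection_decision(policy: dict, bundle_id: str, reset: bool = False) -> str:
    """What jbd should do for an app launch. reset models 'both volume buttons
    held while launching': the stored decision is dropped and the user is asked again."""
    if reset:
        policy["Apps"].pop(bundle_id, None)
    entry = policy["Apps"].get(bundle_id)
    if entry is None:
        return PROMPT                      # first launch: ask the user
    return INJECT if entry.get("inject") else SKIP


def record_choice(policy: dict, bundle_id: str, choice: str) -> str:
    """Apply the user's answer: 'always' (a), 'once' (b) or 'never' (c)."""
    if choice == "always":
        policy["Apps"][bundle_id] = {"inject": True}
    elif choice == "never":
        policy["Apps"][bundle_id] = {"inject": False}
    elif choice != "once":                 # 'once' is deliberately not persisted
        raise ValueError(f"unknown choice {choice!r}")
    return SKIP if choice == "never" else INJECT


def setuid_needs_prompt(policy: dict, path: str) -> bool:
    """True unless the binary is on the trusted list. Paths are normalised before
    comparing; the list only helps if the plist itself is root-owned and not world-writable."""
    return os.path.normpath(path) not in policy["TrustedBinaries"]
```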