jjolano / shadow

A jailbreak detection bypass for modern iOS jailbreaks.
https://ios.jjolano.me
BSD 3-Clause "New" or "Revised" License

Flawed restriction logic #12

Closed PoomSmart closed 5 years ago

PoomSmart commented 5 years ago

Restricting /Applications/ is incorrect. There are apps that check exactly if this path exists. When it returns NO, this is rather suspicious and therefore caused by a jailbreak tweak.

jjolano commented 5 years ago

I haven't exactly documented my methods fully, but querying /Applications (by itself) is actually allowed - as evident on line 2493 on Tweak.xm: [shadow addPath:@"/Applications" restricted:YES hidden:NO];

(hidden:NO is the option that allows exact path queries)

Subpaths of /Applications are restricted, while /Applications itself is allowed. Additionally, there are hardcoded whitelisted apps under /Applications with restricted:NO (also seen in the next lines).

jjolano commented 5 years ago

I believe K PLUS is an application on the App Store that checks for system applications that normally exist, such as AppStore.app. Other jailbreak detection bypasses actually restrict /Applications outright and trigger this detection mechanism.

PoomSmart commented 5 years ago

Thanks for the clarification. Other than that, restrict /bin/cp and /bin/su also

jjolano commented 5 years ago

> Thanks for the clarification. Other than that, restrict /bin/cp and /bin/su also

```objc
[shadow addPath:@"/bin" restricted:YES hidden:NO];
[shadow addPath:@"/bin/df" restricted:NO];
[shadow addPath:@"/bin/ps" restricted:NO];
```

Implicit restriction - df and ps seem to appear on stock rootfs so those are not restricted 😄
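To make the rule semantics discussed in this thread concrete, here is an added Python model of the `addPath` table (not code from shadow): the most specific matching rule wins, `hidden:NO` lets an exact query of the directory itself succeed, and subpaths inherit `restricted:YES` unless a more specific `restricted:NO` entry exists. The `/Applications/AppStore.app` whitelist entry is an assumed example of the hardcoded list jjolano mentions, and `probe` shows what a detection check querying those paths would observe.

```python
from dataclasses import dataclass


@dataclass
class Rule:
    restricted: bool
    hidden: bool  # hidden=True: even an exact query of this path is denied


class PathPolicy:
    """Longest-prefix rule table modelling addPath:restricted:hidden:."""

    def __init__(self):
        self.rules = {}

    def add_path(self, path, restricted, hidden=True):
        # Unspecified hidden is assumed to default to YES (exact path denied).
        self.rules[path.rstrip("/") or "/"] = Rule(restricted, hidden)

    def is_restricted(self, query):
        q = query.rstrip("/") or "/"
        p = q
        # Walk from the full path up towards '/', first rule found wins.
        while True:
            rule = self.rules.get(p)
            if rule is not None:
                if p == q:  # exact match: hidden:NO lets the query through
                    return rule.restricted and rule.hidden
                return rule.restricted  # inherited from the closest parent rule
            if p == "/":
                return False  # no rule anywhere on the path: untouched
            p = p.rsplit("/", 1)[0] or "/"


def shadow_like_policy():
    """Rule set as described in the issue (AppStore.app entry is assumed)."""
    pol = PathPolicy()
    pol.add_path("/Applications", restricted=True, hidden=False)
    pol.add_path("/Applications/AppStore.app", restricted=False)
    pol.add_path("/bin", restricted=True, hidden=False)
    pol.add_path("/bin/df", restricted=False)
    pol.add_path("/bin/ps", restricted=False)
    return pol


def probe(pol, paths):
    """What an existence check sees: True means the path is reported present."""
    return {p: not pol.is_restricted(p) for p in paths}
```

A detector that asserts `/Applications` and `/Applications/AppStore.app` exist is satisfied by this table, while a tool that restricts `/Applications` outright would fail both checks and reveal itself.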