n00neimp0rtant / xCon-Issues

public "forum" for xCon requests

AirWatch Detects Jailbreak #328

Open IsaiahJTurner opened 10 years ago

IsaiahJTurner commented 10 years ago

To be clear, this is NOT an "I have iOS 7 and it doesn't work!" issue. I have tested it with the latest version of the app on 3 iOS 6 devices to confirm. It has not worked for a while but before now, there was not an iOS 7 jailbreak so the community has slowed down.

Through my Burp Suite adventure I discovered a few things. I grabbed each of the IPA files for all previous versions and started working backwards to see when things went wrong, hoping that there were unpatched things before to give me clues. I discovered that prior to version (and this may be slightly off as I have not checked recently) 4.1 they sent a JSON request unencrypted that included an "isCompromised" key and a value of either 0 or 1. This can no longer be overwritten because I think that this data is now encrypted. Not quite sure what encryption; I tried Base64 and got a small amount of readable data (the line reads " 0 1I0E0-0(1&0$U AirWatch Device Services Root0 "), making me believe that it uses NSData, but that did not seem to work either when I built a little app in Obj-C. Granted, I really don't know much about NSData, so if you want to take a look at this whole string I can send it to you (just don't want to put it online). I do however know that the data is still in the same format because the app is nice enough to provide a detailed log.

I tried doing some stuff in Flex, some of that was needed to bypass the SSL validation until I discovered SSL Kill Switch (a tweak on GitHub) that made life a lot easier. This is the beacon that contains the "isCompromised" status:

```
POST /deviceservices/SecureChannel.aws HTTP/1.1
Host: ds###.awmdm.com
Proxy-Connection: keep-alive
Accept-Encoding: gzip, deflate
Content-Type: application/json
Accept-Language: en-us
Accept: */*
Content-Length: 3679
Connection: keep-alive
x-aw-sdk-version: 3.3
User-Agent: AirWatch/4.8.888 CFNetwork/672.0.8 Darwin/14.0.0

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
```

The plist body carries these keys:

- beacon: Base64/NSData/some other unreadable data
- bundleId: com.air-watch.agent
- deviceType: 2
- uid: some string of numbers and letters that I assume is entirely unaffiliated with IOAESEncrytion

I cannot seem to find out how the detection works in anything I try. Sorry if anything I say doesn't make sense. I might not have the terminology on some things right. I might have gotten some things entirely wrong so I would love your feedback. Also sorry for making this more of a "reverse engineering a specific app" post versus what xCon usually does, which is patch the source and not the specific apps. I just could not seem to find anyone who had a clue what this stuff meant and the few people I found couldn't help because they were busy.

IsaiahJTurner commented 10 years ago

I am working on getting a copy of IDA and then I will be of more use to actually figuring out how they detect it.

sudden-break commented 10 years ago

You can give officer a try, it's working for me http://www.sinfuliphone.com/showthread.php?s=39d75bd1813a1b0bb7f8dde299192b37&p=1052248#post1052248

Toliver182 commented 10 years ago

@noodlecoder airwatch working for you?

sudden-break commented 10 years ago

Yep, but it seems to cause some problems with attachment saving in apps like WhatsApp etc.

Toliver182 commented 10 years ago

It's not working on AirWatch for me on the latest version.

sudden-break commented 10 years ago

@Toliver182 You installed Officer?

Toliver182 commented 10 years ago

Yes, I have Officer installed. It does cause the issues as expected in WhatsApp, but AirWatch is still detected as jailbroken.

sudden-break commented 10 years ago

Ah ok, status 1. So it is detected ... But i can use my company mail account again since i installed Officer.

IsaiahJTurner commented 10 years ago

I managed to hack AirWatch. Still working on a patch that can be installed through Cydia but if anyone wants the fix, Skype me @IsaiahJTurner and I will walk you through it. I don't want to post it here until I have a working patch for fear of AirWatch just updating the app before anyone gets to use it.

IsaiahJTurner commented 10 years ago

READ ALL OF THE STEPS FIRST!!! YOU WILL FAIL AT LIFE IF YOU DO NOT!!!!! Kind of a cheat for now, I have not had time to write a user-usable version of the actual detection bypass but here is one way. The benefit of this way is that it cannot be patched by AirWatch. It is an actual flaw in iOS. Preamble: If your organization uses an AirWatch server other than *.awmdm.com:443 you NEED TO figure it out by sniffing the traffic with Burp Suite. A self-signed SSL is not needed because hostnames are/can not be encrypted in SSL communication for obvious reasons.

  1. On a NOT JAILBROKEN device (you can restore back to 7.X so do this while it is still possible!), enroll in AirWatch and let all the data and profiles get installed on the device. I recommend giving this process a day, it can be strange sometimes. Sidenote: If you want to, enable SSL sniffing and install the cert on the device and monitor for the encrypted beacon packet. I am not sure if this will work, I don't know if the encryption key is static, but keep a copy of the beacon packet and you could probably just use a cron job to send the uncompromised request on a compromised device. I am having trouble saying this so if you don't know what I am talking about, just move to step 2.
  2. DELETE THE AirWatch app(s)!
  3. Open iTunes and enable "Encrypted Backups" and set a password. This has some added benefits later on but theoretically is not needed. If you do this, there is still hope if AirWatch ever detects you because you can just bypass AirWatch entirely. For example, if your organization uses AirWatch to let you connect to the WiFi, you could just figure out the actual WiFi password and then AirWatch is not needed.
  4. Disable any internet services (WiFi/Cellular/Bluetooth) on your device.
  5. Jailbreak your device.
  6. Turn on Wi-Fi. ENSURE THAT BURP SUITE IS STILL CONFIGURED! If it is not, bad stuff will happen! Do this quickly, like faster than light.
  7. Open Cydia and do the setup stuff. Watch the traffic in Burp Suite and ONLY allow requests that are related to Cydia.
  8. Install iFile. Keep monitoring to only allow Cydia traffic. Note: you can disable WiFi now to be safe.
  9. Confirm you have the right server written down by going to /var/mobile/library/ConfigurationProfiles/MDM.plist in iFile and looking at the CheckInURL.
  10. Go to /etc/hosts in iFile and configure the AirWatch server to point to localhost.
  11. (Most Important Step!). If it works, follow me on Twitter :p @IsaiahJTurner Theoretically, you can install the AirWatch app again now; however, I suggest you do not. AirWatch will still detect your device as being compromised, it just won't be able to notify the server. I think (not 100% positive) it can still delete the profiles, someone could test this please. It will not be able to notify your organization though, so you are safe in that aspect. If it does delete the profiles, contact me and I will help you get the data from your encrypted backup. My Skype is IsaiahJTurner.

sudden-break commented 10 years ago

@IsaiahJTurner It works ^^

IsaiahJTurner commented 10 years ago

@noodlecoder Glad to have helped. If you ever want to make a donation, there is a link on my site http://isaiahjturner.com I'm off to look into a few more of the uncracked apps on the Xcon project. I think this trick might work for some of the other MDM solutions as well.

Toliver182 commented 10 years ago

This will work in theory.

However, to stay enrolled in the system the AirWatch app has to report home every two weeks. This requires you to open the app and let it do a jailbreak check.

If the server doesn't receive this it removes the profile

Xcon is needed in the scenario
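The two comments above describe the two signals the MDM server actually has: the device's own "isCompromised" value in its beacon, and whether a beacon arrived at all within the two-week window. The script below is an added example (not code from xCon, AirWatch, or anyone in this thread) of how a server-side auditor would combine those signals; the beacon field names other than `isCompromised`, the record format, and all sample records are constructed assumptions.

```python
"""Server-side check-in audit for an MDM fleet (added example, not project code)."""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample beacon records, one JSON line per check-in, modelled on the
# "isCompromised" 0/1 key the thread reports in the older AirWatch beacon.
# The "uid" and "ts" field names are assumptions for this example.
SAMPLE_BEACONS = [
    '{"uid": "dev-A", "ts": "2015-10-01T12:00:00Z", "isCompromised": 0}',
    '{"uid": "dev-A", "ts": "2015-10-20T12:00:00Z", "isCompromised": 0}',
    '{"uid": "dev-B", "ts": "2015-10-02T09:30:00Z", "isCompromised": 0}',
    '{"uid": "dev-C", "ts": "2015-10-25T08:00:00Z", "isCompromised": 1}',
]

# The two-week report-home rule described in the thread.
CHECKIN_WINDOW = timedelta(days=14)


def _parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def latest_beacons(lines):
    """Reduce a beacon log to the most recent record per device."""
    latest = {}
    for line in lines:
        rec = json.loads(line)
        uid, ts = rec["uid"], _parse_ts(rec["ts"])
        if uid not in latest or ts > latest[uid]["ts"]:
            latest[uid] = {"ts": ts, "compromised": bool(rec["isCompromised"])}
    return latest


def audit(lines, now_iso, window=CHECKIN_WINDOW):
    """Return {uid: status} for every device seen in the log.

    'compromised' - the device's own last beacon reported it as compromised
    'stale'       - no beacon inside the window; the device cannot be assumed
                    clean, since a client that simply stops checking in looks
                    exactly like one whose check-in URL no longer reaches us
    'ok'          - recent beacon reporting not compromised
    """
    now = _parse_ts(now_iso)
    statuses = {}
    for uid, info in latest_beacons(lines).items():
        if info["compromised"]:
            statuses[uid] = "compromised"
        elif now - info["ts"] > window:
            statuses[uid] = "stale"
        else:
            statuses[uid] = "ok"
    return statuses


def unenroll_candidates(statuses):
    """Devices the server would act on: anything not recently confirmed clean."""
    return sorted(uid for uid, status in statuses.items() if status != "ok")


if __name__ == "__main__":
    result = audit(SAMPLE_BEACONS, "2015-10-31T00:00:00Z")
    for uid, status in sorted(result.items()):
        print(f"{uid}: {status}")
    print("unenroll candidates:", unenroll_candidates(result))
```

The point of keeping "stale" as its own state is that a self-reported clean flag is only as good as the last time it was received: a device that has gone quiet has to be treated as unverified rather than as still clean, which is exactly why the two-week rule forces a fresh check.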

IsaiahJTurner commented 10 years ago

I am working on a test to see if the encryption key for the beacon packet is static. If so, the original request can just be repeated. Working on getting access to an admin panel to test this theory.

IsaiahJTurner commented 10 years ago

@toliver182 %

IsaiahJTurner commented 10 years ago

If the app has any in-app protection against the two week rule, that key is stored in a PLIST file in the Preferences app folder. Judging by the fact that there is an SQLite connection made right after accessing the common jailbreak folders like /Applications/Cydia.app, I think that might be how the value is passed to other methods instead of a return status. Using a loop script in bash I was able to copy the temporary files SQLite stores when that connection was made and the word "compromised" is seen after using a HEX decoder.

IsaiahJTurner commented 10 years ago

Oh, and with this app, as long as it isn't a company device (so for BYOD this is good) that sets off alarms when it becomes unenrolled, using this utility https://code.google.com/p/iphone-dataprotection/issues/detail?id=122 you can access the stuff that AirWatch creates and enrollment is no longer necessary. The beta version is working for me.

IsaiahJTurner commented 10 years ago

Wow! AirWatch is really on the ball with things! They recently updated the app so the beacon has a "SampleValue" which I don't know what that is, but it patches one of my exploits. The method above still works though, they just patched the really cool thing I was working on releasing UGH! There goes all my work. I am going back to analyzing the binary using IDA. Maybe I can patch something there. From what I can tell, the method that checks to see if the device is compromised is a dummy method. That is why Flex does not work. However, the compromised method in the AWBeacon class has a lot going on so I am looking into that.

IsaiahJTurner commented 10 years ago

Not much progress with IDA. Maybe I can figure something out using Cycript. I'll report back if I can figure anything out.

IsaiahJTurner commented 10 years ago

The AirWatch app was updated, but I can confirm this method still works. I tested it just moments ago. I have been walking people through it for free, add me on Skype: IsaiahJTurner and mention AirWatch in the contact request.

leelouch commented 9 years ago

Hi, does it work with ios 8.1 ?

leelouch commented 9 years ago

work on ios 8.1 iphone 5, nice and Thx !

IsaiahJTurner commented 9 years ago

@leelouch glad i could help :D

thatcoleyouknow commented 9 years ago

@IsaiahJTurner does this work with a backup from iOS 7 or 8.1? I'm tempted to test this, but want to make sure it'll work since I've already updated to iOS 8.1.

leelouch commented 9 years ago

@colereynolds if you jailbreak your iOS 8 and if you follow all the steps before, and then you restore your backup, it must work yes! But you may lose your jailbreak! I had an issue doing that after jailbreak! But the issue might be fixed with the last Cydia update v 1.14 to 1.16 :) good luck

jws43 commented 9 years ago

I have Airwatch v4.9.3 and being detected but still allowing access. Going to find out when IT guy is back next week if going to be allowed to keep my jailbreak but would be ideal if xCon could bypass detection entirely.

nullogy commented 8 years ago

Does anyone know if this method is still working? I tried to reach out to Isiah with no luck.

thatcoleyouknow commented 8 years ago

Yes. I'm doing it now on iOS 9. Restore your iPhone to new, enroll in AirWatch, delete the AirWatch app, then jailbreak.

nullogy commented 8 years ago

If I restore right now, it'll upgrade the phone to 9.1 and then I can't JB. My current status is iOS 9.0.1, jailbroken with AirWatch installed. What do you think my options could be?

Thanks!

leelouch commented 8 years ago

Too late! U need to wait for the next jailbreak window! But I confirm it's still working with 9.0.1

nullogy commented 8 years ago

I have no other option in the mean time, correct?

leelouch commented 8 years ago

No option! But ... I may have an option for u, but it is risky. Saurik released a tool called Cydia Impactor that removes the jailbreak without restoring your iPhone! I do not know if it is released for 9.0x. You may need to wait a little bit. So the idea is to remove the jailbreak, then enroll your device and then jailbreak :) it may work. But if for a reason the re-jailbreak fails, u will need to restore and update to the latest version. Good luck

thatcoleyouknow commented 8 years ago

Could you not just remove the AirWatch app and be good to go? Or has it not installed your profiles yet?

nullogy commented 8 years ago

@colereynolds, I have the AirWatch app installed with the profiles. After my device was jailbroken. I think my only option right now would be to see if the method that @leelouch mentioned works.

thatcoleyouknow commented 8 years ago

I guess I'm confused on what your issue is... If you uninstall the AirWatch app, it won't report that your device is compromised anymore. The only reason you need to use Cydia Impactor is if it wouldn't install the profiles or if the jailbreak detection is preventing you from doing something..

nullogy commented 8 years ago

@colereynolds, can you message via twitter if you have one? I can be reached at @TheMBAer.

thatcoleyouknow commented 8 years ago

Just followed you. Follow me back, and I'll DM you tomorrow.
