sat2eesh / ios-jailBroken

Detect if a device is jailbroken and also detect if an app is cracked on a non-jailbroken device.

Jailbreak checks on jailbroken devices are easy to disarm #7

Open uroboro opened 9 years ago

uroboro commented 9 years ago

These checks are futile if the user has installed a tweak with the following source code (Using CydiaSubstrate)

#include <substrate.h>

// The app's own check routines, assumed here to be exported C symbols
// that the tweak can resolve by name.
extern BOOL isDeviceJailbroken(void);
extern BOOL isAppStoreVersion(void);
extern BOOL isAppCracked(void);

// Replacement bodies: each check now answers what the app wants to hear.
MSHook(BOOL, isDeviceJailbroken) { return NO; }
MSHook(BOOL, isAppStoreVersion) { return YES; }
MSHook(BOOL, isAppCracked) { return NO; }

%ctor {
    // Each original function is rebound to its replacement at load time.
    MSHookFunction(isDeviceJailbroken, MSHake(isDeviceJailbroken));
    MSHookFunction(isAppStoreVersion, MSHake(isAppStoreVersion));
    MSHookFunction(isAppCracked, MSHake(isAppCracked));
}

perfaram commented 8 years ago

This is inherent to jailbreak and jailbreak detection... At best, one could change the method names.

uroboro commented 8 years ago

Those can be found after disassembling the binary. If this is inlined, a developer can hook the functions and methods used to make the checks. Even having a RESTRICT/restrict section in the Mach-O header is of no use since this can be stripped out of the installed binary without needing to unencrypt it.

perfaram commented 8 years ago

And that's exactly why I say that trying to detect jailbreak is doomed. IMHO, the most certain way to check for jailbreak is the following :

#import <Foundation/Foundation.h>
#import <objc/runtime.h>
#include <stdlib.h>

// Returns true on success; *ret is set to YES when any loaded Objective-C
// image has "substrate" in its path, i.e. CydiaSubstrate is injected.
static bool checkLoadedImages(BOOL *ret) {
    *ret = NO;
    unsigned int libNamesCount = 0;
    const char **names = objc_copyImageNames(&libNamesCount);
    for (unsigned int libIdx = 0; libIdx < libNamesCount; ++libIdx) {
        NSString *name = @(names[libIdx]);
        if ([name isKindOfClass:NSClassFromString(@"NSString")]) {
            if ([name.lowercaseString containsString:@"substrate"]) {
                *ret = YES;
                break;   // stop at the first match; names is still freed below
            }
        }
    }
    free(names);   // objc_copyImageNames returns a malloc'd array the caller owns
    return true;
}

But I'm not saying it is safe, because one could interpose between me and objc_copyImageNames. However, it is advantageously clean (no fork, no file writes) and quick (no multiple fopen on known jailbreak-related files).

DHowett commented 8 years ago

I would argue that checking for a jailbroken device is misguided at best and ignorant at worst. It serves only to lock potentially paying customers out of the apps they buy and use because of what they choose to do to their personal property.

perfaram commented 8 years ago

That's your opinion (and happens to be mine, too). But there is demand for such solutions. So we provide it, freely, openly, because it may help some. That's one of the goals of open source after all. And we do our best when creating those solutions, even knowing that because of the very nature and goals of jailbreak, detection is _doomed_.

NB: Please note that this repo is not mine, and that I'm not talking on behalf of its owner. My solution for JB detection is here

uroboro commented 8 years ago

Again, this is all it takes:

%hook PFSK_Common
+ (BOOL)isJailbroken:(BOOL *)ret error:(NSError **)error {
    *ret = NO;
    return YES;
}
%end

perfaram commented 8 years ago

Goddamn, as I ALREADY said three times, jailbreak detection is _doomed_. I know it. We all do.