Harder than Normal Anti-Jailbreak code (Mobile - iOS)


#1

A lot of people struggle with doing anything in the anti-jailbreak or anti-debugging world of iOS. If they do, they are things like the easy to bypass methods here:

Some of these protection routines use the NSFileManager methods fileExistsAtPath and fileExistsAtPath:isDirectory to check to see if certain Cydia files and directories exist:

/Applications/Cydia.app/
/private/var/stash
/private/var/lib/apt
/Library/MobileSubstrate/
/bin/bash
/var/cache/apt

Nesolabs released some pretty killer boilerplate code for this that does it in ARM!

Why ARM assembly code? Common jailbreak detection checks are typically implemented in Objective-C or C. These checks can be easily circumvented using publicly known techniques, such as runtime hooking or C function hooking (see [3], [4] and [5]). To thwart these hooking techniques, all AppMinder Jailbreak Detection checks are implemented in ARM assembly code. In order to bypass these checks, an attacker would have to modify the app’s executable code using techniques like in-memory or binary patching. To complicate this process as much as possible, AppMinder Jailbreak Detection incorporates various code obfuscation techniques, as well as self-integrity checks and anti-debugging measures. AppMinder Jailbreak Detection also supports some level of polymorphism. This means that the assembly code of each individual jailbreak check is mutated, while keeping the original semantics intact. These measures are intended to make it more difficult to bypass the jailbreak detection checks in an automated fashion.

Check it out if you secure an iOS app! I would absolutely HATE reversing that on standard 1-2 week engagement.


#2

That’s very interesting but of course it’s not safe against binary patching. Self modifying code and anti-debugger techniques do not always help, especially with a very patient attacker that performs static binary analysis… :slight_smile:


#3

Here is a post I did that expands on the patching process mentioned above http://blog.ioactive.com/2015/09/the-ios-get-out-of-jail-free-card.html