iOS development: detecting whether a phone is jailbroken

Time:2022-5-7

This article introduces three ways to detect a jailbreak.

1. Check for the files that a jailbreak adds

Put the paths of these files in an array and iterate over it. If any of the files exists, the device is considered jailbroken.

- (BOOL)isJailBreak {
    NSArray *jailbreak_tool_paths = @[
        @"/Applications/Cydia.app",
        @"/Library/MobileSubstrate/MobileSubstrate.dylib",
        @"/bin/bash",
        @"/usr/sbin/sshd",
        @"/etc/apt"
    ];
    for (int i=0; i<jailbreak_tool_paths.count; i++) {
        if ([[NSFileManager defaultManager] fileExistsAtPath:jailbreak_tool_paths[i]]) {
            NSLog(@"The device is jail broken!");
            return YES;
        }
    }
    NSLog(@"The device is NOT jail broken!");
    return NO;
}

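2. Check whether the cydia:// URL scheme can be opened

- (BOOL)isJailBreak {
    // On iOS 9 and later, canOpenURL: returns NO unless "cydia" is listed
    // under LSApplicationQueriesSchemes in the app's Info.plist.
    if ([[UIApplication sharedApplication] canOpenURL:[NSURL URLWithString:@"cydia://"]]) {
        NSLog(@"The device is jail broken!");
        return YES;
    }
    NSLog(@"The device is NOT jail broken!");
    return NO;
}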

The first two checks are easily bypassed on a jailbroken phone by installing a plug-in that shields the jailbreak from detection. In testing, the third method below could not be bypassed with that shielding enabled, so the third method is the more recommended one.

3. On a jailbroken phone, an app can list all the applications installed on the device. If the list can be obtained, the device is jailbroken

- (BOOL)isJailBreak {
    // Absolute path: a relative path would be resolved against the
    // process's current working directory.
    NSString *appsPath = @"/User/Applications/";
    if ([[NSFileManager defaultManager] fileExistsAtPath:appsPath]) {
        NSLog(@"The device is jail broken!");
        NSArray *appList = [[NSFileManager defaultManager] contentsOfDirectoryAtPath:appsPath error:nil];
        NSLog(@"appList = %@", appList);
        return YES;
    }
    NSLog(@"The device is NOT jail broken!");
    return NO;
}

To make the judgment more accurate, the three methods can be combined in real use: as soon as one of them returns YES, the device is considered jailbroken. You can then call exit(0);.

Of course, an attacker can directly replace the system's fileExistsAtPath: method and make it always return NO, which bypasses the file path checks. In that case we need some C functions to do more accurate detection.
Although C detection functions are used here, these functions can still be hooked, for example with fishhook.
If experts hook these functions by hand or modify the binary directly, there is nothing to stop them. They will do as they please.

This confirms the saying: there is no absolute security; the only thing you can do is slow the attacker down.

It is not recommended to write these checks as separate functions of their own, which are easy to hook out. It is best to write them inside functions that cannot be hooked, such as

- (BOOL)application:(UIApplication *)application didFinishLaunchingWithOptions:(NSDictionary *)launchOptions

Who would hook the program's initialization function?

In addition, the name of the jailbreak detection function should not contain strings such as jailbreak, canijailbreak or antijailbreak, which make it easy to locate.
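
The C-level check the article mentions, as an added example (not code from the original article): it calls stat() on the file paths from method 1 instead of fileExistsAtPath:, is forced inline so it lives inside its caller, and has a neutral name. The names kCheckedPaths and env_has_any are assumptions chosen for illustration, and stat() can itself be hooked, as the article notes.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/stat.h>

/* File paths from method 1 of the article. */
static const char *const kCheckedPaths[] = {
    "/Applications/Cydia.app",
    "/Library/MobileSubstrate/MobileSubstrate.dylib",
    "/bin/bash",
    "/usr/sbin/sshd",
    "/etc/apt",
};
#define CHECKED_COUNT (sizeof kCheckedPaths / sizeof kCheckedPaths[0])

/* env_has_any is a hypothetical, deliberately neutral name: the symbol
 * does not contain "jailbreak". always_inline asks the compiler to fold
 * the body into every caller, so the check has no function entry point
 * of its own. */
static inline __attribute__((always_inline))
bool env_has_any(const char *const *paths, size_t count)
{
    struct stat st;
    for (size_t i = 0; i < count; i++) {
        /* stat() returns 0 only when the path exists and is reachable. */
        if (paths[i] != NULL && stat(paths[i], &st) == 0)
            return true;
    }
    return false;
}

int main(void)
{
    /* In an app this call would sit inside the launch method instead. */
    printf("marker file visible: %s\n",
           env_has_any(kCheckedPaths, CHECKED_COUNT) ? "yes" : "no");
    return 0;
}
```

On a desktop Unix system this prints "yes" whenever /bin/bash exists, so the result is only meaningful inside the iOS app sandbox.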