iOS Pentesting - Bypassing Jailbreak Detection
For bypassing jailbreak detection I will be using DVIA-2, a deliberately vulnerable iOS application that teaches various vulnerabilities and how to abuse them. I already have a jailbroken iPhone (I'll hopefully cover how to jailbreak an iPhone later); it is complicated, and most iOS jailbreaks are semi-untethered, which means the device needs to be jailbroken again after every reboot or shutdown. The device I am using is already jailbroken with unc0ver, which jailbreaks iOS versions 11.0 - 14.8, and the iOS version I have is 12.5.5.
Installing the IPA
We can install any third-party IPA through Cydia Impactor, 3uTools or Sideloadly. I'll go with Sideloadly; it does need an Apple developer ID to sign the IPA with, as there are a lot of restrictions on an iPhone.
After installing it we can try exploring different vulnerabilities in an iPhone application, but the focus of this post is bypassing jailbreak detection and SSL pinning, so I'll cover the jailbreak tests in this app.
Bypassing Jailbreak detection Using Liberty
These tests show a popup saying whether the device is jailbroken or not, and some of the tests terminate the application when a jailbreak is detected.
I'll first try to bypass jailbreak detection with tools like iHide and Liberty Lite, but in this scenario only Liberty was able to successfully bypass jailbreak detection on all checks. So first install Liberty through Cydia, the third-party app store that gets installed during the jailbreak process.
Now go to Settings, where you'll see Liberty, and toggle on "Block Jailbreak Detection".
After launching the app we'll see that it bypasses all the jailbreak detection checks.
Bypassing Jailbreak Detection through Frida
To bypass this with Frida we first need to install Frida through Cydia. After installation it automatically starts frida-server, so we don't have to start it ourselves. To verify that Frida is running we can list the running processes:
frida-ps -Uia
So Frida is working fine. Now we need to inject a jailbreak detection bypass script, taken from here: https://gist.github.com/izadgot/5783334b11563fb08fee4cd250455ede
frida -l ./jailbreak_bypass.js -f com.highaltitudehacks.DVIAswiftv2 -U
This bypasses all the checks implemented in this application, although it is not guaranteed to always work. On clicking any of the tests, the script bypasses the jailbreak check by making the return values false for the existence of Cydia, the sshd binary, the bash binary, apt and the Cydia package.
Bypassing Jailbreak Detection through Objection
If it can be bypassed by a Frida script, it can also be bypassed through objection:
objection -g explore com.highaltitudehacks.DVIAswiftv2
ios jailbreak disable
We can also change the boolean return value of the function responsible for jailbreak detection. For that we need to search for the jailbreak class:
ios hooking search classes jailbreak
Now we need to find the function that detects the jailbreak. For that we watch the methods of the JailbreakDetection class; clicking on any of the jailbreak tests, we get output showing that the isJailbroken function is being called:
ios hooking watch class JailbreakDetection
Watching the method isJailbroken:
ios hooking watch method "+[JailbreakDetection isJailbroken]" --dump-args --dump-backtrace --dump-return
Clicking the test again to trigger this function, we get a return value of 1, i.e. true, which means the device is jailbroken.
So we need to hook this function and set its return value to false, which makes it return 0:
ios hooking set return_value "+[JailbreakDetection isJailbroken]" false
And this bypasses jailbreak detection.
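The Frida and objection steps above both come down to the same hook. As an added example (not the gist linked above and not DVIA-2's own code), here is a small Frida script for the method objection identified, +[JailbreakDetection isJailbroken]: it logs the backtrace like --dump-backtrace and forces the BOOL return value to NO like set return_value, which also shows developers why a detection that funnels every check into one Boolean-returning method is a single point of failure. It assumes the class is visible to the Objective-C runtime (objection found it above) and that isJailbroken returns a BOOL; the parse helper and the script file name are my own.

```javascript
// Added example, not DVIA-2's code and not the gist linked above: a Frida script that
// does what the objection commands "watch method" and "set return_value" do under the
// hood for the method the page identified, +[JailbreakDetection isJailbroken].
// Assumptions: the class is visible to the Objective-C runtime (objection found it)
// and isJailbroken returns a BOOL, so replacing the return value with 0 means NO.

// objection's method spec ("+[Class sel:]") -> what ObjC.classes in Frida wants
// ({ className, methodKey: '+ sel:' }). Pure JS, so it can be tested outside Frida.
function parseObjcMethodSpec(spec) {
  const m = /^([+-])\[(\w+)\s+([\w:]+)\]$/.exec(spec.trim());
  if (m === null) throw new Error('not an Objective-C method spec: ' + spec);
  return { className: m[2], methodKey: m[1] + ' ' + m[3] };
}

// Hooks the method and forces its BOOL return value to `forced` (0 = NO).
// Returns an object describing what happened instead of throwing, so a missing
// class (not loaded yet, or the check was renamed) is visible in the output.
function forceBoolReturn(spec, forced) {
  const target = parseObjcMethodSpec(spec);
  if (typeof ObjC === 'undefined' || !ObjC.available) {
    return { hooked: false, reason: 'no Objective-C runtime: run this inside Frida on the device' };
  }
  const cls = ObjC.classes[target.className];
  if (cls === undefined) return { hooked: false, reason: 'class not loaded: ' + target.className };
  const method = cls[target.methodKey];
  if (method === undefined) return { hooked: false, reason: 'method not found: ' + target.methodKey };

  Interceptor.attach(method.implementation, {
    onEnter(args) {
      // Same information as --dump-backtrace: who asked whether the device is jailbroken.
      this.backtrace = Thread.backtrace(this.context, Backtracer.ACCURATE)
        .map(DebugSymbol.fromAddress).join('\n');
    },
    onLeave(retval) {
      const original = retval.toInt32();      // 1 = YES, the device really is jailbroken
      retval.replace(ptr(forced));            // the app now sees NO
      console.log(spec + ' returned ' + original + ', replaced with ' + forced);
      console.log(this.backtrace);
    }
  });
  return { hooked: true, reason: '' };
}

// Usage (file name is mine): frida -U -f com.highaltitudehacks.DVIAswiftv2 -l hook_isjailbroken.js
const result = forceBoolReturn('+[JailbreakDetection isJailbroken]', 0);
console.log(result.hooked ? 'hook installed' : 'hook not installed: ' + result.reason);
```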
Bypassing Jailbreak Detection Through HideJB
HideJB is another application that can bypass jailbreak detection. It is installed through Cydia and works similarly to Liberty.
Launch the DVIA-2 application and you'll see that it bypasses jailbreak detection as well.
There are some other tools which I didn't use for bypassing detection, including Shadow, Hestia and A-Bypass. In the next few articles I'll try to cover bypassing SSL pinning and some other iOS vulnerabilities, including dumping the keychain, and also jailbreaking iOS.
References
- https://bypass.beerpsi.me/
- https://www.andnixsh.com/2020/10/how-to-bypass-jailbreak-detection.html
- https://www.techacrobat.com/bypass-jailbreak-detection/
- https://www.nowsecure.com/blog/2021/09/08/basics-of-reverse-engineering-ios-mobile-apps/
- https://gist.github.com/izadgot/5783334b11563fb08fee4cd250455ede
- https://unc0ver.dev/