Once jailbroken, will iOS apps run with root privilege?

Question

Once an iOS device is jailbroken, we can build jailbreak apps (with theos) and it gets installed in the /Applications directory where the preloaded apps run with root privileges. If an app is built with Xcode, once it is installed, it gets into the /private/var/mobile/Applications/ folder, which is supposed to have Apple sandbox enforced (before jailbreak).

So, the questions I have are:

1. For a jailbroken device, will the apps in /private/var/mobile/Applications/ execute with root privileges or with mobile user privileges?

2. In case of Android, once rooted, the apps will have to gain root privileges by executing the su command. Is it the case when it comes to iOS as well?

I would like to understand the difference between these two development options (Theos / Xcode) and how it affects what operations my app can perform.

Answer 1

Long story short: no.

Jailbreaking is a necessary but not sufficient condition for gaining root. Apps will still be sandboxed by default.

What you can do for making your app run with root privileges is creating a startup shell script that has root:wheel ownership and 755 permissions, then create your actual executable with the same ownership, 7555 as permissions (i. e. set its "setuid" bit), then call setuid(0); from within main(), before calling UIApplicationMain().

Answer 2

Not disagreeing with anything H2CO3 said, but to add some further clarification ...

• Apps installed in /private/var/mobile/Applications/(†) with Xcode will run with user mobile privileges, even on jailbroken phones.

• Even on a jailbroken phone, apps installed to /private/var/mobile/Applications/(†) will be sandboxed almost (‡) like apps on a jailed phone. So, no reading other (normal) apps' data, even if those files are owned by user mobile.

• For a good description of the process that apps like Cydia use to run as root, see this answer. Or, just ssh into your phone, and take a look inside /Applications/Cydia.app/ yourself.

• If you simply copy/install an app (without doing what H2CO3 suggested) to /Applications/, it won't be sandboxed, but it will still run with mobile (UID=501) privileges:

iPhone5:~ root# cd /Applications

iPhone5:/Applications root# ls -altr ./HelloJB.app/
total 220
-rw-r--r--  1 root wheel   711 Apr  3 20:36 entitlements.xml
-rw-r--r--  1 root wheel   297 Apr  3 20:36 entitlements-daemon.xml
-rw-r--r--  1 root wheel  7972 Apr  3 20:36 embedded.mobileprovision
-rw-r--r--  1 root wheel 58755 Apr  3 20:36 date.zip
-rw-r--r--  1 root wheel   485 Apr  3 20:36 ResourceRules.plist
-rw-r--r--  1 root wheel     8 Apr  3 20:36 PkgInfo
-rw-r--r--  1 root wheel  1226 Apr  3 20:36 Info.plist
-rw-r--r--  1 root wheel 10960 Apr  3 20:36 Icon\@2x.png
-rw-r--r--  1 root wheel  8328 Apr  3 20:36 Icon.png
-rw-r--r--  1 root wheel   451 Apr  3 20:36 HelloJB.plist
-rwxr-xr-x  1 root wheel 61088 Apr  3 20:36 HelloJB*
-rwxr-xr-x  1 root wheel 42688 Apr  3 20:36 HelloDaemon*
drwxr-xr-x  2 root wheel   136 Apr  3 20:36 en.lproj/
drwxr-xr-x  2 root wheel   102 Apr  3 20:36 _CodeSignature/
drwxr-xr-x  4 root wheel   544 Apr  3 20:36 ./
drwxrwxr-x 54 root admin  1904 Apr  5 02:14 ../

iPhone5:/Applications root# ps -Aef | grep HelloJB
  501  9412     1   0   0:00.00 ??         0:00.33 /Applications/HelloJB.app/HelloJB

iPhone5:/Applications root# grep mobile /etc/passwd
mobile:*:501:501:Mobile User:/var/mobile:/bin/sh

(‡) Here's a good discussion, with input from Saurik, about how different jailbreaks may affect the sandbox. Long story short: it depends.

---

(†) Update: in recent versions of iOS, the location of 3rd-party apps has been moved to /var/mobile/Containers, and later to /var/containers/, but the same basic sandbox issues remain.