
As you are aware, the famous _XPCConnectionHasEntitlement no longer works in iOS 8. Is there any other way to bypass the entitlements with tweaks that require entitlements? I came to know that _BSAuditTokenTaskHasEntitlement might solve the issue, but I can't get through it.

I'm using the following snippet of code to hook into backboardd & assertionsd.

#import <UIKit/UIKit.h>
#include <xpc/xpc.h>        // xpc_connection_get_pid()
#include <substrate.h>      // MSFindSymbol / MSHookFunction

// Category assumed to be defined elsewhere in the tweak; declared here so the call below compiles.
@interface UIDevice (QRWA)
- (pid_t)__qrwaGetPIDForProcess:(NSString *)name;
@end

// Original implementation, filled in by MSHookFunction.
static int (*orig_BSAuditTokenTaskHasEntitlement)(id connection, NSString *entitlement);

// Replacement: grant com.apple.multitasking.unlimitedassertions to SpringBoard, pass everything else through.
static int hooked_BSAuditTokenTaskHasEntitlement(id connection, NSString *entitlement) {
    NSLog(@"Got it.");
    if (xpc_connection_get_pid(connection) == [[UIDevice currentDevice] __qrwaGetPIDForProcess:@"SpringBoard"]
        && [entitlement isEqualToString:@"com.apple.multitasking.unlimitedassertions"]) {
        return 1;
    } else {
        return orig_BSAuditTokenTaskHasEntitlement(connection, entitlement);
    }
}

%ctor {
    %init;
    // MSHookFunction takes void pointers; no int casts are needed.
    MSHookFunction(MSFindSymbol(NULL, "_BSAuditTokenTaskHasEntitlement"),
                   (void *)hooked_BSAuditTokenTaskHasEntitlement,
                   (void **)&orig_BSAuditTokenTaskHasEntitlement);
}

The problem is that the NSLog statements are never printed. So I feel that something is wrong with the syntax of the function _BSAuditTokenTaskHasEntitlement, but I'm not sure.

If anyone points me in the right direction, I'd appreciate their help.

dandan78
prathumca
  • Why don't you just sign your app with the entitlement? It will be much easier. `XPCConnectionHasEntitlement` is not the only one. There are many ways to check the entitlements of the calling process that iOS uses. For example, many processes use this http://opensource.apple.com/source/libsecurity_codesigning/libsecurity_codesigning-55032/lib/SecTask.h – creker Aug 05 '15 at 12:42
  • It looks like you need to hook `BKSAuditTokenTaskHasEntitlement` – creker Aug 05 '15 at 12:43
  • @creker thanks for the tip. Do you have any running sample how to hook into that? Also this is a tweak not an App. – prathumca Aug 05 '15 at 13:22
  • No, I just looked at what backboardd uses inside - it uses `BKSAuditTokenTaskHasEntitlement` to check for entitlements – creker Aug 05 '15 at 13:28
  • @creker hmm, are the args of '**BKSAuditTokenTaskHasEntitlement**' the same as **XPCConnectionHasEntitlement**? Does it take connection & entitlement as arguments? – prathumca Aug 05 '15 at 13:32
  • Oops, forgot about the arguments. No, obviously it takes different arguments. First argument is a pointer to an internal C structure - I don't know which one but you can just write `void* arg1` as the first argument, it doesn't matter. Second argument is `CFStringRef entitlement`. – creker Aug 05 '15 at 14:05
  • First argument is probably `audit_token_t*` – creker Aug 05 '15 at 14:15
  • @creker that helps, lemme give it a try. – prathumca Aug 05 '15 at 15:04
  • @creker **_BSAuditTokenTaskHasEntitlement** is the method to hook, and it's working fine except for the **com.apple.multitasking.unlimitedassertions** entitlement. **BKSAuditTokenTaskHasEntitlement** is also not working for the same entitlement. – prathumca Aug 05 '15 at 15:20
  • I looked at disassembly - assertionsd does call `BSAuditTokenTaskHasEntitlement` when it checks for `com.apple.multitasking.unlimitedassertions`. The check is done in only one place and the entitlement is not used anywhere else. – creker Aug 05 '15 at 16:47
  • @creker Well, I'm using OBJCIPC for communication from **com.apple.mobilesms.notifications** to another sandboxed app. But the message is never delivered and the logs point to that entitlement. – prathumca Aug 05 '15 at 19:46
  • yeah, I know that problem - IPC in a sandboxed environment is a real pain. I never used OBJCIPC but looking at the source it looks exactly like what I wrote for myself - localhost TCP connection, central daemon which acts as a server and can send and receive notifications, queueing. And it works for me - I can communicate with any app, even a sandboxed one. The only thing is, it looks like OBJCIPC can even launch the receiving app if needed, but do you really need that? Other than that it looks like a bit much and I would suggest you write your own lightweight IPC over localhost TCP. – creker Aug 05 '15 at 22:00
  • In fact, all those tricks with entitlements are exactly for that purpose - to be able to launch and bring into the background other apps from SpringBoard, which acts as a central server daemon. It has nothing to do with the actual IPC. – creker Aug 05 '15 at 22:05
  • @creker that's correct, since OBJCIPC is doing what I really need. But the problem is I can't communicate with the app (confirmed: the app is running in the background), i.e. the app never receives the message. No clue what really went wrong. Is your code open sourced? – prathumca Aug 06 '15 at 06:43
  • It's probably suspended, not actually running in the background. In that case you do need OBJCIPC to wake up the process. I don't have such a problem, most of my processes are always running and for the others it doesn't matter if they're suspended - queued notifications will be delivered once they return to the foreground. No, my code is not open sourced but there is not really much to show - a couple of sockets and simple logic around them. – creker Aug 06 '15 at 08:31
  • @creker Thanks, I'm pretty sure that the sandboxed app is running in the background, and I'm trying to send a message from the **MessagesNotificationViewService** app, where I don't have any luck. The other communications from one app to another just work fine. – prathumca Aug 06 '15 at 09:06
  • Well, then it's not the entitlement that causes this. If both apps are in the active state then they can communicate through the local TCP connection which OBJCIPC uses. There are two main things that can prevent that: 1. One app is in the background, but not running. 2. One app is restricted by its sandbox profile and can't use sockets. The latter is common for system daemons but I didn't find any sandbox profile in `MessagesNotificationViewService`. – creker Aug 06 '15 at 15:57
  • Did you ever find a solution to this? I am trying to force another app to have full backgrounding, but it's proving difficult on iOS 8 – Darren Dec 02 '15 at 13:48
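An added example, not code from the question or from any commenter, of the same hook written against the signature the comment thread suggests: an `audit_token_t *` first argument and a `CFStringRef` second. Everything not stated in the thread is an assumption made here: the `BOOL` return type, the hypothetical `pidOfProcessNamed` helper built on `sysctl`, and reading the caller pid from `val[5]` of the audit token (the field libbsm's `audit_token_to_pid()` returns). The point of the example is the pass-through shape: grant exactly one entitlement to exactly one caller and hand every other query to the original function, so the daemon's policy is otherwise unchanged.

```objective-c
#import <Foundation/Foundation.h>
#include <mach/mach.h>        // audit_token_t
#include <sys/sysctl.h>       // sysctl() / struct kinfo_proc
#include <string.h>
#include <stdlib.h>
#include <substrate.h>        // MSFindSymbol / MSHookFunction

// Assumed signature, taken from the comment thread: (audit_token_t *, CFStringRef).
// The BOOL return type is an assumption as well.
static BOOL (*orig_BSAuditTokenTaskHasEntitlement)(audit_token_t *token, CFStringRef entitlement);

// Hypothetical helper (not from the page): look a process up by name via KERN_PROC_ALL.
// Returns -1 when no process with that name is running.
static pid_t pidOfProcessNamed(const char *name) {
    int mib[4] = { CTL_KERN, KERN_PROC, KERN_PROC_ALL, 0 };
    size_t size = 0;
    if (sysctl(mib, 4, NULL, &size, NULL, 0) < 0) return -1;
    struct kinfo_proc *procs = (struct kinfo_proc *)malloc(size);
    if (!procs) return -1;
    if (sysctl(mib, 4, procs, &size, NULL, 0) < 0) { free(procs); return -1; }
    pid_t found = -1;
    for (size_t i = 0; i < size / sizeof(struct kinfo_proc); i++) {
        if (strcmp(procs[i].kp_proc.p_comm, name) == 0) {
            found = procs[i].kp_proc.p_pid;
            break;
        }
    }
    free(procs);
    return found;
}

// Replacement: grant one entitlement to one caller; everything else goes to the original check.
static BOOL hooked_BSAuditTokenTaskHasEntitlement(audit_token_t *token, CFStringRef entitlement) {
    // val[5] is the pid field of an audit token; the check is keyed on the caller's identity,
    // not on which XPC connection delivered the request.
    pid_t caller = (pid_t)token->val[5];
    BOOL wanted = CFStringCompare(entitlement,
                                  CFSTR("com.apple.multitasking.unlimitedassertions"),
                                  0) == kCFCompareEqualTo;
    if (wanted && caller == pidOfProcessNamed("SpringBoard")) {
        NSLog(@"granting unlimitedassertions to SpringBoard (pid %d)", caller);
        return YES;
    }
    return orig_BSAuditTokenTaskHasEntitlement(token, entitlement);
}

%ctor {
    void *sym = MSFindSymbol(NULL, "_BSAuditTokenTaskHasEntitlement");
    if (!sym) {
        // Either the symbol name is wrong or this tweak was loaded into a process that never links it.
        NSLog(@"BSAuditTokenTaskHasEntitlement not found in %@", [[NSProcessInfo processInfo] processName]);
        return;
    }
    MSHookFunction(sym,
                   (void *)hooked_BSAuditTokenTaskHasEntitlement,
                   (void **)&orig_BSAuditTokenTaskHasEntitlement);
}
```

The check runs inside the daemon that enforces it (assertionsd and backboardd, per the thread), not inside SpringBoard, so the tweak's filter plist has to list those executables or the constructor never runs there. Logging when `MSFindSymbol` returns NULL separates "not injected" and "wrong symbol name" from "hook installed but never reached", which is the first thing to rule out when no log line ever appears.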

0 Answers