
After I attended a programming class, one of my friends showed me an app that would not allow him to get past the first screen due to his jailbroken iPhone.

Since then I have been intrigued as to how the app was able to detect the jailbreak without being blocked by Apple and, being the anti-jailbreak advocate that I am, I kept fruitlessly trying to find a reliable way to detect a jailbroken iOS device to prevent people from cheating if I ever decided to release a game on the App Store.

Does anyone know of a reliable method(s) to detect a device's jailbreak status that cannot be easily bypassed by said jailbroken device?

EDIT: based on recent comments, I would just like to clarify that the intention of this post is to share the knowledge I gained from finding that article, and to provide a place where other users can contribute their methods of jailbreak detection.

MoralCode
    This is a very old question that has been asked many times, and has many different approaches that have evolved through time since back then when the first iPhone SDK was released. I believe there still isn't a fool-proof approach, but rather a myriad of small tests you can perform, and they keep changing as the arms race between Apple and the jailbreak community progresses. – Nicolas Miari Feb 03 '16 at 04:19
  • The intention of SO is **not** to "share an article", that is what blogs are for. – zaph Feb 04 '16 at 01:05
  • @zaph on the contrary, if stack overflow was ***not*** for sharing my newfound knowledge in the Q+A format that everyone else uses, then why is there an "answer your own question" button on the ask a question page? – MoralCode Feb 04 '16 at 02:03
  • @ACE, the button is for answers that can benefit others. The question was asked many many many times. You just copy-pasted the link that can be googled in 2 seconds. And the link is not even that useful - Apple is known for rejecting apps with such checks. Like, you're not supposed to access files outside your sandbox. And shouldn't call APIs that the sandbox does not allow. Everything else doesn't work very well. – creker Feb 04 '16 at 20:17

2 Answers

The other day I stumbled across an article containing the exact answer I was looking for.

From https://www.theiphonewiki.com/wiki/Bypassing_Jailbreak_Detection

While there are countless ways apps can implement checks for jailbroken devices, they typically boil down to the following:

Existence of directories - Check your file system for paths like /Applications/Cydia.app/ and /private/var/stash, amongst a handful of others. Most often, these are checked using the -(BOOL)fileExistsAtPath:(NSString*)path method in NSFileManager, but more sneaky apps like to use lower-level C functions like fopen(), stat(), or access().

Directory permissions - Check the Unix file permissions of specific files and directories using NSFileManager methods as well as C functions like statfs(). Far more directories have write access on a jailbroken device than on one still in jail.

Process forking - sandboxd does not deny App Store applications the ability to use fork(), popen(), or any other C functions to create child processes on non-jailbroken devices. sandboxd explicitly denies process forking on devices in jail. If you check the returned pid on fork(), your app can tell if it has successfully forked or not, at which point it can determine a device's jailbreak status.

SSH loopback connections* - Due to the large portion of jailbroken devices that have OpenSSH installed, some apps will attempt to connect to 127.0.0.1 on port 22. If the connection succeeds, it means OpenSSH is installed and running on the device, therefore it is jailbroken.

system() - Calling the system() function with a NULL argument on a device in jail will return 0; doing the same on a jailbroken device will return 1. This is since the function will check whether /bin/sh exists, and this is only the case on jailbroken devices.[1]

dyld functions - By far the hardest to get around. Calling functions like _dyld_image_count() and _dyld_get_image_name() to see which dylibs are currently loaded. Very difficult to patch, as patches are themselves part of dylibs.

*Only a very small number of applications implement this (as it is not nearly as effective as the others)

The above passage was edited for brevity.

I figured I'd post this here as a knowledge-share for those app developers wondering how that one app was able to successfully implement jailbreak detection when all other attempts at detecting jailbreak get rejected by Apple.

MoralCode
  • Thanks! Although, full confession, I did have it sitting in my notes until I was unbanned from asking questions... – MoralCode Feb 03 '16 at 04:24
  • @ACE if you end up creating checks then share your code here. – Sam B Feb 03 '16 at 04:29
  • @SamB I may create some kind of framework or library, but this is just to help answer the "my jailbreak detection was rejected" questions and provide some varying ways to check for jailbreak... – MoralCode Feb 03 '16 at 04:31
  • If you want to create a library or framework or something, by all means post it! – MoralCode Feb 03 '16 at 04:32
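As an added example (not code from the answer or from theiphonewiki), here are the directory-existence, fork(), system(NULL) and dyld checks from the quoted list in plain C, written so each indicator can be exercised on its own. The path list and the simple additive score are my own assumptions; on an ordinary Linux or macOS host the fork and shell checks fire because there is no sandbox, which is exactly the "missing sandbox" signal these checks really measure.

```c
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/wait.h>
#ifdef __APPLE__
#include <mach-o/dyld.h>   /* _dyld_image_count() exists only on Apple platforms */
#endif

/* Existence of directories: stat() each candidate path (the lower-level route the
 * quoted text mentions instead of NSFileManager) and count how many are present. */
int count_existing_paths(const char *const *paths, size_t n) {
    struct stat st;
    int found = 0;
    for (size_t i = 0; i < n; i++)
        if (stat(paths[i], &st) == 0) found++;
    return found;
}

/* Process forking: 1 if fork() succeeds (the child exits at once), 0 if refused. */
int can_fork(void) {
    pid_t pid = fork();
    if (pid < 0) return 0;
    if (pid == 0) _exit(0);
    waitpid(pid, NULL, 0);
    return 1;
}

/* system(NULL): nonzero means a shell (/bin/sh) is reachable from this process. */
int shell_available(void) { return system(NULL) != 0; }

/* dyld functions: number of loaded images, or -1 where dyld is unavailable. */
int loaded_image_count(void) {
#ifdef __APPLE__
    return (int)_dyld_image_count();
#else
    return -1;
#endif
}

/* Constructed list: the paths named in the quoted answer plus /bin/sh, which the
 * system() check relies on. */
static const char *const kJailbreakPaths[] = { "/Applications/Cydia.app", "/private/var/stash", "/bin/sh" };

/* Aggregate score (assumed scheme): each positive indicator adds one. */
int jailbreak_indicator_count(void) {
    int score = count_existing_paths(kJailbreakPaths, 3);
    score += can_fork();
    score += shell_available();
    return score;
}
```

All of these run inside the app's own process, so a tweak that hooks stat(), fork() or system() sees them first; the score is a hint, not proof.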

Blocking all jailbroken users probably wouldn't help you fight app piracy if you released a game on the App Store because it would force them to get a pirated version of the game to be able to play (instead of giving them the possibility to pay to play the game).

What you'd want is to check if the game is a legit version off the App Store. But even that could be potentially patched by the guys who crack games to release them...

You can check if the currently running executable is encrypted, which is a good way to know if the app has been pirated by looking at this answer.

Otherwise if it's a free game with in-app purchase, doing receipt validation helps block out most tweaks that get around paying for in-app purchases.

But there's definitely no way to absolutely block out app piracy.

You could always mention how hard you worked on that game within the game... That could convince a few persons to pay for the legit version of the game.

Felix Lapalme
  • 99% of the time this is really not how it works with iOS apps. You don't crack or patch IPA files (except 1% case). Instead you jailbreak the phone and block the OS from verifying your IPA. This can be easily done using a cydia tool. So anyways, as lap.felix said blocking all jailbroken devices will block your app for even legitimate users who have actually purchased your app from App Store (although their devices are jailbroken) – Rukshan Feb 03 '16 at 07:46
  • @sleepwalkerfx, 99% of the time you do crack IPA files which means decrypting them. That breaks the code signature and that's why you need a cydia tool to disable IPA verification. IPAs are encrypted with the apple id that purchased the app. You need to decrypt them or somehow get that apple id. Like with Chinese app stores that would let you install pirate apps even on a non-jailbroken device. Another way would be to resign the app with a developer certificate. – creker Feb 03 '16 at 08:31
  • @creker , No. 99% of the time you don't crack IPA files. I want you to try this first, and comment back here. Just compile and archive an IPA file from Xcode. Then get a jailbroken phone and sync that non-cracked IPA to your Jailbroken phone which has AppSync installed via cydia. You'll see how the IPA works without cracking at all. It doesn't need any cracking. All you need is the cydia tweak for the iOS, that's it. – Rukshan Feb 03 '16 at 11:31
  • @creker IPA verification fails even if it's not cracked (untouched) unless you are trying it on a device listed in your dev portal. Chinese app stores use bulk enterprise licensing to publish their pirated apps to non-jailbroken devices. They have figured out how to ease the process of purchasing a developer slot and using its certificate to install ‘cracked’ apps. – Rukshan Feb 03 '16 at 11:41
  • @sleepwalkerfx, and what does that have to do with anything? Apps from the appstore are encrypted using the apple ID that downloaded or purchased them. If you want to pirate it and distribute to other users you have to crack it i.e. remove the encryption. Even if you have an enterprise account, before you can resign it you have to crack it. I know that first hand - you can't do anything with AppStore IPAs until you crack them. The app binary is encrypted, you can't even disassemble it. – creker Feb 03 '16 at 11:42
  • Chinese app stores actually don't use an enterprise account. At least `kuiayong` doesn't. Their apps are valid AppStore IPAs that have been purchased from the AppStore by valid Apple IDs. When you install an app you have to install those Apple IDs into your device - there is a special button for that in `kuiayong`. If you don't, iOS will ask you for the password of the Apple ID that purchased the app when you try to launch it. That fact proves it's not an enterprise-signed app. – creker Feb 03 '16 at 11:51
  • @creker my point was, if you have a jailbroken iPhone with AppSync installed and an IPA file with you (cracked or not) it works right away unless the developer has used a special technique to detect if the phone is jailbroken just like OP asked here (99% of devs don't do that). So 99% of the time you don't need to crack IPAs to work on a jailbroken phone. You can test it yourself as I mentioned earlier. Just compile an IPA, don't crack it, test on someone's jailbroken phone which isn't linked to your dev portal's test device list with its UDID. If it needed cracking it shouldn't work on that phone. – Rukshan Feb 08 '16 at 09:07
  • @creker as you know, compiled IPA files only work on devices that are linked to your developer account. If you try to install it on another device, it will fail. But if that other device is jailbroken and has AppSync installed, then this IPA will work. It just doesn't need to be cracked. You don't need to remove any encryption. You can distribute it to anyone with a jailbroken iPhone. All IPA files work this way, whether legitimately downloaded from the App Store or a compiled version from Xcode. – Rukshan Feb 08 '16 at 09:25
  • @sleepwalkerfx, again, you're talking about a completely different thing that has nothing to do with the topic. Developer IPAs generated by Xcode are out of the question, don't even mention them. The whole question is about AppStore apps. And they're encrypted. AppSync and jailbreak are useless unless you crack them. That's it, no other way around it. AppStore generated and Xcode generated IPAs are NOT the same. They're different because AppStore IPAs use FairPlay DRM that encrypts the application binary. So please stop spreading misinformation and read about the topic before arguing. – creker Feb 08 '16 at 09:34