4

I'm developing an app using theos [application_swift] and would like to gain access to the filesystem, outside the sandbox.

To my understanding, using the [application_swift] with theos should enable me to access files outside the sandbox, but I've tried using `FileManager.default.fileExists(atPath:)` to access the file I like and the result was that the file was not found.

Worth mentioning I'm obviously running on a jailbroken device running 11.2.

Am I missing something?

gkpln3

4 Answers

3

I've been able to solve this issue by adding `com.apple.private.security.no-container` to my entitlements file and adding them using codesign.

    codesign --entitlements app.entitlements -f -s "iPhone Developer: xxxxxxxxxxxxxxxxx" MyApp.app

gkpln3
2

Jailbreak doesn't open everything to everyone, that's not how it works in general and could open different things depending on the specific jailbreak. For example, Electra on iOS 11 allows me to read SMS database from inside a regular app. But I still can't read someone else's sandbox. It all depends on how jailbreak is implemented and what it patches inside the kernel. It could even be that you can't access anything outside of the sandbox. That actually would be preferable to preserve security of AppStore apps.

It could also be much simpler - Swift knows which paths you shouldn't try to access and throws an error without even actually trying to access them. Try to access the files with C or Objective-C as these are proven to work without any artificial restrictions.

creker
  • It’s obviously possible for apps (I'm talking about apps that are being installed from Cydia rather than the AppStore) to access files outside the sandbox, take a look at Fileza, or iFile for example. – gkpln3 Oct 30 '18 at 15:25
  • @gkpln3 of course they work. They're installed outside of the sandbox and have no restrictions because of that. I'm not familiar with theos (never used it for jailbreak development) and, more importantly, don't know how you're installing your app. If you just run from Xcode then it's still in the sandbox. If you're copying it over SSH to `/Applications` directory or launch it from the terminal, then it should have full access to the file system. – creker Oct 30 '18 at 15:35
  • I did exactly that (theos is installing the app straight to `/Applications`), yet I still get no access to the filesystem. I’ve heard I should try using entitlements to disable sandboxing, like done on a mac program, but I did not understand how it is done using theos – gkpln3 Oct 30 '18 at 18:04
  • @gkpln3, try ObjC application just in case. Sandboxing shouldn't be active for your app. Sandboxing is applied in two cases - application is launched from the location where AppStore apps are installed or entitlements actually specify which sandbox profile should be applied. Some system applications use that, it's an opt-in feature. But even in case of AppStore apps - like I said, Electra jailbreak allows me to access system files from inside of the sandbox. Like SMS database. – creker Nov 01 '18 at 00:47
0

If you're still looking for the answer to this, you must add the `com.apple.private.security.no-sandbox` entitlement to your app.

Tanner H.
  • Tried it, didn't work. Actually what did solve this for me was adding `com.apple.private.security.no-container` to the entitlements file. – gkpln3 Dec 24 '18 at 10:53
0

I like your plist permission change. If you want an alternative, like @Creker said, try `stat` or `access` from C.

I have seen your problem, when trying to detect Frida running on a jailbroken device:

    NSString *frida_on_filesystem = @"/usr/sbin/frida-server";
    NSURL *theURL = [NSURL fileURLWithPath:frida_on_filesystem isDirectory:NO];
    NSError *err = nil;

    // Foundation-level reachability check.
    if ([theURL checkResourceIsReachableAndReturnError:&err])
        return YES;

    if (err != nil) {
        NSLog(@"[*]Error in file check: %ld", (long)err.code);
        if (err.code == 257)   // 257 == NSFileReadNoPermissionError
            NSLog(@"[*]Sandbox permission error.");
    }

    // Same path through the C stdio layer.
    FILE *file = fopen(frida_on_filesystem.fileSystemRepresentation, "r");
    if (!file)
        NSLog(@"[*]if ObjC APIs fails, fopen also failed!");
    else
        fclose(file);   // do not leak the handle when the open succeeds

but then access() - which loads from libsystem_kernel.dylib - works:

    return (access(frida_on_filesystem.fileSystemRepresentation, F_OK) == 0) ? YES : NO;

rustyMagnet
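
The answers that suggest dropping to C turn on one point: a boolean existence check cannot tell "absent" from "denied", and different calls can be allowed or blocked separately. The following is an added example, not code from any poster on this page; it records `errno` for `access`, `stat` and `open` on the same path. The type and function names are hypothetical, and it assumes a policy denial surfaces as `EPERM` or `EACCES`.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Added example; every name below is hypothetical. */
typedef enum { PATH_PRESENT, PATH_ABSENT, PATH_DENIED, PATH_OTHER } verdict_t;

/* Map an errno value (0 = the call succeeded) to what it says about the path. */
verdict_t classify_errno(int e) {
    switch (e) {
    case 0:       return PATH_PRESENT;
    case ENOENT:
    case ENOTDIR: return PATH_ABSENT;   /* the path really is not there */
    case EPERM:
    case EACCES:  return PATH_DENIED;   /* assumption: policy denials use these */
    default:      return PATH_OTHER;
    }
}

struct probe { int access_errno, stat_errno, open_errno; };

/* Run the three checks independently and keep each result. */
verdict_t probe_path(const char *path, struct probe *p) {
    struct stat st;
    int fd;
    p->access_errno = (access(path, F_OK) == 0) ? 0 : errno;
    p->stat_errno   = (stat(path, &st) == 0) ? 0 : errno;
    fd = open(path, O_RDONLY);
    p->open_errno   = (fd >= 0) ? 0 : errno;
    if (fd >= 0) close(fd);
    /* Any single success proves existence, even if the other calls were denied. */
    if (!p->access_errno || !p->stat_errno || !p->open_errno)
        return PATH_PRESENT;
    /* A denial means "blocked, existence unknown", which is not "absent". */
    if (classify_errno(p->access_errno) == PATH_DENIED ||
        classify_errno(p->stat_errno) == PATH_DENIED ||
        classify_errno(p->open_errno) == PATH_DENIED)
        return PATH_DENIED;
    return classify_errno(p->stat_errno);
}

int main(int argc, char **argv) {
    /* Default is the path used in the answer above. */
    const char *path = argc > 1 ? argv[1] : "/usr/sbin/frida-server";
    struct probe p;
    verdict_t v = probe_path(path, &p);
    printf("%s: verdict=%d access=%d stat=%d open=%d\n", path, (int)v,
           p.access_errno, p.stat_errno, p.open_errno);
    return 0;
}
```

A result where `access` is 0 and `open` is non-zero matches what the answer above reports: the path exists, but reading it is blocked.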