# iOS Jailbreak Detection in 2023

In this blog post, I'll show what detection methods exist and share code examples. But more importantly, I'll discuss the motivation for jailbreak detection, share related implementation, and present information so that you assess if jailbreak detection is a good idea in 2023 (or in general).

## Background - what's a Jailbreak

Jailbreaking is the use of a [privilege escalation](https://en.wikipedia.org/wiki/Privilege_escalation) [exploit](https://en.wikipedia.org/wiki/Exploit_(computer_security)) to remove software restrictions imposed by Apple by

* modifying the operating system (enforced by a "locked [bootloader](https://en.wikipedia.org/wiki/Bootloader)")
    
* installing non-officially approved applications (known as "tweaks") via sideloading utilizing package managers such as [Cydia](https://www.cydiafree.com/) or [Sileo](https://getsileo.app/)
    
* **granting the user elevated administration-level privileges (rooting)**
    

![](https://upload.wikimedia.org/wikipedia/commons/thumb/3/36/ScreenshotofCydia.jpg/221px-ScreenshotofCydia.jpg align="center")

<mark>"Virtual" jailbreaks are nowadays often advertised but are </mark> [<mark>scams</mark>](https://www.theiphonewiki.com/wiki/Scam_Jailbreaks_and_Unlocks)<mark>!</mark>

## Motivation - why and who cares

Stakeholders of **enterprise apps** are concerned that the missing sandbox restrictions on a jailbroken device can be exploited by tweaks and comprise the security level of their apps.

Apps with **sensitive or valuable data** are therefore often required, by their stakeholders, to implement jailbreak detection to increase security.

The **OWASP MASVS (Mobile Application Security Verification Standard)** is the industry standard for mobile app security. Its purpose is to be used by mobile software architects and developers seeking to develop secure mobile applications, as well as security testers, to ensure completeness and consistency of test results.

The very first requirement concerning resilience, [MSTG-RESILIENCE-1](https://github.com/OWASP/owasp-mastg/blob/v1.5.0/Document/0x05j-Testing-Resiliency-Against-Reverse-Engineering.md#owasp-masvs), reads as follows:

> The app detects, and responds to, the presence of a rooted or jailbroken device either by alerting the user or terminating the app.

## Implementation - jailbreak detection methods

I recommend reading [this](https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/jailbreak-detection-methods/) good article about Jailbreak Detection Methods.

* Filesystem-based Detection
    
* API-based Detection
    
* OpenSSH Service Detection
    
* Cydia Scheme Detection
    

[Various code examples](https://github.com/OWASP/owasp-mastg/blob/v1.5.0/Document/0x06j-Testing-Resiliency-Against-Reverse-Engineering.md#jailbreak-detection-mstg-resilience-1) can be found in the MASTG, including this one.

```swift
do {
    let pathToFileInRestrictedDirectory = "/private/jailbreak.txt"
    try "This is a test.".write(toFile: pathToFileInRestrictedDirectory, atomically: true, encoding: String.Encoding.utf8)
    try FileManager.default.removeItem(atPath: pathToFileInRestrictedDirectory)
    // Device is jailbroken
} catch {
    // Device is not jailbroken
}
```

A well-maintained, BSD 2-Clause licensed implementation, reusable as a Swift package, can be found on GitHub.

%[https://github.com/securing/IOSSecuritySuite] 

The simplest method returns `true` or `false` if you want to know if the device is jailbroken or not.

```swift
if IOSSecuritySuite.amIJailbroken() {
	print("This device is jailbroken")
} else {
	print("This device is not jailbroken")
}
```

There is also a more verbose API to know what indicators were identified.

```swift
let jailbreakStatus = IOSSecuritySuite.amIJailbrokenWithFailMessage()
if jailbreakStatus.jailbroken {
	print("This device is jailbroken")
	print("Because: \(jailbreakStatus.failMessage)")
} else {
	print("This device is not jailbroken")
}
```

The `failMessage` is a String containing comma-separated indicators.

Example: `Cydia URL scheme detected, Suspicious file exists: /Library/MobileSubstrate/MobileSubstrate.dylib, Fork was able to create a new process`

## Concerns - how accurate is Jailbreak Detection

There are popular iOS jailbreak detection bypass tweaks such as [A-Bypass](https://onejailbreak.com/blog/a-bypass-tweak/), [Not a bypass](https://www.idownloadblog.com/2023/01/06/not-a-bypass/), [Shadow](https://github.com/jjolano/shadow), and [others](https://ios.cfw.guide/blocking-jailbreak-detection/).

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1674171187083/5f1ed80f-dbef-41d0-b83c-4eb7bffd0b9a.webp align="center")

Such tweaks anticipate that Jailbreak detection implementations will perform certain checks and try to fake results.

<mark>Common bypass tweaks often do not work on specific apps and attackers might need to create/use bypasses made specifically for a certain app.</mark>

> I tested on a jailbroken iPad Air 2 running iOS 15.7.3 and verified that the [open-source implementation](https://github.com/securing/IOSSecuritySuite/blob/1.9.5/IOSSecuritySuite/JailbreakChecker.swift) protects an app against the following bypass teaks
> 
> * A-Bypass
>     
> * Choicy
>     
> * Hestia
>     
> * Not a Bypass
>     

A jailbreak detection implementation might use `FileManager` to detect if a file directory can be accessed that normally is not, e.g. `/var/log/syslog`. If `true` then Apple's sandboxing system is comprised and the app runs on a jailbroken device.

A jailbreak detection bypass tweak might hook into `FileManager` and return `false` to hoodwink you.

For a more comprehensive example, including how to analyze jailbreak detection within an iOS app, I recommend the following article:

%[https://www.romainthomas.fr/post/21-07-pokemongo-anti-frida-jailbreak-bypass/] 

<mark>Bottom line: jailbreak detection can ALWAYS be reversed-engineered and evaded by DEDICATED attackers</mark>

## Evaluation - is it worthwhile to have Jailbreak Detection in 2023

The increased feeling of security, at least against common detection bypass tweaks, comes with a price tag.

* Ongoing efforts to research and update the detection implementation are needed to protect against the common bypass tweaks.
    
* Ongoing costs to obtain and maintain test devices for the sole purpose of jailbreak detection.
    

I cannot tell you if the efforts are justified for your business case. What I can share is some current numbers so that you can quantify the threat level.

## Stats: jailbreak vulnerability for devices running iOS 16

As of February 2023, the latest major iOS release (= 16) has approximately ~ 64% [market share worldwide](https://gs.statcounter.com/ios-version-market-share/mobile-tablet/worldwide/#monthly-202301-202302-bar).

![iOS Market Stats Worldwide Jan-Feb 2023](https://cdn.hashnode.com/res/hashnode/image/upload/v1675565459502/e3fb6651-6c76-4144-ba58-72a67ec89593.svg align="center")

Only 10 out of the [46 devices](https://support.apple.com/en-us/HT213411) compatible with iOS 16 can be jailbroken:

* iPhone 8, 8 Plus, and X
    
* iPad 5-7, iPad Pro 9.7-inch, 10.5-inch, 12.9.-inch (1st & 2nd gen)
    

That is due to the unpatchable [checkm8](https://9to5mac.com/2019/09/27/ios-unpatchable-ios-exploit-jailbreak-iphone-x/) exploit, found in the [Bootrom](https://www.theiphonewiki.com/wiki/Bootrom) of Apple’s chips from A5 to A11 Bionic, and the folks behind the [Palera1n](https://appledb.dev/jailbreak/palera1n.html) jailbreak that leverages the exploit.

%[https://twitter.com/palera1n/status/1602421528368488454?s=20&t=PHd9W9Q6VeXcWqJ9uNk1AQ] 

I was able to jailbreak my iPad Air 2 device running iOS 15.7.3 within a day with Palera1n but had to do a factory reset of the device first.

%[https://www.youtube.com/watch?v=ryCrq6ty9a8] 

[Determine whether a public jailbreak is available for your version of iOS](https://appledb.dev/)

## Question - what alternatives exist?

Apple introduced a new feature called App Attest with iOS 14.

This feature, part of the `DeviceCheck` framework, aims to reduce the inappropriate use of developer servers through compromised apps and minimizes the risk of unauthorized features like "game cheats, ad removal, or access to premium content".

%[https://developer.apple.com/videos/play/wwdc2021/10244/] 

You can sign server requests to prove to your server that they came from an **unmodified** app version.

> It's important to know that **App Attest is not a "is this device jailbroken?" check**, as that has been proven over and over to be impossible to pinpoint. Instead, it aims to **protect server requests** in order to make it harder for hackers to create compromised versions of your app that unlock premium features or inserts features like cheats \[...\] Note the word **harder**: as jailbreakers have physical access to their devices, nothing will **completely** safe-guard you from fraud in this case.

%[https://swiftrocks.com/app-attest-apple-protect-ios-jailbreak] 

Apple does note that "no single policy can eliminate all fraud," and adds that App Attest isn't able to pinpoint a device with a compromised operating system.
