Why Hackers (and Pen Testers) Jailbreak iOS

And why no mobile app is safe on a Jailbroken iPhone

What is Jailbreaking iOS — ie: What does it mean to Jailbreak an iPhone?

Jailbreaking is the process of unlocking the iOS operating system on an Apple mobile device. Jailbreaking is a form of administrative privilege escalation, which bypasses Apple’s restrictions, resulting in full administrative control over the OS (the highest level of administrative privilege possible). Jailbreaking is often accomplished by exploiting bugs in Apple’s software/firmware or modifying system kernels to allow read and write access to the file system. Jailbreaking is one of the primary methods/tools for every hacker — both black hat hackers and white hat hackers (eg: penetration testers or security researchers). They all use Jailbreaking in similar ways (to compromise the security model of mobile devices, the operating system, and any app running on the device). The main difference is that black hat hackers have malicious intent, while white-hat hackers generally have non-malicious intent.

Below are the Top reasons people Jailbreak iOS:

1. To bypass Apple’s restrictions around installing software or connecting to alternative app store (repos) like Cydia.
2. To customize the OS, to change the behavior of their phone/operating system in ways that Apple does not support
3. Developers Jailbreak iOS to access and modify the file system, test new app builds with a wider selection of tools, to test the security model of their app
4. Gamers or hackers Jailbreak iOS to install game mods, tweaks, cheat tools, and more advanced hacking tools.
5. Pen testers and Hackers Jailbreak iOS to gain an advantage in compromising the security model, to expose weaknesses in mobile app protections, to disable anti-tampering or other security protections, to turn off security SDKs that have been hard-coded to the app.

Whatever the intent, Jailbreaking makes every hacker’s job much easier because it gives them a significant advantage in compromising the security model, due to the elevated level of privilege and full administrative control that Jailbreaking enables. You can think of Jailbreaking as a ‘gateway’ hacking tool: In other words, Jailbreaking is a fundamental hacking tool that gives hackers one or more of the following advantages:

• Jailbreaking makes it possible to obtain or use more advanced hacking tools (unfettered access to alternative repositories like Cydia, where hackers can obtain tweaks, mods, fake apps, clones, or get access to more powerful hacking or cheating tools).
• Using Jailbreaking, hackers can achieve more powerful outcomes with just about any tool (e.g.: use FRIDA to perform dynamic code injection, function hooking, method swizzling. These are all methods by which hackers alter the logical control flows of a mobile app to replace intended app behaviors with their own malicious behaviors.
• Jailbreaking enables hackers to use a much more extensive variety of hacking methods (e.g.:use emulators to alter memory and bypass in-app purchases in mobile games, to disable mobile advertising SDKs, to set-up a malware beacon inside the app)
• Jailbreaking makes it easier to bypass security controls or protections (e.g.: disable anti-tampering protections, turn off digital rights management checks, disable mobile threat detection (MTD) SDKs in the source code.

Jailbreaking results in a compromised security model, where you cannot trust any signals coming from the device (because on a Jailbroken device, the hacker is in control and change modify the signals to achieve their desired outcome). And while many of the above methods are still possible without Jailbreaking, there’s no question that Jailbreaking makes them better, easier, more powerful, etc. Any iOS app that runs on a Jailbroken device is in a vulnerable state, where hackers can amplify and increase the magnitude of their attacks — all with less effort.

Bottom line: Jailbreaking results in a compromised security model, where you cannot trust any signals coming from the device (because on a Jailbroken device, the hacker is in control and modify the signals to say or report whatever outcome they want — which is never good for your app.

What is Jailbreak Bypass (aka Jailbreak Hiding)?

Hackers use Jailbreak Bypass and Jailbreak Hiding tools to evade Jailbreak detection/protections. As mentioned above, Jailbreaking makes it easier to hack iOS apps and to compromise the mobile security model. So if a mobile app is protected with Jailbreak detection or Jailbreak protection, hackers will try to either bypass the protection or hide the fact that the device is Jailbroken. If they can evade detection, then they can operate in a Jailbreak state longer (doing whatever activity they used Jailbreak to achieve in the first place): such as play the game for free longer, or use more advanced or automated tools like emulators to modify in-app purchases, use FRIDA to inject malicious code, to use IDA-Pro to create a call graph to trace the app’s source code, to modify app workflows, or send fake signals to unsuspecting users to make their attacks seem more legitimate/credible.

Hackers combine Jailbreak tools with Jailbreak bypass tools to kill two birds with one stone. For example, hackers combine the use of Jailbreak tools like CheckRa1n, Unc0ver, Zylon, PlankFilza, Chimera etc, (which they use to Jailbreak iOS), alongside special-purpose Jailbreak Bypass or Jailbreak hiding tools like FlyJB, JailProtect, Liberty Lite, TweakRestrictor, KernBypass. The first set of tools is used to achieve Jailbreak status, while the second set of tools is used to conceal the fact that the device is Jailbroken or to bypass Jailbreak protection/detection mechanisms in the app.

How to Protect iOS Apps against Jailbreak and Jailbreaking Hiding Tools

As a mobile app developer, you have several options when it comes to building Jailbreak Prevention into your app. The purpose of jailbreak prevention is to build runtime protections into your app that allow it to defend itself if it’s running on a device that has been jailbroken. You have DIY options (such as implementing 3rd party libraries or 3rd party commercial SDKs). These both require mobile developers to code the solution themselves by modifying the source code of the mobile app according to the rough guidelines of the 3rd party libraries and/or SDK. Alternatively, you can use a no-code mobile development and security platform like Appdome to build Jailbreak Prevention into any iOS app for you — without coding. Whatever way you go, be sure to pick a solution that can do the following:

• Perform continuous Jailbreak checks — not just upon app initialization
• Detect at multiple code and API layers — eg: Native code and non-native code and APIs. This is especially important if your app is built in a cross-platform or non-native framework like React Native, Cordova, Xamarin, etc, or if the app is built with multiple programming languages (Swift + Objective C). Building protections into your app that have dependencies on the specific coding language may mean that you need to implement multiple solutions in order to ensure broad protection
• Detect Jailbreak via multiple detection mechanisms: inspect for changes made in superuser status, detect irregular file system modifications, detect attempts to circumvent Apple’s app-signing procedures.
• Detect Jailbreak hiding and Jailbreak bypass tools like FlyJB or Liberty Lite. This is especially important because as I said before, Jailbreaking is one of the top ‘go-to’ tools of every hacker, and they will go through extreme measures in order to continue using Jailbreak reliably.
• Jailbreak prevention should be a part of a cohesive, layered security defense, where it complements other security protections like app shielding, anti-tampering, anti-debugging, RASP, encryption, and obfuscation. This is especially important because hackers have many tools, methods, and techniques at their disposal when it comes to hacking mobile apps. It’s important to understand that mobile apps sit in public app stores where anybody can download the app and reverse engineer it, either by extracting the binary or run it thru a disassembler/decompiler to access the source code in minutes. If that’s not enough, chances are, the code is largely unobfuscated and the data largely unencrypted. And at best, maybe there’s a lightweight anti-tampering library in the app (which a moderately experienced developer/hacker can diable in about 5 minutes). On a Jailbroken device, an app that is so lightly protected doesn’t stand a chance. And if you do implement Jailbreak prevention via DIY methods, it’s important that the Jailbreak protection isn’t the ONLY protection in the app. Because if the hacker can’t jailbreak the phone, they can still decompile, debug, and reverse engineer their way to obtain what they are looking for — usually that’s your customer’s data.

The best Jailbreak defense is one that self-detects, operates at multple layers, and reinfornces other protections in the app. There’s no silver bullet in mobile app security. As always, keep safe and keep your mobile apps and users safe too.

PS: At Appdome we’re at work on a new no-code mobile app security offering which is specifically designed to protect iOS and Android apps that are under constant bombardment by experienced, motivated hackers using specialized tools. Key industry segments are mobile games, retail and fintech. If you have such an app, I’d love to hear your use case. We might have space for you in our private Beta program (which I happen to run). As thanks for participating in the Beta, our white hat ‘red team’ will perform a free penetration test on your app. And if you secure your app on Appdome (which takes less than 5 minutes), we’ll guarantee that your app will pass a future penetration test.

Drop me a line at alan@appdome.com