2021 Sthack Jailbreak

The document discusses jailbreak detection mechanisms in iOS and methods to bypass them, particularly in the context of banking applications. It highlights the challenges posed by iOS's security features and the use of tools like Frida for dynamic instrumentation and syscall interception. The document also outlines future trends in iOS security and the increasing difficulty of exploiting iOS devices due to enhanced protections.



Jailbreak detection
mechanisms and how
to bypass them
Sthack - 0x0a Edition
2021 October 15
Whoami

 Eloi Benoist-Vanderbeken
 @elvanderb on twitter

 Working for Synacktiv


 Offensive security company
 90 ninjas
 3 departments: pentest, reverse engineering, development
 Sthack sponsor!

 Reverse engineering technical lead


 30 reversers
 Focus on low level dev, reverse, vulnerability research/exploitation
 If there is software in it, we can own it :)
 We are hiring!


Introduction
JailBreak detection

 iOS
 Closed operating system
 No easy way to get root
 JailBreaks bypass iOS security to get (almost) full access
 JailBreak detection
 Used by banking applications and games
 To make sure that the environment is “safe”…
 …or to block cheats/cracks
 Security researchers need to
 Assess / reverse protected applications

iOS specificities

 Signature
 All the code must be signed by Apple (enforced by the system)
 All the data is also signed (enforced by the App Store)
 Memory protection
 W^X
 Only the WebContent process can use JIT pages
 No side loading
 “Apps may not […] download, install, or execute code which introduces or changes features or functionality of the app”
 Public API
 “Apps may only use public APIs”
 Theoretically enforced by the App Store review process
 Actually only used to block malicious tracking methods or deprecated/buggy APIs

Frida

 https://frida.re
 “Dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers”
 Allows you to inject JavaScript to instrument any process
 iOS / Android / Windows / macOS / Linux / QNX...
 Lots of features
 Lots of bindings (.NET, Python, Node.js, Swift…)
 Low level C API

Debugging an iOS app

 Without a JailBreak
 With ptrace (lldb / frida) → the app needs the get-task-allow entitlement
 By injecting code (frida) → the app needs to be repackaged
And only data-only instrumentation is possible (W^X: no code patching)
 In both cases, you need to resign the application…
 … but that has a lot of side effects
Different Team ID
Files are modified
 With a JailBreak
 No entitlement is required
 Frida is able to attach to any process
Except system ones on post-A12 iPhones, because of PPL


Case study
The target

 A banking app
 Immediately crashes when launched on a jailbroken device
 Exception Type: EXC_BAD_ACCESS (SIGSEGV)
 Exception Subtype: KERN_INVALID_ADDRESS at 0x0000000000000200
 Executable is quite large
 31MB
 Nothing special at first sight
 Method names are not obfuscated
 Strings are in cleartext
 We tried a few scripts¹
 But without luck

1: most notably this one: https://blog.spacepatroldelta.com/a?ID=01600-8a224e7e-6ceb-4e65-88b9-4545d6523275
Around the crash…

(slides 10 to 14 contain only screenshots, which are not in the text export)
Syscalls

 Syscalls are executed directly
 Inline svc instructions, not calls into the libSystem wrappers
 400+ syscalls
 Hooking APIs is not sufficient
 Not very compliant with the “Apps may only use public APIs” policy…
 Strings are decrypted on the fly
 Integrity checks
 Impossible to just find and replace blacklisted paths
 What we would like to do
 Intercept all the syscalls with Frida
 Manipulate the arguments
 Replace the return value

Interception with Frida
Examples are from the doc: https://frida.re/docs/javascript-api/

 Classically used to intercept function arguments or return values (Interceptor.attach)
 Or to completely replace a function's implementation (Interceptor.replace)

Interception with Frida

 But can also be used to intercept arbitrary instructions
 Useful to dump the process state in the middle of a function…
 But not magic nor perfect
 May have to patch multiple instructions to redirect the execution flow
 May trash registers (an issue is open)

Using breakpoints

 Frida also allows to intercept exceptions! (Process.setExceptionHandler)
 Replace all the syscalls with breakpoints
 On arm64: svc #0x80 → brk, one 4-byte instruction swapped for another
 Ensures that we only patch one instruction
 Catch the exception to intercept all the syscalls
 Modify the context to emulate them

Patch all the syscalls

(code screenshot only; not in the text export)
The nasty crash…

 After a few tries we implemented several syscalls
 In parallel we found that normal functions are also used
 The process always crashed just after the checks
 Invalid dereference, exit(0), objc_msgSend with invalid pointers, etc.
 Easy to find the check
 But then the process started to crash…
 … this time with a trashed PC / LR
 No easy way to find the underlying test

Stalker

 Frida has a Dynamic Binary Instrumentation engine: Stalker
 Can be used to log all the basic blocks executed
 Idea
 Run the app until the last successfully bypassed check
 Trace all the basic blocks
 Wait for the program to crash
 Make sure to use a synchronous method
 Frida loses the buffered messages when the app crashes
 This quickly gave us the culprit
 An API that we weren’t hooking yet

Stalker

(code screenshot only; not in the text export)
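The tracing procedure of the Stalker slides (follow the thread once the last bypassed check is reached, log one line per basic block, write it synchronously so the tail survives the crash), as an added Frida script written for this page; it is not the author's or Synacktiv's code. `formatBlock` and `lastForeignEntry` are plain JavaScript and run anywhere; the Stalker glue only runs under Frida. Assumptions: `/tmp/trace.txt` is writable on the device, `getppid` stands in for the last check already bypassed, and the module list and trace lines mentioned below are constructed.

```javascript
// Added example (not the talk's code): synchronous basic-block trace with Stalker, one
// line per block flushed to a file, so the blocks right before the crash are not lost.
// Pure helpers run in any JS engine; the Stalker glue only runs under Frida.
'use strict';

// Render an address as "module!offset" from a [{ name, base, size }] list with numeric fields.
function formatBlock(addr, modules) {
  for (const m of modules) {
    if (addr >= m.base && addr < m.base + m.size) return `${m.name}!0x${(addr - m.base).toString(16)}`;
  }
  return `0x${addr.toString(16)}`;
}

// Walk the recovered trace backwards to the last block where execution left the main
// executable for another module: the API the app called right before dying.
function lastForeignEntry(lines, mainName) {
  const mod = (l) => l.split('!')[0];
  for (let i = lines.length - 1; i > 0; i--) {
    if (mod(lines[i]) !== mainName && mod(lines[i - 1]) === mainName) return lines[i];
  }
  return null;
}

if (typeof Stalker !== 'undefined') {
  const mods = Process.enumerateModules()
    .map((m) => ({ name: m.name, base: parseInt(m.base.toString(), 16), size: m.size }));
  // Assumption: /tmp is writable on the device. write()+flush() per block is synchronous,
  // unlike send()/console.log(), whose buffered messages die with the process.
  const out = new File('/tmp/trace.txt', 'w');
  let following = false;
  // Assumption: getppid is the last check already bypassed; start stalking when it is hit.
  Interceptor.attach(Module.getExportByName('libsystem_kernel.dylib', 'getppid'), {
    onEnter() {
      if (following) return;
      following = true;
      Stalker.follow(this.threadId, {
        transform(iterator) {
          let insn = iterator.next();
          const blockStart = insn.address;
          // A callout before the block's first instruction runs every time the block executes.
          iterator.putCallout(() => {
            out.write(formatBlock(parseInt(blockStart.toString(), 16), mods) + '\n');
            out.flush();
          });
          do { iterator.keep(); } while ((insn = iterator.next()) !== null);
        },
      });
    },
  });
}
```

After the crash, pull the file from the device and feed its lines to `lastForeignEntry` with the main executable's name: it returns the last library block entered from the app's own code, which in the talk's case turned out to be an API that was not hooked yet. Writing and flushing per block is slow, but it is the only way the last records survive; `send()` batches messages and the batch is gone when the process dies.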
Protections

 Try to find JailBreak files
 open, utimes, stat, pathconf, stat64, fopen
 Both syscalls and functions
 Try to block/detect debuggers
 ptrace(PT_DENY_ATTACH);
 Check if the parent pid is launchd
 getppid() == 1
 Try to detect if the rootfs is writable
 getfsstat64, statvfs


Solution
A generic API

 A generic interface to hook both functions and syscalls
 Handle special cases

(slides 25 and 26 are code screenshots; not in the text export)
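The “Using breakpoints” technique, the checks listed under “Protections” and the generic function-plus-syscall hook of “A generic API”, put together as an added Frida script written for this page; it is not the author's or Synacktiv's tooling. The pure parts (instruction encodings, syscall table, `plan()` policy) run in any JavaScript engine; the Frida glue (`Memory.scanSync`, `Memory.patchCode`, `Process.setExceptionHandler`, `Interceptor.attach`) only runs inside Frida on an arm64 jailbroken device. Assumed for illustration: the list of jailbreak paths, the set of hooked wrappers, the 32-bit `syscall(2)` pass-through, and that the Frida build in use exposes `nzcv` on the arm64 CPU context.

```javascript
// Added example (not the talk's code): one policy applied both to raw syscalls, by turning
// svc #0x80 into brk #0 and emulating from the exception handler, and to the libSystem
// wrappers via Interceptor. Pure helpers run in any JS engine; Frida glue is guarded.
'use strict';

// arm64 encodings: XNU syscalls are issued with svc #0x80; brk #0 is our one-word breakpoint.
const SVC_0x80 = 0xd4001001, BRK_0 = 0xd4200000;
const isSvc80 = (word) => (word >>> 0) === SVC_0x80;
// Little-endian bytes of a 32-bit word in Memory.scan's "xx xx xx xx" syntax.
const lePattern = (w) => [0, 8, 16, 24].map((s) => ((w >>> s) & 0xff).toString(16).padStart(2, '0')).join(' ');

// BSD syscall numbers (xnu syscalls.master); pathArg = index of the path pointer argument.
const SYSCALLS = {
  5: { name: 'open', pathArg: 0 },       26: { name: 'ptrace' },
  33: { name: 'access', pathArg: 0 },    39: { name: 'getppid' },
  138: { name: 'utimes', pathArg: 0 },   188: { name: 'stat', pathArg: 0 },
  190: { name: 'lstat', pathArg: 0 },    191: { name: 'pathconf', pathArg: 0 },
  338: { name: 'stat64', pathArg: 0 },   340: { name: 'lstat64', pathArg: 0 },
  347: { name: 'getfsstat64' },
};
const ENOENT = 2, PT_DENY_ATTACH = 31;
// Constructed list of paths a detector typically probes; extend it from the target's strings.
const JB_PATHS = [/^\/Applications\/Cydia\.app/, /^\/usr\/lib\/substitute/, /^\/usr\/sbin\/sshd$/,
                  /^\/private\/var\/lib\/apt/, /^\/var\/jb\//, /^\/Library\/MobileSubstrate/];
const isJailbreakPath = (p) => typeof p === 'string' && JB_PATHS.some((re) => re.test(p));

// Policy shared by both hook types. `args` holds decoded x0..x5 (path arguments as strings).
// { fake: true, x0, error } forges a result (error: x0 is an errno and the carry flag is set);
// { fake: false } lets the real syscall run.
function plan(num, args) {
  const sc = SYSCALLS[num];
  if (sc === undefined) return { fake: false };
  if (sc.pathArg !== undefined && isJailbreakPath(args[sc.pathArg])) return { fake: true, x0: ENOENT, error: true };
  if (sc.name === 'ptrace' && args[0] === PT_DENY_ATTACH) return { fake: true, x0: 0, error: false };
  if (sc.name === 'getppid') return { fake: true, x0: 1, error: false }; // launchd is pid 1
  return { fake: false }; // e.g. getfsstat64: passes through; rootfs flags would need post-processing
}

if (typeof Process !== 'undefined' && Process.arch === 'arm64') {
  const kernel = 'libsystem_kernel.dylib';
  // Pass-through via the variadic syscall(2) wrapper, errno via __error(). Simplification:
  // 32-bit return value, enough for the path-probing syscalls above.
  const sys = new NativeFunction(Module.getExportByName(kernel, 'syscall'), 'int',
    ['int', '...', 'pointer', 'pointer', 'pointer', 'pointer', 'pointer', 'pointer']);
  const errnoLoc = new NativeFunction(Module.getExportByName(null, '__error'), 'pointer', []);

  // 1. Rewrite every aligned svc #0x80 in the main executable into brk #0 (same size, one word).
  const patched = new Set();
  const main = Process.enumerateModules()[0];
  for (const r of main.enumerateRanges('r-x')) {
    for (const m of Memory.scanSync(r.base, r.size, lePattern(SVC_0x80))) {
      if (!m.address.and(3).isNull()) continue;            // unaligned hit: data, not code
      Memory.patchCode(m.address, 4, (code) => code.writeU32(BRK_0));
      patched.add(m.address.toString());
    }
  }

  // 2. Each planted brk raises a breakpoint exception; emulate the syscall from there.
  Process.setExceptionHandler((d) => {
    if (d.type !== 'breakpoint' || !patched.has(d.address.toString())) return false;
    const c = d.context, num = c.x16.toInt32(), sc = SYSCALLS[num];   // x16 = syscall number
    const regs = [c.x0, c.x1, c.x2, c.x3, c.x4, c.x5];
    const args = regs.map((r, i) => (sc !== undefined && sc.pathArg === i) ? r.readUtf8String() : r.toInt32());
    let p = plan(num, args);
    if (!p.fake) {                                           // run the real one, keep its errno
      const ret = sys(num, ...regs);
      p = { x0: ret === -1 ? errnoLoc().readS32() : ret, error: ret === -1 };
    }
    c.x0 = ptr(p.x0 >>> 0);
    // XNU reports errors to the caller through the carry flag (NZCV bit 29). Assumption:
    // this Frida build exposes nzcv on the arm64 CpuContext.
    if ('nzcv' in c) c.nzcv = (p.error ? (c.nzcv | (1 << 29)) : (c.nzcv & ~(1 << 29))) >>> 0;
    c.pc = c.pc.add(4);                                      // resume just after the former svc
    return true;
  });

  // 3. Same policy on the ordinary wrappers the app also calls ("Protections" slide).
  // fopen is in libsystem_c and returns NULL on failure; it reuses open's policy.
  const WRAPPERS = [[kernel, 'stat64', 338], [kernel, 'open', 5], [kernel, 'access', 33],
                    [kernel, 'utimes', 138], [kernel, 'pathconf', 191], [kernel, 'getppid', 39],
                    ['libsystem_c.dylib', 'fopen', 5, true]];
  for (const [lib, name, num, nullOnFake] of WRAPPERS) {
    Interceptor.attach(Module.getExportByName(lib, name), {
      onEnter(a) { this.p = plan(num, SYSCALLS[num].pathArg === 0 ? [a[0].readUtf8String()] : []); },
      onLeave(ret) {
        if (!this.p.fake) return;
        if (this.p.error) errnoLoc().writeS32(this.p.x0);
        ret.replace(nullOnFake ? NULL : (this.p.error ? ptr('0xffffffffffffffff') : ptr(this.p.x0)));
      },
    });
  }
}
```

Load it at spawn time (`frida -U -f <bundle id> -l script.js`) so the svc rewrite happens before the first check runs. The scan is limited to the main executable's executable ranges, so the real `svc` inside libsystem_kernel that `sys()` relies on is never patched and the handler cannot recurse into itself. An aligned word in `__text` that merely happens to encode `svc #0x80` would also be patched; that is harmless only if it is never executed, so restrict the scan further on a target with large inline data. Rootfs-writability checks (`getfsstat64`, `statfs64`) pass through untouched here; defeating them means rewriting `f_flags` in the returned structures, which this sketch does not do.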

Future
Other techniques

 Try to load an invalid signature
 fcntl(F_ADDSIGS);
 Check if some JailBreak libraries are loaded in your process
 /usr/lib/substitute-inserter.dylib for example
 Can use dlopen / memory scanning / dyld internal structures, etc.
 Check if your process is instrumented
 Check code integrity
CRC, derive constants from the code, check API entries, etc.
 Time code execution
 Try to detect Frida
 Check signature state
 Via csops(CS_OPS_MARKKILL)
 Crash later
 Use a global context
 Put the crash long after the detection
 Complicates backtracking from the crash to the check

Future of iOS instrumentation

 Harder and harder to attack iOS devices
 Pointer authentication (PAC)
Per-process and per-Team-ID keys
A lot of kernel data pointers are now signed
 API hardening
Impossible to manipulate a system process even with its task port
Impossible to force a system process to send its task port in a mach message
 Sandboxing
More and more kernel APIs are sandboxed
ioctl, fcntl, syscalls, necp, etc.
More and more services are sandboxed
 Isolation
Kernel allocations segregation
 Apple not only kills bugs but also exploit techniques
 JailBreaks are more and more precious

PPL

 All the memory management is done in a special CPU state
 Impossible to patch the page tables with an arbitrary kernel write
 PPL also protects userland services
 PPL knows all the system services
Hashes are hardcoded in its data
 Forbids injecting third-party executable code into a system process
 Could be deployed for all the processes
 If they don’t have a special entitlement
 And since iOS 15, entitlements are also checked by PPL
 Still possible to manipulate the process…
 With data-only manipulation
 Or by using hardware breakpoints
 …but not that easy nor handy
 Need to sign pointers with the remote process's key
 Not an infinite number of hardware breakpoints
 All the tooling will have to be recoded
