Friday 14 June 2013

Defeating "simple" jailbreak detection with theos...

More and more developers are starting to build Jailbreak detection into their apps. A Jailbroken device is classed by many (especially MDM vendors) as compromised. I think this is a fair approach to take, many corporates don't want the risk of devices with un-verified software running on their network.

The problem with jailbreak detection is it can always be defeated. Due to the nature of Objective C it will always be possible to locate the method that is performing the detection and hook it so that it responds in the manner the original developer didn't intend.

When I first started to look at this I wasn't aware of xCon, if you are not interested in how to defeat simple jailbreak detection and just want to get round some non trivial Jailbreak detection in an app grab it from Cydia. The guys have done a good job to cover a lot of apps and for most it works well. You will probably find that it works on some apps that aren't listed too.

The process for patching out Jailbreak detection is something like this:
  1. Decrypt application
  2. Copy to your mac
  3. Dump classes using class-dump-z
  4. Find class that checks for jailbreak detection
  5. Create a patch with theos to hook it.
  6. Install & re run application.
For this you will need:
  1. An Jailbroken iOS device with mobile substrate installed
  2. A mac with Theos installed

Here it is in a bit more detail....

Step 1 - Decrypt application 
There is a long way to decrypt iPhone applications and a quick way. LightBulbOne's blog is a good read and has details on what to do if you want to try the longer way. I prefer the quick  way (some might say lazy) using tools. The best tool I have found so far is clutch. Having done it the long way I would suggest you use clutch! You can find clutch out on the internets and on some Cydia repos, it's commonly used by "Crackers" to pirate apps so sometimes goes missing or gets taken down.


To use clutch simply type the following at a shell prompt.

                  # ./clutch "name of your app"

Clutch will then automagically create an .ipa file of your application which you can then extract the decrypted binary from.

Step 2 - Copy the .ipa to your laptop and extract
This is a pretty straight forward step, just use Cyberduck or SCP to copy the .ipa to a folder or location on your laptop you can easily access. Using your favourite unarchiver extract the contents of the .ipa to a folder. I just use unzip from a cmd line.


Step 3 - Dump the class info
There is a great tool called class-dump-z that if you have looked at reversing iOS apps before you will be well aware of. You will need to grab it from here.

Once you have got class-dump-z you will need to run it against the application binary that can be found in the directory .../Payload/<nameofapp>.app/ . Usually the executeable will match the name of the application. To dump the class run the following command:

                     # class-dump-z Payload/DME\ 4.app/DME\ 4 > dump.txt



Step 4 - Locate method performing Jailbreak Detection
Next, open up the dump.txt file you just created using textpad or another editor. I have been using sublime recently and love it as you can set the language and get some colour coding to help you. Next look through the file or search for anything with "jail", "break" or "detection" in.


Here we can see a class "DMEDevice" that has a method of type BOOL called "isJailBroken". Now we can assume as this is a BOOL type that it is going to either return false or true. If we can hook this method and force it to always return false then we can probably evade the jail break detection.

Step 5 - Hooking with Theos
Theos is a  tool created by Dusten Howett and is used for jailbreak development to create .deb packages and install them on to your device there are some good articles and Wikis on installing theos check out the links below if you haven't got it installed already:

http://iphonedevwiki.net/index.php/Theos
http://iphonedevwiki.net/index.php/Theos/Getting_Started
http://brandontreb.com/beginning-jailbroken-ios-development-your-first-tweak

Once you have got theos installed you will need to create a new instance to do this use the (nic.pl script) following:

                    # $THEOS/bin/nic.pl

This will launch the menu, select option 5 "Tweak" and then fill in the relvant details.


The most important one to get right is the "MobileSubstrate Bundle filter". This tells your newly created tweak the application it needs to hook. If you don't know this you will be able to locate it in the file:

/var/mobile/Library/Caches/com.apple.mobile.installation.plist

It's a binary plist so you will need to use plutil that comes with com.ericasadun.utilities and downloadable from cydia. Simply type the following and then look for the "MobileSubstrate Bundle filter".

# plutil /var/mobile/Library/Caches/com.apple.mobile.installation.plist | grep "CFBundleName" -B1 | grep <App Name> -B1

Where <App Name> is the name of the application your are looking for.



Next you will need to add the required code into the file Tweak.xm file in your project directory.



Using your favoured editor open Tweak.xm and remove all the example code that is in the file. Next add the following:

%hook <Name of Class>
+(BOOL)<Name of Method>
        // Call the original method 
  %orig;

//Pop up an alert to show you got hooked, this is just for debug, you don't really need it
UIAlertView *alert = [[UIAlertView alloc] initWithTitle:@"isa56k pwning..." 
message:@"No Jailbreaks Here" 
delegate:nil 
cancelButtonTitle:@"Bye Bye" 
otherButtonTitles:nil];
[alert show];
[alert release];
        // The most important bit, return false and lie about the jailbreak status!!
return false;

}
%end

The items in RED above need to match up with your application. This is what my Tweak.xm looks like:


The most important part of the tweak is the really the final line of code in the function "return false". Every time that [DMEDevice isJailbroken] is now called in the application it will be replaced with our patch / tweak fooling the app telling it that it is not Jailbroken.

I have included a UI Alert so that we know our patch is being run, without this it can be difficult to tell that it has actually been called. You could remove this code once you are happy your tweak is working.

As we are using UIAlertView for a bit of debug we need to also include UIKit framework in our Makefile as well as a few other bits and pieces. Open up the Makefile in your project directory and add the following (some will already exist).

GO_EASY_ON_ME = 1
#The ip of your device that you will install the tweak on
export THEOS_DEVICE_IP=<YOUR DEVICE IP>
#The architecture you wish to compile for
export ARCHS=armv7 
export TARGET=iphone:latest:4.3
export SDKVERSION = 6.1

include theos/makefiles/common.mk

TWEAK_NAME = isnotjailbroken
isnotjailbroken_FILES = Tweak.xm
# Add this line in so that the UIKit framework is included
isnotjailbroken_FRAMEWORKS = UIKit

include $(THEOS_MAKE_PATH)/tweak.mk

It's worth noting that when adding in a framework the tweakname must match as below in red:

TWEAK_NAME = isnotjailbroken
isnotjailbroken_FILES = Tweak.xm
# Add this line in so that the UIKit framework is included
isnotjailbroken_FRAMEWORKS = UIKit

It took me ages to spot isnotJailbroken had an uppercase J when debugging an error!!

Here is my Makefile..



Step 6 - Install and Run
The final step is to make, package and install the tweak on to the jailbroken device. from inside your project directory type the following:

                    #sudo make package install

This should compile and then install the patch on your jailbroken device. I have got public key auth set up on my iOS test device so that I am not prompted to enter a password, but you maybe prompted to enter your SSH password for the devices root account at this point.


Next launch the application and check that you get the alert pop up, if you do then your tweak / hook is being called :)



This is only very simple Jailbreak detection, other apps have started to mask when they are checking for jailbreak detection and exactly how they are doing it. I believe some MDM vendors regularly change the methods and the code that checks to keep hackers on their toes.