iOS Jail break detection

Post date: Jan 31, 2014 11:53:56 AM

Any or a combination of the following indicates a jailbroken phone

• Run unsigned code

• Shell/SSH access to bash

  • fopen("/bin/bash", "r");

  • /usr/sbin/sshd

• Access to /private directories in the file system

  • /private/var

• Mobile Substrate – provides a foundation for preloading code into application before launch.

  • /library/MobileSubstrate/MobileSubstrate.dylib

• Cydia

  • /var/lib/cydia

  • /var/temp/cydia/log

Private Access on Jailbreak iPhone

View Keychain

/private/var/keychain/keychain.db

View db files (Keychain, CoreData, SQLite, Cache)

SSH to device Copy to desktop

run sqlite3 <db file name>

view tables: sqlite3> .tables

sqlite3> select *from <Table Name>

Info.plist

/private/var/mobile/Applications/Documents/App-Info.plist

NSUserDefaults

/private/var/mobile/Applications/<app Name folder>/Library/Preferences/<Bundle Identifier>.plist

CoreData

/private/var/mobile/Applications/Documents/<file Name>.sqlite

NSKeyedArchiver

/private/var/mobile/Applications/Documents/<file Name>.<extension>

Browser Cookies & Cache

/private/var/mobile/library/cookies/Cookies.binarycookies

/private/var/mobile/Library/Caches/com.apple.mobilesafari/Cache.db

Hybrid App Cache & Cookies

/var/mobile/Applications/<app Name folder>/Library/Caches/ < {file Name}.localstorage>

/var/mobile/Applications/<app Name folder>/Library/cookies/Cookies.binarycookies