iOS Jailbreak Detection
Post date: Jan 31, 2014 11:53:56 AM
Any one, or a combination, of the following indicates a jailbroken phone:
Run unsigned code
Shell/SSH access to bash
  fopen("/bin/bash", "r");
  /usr/sbin/sshd
Access to /private directories in the file system
  /private/var
Mobile Substrate – provides a foundation for preloading code into an application before launch.
  /Library/MobileSubstrate/MobileSubstrate.dylib
Cydia
  /var/lib/cydia
  /var/temp/cydia/log
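The file-existence and /private write checks listed above, as an added C example that is not from the original post. The `jb_` function names, the bitmask result and the `root` prefix parameter are assumptions of this example; the path table uses four of the paths listed above.

```c
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Indicator paths from the list above. */
static const char *const JB_PATHS[] = {
    "/bin/bash",
    "/usr/sbin/sshd",
    "/Library/MobileSubstrate/MobileSubstrate.dylib",
    "/var/lib/cydia",
};
#define JB_NPATHS (sizeof JB_PATHS / sizeof JB_PATHS[0])

/* Bit i of the result is set when JB_PATHS[i] exists under `root`.
 * Pass "" on a device; a non-empty root (an assumption of this example)
 * lets the check run against a constructed directory tree. */
unsigned jb_path_indicators(const char *root)
{
    unsigned hits = 0;
    char full[1024];
    struct stat st;
    for (size_t i = 0; i < JB_NPATHS; i++) {
        int n = snprintf(full, sizeof full, "%s%s", root, JB_PATHS[i]);
        if (n < 0 || (size_t)n >= sizeof full)
            continue;   /* truncated path: treat as absent */
        if (stat(full, &st) == 0)   /* matches files and directories */
            hits |= 1u << i;
    }
    return hits;
}

/* Probe for the "/private directories" indicator: try to create a file
 * in `dir` (e.g. "/private/var"). Assumption: a sandboxed app cannot.
 * Returns 1 if the file could be created, else 0. */
int jb_can_write_outside_sandbox(const char *dir)
{
    char probe[1024];
    int n = snprintf(probe, sizeof probe, "%s/.jb_probe", dir);
    if (n < 0 || (size_t)n >= sizeof probe)
        return 0;
    FILE *f = fopen(probe, "w");
    if (f == NULL)
        return 0;
    fclose(f);
    unlink(probe);      /* leave nothing behind */
    return 1;
}
```

On a device the calls would be `jb_path_indicators("")` and `jb_can_write_outside_sandbox("/private/var")`. Because Mobile Substrate can preload code into the app, a clean result is weak evidence and the individual signals are best combined.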
Private Access on a Jailbroken iPhone
View Keychain
  /private/var/keychain/keychain.db
View db files (Keychain, CoreData, SQLite, Cache)
  SSH to the device
  Copy the db file to the desktop
  Run sqlite3 <db file name>
  View tables: sqlite> .tables
  View rows: sqlite> select * from <Table Name>;
Info.plist
  /private/var/mobile/Applications/Documents/App-Info.plist
NSUserDefaults
  /private/var/mobile/Applications/<app Name folder>/Library/Preferences/<Bundle Identifier>.plist
CoreData
  /private/var/mobile/Applications/Documents/<file Name>.sqlite
NSKeyedArchiver
  /private/var/mobile/Applications/Documents/<file Name>.<extension>
Browser Cookies & Cache
  /private/var/mobile/Library/Cookies/Cookies.binarycookies
  /private/var/mobile/Library/Caches/com.apple.mobilesafari/Cache.db
Hybrid App Cache & Cookies
  /var/mobile/Applications/<app Name folder>/Library/Caches/<file Name>.localstorage
  /var/mobile/Applications/<app Name folder>/Library/Cookies/Cookies.binarycookies