Eugene Trapeznikov

Reputation: 3240

Detect if iOS app hacked

My friend got a jailbroken iPad. When he installed Business Model Generation App from Installous and tried to use it, the application showed a UIAlertView with the following message: Hacked Version

Does anybody know how to do that?

I have 2 ideas:

  1. If there is some set flag when you download app from the App Store, then you can use this flag: if flag = NO, you show the UIAlertView.
  2. Something with a server (but in this case, you should know all device IDs and who installed your application from the App Store).

Am I right? How can I implement this feature?

Upvotes: 9

Views: 8366

Answers (5)

iBreakiOS

Reputation: 31

This is an old question, but being a jailbreak developer myself, I think it can help folks who stumble upon it while searching for jailbreak detection bypass or such things, which are more and more relevant these days. The problem OP has is now very often present, more than it used to be.

These kinds of applications, even nowadays in 2020, detect various jailbreak utilities. I am a jailbreak developer myself. When we build a jailbreak for whatever iOS version, we add quite a few base binaries to aid further.

Nowadays we place them in various hidden folders like /jb/bin or /jailbreak/binbag/ or /jb/jbstuff/ etc, while in the past they used to be placed literally on the default iOS directories such as /bin /sbin etc.

Applications that have jailbreak detection do a [[NSFileManager defaultManager] fileExistsAtPath:...] to check for the presence of Cydia, these base binaries (most of the time they check for /bin/bash, but nowadays for even more), and today they even check if the ROOT FS has been remounted as R/W (it's normally RO, with only /var being writable).

Tweaks downloaded from Cydia usually don't check for jailbreak detection (well, most of the time - there is drama between various jailbreak devs, so there are artificial limitations even today), but they check the repo you downloaded from.

Most of the time it's as simple as what AppSync Unified tweak ended up doing.

There's a variable or a #define somewhere in the code of the tweak with the proper Cydia repo URL or identifier, and the tweak checks the Cydia lists to see if the tweak has been downloaded from there. If it hasn't, it would present an alert.

Some tweaks implement strange DRMs with the license being downloaded from the server side every time you reboot the phone (this is odd and rarely used in the jailbreak community).

Here's an example of what the AppSync Unified Tweak does:

#import <Foundation/Foundation.h>
#include <unistd.h>   // access(), F_OK

// Path of the dpkg file list that APT writes when the package is installed;
// its presence (and content) reveals which repository the package came from.
#define DPKG_PATH "/var/lib/dpkg/info/net.angelxwind.appsyncunified.list"

....

if (access(DPKG_PATH, F_OK) == -1) {
    NSLog(@"You seem to have installed AppSync Unified from a Cydia/APT repository that is not cydia.akemi.ai (package ID net.angelxwind.appsyncunified).");
    NSLog(@"If someone other than Linus Yang (laokongzi) or Karen/あけみ is taking credit for the development of this tweak, they are likely lying.");
    NSLog(@"Please only download AppSync Unified from the official repository to ensure file integrity and reliability.");
}

....

So in the case of this jailbreak tweak, it just checks the repo it's been downloaded from. A simple patch in here would be to just load the AppSyncUnified.dylib into an arm64/arm disassembler like Hopper or IDA or even Radare2 and patch the branch. Make it a B instead of a conditional branch, so that the result of the comparison is never accounted for. As simple as that. If you wanna analyze the full source code of AppSync Unified, there's the GitHub repo.

Of course, as I said, many tweaks use more sophisticated schemes like server-side DRM, but none of them are failproof.

*Please do understand that I do not condone tweak piracy. This reply is made to aid newcomers to this page and it aims to provide some insight into the current status of jailbreak detection and jailbreak tweaks DRM. Please buy the paid tweaks from the appropriate repos, they only cost a dollar or so.

Upvotes: 1

Ricardo

Reputation: 2301

I'm using this code in Swift:

// Any one of these signals means the bundle is not an untouched App Store copy.
if Bundle.main.infoDictionary?["SignerIdentity"] != nil
    || !FileManager.default.fileExists(atPath: "\(Bundle.main.bundlePath)/SC_Info")
    || !FileManager.default.fileExists(atPath: "\(Bundle.main.bundlePath)/iTunesMetadata.plist") {
    // Jailbroken
}

Upvotes: 2

Eugene Trapeznikov

Reputation: 3240

You can detect two files: SC_Info and iTunesMetadata.plist.

If you can't find them, then your app was pirated: these files are installed after downloading from the App Store.

This is the code to check:

NSString *bundlePath = [[NSBundle mainBundle] bundlePath];
NSFileManager *fm = [NSFileManager defaultManager];

// Build the paths with stringByAppendingPathComponent. The original form
// ( @"%@/SC_Info", bundlePath ) is a C comma expression that evaluates to
// bundlePath alone, so the check would test the bundle directory and never fire.
if (![fm fileExistsAtPath:[bundlePath stringByAppendingPathComponent:@"SC_Info"]])
{
    // jailbroken
}
if (![fm fileExistsAtPath:[bundlePath stringByAppendingPathComponent:@"iTunesMetadata.plist"]])
{
    // jailbroken
}

Upvotes: 12
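The following Swift function is an added example, not code from any of the answers on this page. It consolidates the three heuristics the answers above describe (the SignerIdentity key that older cracking tools left in Info.plist, and the SC_Info and iTunesMetadata.plist artifacts that a store download adds to the bundle) into one check that returns the list of signals it found, so that the caller can log the findings instead of reacting to a single boolean. The type name AppStoreCopyCheck and the function names are my own; the check assumes, as the answers do, that an untouched App Store copy carries both artifacts and no SignerIdentity key.

```swift
import Foundation

/// Added example: heuristics for "is this bundle an untouched App Store copy?"
/// Each signal is evidence, not proof; a patched binary can skip all of them,
/// and a development build from Xcode will trip the artifact checks because the
/// store never touched it.
struct AppStoreCopyCheck {

    /// Returns a human-readable finding for every signal that fired.
    /// An empty array means nothing suspicious was observed.
    static func findings(in bundle: Bundle = .main) -> [String] {
        var findings: [String] = []
        let fm = FileManager.default
        let bundlePath = bundle.bundlePath as NSString

        // 1. Older cracking tools re-signed the app and wrote a "SignerIdentity"
        //    key into Info.plist; an App Store build does not carry this key.
        if bundle.infoDictionary?["SignerIdentity"] != nil {
            findings.append("SignerIdentity key present in Info.plist")
        }

        // 2. SC_Info is added to the bundle by the store download.
        //    appendingPathComponent builds the path correctly; a comma
        //    expression such as (@"%@/SC_Info", path) would not.
        if !fm.fileExists(atPath: bundlePath.appendingPathComponent("SC_Info")) {
            findings.append("SC_Info missing from bundle")
        }

        // 3. iTunesMetadata.plist is likewise written by the store download.
        if !fm.fileExists(atPath: bundlePath.appendingPathComponent("iTunesMetadata.plist")) {
            findings.append("iTunesMetadata.plist missing from bundle")
        }

        return findings
    }

    /// Convenience wrapper: true when no signal fired.
    /// Treat a true result as "probably fine", not as a guarantee.
    static func looksLikeAppStoreCopy(in bundle: Bundle = .main) -> Bool {
        return findings(in: bundle).isEmpty
    }
}

// Usage: only run the check in release builds, and log rather than hard-fail
// so a false positive does not lock out a legitimate user.
#if !DEBUG
let issues = AppStoreCopyCheck.findings()
if !issues.isEmpty {
    NSLog("Not an untouched App Store copy: %@", issues.joined(separator: "; "))
}
#endif
```

Returning the list of findings rather than a single flag makes it possible to see in logs which heuristic fired, which matters when Apple changes how bundles are laid out and one of the artifact checks starts producing false positives on legitimate installs.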

Jorge Aguirre

Reputation: 2857

It's rather simple, but you could check if the Cydia app is installed (by checking if its folder exists). If it's installed, then you do not trust the device. This leaves the risk of incorrectly locking out jailbroken iPhones/iPads that downloaded your app from the App Store.

Upvotes: -3

wattson12

Reputation: 11174

There are some libraries around which can detect if an app is cracked (and jailbroken as well); this question gives a good overview, but basically it's done by checking the signer identity.

One library is AntiCrack. I haven't used this library, so I don't know how well it works.

Upvotes: 2
