How to break IOS Jailbreak Detection Using Corellium?

--

Photo by William Hook on Unsplash

Introduction:

Jailbreaking, the process of removing software restrictions on iOS devices, has been a topic of interest for many tech enthusiasts and researchers. However, from a security standpoint, it also raises concerns for app developers and organizations who want to protect their software from potential vulnerabilities. To combat this, various techniques have been developed to detect jailbroken devices and prevent certain apps from running on them. One such technique involves the use of Corellium, a powerful mobile device emulation platform. In this blog post, we will explore how Corellium can be leveraged to break jailbreak detection mechanisms and understand the implications it brings.

Understanding Jailbreak Detection: Before diving into the details, let’s briefly discuss jailbreak detection. Many mobile apps employ jailbreak detection mechanisms to identify whether a user’s device has been jailbroken. These mechanisms typically look for specific signs that indicate a device has been compromised, such as the presence of certain files or modifications to the system. If a jailbreak is detected, the app may refuse to run or limit its functionality to protect against potential security risks.

Introducing Corellium:

Corellium, developed by a company of the same name, is a powerful platform that allows for the virtualization and emulation of iOS devices. It provides researchers, developers, and security professionals with the ability to analyze and test iOS software in a controlled environment without physical access to an actual device. By running iOS instances within Corellium, one can closely examine the behavior of apps and the underlying system, making it an invaluable tool for exploring various security aspects.

Breaking Jailbreak Detection with Corellium: Corellium can play a crucial role in understanding how to jailbreak detection mechanisms work and subsequently circumvent them. By running an app within Corellium’s emulated iOS environment, one can closely monitor its behavior and identify the specific checks and triggers employed to detect jailbreaks. Here’s a step-by-step process of how Corellium can be leveraged to break jailbreak detection:

  1. Set up a Corellium environment: Create an account on the Corellium platform and set up an iOS device emulation instance. This will provide you with a virtual iOS device to work with.
  2. Install the target app: Install the app that employs jailbreak detection onto the emulated iOS device within Corellium.
  3. Monitor the app’s behavior: Launch the app and closely monitor its behavior within Corellium. Look for any error messages, log entries, or prompts that indicate the detection of a jailbroken device.
  4. Reverse-engineer the detection mechanism: Analyze the app’s code and associated files to identify the specific techniques used for jailbreak detection. This may involve examining file locations, system API calls, or checks for known jailbreak-related artifacts.
  5. Develop a mitigation strategy: Once you understand the jailbreak detection mechanism, you can start devising strategies to circumvent it. This may involve modifying certain files, intercepting system calls, or patching specific code segments within the app.
  6. Test and validate the mitigation: Implement your mitigation strategy and test the app within Corellium to ensure that it no longer detects the jailbroken environment. Monitor the app’s behavior and verify that it functions as intended.
  7. Document your findings: As a responsible researcher, document your findings, methodologies, and any potential implications of bypassing jailbreak detection mechanisms. Share your knowledge with the community to foster awareness and further discussions around mobile security.

How to Connect with Corellium with your device?

Installing Tunnelblick for macOS

  1. Download the appropriate version of Tunnelblick for your machine from tunnelblick.net/downloads.html.
  2. Navigate to tunnelblick.net/cInstall.html and follow the instructions to install Tunnelblick.
  3. Navigate to tunnelblick.net/cKextsInstallation.html to install the system extensions for Tunnelblick.

Connecting via Tunnelblick

  1. First, click on your device.
  1. Click CONNECT and then DOWNLOAD OVPN FILE.
  2. Add the VPN Configuration file to Tunnelblick by dragging the file over the Tunnelblick Application Icon. Navigate to tunnelblick.net/cInstallConfigurations.html for detailed instructions.
  3. Click the TunnelBlick icon, then “Connect …”
  1. GO to VPN Details and then to Utilities and install system extension
  1. The text will turn green, and you are now connected to the VPN!

Once connected to the VPN. Open up a local terminal, paste the ssh command to connect, and press the enter key. In our example, it is ssh root@10.11.1.1. Then enter the password alpine.

Replacing the Built-In Frida Server on iOS

This can be achieved with the following script placed in the references section of this article. Complete the following steps to replace the frida-server binary for iOS.

Important note: Updating frida-server to version 16.0.8 will not work, this is a known issue.

  1. Create a bash file that will contain the script.
touch frida_upate.sh
  1. Edit the bash file and paste into the script below.

Script to replace the version frida-server on your iOS device.

vim frida_update.sh
#!/bin/bash
FRIDA_VER=$1
# contains plist
cd /Library/LaunchDaemons/
# move plist to root
mv re.frida.server.plist ~
cd ~
# unload service
launchctl unload re.frida.server.plist
# stash plist
mv re.frida.server.plist /Library/LaunchDaemons
mv /Library/LaunchDaemons/re.frida.server.plist /Library/LaunchDaemons/re.frida.server.backup
# fetch FRIDA
wget -O /tmp/frida_${FRIDA_VER}_iphoneos-arm.deb https://github.com/frida/frida/releases/download/${FRIDA_VER}/frida_${FRIDA_VER}_iphoneos-arm.deb
# update server, agent and plist
dpkg -i /tmp/frida_${FRIDA_VER}_iphoneos-arm.deb
# restore plist
mv /Library/LaunchDaemons/re.frida.server.backup /Library/LaunchDaemons/re.frida.server.plist
# launch service using new plist
launchctl load /Library/LaunchDaemons/re.frida.server.plist
# delete package
rm /tmp/frida_${FRIDA_VER}_iphoneos-arm.deb
  1. Make the script executable for your user.
chmod u+x frida_update.sh
  1. Run the script from the root directory of your iOS device and pass in the version of frida-server you would like to run.
cd ~
./frida_update 16.0.19
  1. You can verify the frida-server was updated.
frida-server --version

You can now begin interacting with the device’s Frida-server.

Port Forwarding

If you want to connect without USBFlux using -H or --host, you should add a new entry 27042->27042 to the PORT FORWARDING tab of your device and then use:

For iOS virtualized devices Corellium provides the capability to enable port forwarding so these devices can interact in depth with systems on your local network. You can add new ports whenever you would like by entering a Device Port and Access Port.

Jailbreak Detection Bypass via Frida

Bypassing jailbreak detection using Frida

frida -H ip:27042 -f package_name -l jailbreak.js

Jailbreak Detection Bypass Via Objection

Run the below command to connect the application to the objection and explore the application.

objection --gadget\-g package_name explore

Run the below command to bypass the jailbreak detection

ios jailbreak disable

Important Considerations:

It’s essential to note that breaking jailbreak detection mechanisms using Corellium or any other means should always be performed within legal boundaries and ethical guidelines. Respect the terms and conditions set by app developers and avoid any malicious intentions.

References

--

--

THE HOW TO BLOG |Siddhanth Dwivedi

Siddhanth Dwivedi | Senior Security Engineer & AWS Community Builder 👨🏾‍💻