Application Security Blog | Technical Insights | Corellium

How to Bypass Jailbreak Detection with Frida | Corellium

Written by Steven Smiley | Jul 26, 2023 4:05:21 PM

Jailbreak detection algorithms serve as a powerful barrier in the world of iOS security, preventing users with jailbroken devices from accessing particular apps. While this protects app developers and improves device security, it can also make security testing for iOS applications difficult, constricting the scope of analysis.

This blog post explores the start of an interesting topic, avoiding jailbreak detection for iOS applications. This post will use the iOS DVIA-2 (Damn Vulnerable Application). We will start with a beginner method for jailbreak bypasses by looking at the app's classes and using the capabilities of Corellium's virtualized platform rather than relying on physical devices.

We walk you through the process of setting up Corellium's virtualized device environment, examining the pertinent DVIA-2 classes, and how to bypass jailbreak detection. By following along, you'll discover approaches that may be used with different apps and useful insights into how iOS applications function.

Please be aware that this blog post's sole goal is education, written with researchers, developers, and iOS security enthusiasts in mind. Respecting the limits set by developers and application providers and abiding by ethical standards are crucial.

Setup and Configuration

To get started with the DVIA-2 application, we must download the iPA and set up a virtualized iOS jailbroken device for us to work with.

The DVIA-2 application can be downloaded here.

Once you have the iPA, in Corellium, you will need to set up an iOS device, for this exercise, I will be using an iPhone 7 Plus on 15.7.1.

Once the device is created and booted up, we can install the DVIA-2 iPA that we obtained above. That can be installed easily through the “Files” tab on the left of Corellium.

Identifying Classes – Jailbreak Test 2

You can now launch the DVIA-2 application from your device and navigate to the “Jailbreak Detection” menu. We will be working on challenge 2 to look at classes. The other challenges require more in-depth reverse engineering, which I will cover in a separate blog post.

The first thing we need to do is identify the classes within the DVIA application that are responsible for jailbreak detection. The following Frida script can be used to either dump all class names (if the search field is blank) or search for a specific search time like I am below (looking for Jailbreak).

The above script can be added into the Frida console within Corellium. From the Frida tab attach to the DVIA application (make sure the app is running) and execute the script. 

Once the script has been executed, you should see the following classes within the DVIA-2 application relating to “Jailbreak”

Identifying Methods

Now that we have a good idea of what class is being used for Jailbreak detection (JailbreakDetection), we can start looking at the methods that are used. The following script can be used to enumerate methods to a specific class name (set at the beginning of the script). 

We need to run this script against the DVIA-2 application in the Frida console within Corellium using the same methods we did above. The results should be similar to the following: 

The one we are looking for in this situation is the following method under the JailbreakDetection class: 

+ isJailbroken

Hooking Methods to Modify Results

So now that we have the class and the method, we need to hook it to see what is being returned. Below is a script we can use: 

Note: This script can be utilized for multiple apps. Just make sure to update the class and function to reflect the app you are testing. 

We can run this script within the Corellium platform; unlike the two scripts we ran above, this script will require user interaction after it is run. When running it, click the “Jailbreak Test 2” within the DVIA-2 application to see the results (should be similar to below).

 

If you selected any other test within the DVIA-2 application, you won’t see the results because their implementations require some more in-depth reverse engineering. Sticking to the “Jailbreak Test 2” will ensure it continues to work. 

Modifying the Values

Now that we got a Boolean value of 1 getting returned, we need to focus on writing a script to flip that to bypass the jailbreak detection. Below is the script we can use: 

Note: similar to the above script, this can be used for other apps if you change the class name, function name and the value to modify. 

When you run this script and click “Jailbreak Test 2,” you will notice that the device is no longer shown as jailbroken. 

 

Hopefully this helps you learn the basics of Frida scripting for iOS applications. Please watch for upcoming webinars and blog posts to go more in-depth with Frida scripting, iOS reverse engineering, and more. 

Unlock Superior Mobile Security Testing with Corellium

Equip your security teams with unprecedented tools for both manual and automated testing, freeing up valuable engineering time and saving money. Discover the power of Corellium’s high-fidelity virtual devices and spin-up near limitless combinations of device and OS with one-click jailbreak/root access. Set up a meeting today to see how we can streamline your processes and reduce costs.