iossecuritysuite's People

Contributors

adobels, ant-tree, benbahrenburg, bguidolim, fnxpt, fotidim, gcharita, izmcm, longxiangguo-123, mkj-is, nevun, nikoxu, r3ggi, tannerjin, undeadd, vocaeq, winkelsdorf

iossecuritysuite's Issues

FileManager.default.fileExists - Check if it's Hooked

Hello.

What I'm trying to do is to check if the FileManager.default.fileExists function is a hooked function.

When I try with the following code

        typealias FunctionType = @convention(thin) (String) -> (Bool)
        func getSwiftFunctionAddr(_ function: @escaping FunctionType) -> UnsafeMutableRawPointer {
            return unsafeBitCast(function, to: UnsafeMutableRawPointer.self)
        }
        
        
        let funcAddr = getSwiftFunctionAddr(FileManager.default.fileExists)
        
        
        IOSSecuritySuite.amIMSHooked(funcAddr)

I get an error here

let funcAddr = getSwiftFunctionAddr(FileManager.default.fileExists)

INTERNAL ERROR: feature not implemented: nontrivial thin function reference

Does anyone know what this is and if there is any solution to actually check if this function is hooked?

Thanks a lot !

Inaccessible errors for certain API's in Xcode 13.2.1

I am getting the below errors for both cocoa pod and manual installation. Need your expertise to resolve these issues.

Error statement:

  • Cannot infer contextual base in reference to member 'custom'.
  • Type 'IOSSecuritySuite' has no member 'getMachOFileHashValue'.
  • Cannot infer contextual base in reference to member 'default'

denySymbolHook crash on iOS 14

denySymbolHook works when the app is run from Xcode. The app crashed when I launched it directly without Xcode. This happened on iOS 14. I can run the same app on iOS 12 without any issue.

The FrameworkClientDemo can reproduce this by adding code in viewDidAppear:

      IOSSecuritySuite.denySymbolHook("dlopen")
      let kernelHandle = dlopen("/usr/lib/system/libsystem_kernel.dylib", RTLD_LAZY)

The crash is not in the denySymbolHook method. It crashes when the symbol is invoked after denySymbolHook.
If I remove the first line of code, then the app will not crash.

The crash log:

Hardware Model:      iPhone10,3
Process:             FrameworkClientApp [864]
Path:                /private/var/containers/Bundle/Application/0D0EA6FE-4CF8-42BC-8C4E-2289508F61A1/FrameworkClientApp.app/FrameworkClientApp
Identifier:          biz.securing.FrameworkClientApp.test20201120
Version:             1 (1.0)
Code Type:           ARM-64 (Native)
Role:                Foreground
Parent Process:      launchd [1]
Coalition:           biz.securing.FrameworkClientApp.test20201120 [780]


Date/Time:           2020-11-20 14:19:52.5214 +0800
Launch Time:         2020-11-20 14:19:52.3926 +0800
OS Version:          iPhone OS 14.2 (18B92)
Release Type:        User
Baseband Version:    6.02.01
Report Version:      104

Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Subtype: KERN_INVALID_ADDRESS at 0x0000000000000000
VM Region Info: 0 is not in any region.  Bytes before following region: 4310532096
      REGION TYPE                 START - END      [ VSIZE] PRT/MAX SHRMOD  REGION DETAIL
      UNUSED SPACE AT START
--->  
      __TEXT                   100ed8000-100eec000 [   80K] r-x/r-x SM=COW  ...workClientApp

Termination Signal: Segmentation fault: 11
Termination Reason: Namespace SIGNAL, Code 0xb
Terminating Process: exc handler [864]
Triggered by Thread:  0

Thread 0 name:  Dispatch queue: com.apple.main-thread
Thread 0 Crashed:
0   ???                             000000000000000000 0 + 0
1   libdyld.dylib                   0x0000000192f57fc0 dyld_stub_binder + 60
2   FrameworkClientApp              0x0000000100ee55cc 0x100ed8000 + 54732
3   FrameworkClientApp              0x0000000100ee6e9c 0x100ed8000 + 61084
4   UIKitCore                       0x00000001954a4e20 -[UIViewController _setViewAppearState:isAnimating:] + 832
5   UIKitCore                       0x00000001954a5780 -[UIViewController __viewDidAppear:] + 168
6   UIKitCore                       0x00000001954a5a80 -[UIViewController _endAppearanceTransition:] + 248
7   UIKitCore                       0x000000019538eb30 __48-[UIPresentationController transitionDidFinish:]_block_invoke + 136
8   UIKitCore                       0x000000019600ae40 -[_UIAfterCACommitBlock run] + 64
9   UIKitCore                       0x0000000195b6fcc8 _runAfterCACommitDeferredBlocks + 296
10  UIKitCore                       0x0000000195b5f1f8 _cleanUpAfterCAFlushAndRunDeferredBlocks + 200
11  UIKitCore                       0x0000000195b90790 _afterCACommitHandler + 76
12  CoreFoundation                  0x000000019327c86c __CFRUNLOOP_IS_CALLING_OUT_TO_AN_OBSERVER_CALLBACK_FUNCTION__ + 32
13  CoreFoundation                  0x0000000193276f40 __CFRunLoopDoObservers + 604
14  CoreFoundation                  0x0000000193277488 __CFRunLoopRun + 960
15  CoreFoundation                  0x0000000193276b90 CFRunLoopRunSpecific + 572
16  GraphicsServices                0x00000001a9599598 GSEventRunModal + 160
17  UIKitCore                       0x0000000195b60638 -[UIApplication _run] + 1052
18  UIKitCore                       0x0000000195b65bb8 UIApplicationMain + 164
19  FrameworkClientApp              0x0000000100ee7964 0x100ed8000 + 63844
20  libdyld.dylib                   0x0000000192f55588 start + 4

Thread 1:
0   libsystem_pthread.dylib         0x00000001d990d86c start_wqthread + 0

Thread 2:
0   libsystem_pthread.dylib         0x00000001d990d86c start_wqthread + 0

Thread 3:
0   libsystem_pthread.dylib         0x00000001d990d86c start_wqthread + 0

Thread 4:
0   libsystem_pthread.dylib         0x00000001d990d86c start_wqthread + 0

Thread 5:
0   libsystem_pthread.dylib         0x00000001d990d86c start_wqthread + 0

Thread 6 name:  com.apple.uikit.eventfetch-thread
Thread 6:
0   libsystem_kernel.dylib          0x00000001be3a2644 mach_msg_trap + 8
1   libsystem_kernel.dylib          0x00000001be3a1a48 mach_msg + 72
2   CoreFoundation                  0x000000019327d0ec __CFRunLoopServiceMachPort + 376
3   CoreFoundation                  0x0000000193277560 __CFRunLoopRun + 1176
4   CoreFoundation                  0x0000000193276b90 CFRunLoopRunSpecific + 572
5   Foundation                      0x00000001944947f8 -[NSRunLoop+ 30712 (NSRunLoop) runMode:beforeDate:] + 228
6   Foundation                      0x00000001944946d8 -[NSRunLoop+ 30424 (NSRunLoop) runUntilDate:] + 88
7   UIKitCore                       0x0000000195c0c438 -[UIEventFetcher threadMain] + 504
8   Foundation                      0x00000001945f14bc __NSThread__start__ + 848
9   libsystem_pthread.dylib         0x00000001d9908b3c _pthread_start + 288
10  libsystem_pthread.dylib         0x00000001d990d880 thread_start + 8

Thread 7:
0   libsystem_pthread.dylib         0x00000001d990d86c start_wqthread + 0

Thread 8:
0   libsystem_pthread.dylib         0x00000001d990d86c start_wqthread + 0

Thread 0 crashed with ARM Thread State (64-bit):
    x0: 0x0000000192f84714   x1: 0x00000001e9adb0e0   x2: 0x0000000000000000   x3: 0x00000001e9b158c0
    x4: 0x00000001e9b15910   x5: 0x0000000000000008   x6: 0x00000001e9b15918   x7: 0x00000001ea238710
    x8: 0x00000001e9ada000   x9: 0x0000000000000001  x10: 0xfffffffe00000000  x11: 0x0000000000000000
   x12: 0x0000000000000003  x13: 0x00000001970566a0  x14: 0x0000000000020000  x15: 0x0000000000000002
   x16: 0x0000000192f57f84  x17: 0x0000000100eed8b8  x18: 0x0000000000000000  x19: 0x0000000000000dc4
   x20: 0x0000000100eed8b8  x21: 0x00000001e9adb0e0  x22: 0x0000000106205860  x23: 0x0000000000000001
   x24: 0x0000000000000000  x25: 0x00000001dba1f000  x26: 0x0000000000000001  x27: 0x00000001dc06f000
   x28: 0x00000001ea191000   fp: 0x000000016ef25d90   lr: 0x0000000192f598bc
    sp: 0x000000016ef25d70   pc: 0x0000000000000000 cpsr: 0x60000000
   esr: 0x82000006 (Instruction Abort) Translation fault

Use of unresolved identifier 'Self'

I have checked out your code and tried to compile it; it shows Use of unresolved identifier 'Self'.

Below I have mentioned the issue details:

Filename: JailbreakChecker
Line number: 113
Issue: Syntax error in self

Please check and update the code, thanks.

Question about the hashValue that is stored in the server

Hello,
I need help. I want more explanation about this script :

    if let hashValue = IOSSecuritySuite.getMachOFileHashValue(.default), hashValue == "your-application-executable-hash-value" {
        print("I have not been Tampered.")
    } else {
        print("I have been Tampered.")
    }

I generate the hash value from executable file but it's not matching with the app generated value.

AntiMSHook with Mobile Substrate seems not working

I tested AntiMSHook with both substrate and substitute, and I found out that the version with substrate is not working.

For substitute, case starting with ADRP instruction works really fine and all functions(detection / deny) are normal.
However, in case of substrate, it can find patterns - LDR x16 and BR x16, but fails to find original(unhooked) address from vm_regions.

My tweak is :

...
static int (*orig_ViewController_testDummy)(int) = NULL;
int hook_ViewController_testDummy() {
        printf("testDummy Hooked!\n");
        return 1;
}
...

%ctor {
        %init(ViewController = objc_getClass("MSHookTester.ViewController"));
...
        //Find Symbol
        void* symbol_address = MSFindSymbol(NULL,"_$s12MSHookTester14ViewControllerC11viewDidLoadyyF9testDummyL_5valueS2i_tF");
        //unsigned long address_long = (unsigned long)symbol_address;

        //Hook Symbol
        MSHookFunction(symbol_address,
                        (void *)hook_ViewController_testDummy,
                        (void **)&orig_ViewController_testDummy);
}

And my swift code :

    func testDummy(value: Int) -> Int {
        print("Test origin : \(value)")
        return value
    }
    typealias FunctionType = @convention(thin) (Int) -> (Int)
    func getSwiftFuncAddr(_ function: @escaping FunctionType) -> UnsafeMutableRawPointer {
        return unsafeBitCast(function, to: UnsafeMutableRawPointer.self)
    }
    let funcAddrDetect = getSwiftFuncAddr(testDummy)

    //Check
    print(IOSSecuritySuite.amIMSHooked(funcAddrDetect)) //true

    //Hook Deny : print Unhooked!
    if let origin: UnsafeMutableRawPointer = IOSSecuritySuite.denyMSHook(funcAddrDetect) {
        print("testDummy origin exec : result (expects 15) : \(unsafeBitCast(origin, to: FunctionType.self)(15))")
    } else {
        print("Unhooked!")
    }

I've tested a lot and found out that comparing the original address with the address AFTER ldr/br instructions in vm_region always fails.

Am I doing something wrong?

### Xcode version

Xcode version

Version 13.2.1 (13C100)

Swift version

Swift 5

Installation platform & version

Cocoapods 1.11.2

Goals

Using AdjustBridge

Expected results

Deleting an AdjustBridge Instance from Memory(When self.adjustBridge = nil)

Actual results

The AdjustBridge instance remains in memory

Steps to reproduce

    self.adjustBridge = AdjustBridge()
    self.adjustBridge?.loadWKWebViewBridge(webView, wkWebViewDelegate: self)
    self.adjustBridge = nil

Details

Please help
Unfortunately, I do not have suitable experience in Objective-C
I noticed the following behavior:
When an optional AdjustBridge object is initialized and deleted, it remains in memory. Judging by the debug, it is held by the "messageHandlers" dictionary objects that are created by Adjust.
Unlocking the library and applying [_base.messageHandlers removeAllObjects]; before removing gives a result. Please tell me how to fix this issue. Thank you!

Originally posted by @San4es1er in adjust/ios_sdk#585

Swift could not resolve dependency

Thanks for this project, I have a small issue.

When following the README and using the below fragment to add it as a dependency:

.package(url: "https://github.com/securing/IOSSecuritySuite.git", from: "1.4.0")

I get the following error:

Fetching https://github.com/securing/IOSSecuritySuite.git
Fetching https://github.com/apple/example-package-deckofplayingcards.git
error: the package dependency graph could not be resolved; unable to find any available tag for the following requirements:
    https://github.com/securing/IOSSecuritySuite.git @ 1.4.0..<2.0.0

Looking at the actual releases I see releases with 1.4 instead of 1.4.0. However, changing it to 1.4 will trigger the error:

Invalid semantic version string '1.4'

ReverseEngineeringToolsChecker needs more details for `amIReverseEngineered` method

Currently the IOSSecuritySuite.amIReverseEngineered() method returns only the Bool value of whether the app is potentially reverse engineered or not.
Could you add more information about what was detected?

static func amIReverseEngineered() -> ReverseEngineeredStatus { ... }

eg. IOSSecuritySuite.amIJailbrokenWithFailedChecks() returns JailbreakStatus with failMessage

Filemanager question

Hello.
As I see in your code you are using FileManager.default.fileExists to determine if there is any path that can be opened.
And you also have an array of paths that you want to check.

Isn't it really easy for the most common AntiJB detection tweaks to overwrite this function and return false when something like this list of text appears?

ex. https://github.com/XsF1re/FlyJB-X/blob/9476f70948663e00e0769bf643592fa3f50b84be/Tweaks/ObjCHooks.xm#L56

How do you approach these cases?

M1 Mac detected as a jailbroken device

Hi!

Unfortunately on M1 Mac the app with this library implemented now reports a jailbroken device. Is this something that came up before? Is there a fix or at least a workaround?

Thank you 🙇

idea: detect M1 Mac environment ^^

if #available(iOS 14.0, *), ProcessInfo.processInfo.isiOSAppOnMac { ... }

not sure if this would be helpful. but i thought why not :D
( too lazy to create a PR though ^^ sry )

False positive Cydia URL Scheme

Hi,
We're using IOSSecuritySuite in our app and suddenly a lot of our clients started to get our App blocked (which is our default behavior when a jailbreak is detected) after the iOS 14.4 update. I really don't know if the update is the cause but we've managed to reproduce the detection in a "pure" iOS 14.4 (bought from an official Apple reseller store) and it indeed happens.
Using the method:

let jailbreakStatus = IOSSecuritySuite.amIJailbrokenWithFailMessage()
if jailbreakStatus.jailbroken {
	print("This device is jailbroken")
	print("Because: \(jailbreakStatus.failMessage)")
} else {
	print("This device is not jailbroken")
}

The message is: "Cydia:// URL scheme detected". Has anyone reported this? Is there something we can do?

Thanks!

Attaching Debugger still possible with -waitfor option in debugserver

Hey guys,

I am currently playing around with this and found out that calling the denyDebugger() does only partially solve the issue. Of course this can be bypassed by writing into memory, but still, whenever I run debugserver *:1234 -waitfor MyApp I am still able to run the app because the wait option interrupts directly on the launch screen, even before the init call of the AppDelegate.swift.

Whenever I attach the debugger and run continue, the app crashes thanks to the denied debugger access inside of the init call of AppDelegate. However this opens up vulnerabilities, since I am still able to interact with the debugger as long as I don't let the app run the denyDebugger() function.

Is this something I will just have to live with? Seems to make the function suite ineffective in my eyes, but I'm ready to be proven wrong. :)

Cheers,
bob_mosh

New library release

Hi,
I'm noticing that the last release (1.5.0) doesn't contain the last commits. For example, the zbra URL scheme check is not present. Is it possible to release a new version of the library?

Thanks,
Giorgio

Saily Package Manager

Please add the "apt-repo://" url scheme as the Saily Package Manager uses this scheme, this is another Cydia alternative just like Zebra, Installer 5, and Sileo.

Add Pegasus IOCs?

Hi,

First of all, I love this project. Thanks for all you do.

I'm sure you've heard the latest news about NSO/Pegasus exploits and the forensic investigation by Amnesty International and Citizen Labs.
Would it be possible to add some of the IOCs they uncovered, like for example scanning for any process that's been associated with Pegasus? https://github.com/AmnestyTech/investigations/blob/master/2021-07-18_nso/processes.txt

I think adding that functionality would make ISS even better.

Cheers

Simulator False Positives

Issue: Calling this function on an Emulated Device returns two "False Positives"

IOSSecuritySuite.amIJailbrokenWithFailMessage()

Suspicious file exists: /bin/bash, Suspicious file can be opened: /bin/bash

Fork was able to create a new process (sandbox violation)

Proposal: Maybe skip those two checks if it's run on an emulated device?
IOSSecuritySuite.amIRunInEmulator()

Tested via: iPhoneXS iOS 12.2 Simulator | Xcode 11.3.1
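
One way to act on the proposal in the report above, added here as an example (it is not part of the original issue and not IOSSecuritySuite code): split the failMessage into its reasons and, on a simulator only, set aside the reasons the report lists, so that anything else still counts. The names `TriageVerdict`, `splitReasons` and `triage` are hypothetical, and the ", " separator is an assumption taken from the message quoted in the report.

```swift
import Foundation

/// Outcome of triaging one jailbreak-check result (hypothetical type for this example).
enum TriageVerdict: Equatable {
    case clean                       // the library reported nothing
    case simulatorNoise([String])    // only reasons known to fire on the simulator
    case suspicious([String])        // at least one reason that still needs attention
}

/// Reason prefixes reported as false positives on the iOS Simulator in the issue above.
let simulatorFalsePositivePrefixes = [
    "Suspicious file exists: /bin/bash",
    "Suspicious file can be opened: /bin/bash",
    "Fork was able to create a new process",
]

/// Splits a failMessage into individual reasons.
/// Assumption: reasons are joined with ", " as in the message quoted in the issue.
func splitReasons(_ failMessage: String) -> [String] {
    return failMessage
        .components(separatedBy: ", ")
        .map { $0.trimmingCharacters(in: .whitespacesAndNewlines) }
        .filter { !$0.isEmpty }
}

/// Decides how to treat a result. The simulator exemption is applied per reason,
/// so one unexpected reason keeps the whole result suspicious.
func triage(jailbroken: Bool, failMessage: String, isSimulator: Bool) -> TriageVerdict {
    guard jailbroken else { return .clean }
    let reasons = splitReasons(failMessage)
    // Fail closed: a positive result with no parsable reason is still suspicious.
    guard !reasons.isEmpty else { return .suspicious([]) }
    // On a real device nothing is exempt.
    guard isSimulator else { return .suspicious(reasons) }
    let remaining = reasons.filter { reason in
        !simulatorFalsePositivePrefixes.contains { reason.hasPrefix($0) }
    }
    return remaining.isEmpty ? .simulatorNoise(reasons) : .suspicious(remaining)
}

// Constructed inputs, built from the messages quoted on this page.
let simulatorMessage = "Suspicious file exists: /bin/bash, "
    + "Suspicious file can be opened: /bin/bash, "
    + "Fork was able to create a new process (sandbox violation)"
let mixedMessage = simulatorMessage + ", Cydia:// URL scheme detected"

// Simulator, only the listed reasons: treated as noise.
print(triage(jailbroken: true, failMessage: simulatorMessage, isSimulator: true))
// Same message on a device: every reason is kept.
print(triage(jailbroken: true, failMessage: simulatorMessage, isSimulator: false))
// Simulator, but with an extra reason: the extra reason is what remains.
print(triage(jailbroken: true, failMessage: mixedMessage, isSimulator: true))

// In an app the inputs would come from the library calls named in the issue:
//   let status = IOSSecuritySuite.amIJailbrokenWithFailMessage()
//   let verdict = triage(jailbroken: status.jailbroken,
//                        failMessage: status.failMessage,
//                        isSimulator: IOSSecuritySuite.amIRunInEmulator())
```

In release builds, derive `isSimulator` from a compile-time condition such as `#if targetEnvironment(simulator)` rather than a run-time signal, so the exemption cannot be switched on in a shipped binary.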

question about runtime hook

First of all, thanks for the lib and I'm a beginner when it comes to iOS security. I found some methods, amIRuntimeHook, denySymbolHook in the doc but both ask for parameters. I don't know what to pass to these parameters. What I want is to detect any hooking. Is it even possible? The goal is to detect hooking and stop the app from functioning. Thanks.

Anti MSHook does not work?

I wanted to use the Anti MSHook capability and decided to test out its effectiveness by writing a Theos Tweak using MSHook to hook a swift function that I wrote in an iOS application. I followed the implementation details in the README. However it seems that the Anti MSHook functions, amIMSHooked and denyMSHook both do not work as my tweak is still able to modify the function. Am I doing something wrong?

Swift Code under ViewController Class :

func CoolBeans(value: Int) -> Int{ return value }
typealias FunctionType = @convention(c) (Int) -> (Int)
func getSwiftFuncAddr(_ function: @escaping FunctionType) -> UnsafeMutableRawPointer { return unsafeBitCast(function, to: UnsafeMutableRawPointer.self)}
let funcAddrDetect = getSwiftFuncAddr(CoolBeans)
print(IOSSecuritySuite.amIMSHooked(funcAddrDetect))

Theos Tweak :

static int (*orig_ViewController_CoolBeans)(int) = NULL;
int hook_ViewController_CoolBeans() {
  // Do Something Different from Original Function
}
%ctor {
  %init(ViewController = objc_getClass("mshook.ViewController"));
  MSHookFunction(MSFindSymbol(NULL,"_$s6mshook14ViewControllerC11viewDidLoadyyF9CoolBeansL_5valueS2i_tF"),
  (void *)hook_ViewController_CoolBeans,
  (void **)&orig_ViewController_CoolBeans);
}

Not sure whether the following is relevant but, logging the loading of my tweak and when the getSwiftFuncAddr() is called, I found out that the tweak loads first which means that the function has already been tampered with by the time I call getSwiftFuncAddr(). I also logged the "CoolBeans" function address from both my tweak and the output of getSwiftFuncAddr() and there is a difference in both addresses.

Question on mach-o hash value

I can get a machOFileHashValue of main executable from code. But how do I get the value to store in server which will be later retrieved from app? Because every build generates new mach-o value.

Can iOS Deployment Target be downgraded to 9.0?

According to my local tests, iOS deployment target can be safely downgraded from 10.0 to 9.0.

This is important for me because I would like to add [IOSSecuritySuite](https://github.com/securing/IOSSecuritySuite) as a dependency to an SDK (which has deployment target 9.0). Probably it may be useful for someone else.

*I can help with PR and GHA CI if needed

Crashed in swiftOnceDenyFishHooK

Hi, my app crashed in method 'swiftOnceDenyFishHooK'.
System: iOS 11.2.6, 11.4.1, 12.0.0, 12.0.1, 12.1.4.

I use "amIRuntimeHook" to check my custom UIViewController's method, how to fix it?

Major Jailbroken issue

Hi Team,

We have been using your SDK for the past 2 years and recently our customers have complained regarding a jailbreak issue.
They complained that they are getting "Jailbreak error: cydia://" on their app, even though their device is not jailbroken.

We have tested on our end as well. There is one app on Appstore which is causing this error.
App link: https://apps.apple.com/ng/app/realconnect-dhre/id1346538794
When we install the above application on our device, it reports that "cydia://" is installed, as it's checking for the "cydia://" url scheme.

Please help us to know the root cause as we are losing customers.

Regards,
Himanshu Jindal

What is considered a hook?

Hi there, this is possibly a dumb question but I'm new with iOS security and I'm having some doubts about using the library.

I created a dumb app to test some knowledge and imported the iOSSecuritySuite library via Swift Package Manager. In my test app, I created a class with two functions as shown below (I'm trying to understand the difference between RuntimeHookChecker and MSHookChecker)


import Foundation

typealias FunctionType = @convention(thin) (OtherClass) -> () -> (Bool)

class OtherClass {
  init() { }

  func hookThisFunctionToTestMSHookDetection() -> Bool {
    return false
  }
  
  @objc dynamic func hookThisFunctionToTestRuntimeHookDetection() -> Bool {
    return false
  }
}

So, on my ViewController, I have two buttons that call

  func getSwiftFunctionAddr(_ function: @escaping FunctionType) -> UnsafeMutableRawPointer {
    return unsafeBitCast(function, to: UnsafeMutableRawPointer.self)
  }

  @IBAction func callMSHook(_ sender: Any) {
    let funcAddr = getSwiftFunctionAddr(OtherClass.hookThisFunctionToTestMSHookDetection)
    let amIMSHooked = IOSSecuritySuite.amIMSHooked(funcAddr)
    
    self.textView.text = "MSHook = \(amIMSHooked)\notherClass = \(otherClass.hookThisFunctionToTestMSHookDetection())"
  }
  
  @IBAction func callRuntime(_ sender: Any) {
    let amIRuntimeHooked: Bool = IOSSecuritySuite.amIRuntimeHooked(dyldWhiteList: [], detectionClass: OtherClass.self, selector: #selector(OtherClass.hookThisFunctionToTestRuntimeHookDetection), isClassMethod: false)
    
    self.textView.text = "RuntimeHook = \(amIRuntimeHooked)\notherClass = \(otherClass.hookThisFunctionToTestRuntimeHookDetection())"
  }

I installed this app on my jailbroken iPhone and used Frida to change the return of OtherClass' functions with the script below

var targetModule = 'HookDetectionPoC';
var addr = ptr(0x9530);
var moduleBase = Module.getBaseAddress(targetModule);
var targetAddress = moduleBase.add(addr);
Interceptor.attach(targetAddress, {
    onEnter: function(args) {
        this.context.x0=0x01
    },
});

addr = ptr(0x9514);
moduleBase = Module.getBaseAddress(targetModule);
targetAddress = moduleBase.add(addr);
Interceptor.attach(targetAddress, {
    onEnter: function(args) {
        this.context.x0=0x01  
    },
});

This was able to modify the result of the functions and now they are returning true instead of false. Unfortunately, the hook detections are not working and always return false.

Can someone help me to test the hook detection?

Got AppStore rejected

Hi All,
Recently I updated the library from 1.7.1 to 1.9.1 and submitted to AppStore review on Nov 19, 2021.
It detected a jailbroken device for the AppStore review team, causing the App to be rejected for showing an error screen (we implemented it to present suspicious device detection)

Here is device info

  • Device type: iPhone
  • OS version: iOS 15.1
Podfile.lock
- IOSSecuritySuite (1.9.1)

Here is code snippet

var isSuspiciouDevice: Bool {
    let amIDebugged = IOSSecuritySuite.amIDebugged() ? true : false
    let amIReverseEngineered = IOSSecuritySuite.amIReverseEngineered() ? true : false
    let jailbreakStatus = IOSSecuritySuite.amIJailbrokenWithFailMessage()
    return (jailbreakStatus.jailbroken || amIReverseEngineered || amIDebugged)
  }

Unfortunately, we do not track jailbreakStatus.failMessage from user's device. So now I would like to ask whether anyone else has this issue or not.

We submitted v.1.9.1 before (around Nov 5, 2021) but had no issue. So it might be some changes from the AppStore Review team?

more of a question

thanks for the SDK first and foremost, does this detect jjolano/shadow tool?

False Positive Case

Hi, One of our customers devices is returning the message that it is jailbroken but according to him the device is not jailbroken

I have checked his device with one other library DVIA and it is showing that the device is not jailbroken

Changes since Frida 12.7.12 for injecting Frida-Gadget

Hi,

I was just testing the new feature since Frida 12.7.12, where the Frida Gadget can be installed in a running iOS app on a non-jailbroken device that is running in debug mode (repackaging with the Frida-gadget is not needed anymore):

Changes in 12.7.12: Full-featured iOS lockdown integration and unified devices, so Frida-based tools don’t need to worry as much about jailed vs jailbroken. When interacting with a jailed iOS device, Gadget is now injected automatically and there is no need to repackage the app, it only has to be debuggable. (https://frida.re/news/2019/09/18/frida-12-7-released/)

See also: https://www.nowsecure.com/blog/2020/01/02/how-to-conduct-jailed-testing-with-frida/

I was testing this with the sample app that I created (https://github.com/sushi2k/SwiftSecurity). There was no Frida server running on the iOS device, the app was not re-packaged with Frida and just in debug mode. When I was attaching Frida to the running process the frida-gadget was injecting and I got the Frida CLI:

$ frida -U "SwiftSecurity"
     ____
    / _  |   Frida 12.8.5 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://www.frida.re/docs/home/

[iPhone::SwiftSecurity]-> Frida.version
"12.8.5"

But in the app when I press the button "Check for RE Tools" it's not detecting Frida, and it looks like this https://github.com/sushi2k/SwiftSecurity/blob/master/swiftsecurity.png?raw=true

If I start the Frida-server on the jailbroken phone, the button turns red. As the frida-gadget is injected into the app the library should be able to detect it (see https://github.com/securing/IOSSecuritySuite/blob/master/IOSSecuritySuite/ReverseEngineeringToolsChecker.swift#L18).

Any idea why your library is not detecting this "new" injection mechanism in Frida?

Sorry if this post became a bit too long and complicated...
