WHITE PAPER
Process
All jailbreaks exploit iOS vulnerabilities to bypass, disable or patch the code-signature checks that run when an iOS device boots and that ensure it loads only Apple-approved software. Once those checks are defeated, the device can run software Apple never signed. One of the most popular sources of such software is Cydia, an app that helps users find and download packages for their jailbroken iOS devices. While the technical mechanisms behind each jailbreak technique remain complex, the end-user experience today is relatively simple, because tools largely automate the jailbreaking process. Popular jailbreaking tools include:
Absinthe
blackra1n
Corona
evasi0n
greenpois0n
JailbreakMe
limera1n
Pangu
PwnageTool
redsn0w
sn0wbreeze
Spirit
TaiG
Given their dependence on specific iOS vulnerabilities, each jailbreaking tool typically works on only a limited range of iOS versions and devices. The evasi0n tool, for example, which helped jailbreak over 7 million iOS devices in 2013,[5] works for iOS 6.0-6.1.2 and, in its evasi0n7 release, for iOS 7.0-7.0.6. More recent tools include TaiG, used to jailbreak iOS 8.0-8.1.2, and Pangu, whose latest version, Pangu8, can jailbreak iOS 8.0-8.1. Apple closes the underlying vulnerabilities in subsequent releases, so a tool that works today usually stops working on the next iOS version.
In the early days of iOS, many jailbreak techniques could not survive a device reboot. These so-called "tethered jailbreaks" required users to connect the device to a computer every time they wanted to reboot it into a jailbroken state; rebooted on its own, the device either came up un-jailbroken or failed to boot. Most modern jailbreak tools (e.g. evasi0n, TaiG and Pangu) are "untethered", however, and allow devices to reboot independently in a jailbroken state.
The automation provided by these tools has put jailbreaking within the technical reach of most iOS users and reduced the time the jailbreak itself takes to a matter of minutes. Most modern jailbreak tools require users to take only the following steps:
1. Manually verify the iOS version (via Settings > General > About > Version) against the versions the tool supports
2. Back up device data (an optional but recommended precaution)
3. Manually enable or disable a few basic device settings (e.g. "turn off device passcode")
4. Download the jailbreak software to a computer
5. Connect the device to the computer via USB, open the jailbreak app, and run it
6. Wait for the device to reboot automatically
Jailbreak Detection Evasion
The enterprise security risks posed by jailbreaking compound
in the face of tools (e.g. xCon and FLEX) that can help users
easily evade common jailbreak detection methods. A user can
download xCon, for example, directly from the 3rd-party app
store Cydia.
Mobile device management (MDM) services provide jailbreak detection, as do many media and financial service apps that want to limit content piracy and account compromise, respectively. Unfortunately, these jailbreak detections rely on a combination of relatively straightforward and evadable tests, such as:
• Checking for files or directories common to jailbroken devices, such as the Cydia app bundle
• Checking for elevated filesystem permissions (e.g. a root filesystem that has been remounted read-write, or directories outside the app's container that are writable)
• Checking to see if an app can successfully write files outside of its sandbox
The fundamental limitation of these and comparable detection tests is that they are client-side tests: they run inside a process on a device the user controls, so the user can access, reverse-engineer and evade them, for example by hooking the very file-system calls the checks rely on so that they return "not found". In addition, the apps performing these jailbreak detection tests (e.g. the MDM app) must go through Apple's app review process, which limits the scope of data they can collect to analyze a device's jailbreak status.
[5] Andy Greenberg, "Evasi0n Is The Most Popular Jailbreak Ever: Nearly Seven Million iOS Devices Hacked In Four Days", Forbes, February 2013. http://www.forbes.com/sites/andygreenberg/2013/02/08/evasi0n-is-the-most-popular-jailbreak-ever-nearly-seven-million-ios-deviceshacked-in-four-days