3 min read

Mobile App Hardening: Root and Jailbreak Detection

Mobile App Hardening: Root and Jailbreak Detection

Unlike other operating systems like Windows, Linux, or OSX, both Android and iOS operating systems are usually shipped with built-in user rights restrictions. The process of removing such restrictions, which is not supported by either Google or Apple, is called rooting and jailbreaking, respectively, for Android and iOS.

In both of these operating systems, limiting the user's rights is a very important and natural way to keep them safe. Therefore, rooted or jailbroken phones present important security risks for a mobile banking or payment application.

At first glance, rooted or jailbroken devices may seem to give users more freedom, but they actually make mobile applications more vulnerable. This puts mobile and payment apps that run on these modified systems at risk. 

MASC Product sheet

In a rooted or jailbroken device, applications can have much more privileges than they should have. This means that malware will also be able to do things it would never be able to do in a non-modified device and may be hard or close to impossible to remove.

A root malware for instance can use a library like Xposed on Android to intercept the calls to the SSL libraries from a banking or payment application and read the confidential data transferred to financial institutions. Less obvious is that malware can root the operating system themselves and therefore a rooted device can be a sign of infection. 

To protect against the risks posed by rooted/jailbroken devices, banking apps or other apps with sensitive data need the ability to detect such conditions and to respond to them by preventing the execution or restricting the functionalities of the application. In what follows, we will see what corresponding techniques are used for jailbreak and rooting detection.

Jailbreak Detection Techniques (iOS)

Cydia & File-Based Checks

One very straightforward method to detect a jailbroken device is to check for the presence of Cydia. Cydia is a package manager that locates and installs unauthorized iOS binaries designed and developed for jailbroken devices. Here is a list of popular binaries reached through the Cydia platform:

  • Auxo. 
  • BiteSMS, Messages+
  • 3G Unrestrictor
  • iFile
  • Merge
  • NoNewsIsGoodNews
  • Sparrow+
  • TetherMe
  • Zephyr

As the developers of the application mention, Cydia needs a jailbroken device to run. So, finding Cydia on a device equals the fact that the device is jailbroken.

File Permissions

A jailbroken device allows users to reach and modify files or directories outside their sandbox, thus a successful modification of such files is the sign of jailbreak. For instance, the directory /private should not be writable by an application in iOS. Jailbreaking also changes partitions, so it must create several system symbolic links that also can be detected.

System APIs

Jailbreak detectors may call the system( ) function and other similar functions. Here are some typical return values from such operating system functions and how they indicate the presence of an ios jailbroken device or not:

System( )

Jailbroken

0

no

1

yes

 

Fork( )

Jailbroken

Failure

no

Success

yes

 

_dyld_image_name(...)

Jailbroken

-

no

‘MobileSubstrate’

yes

 

Checking Broken Kernel

A broken kernel is a sign that a jailbreak operation was performed. It’s possible to detect such a state by asking iOS to verify an incorrect code signature. An incorrect code signature will always be validated with a broken device, while an unbroken device will correctly report a bad signature.

Rooting Detection Techniques (Android)

Rooting detection will follow approximately the same technique as with iOS. 

SafetyNet

SafetyNet is the ‘official’ rooting detection package for Android. It can detect an unlocked bootloader, which is the obvious sign of a rooted device. SafetyNet is a complex system using billions of devices that are play-enabled. It gathers information from various sources and can allow the detection of a rooted device. 

Checking Files and Packages

The presence of several packages is a sign of a rooted Android device, for example:

  • Superuser.apk
  • com.noshufou.android.su
  • com.thirdparty.superuser
  • eu.chainfire.supersu
  • com.koushikdutta.superuser
  • com.zachspong.temprootremovejb
  • Com.ramdroid.appquarantine

One can also check for the following files; 

  • /system/bin/su
  • /system/xbin/su
  • /sbin/su
  • /system/su
  • /system/bin/.ext/.su
  • /system/usr/we-need-root/su-backup
  • /system/xbin/mu

Checking the BUILD tag 

Build tags that do not contain ‘standard’ values such as ‘test’, etc., indicate a rooted device.

Checking Permissions

Same as with iOS, a root detector can try to perform several operations outside of its normal rights and check whether they can complete or not. If a mobile banking/payment application can perform operations only possible for a root user, then obviously, a rooted device is detected. 

Conclusion

There are various ways to implement jailbreak and rooting detection, however, it should be seen only as a ‘helper’ countermeasure. On its own, detecting rooted/jailbroken devices doesn’t bring a lot of security. The important part is how the mobile app responds to the risks in combination with other security / defense mechanisms built into the app. Therefore, it is important that strong anti-tamper and obfuscation systems are in place as well.

 

Read White Paper

References and Further Reading

  • Read more articles about application security for mobile banking applications (2018 - today), by Martin Rupp, Stefan Hansen and more
  • Internet Security Threat Report, Volume 24 (February 2019), by Symantec Corporation 
  • MASC Mobile App Security Core (2019), Web page by Cryptomathic