From c88797748ef72432ed5e1ec8ac2887ca75364d4b Mon Sep 17 00:00:00 2001 From: Ilya Knyazkov Date: Tue, 20 Jul 2021 15:22:37 +0300 Subject: [PATCH 1/8] Add new dir on check jailbreak --- Utils/Utils/BrightSide/BrightSide.swift | 72 ++++++++++++++++++++----- 1 file changed, 58 insertions(+), 14 deletions(-) diff --git a/Utils/Utils/BrightSide/BrightSide.swift b/Utils/Utils/BrightSide/BrightSide.swift index 368910d..0fcc636 100644 --- a/Utils/Utils/BrightSide/BrightSide.swift +++ b/Utils/Utils/BrightSide/BrightSide.swift @@ -7,7 +7,7 @@ // import Foundation -import UIKit +import class UIKit.UIApplication public final class BrightSide { @@ -44,21 +44,17 @@ public final class BrightSide { private extension BrightSide { - /// Method will return true, if any of the files typical for the jailbreak exists - private static func isJailbreakDirectoriesExist() -> Bool { - let jailbreakDirectories = [ - "/Applications/Cydia.app", - "/Library/MobileSubstrate/MobileSubstrate.dylib", - "/bin/bash", - "/usr/sbin/sshd", - "/etc/apt", - "/private/var/lib/apt/" - ] - return jailbreakDirectories.map { FileManager.default.fileExists(atPath: $0) }.reduce(false, { $0 || $1 }) + /// Method will return true, if any of the files or dir, typical for the jailbreak, exists + static func isJailbreakDirectoriesExist() -> Bool { + let jailbreakRelativelyFilesAndPaths = suspiciousSystemFiles + + suspiciousAppsDir + + suspiciousSystemDir + return jailbreakRelativelyFilesAndPaths + .allSatisfy(FileManager.default.fileExists(atPath:)) } /// Method will return true if we can open cydia package - private static func canOpenCydia() -> Bool { + static func canOpenCydia() -> Bool { guard let cydiaURL = URL(string: "cydia://package/com.example.package") else { return false } 
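Review bot: In the `@@ -44,21 +44,17 @@` hunk, `isJailbreakDirectoriesExist()` now ends in `.allSatisfy(FileManager.default.fileExists(atPath:))`, so it returns true only when every listed path exists. The removed `map`/`reduce(false, ||)` returned true when any one path existed, which is what the doc comment still promises. With three lists merged, the all-match condition is practically never met, so the file-based check no longer contributes to the jailbreak verdict. Keep the any-match semantics with `return jailbreakRelativelyFilesAndPaths.contains(where: FileManager.default.fileExists(atPath:))`. PATCH 2/8 later switches to `contains`, but fixing it here keeps this commit correct on its own.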
@@ -66,8 +62,56 @@ private extension BrightSide { } /// Method will return true if current device is simulator - private static func isSimulator() -> Bool { + static func isSimulator() -> Bool { return ProcessInfo.processInfo.environment["SIMULATOR_DEVICE_NAME"] != nil } } + +// MARK: - Suspicious dir + +extension BrightSide { + + static var suspiciousAppsDir: [String] { + return [ + "/Applications/Cydia.app", + "/Applications/blackra1n.app", + "/Applications/checkra1n.app", + "/Applications/Zeon.app", + "/Applications/FakeCarrier.app", + "/Applications/Icy.app", + "/Applications/IntelliScreen.app", + "/Applications/MxTube.app", + "/Applications/RockApp.app", + "/Applications/SBSettings.app", + "/Applications/WinterBoard.app" + ] + } + + static var suspiciousSystemDir: [String] { + return [ + "/private/var/lib/apt", + "/private/var/lib/apt/", + "/private/var/lib/cydia", + "/private/var/mobile/Library/SBSettings/Themes", + "/private/var/stash", + "/usr/bin/sshd", + "/usr/libexec/sftp-server", + "/usr/sbin/sshd", + "/etc/apt", + "/bin/bash" + ] + } + + static var suspiciousSystemFiles: [String] { + return [ + "/Library/MobileSubstrate/DynamicLibraries/LiveClock.plist", + "/Library/MobileSubstrate/DynamicLibraries/Veency.plist", + "/private/var/tmp/cydia.log", + "/System/Library/LaunchDaemons/com.ikey.bbot.plist", + "/System/Library/LaunchDaemons/com.saurik.Cydia.Startup.plist", + "/Library/MobileSubstrate/MobileSubstrate.dylib" + ] + } + +} From 8397abb108ddad4983b3dc5660926274e6d29157 Mon Sep 17 00:00:00 2001 From: Alexey Kosov Date: Tue, 10 Sep 2024 18:04:19 +0700 Subject: [PATCH 2/8] SNP-1864 update brightside, fix logic, add more directories --- Utils/BrightSide/BrightSide.swift | 79 ++++++++++++++++++++++++------- 1 file changed, 61 insertions(+), 18 deletions(-) diff --git a/Utils/BrightSide/BrightSide.swift b/Utils/BrightSide/BrightSide.swift index 0fcc636..802ebe3 100644 --- a/Utils/BrightSide/BrightSide.swift +++ b/Utils/BrightSide/BrightSide.swift 
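Review bot: In the `@@ -66,8 +62,56 @@` hunk of PATCH 1/8, the three indicator lists are computed `static var`s, so every call to `isJailbreakDirectoriesExist()` rebuilds all three arrays. The enclosing `extension BrightSide` also has no access modifier, which makes the lists visible module-wide. Declaring them as constants inside a `private extension BrightSide`, for example `static let suspiciousAppsDir: [String] = [ ... ]`, avoids both. `suspiciousSystemDir` also lists `/private/var/lib/apt` twice (with and without the trailing slash) and holds files such as `/usr/bin/sshd` and `/bin/bash`, so either the name or the contents should be adjusted.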
@@ -21,7 +21,7 @@ public final class BrightSide { } // Check 2 : existence of files that are common for jailbroken devices - if isJailbreakDirectoriesExist() || canOpenCydia() { + if isJailbreakDirectoriesExist() || suspiciousURLs.contains(where: { canOpenUrl(urlString: $0) }) { return false } @@ -46,31 +46,41 @@ private extension BrightSide { /// Method will return true, if any of the files or dir, typical for the jailbreak, exists static func isJailbreakDirectoriesExist() -> Bool { - let jailbreakRelativelyFilesAndPaths = suspiciousSystemFiles - + suspiciousAppsDir - + suspiciousSystemDir - return jailbreakRelativelyFilesAndPaths - .allSatisfy(FileManager.default.fileExists(atPath:)) + let jailbreakPaths = suspiciousSystemFiles + suspiciousAppsDir + suspiciousSystemDir + // These files can give false positive in the simulator + let deviceOnlyPaths = [ + "/bin/bash", + "/usr/sbin/sshd", + "/usr/libexec/ssh-keysign", + "/bin/sh", + "/etc/ssh/sshd_config", + "/usr/libexec/sftp-server", + "/usr/bin/ssh" + ] + + let pathsToCheck = isSimulator() ? jailbreakPaths : (jailbreakPaths + deviceOnlyPaths) + + return pathsToCheck.contains { FileManager.default.fileExists(atPath: $0) } } /// Method will return true if we can open cydia package - static func canOpenCydia() -> Bool { - guard let cydiaURL = URL(string: "cydia://package/com.example.package") else { + static func canOpenUrl(urlString: String) -> Bool { + guard let URL = URL(string: urlString) else { return false } - return UIApplication.shared.canOpenURL(cydiaURL) + return UIApplication.shared.canOpenURL(URL) } /// Method will return true if current device is simulator static func isSimulator() -> Bool { - return ProcessInfo.processInfo.environment["SIMULATOR_DEVICE_NAME"] != nil + return isSimulatorCompile() || isSimulatorRuntime() } } -// MARK: - Suspicious dir +// MARK: - Suspicious directories and files -extension BrightSide { +private extension BrightSide { static var suspiciousAppsDir: [String] { return [ 
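Review bot: In the `@@ -46,31 +46,41 @@` hunk, `canOpenUrl(urlString:)` keeps the old doc comment "Method will return true if we can open cydia package", which is stale now that the function takes an arbitrary URL string. Something like `/// Returns true if the app can open the given URL string` would match, ideally with a note that schemes must be declared in `LSApplicationQueriesSchemes`. The binding `guard let URL = URL(string: urlString)` reuses the type name for a local, which hides `URL` for the rest of the function and reads ambiguously. Prefer `guard let url = URL(string: urlString) else {` and `return UIApplication.shared.canOpenURL(url)`.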
@@ -84,22 +94,23 @@ extension BrightSide { "/Applications/MxTube.app", "/Applications/RockApp.app", "/Applications/SBSettings.app", - "/Applications/WinterBoard.app" + "/Applications/WinterBoard.app", + "/Applications/Activator.app", + "/Applications/BytaFont.app", + "/Applications/Filza.app" ] } static var suspiciousSystemDir: [String] { return [ "/private/var/lib/apt", - "/private/var/lib/apt/", "/private/var/lib/cydia", "/private/var/mobile/Library/SBSettings/Themes", "/private/var/stash", "/usr/bin/sshd", - "/usr/libexec/sftp-server", - "/usr/sbin/sshd", "/etc/apt", - "/bin/bash" + "/usr/libexec/cydia", + "/private/var/jb" ] } @@ -110,8 +121,40 @@ extension BrightSide { "/private/var/tmp/cydia.log", "/System/Library/LaunchDaemons/com.ikey.bbot.plist", "/System/Library/LaunchDaemons/com.saurik.Cydia.Startup.plist", - "/Library/MobileSubstrate/MobileSubstrate.dylib" + "/Library/MobileSubstrate/MobileSubstrate.dylib", + "/private/var/db/crashreporter/LiveClock.plist", + "/System/Library/LaunchDaemons/com.saurik.Cydia.Startup.plist", + "/usr/lib/libsubstitute.dylib", + "/private/var/lib/apt/periodic" + ] + } + + static var suspiciousURLs: [String] { + return [ + "cydia://package/com.example.package", + "filza://", + "undecimus://", + "zbra://", + "sileo://" ] } } + +// MARK: - Private Methods + +private extension BrightSide { + + static func isSimulatorRuntime() -> Bool { + return ProcessInfo.processInfo.environment["SIMULATOR_DEVICE_NAME"] != nil + } + + static func isSimulatorCompile() -> Bool { +#if targetEnvironment(simulator) + return true +#else + return false +#endif + } + +} From 788179cb4606f81c1609fe11336137e32274f51d Mon Sep 17 00:00:00 2001 From: Alexey Kosov Date: Tue, 10 Sep 2024 20:24:52 +0700 Subject: [PATCH 3/8] SNP-1864 add more sus directories --- Utils/BrightSide/BrightSide.swift | 28 +++++++++++++++++++++++++--- 1 file changed, 25 insertions(+), 3 deletions(-) 
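Review bot: In the `@@ -110,8 +121,40 @@` hunk, the new `isSimulatorRuntime()` decides from the `SIMULATOR_DEVICE_NAME` environment variable, and `isSimulator()` (changed in the previous hunk) ORs that into its result. Process environment is not a trustworthy input on a device whose integrity is in question. As of this commit, `isBright()` appears to return true as soon as `isSimulator()` does (the early return is visible in other patches of this series), so a single variable would skip every later check. `isSimulatorCompile()` already gives a build-time answer, so the runtime test can be dropped or limited to debug builds, e.g. `static func isSimulator() -> Bool { return isSimulatorCompile() }`. The new `suspiciousURLs` list would also benefit from a comment that each scheme has to appear in the host app's `LSApplicationQueriesSchemes`.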
diff --git a/Utils/BrightSide/BrightSide.swift b/Utils/BrightSide/BrightSide.swift index 802ebe3..8130eef 100644 --- a/Utils/BrightSide/BrightSide.swift +++ b/Utils/BrightSide/BrightSide.swift @@ -97,7 +97,8 @@ private extension BrightSide { "/Applications/WinterBoard.app", "/Applications/Activator.app", "/Applications/BytaFont.app", - "/Applications/Filza.app" + "/Applications/Filza.app", + "/Applications/Sileo.app", ] } @@ -110,12 +111,34 @@ private extension BrightSide { "/usr/bin/sshd", "/etc/apt", "/usr/libexec/cydia", - "/private/var/jb" + "/private/var/jb", + "/var/mobile/Library/Preferences/ABPattern", // A-Bypass + "/usr/lib/ABDYLD.dylib", // A-Bypass, + "/usr/lib/ABSubLoader.dylib", // A-Bypass + "/usr/sbin/frida-server", // frida + "/etc/apt/sources.list.d/electra.list", // electra + "/etc/apt/sources.list.d/sileo.sources", // electra + "/.bootstrapped_electra", // electra + "/usr/lib/libjailbreak.dylib", // electra + "/jb/lzma", // electra + "/.cydia_no_stash", // unc0ver + "/.installed_unc0ver", // unc0ver + "/jb/offsets.plist", // unc0ver + "/usr/share/jailbreak/injectme.plist", // unc0ver + "/etc/apt/undecimus/undecimus.list", // unc0ver + "/var/lib/dpkg/info/mobilesubstrate.md5sums", // unc0ver + "/Library/MobileSubstrate/MobileSubstrate.dylib", + "/jb/jailbreakd.plist", // unc0ver + "/jb/amfid_payload.dylib", // unc0ver + "/jb/libjailbreak.dylib", // unc0ver ] } static var suspiciousSystemFiles: [String] { return [ + "/Library/MobileSubstrate/DynamicLibraries/SSLKillSwitch2.plist", + "/Library/MobileSubstrate/DynamicLibraries", + "/usr/sbin/frida-server", // frida "/Library/MobileSubstrate/DynamicLibraries/LiveClock.plist", "/Library/MobileSubstrate/DynamicLibraries/Veency.plist", "/private/var/tmp/cydia.log", 
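Review bot: In the `@@ -111,12 +111,34 @@` hunk, `/usr/sbin/frida-server` is added to both `suspiciousSystemDir` and `suspiciousSystemFiles`. `/Library/MobileSubstrate/MobileSubstrate.dylib` is also added to `suspiciousSystemDir` although `suspiciousSystemFiles` already lists it (visible as context in the next hunk). Both lists are concatenated in `isJailbreakDirectoriesExist()`, so the duplicates only cost extra `fileExists` calls and make the lists harder to audit. Most of the new `suspiciousSystemDir` entries are files (`.dylib`, `.plist`, `.list`), so they fit better in `suspiciousSystemFiles`, with each path kept in exactly one list. The arrays start and end outside the hunk.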
@@ -123,7 +146,6 @@ private extension BrightSide { "/System/Library/LaunchDaemons/com.saurik.Cydia.Startup.plist", "/Library/MobileSubstrate/MobileSubstrate.dylib", "/private/var/db/crashreporter/LiveClock.plist", - "/System/Library/LaunchDaemons/com.saurik.Cydia.Startup.plist", "/usr/lib/libsubstitute.dylib", "/private/var/lib/apt/periodic" ] From 78433e5dbf84cd7f90eaa5b20b039b65d144bd24 Mon Sep 17 00:00:00 2001 From: Alexey Kosov Date: Tue, 10 Sep 2024 21:11:29 +0700 Subject: [PATCH 4/8] SNP-1864 add more urls to writing checks --- Utils/BrightSide/BrightSide.swift | 85 +++++++++++++++++++++++-------- 1 file changed, 63 insertions(+), 22 deletions(-) diff --git a/Utils/BrightSide/BrightSide.swift b/Utils/BrightSide/BrightSide.swift index 8130eef..495b59f 100644 --- a/Utils/BrightSide/BrightSide.swift +++ b/Utils/BrightSide/BrightSide.swift 
@@ -20,21 +20,38 @@ public final class BrightSide { return true } - // Check 2 : existence of files that are common for jailbroken devices - if isJailbreakDirectoriesExist() || suspiciousURLs.contains(where: { canOpenUrl(urlString: $0) }) { + // Check 2 Suspicious URL Schemes: + ///Warning: Schemes should be added in Info.plist LSApplicationQueriesSchemes in other case check will always return false + if suspiciousURLs.contains(where: { canOpenUrl(urlString: $0) }) { return false } - // Check 3 : Reading and writing in system directories (sandbox violation) - let stringToWrite = "Jailbreak Test" - do { - try stringToWrite.write(toFile: "/private/JailbreakTest.txt", - atomically: true, - encoding: String.Encoding.utf8) - //Device is jailbroken + // Check 3 : existence of files that are common for jailbroken devices + if isJailbreakDirectoriesExist() || isSuspiciousFilesCanBeOpened() { return false - } catch { - return true + } + + // Check 4 : Reading and writing in system directories (sandbox violation) + + let paths = [ + "/", + "/root/", + "/private/", + "/jb/" + ] + + for path in paths { + let someRandomRestrictedPath = path + UUID().uuidString + let stringToWrite = "Jailbreak Test" + do { + try stringToWrite.write(toFile: someRandomRestrictedPath, + atomically: true, + encoding: String.Encoding.utf8) + //Device is jailbroken + return false + } catch { + return true + } } } 
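Review bot: In the new Check 4 loop, both branches of the `do`/`catch` return, so the loop never gets past its first element: a failed write to `/` returns true immediately, and `/root/`, `/private/` and `/jb/` are never probed. The function also has no `return` after the `for`, which the compiler is likely to reject as a missing return. The catch should be `catch { continue }`, with a `return true` after the loop. PATCH 5/8 restructures this into a helper, but this commit should be correct on its own. The `///Warning:` line above Check 2 is a doc comment inside a function body; a plain `// Warning:` is the fitting form. `isBright()` starts outside the hunk.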
@@ -46,21 +63,45 @@ private extension BrightSide { /// Method will return true, if any of the files or dir, typical for the jailbreak, exists static func isJailbreakDirectoriesExist() -> Bool { - let jailbreakPaths = suspiciousSystemFiles + suspiciousAppsDir + suspiciousSystemDir + var jailbreakPaths = suspiciousSystemFiles + suspiciousAppsDir + suspiciousSystemDir + // These files can give false positive in the simulator - let deviceOnlyPaths = [ - "/bin/bash", - "/usr/sbin/sshd", - "/usr/libexec/ssh-keysign", - "/bin/sh", - "/etc/ssh/sshd_config", - "/usr/libexec/sftp-server", - "/usr/bin/ssh" + if !isSimulator() { + jailbreakPaths += [ + "/bin/bash", + "/usr/sbin/sshd", + "/usr/libexec/ssh-keysign", + "/bin/sh", + "/etc/ssh/sshd_config", + "/usr/libexec/sftp-server", + "/usr/bin/ssh" + ] + } + + return jailbreakPaths.contains { FileManager.default.fileExists(atPath: $0) } + } + + /// Method will return true, if any of the files or dir, typical for the jailbreak, openable + static func isSuspiciousFilesCanBeOpened() -> Bool { + var jailbreakPaths = [ + "/.installed_unc0ver", + "/.bootstrapped_electra", + "/Applications/Cydia.app", + "/Library/MobileSubstrate/MobileSubstrate.dylib", + "/etc/apt", + "/var/log/apt" ] - let pathsToCheck = isSimulator() ? jailbreakPaths : (jailbreakPaths + deviceOnlyPaths) + // These files can give false positive in the emulator + if !isSimulator() { + jailbreakPaths += [ + "/bin/bash", + "/usr/sbin/sshd", + "/usr/bin/ssh" + ] + } - return pathsToCheck.contains { FileManager.default.fileExists(atPath: $0) } + return jailbreakPaths.contains { FileManager.default.isReadableFile(atPath: $0) } } /// Method will return true if we can open cydia package From ca4a25bf38de47760ac058f641d55e2d6eabe436 Mon Sep 17 00:00:00 2001 
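Review bot: `isSuspiciousFilesCanBeOpened()` mostly repeats paths that `isJailbreakDirectoriesExist()` already tests: of its nine entries, only `/var/log/apt` is not already in the existence lists. If the intent is a second probe through a different `FileManager` API (`isReadableFile(atPath:)` rather than `fileExists(atPath:)`), the doc comment should say so, since the two functions otherwise look redundant. The simulator-sensitive paths are now written out twice, with seven entries here in `isJailbreakDirectoriesExist()` and three in the new function. A shared private constant would keep the two from drifting apart. The inline comment says "emulator" where the rest of the file says "simulator".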
From: Alexey Kosov Date: Wed, 11 Sep 2024 13:09:22 +0700 Subject: [PATCH 5/8] SNP-1864 refactor check 4 --- Utils/BrightSide/BrightSide.swift | 50 +++++++++++++++++++------------ 1 file changed, 31 insertions(+), 19 deletions(-) diff --git a/Utils/BrightSide/BrightSide.swift b/Utils/BrightSide/BrightSide.swift index 495b59f..6815e41 100644 --- a/Utils/BrightSide/BrightSide.swift +++ b/Utils/BrightSide/BrightSide.swift @@ -32,27 +32,12 @@ public final class BrightSide { } // Check 4 : Reading and writing in system directories (sandbox violation) + if canWriteToRestrictedPaths() { + return false + } - let paths = [ - "/", - "/root/", - "/private/", - "/jb/" - ] + return true - for path in paths { - let someRandomRestrictedPath = path + UUID().uuidString - let stringToWrite = "Jailbreak Test" - do { - try stringToWrite.write(toFile: someRandomRestrictedPath, - atomically: true, - encoding: String.Encoding.utf8) - //Device is jailbroken - return false - } catch { - return true - } - } } } @@ -117,6 +102,33 @@ private extension BrightSide { return isSimulatorCompile() || isSimulatorRuntime() } + /// Check if writing to restricted paths is possible + static func canWriteToRestrictedPaths() -> Bool { + let restrictedPaths = [ + "/", + "/root/", + "/private/", + "/jb/" + ] + + let stringToWrite = "Jailbreak Test" + for path in restrictedPaths { + let someRandomRestrictedPath = path + UUID().uuidString + do { + try stringToWrite.write(toFile: someRandomRestrictedPath, + atomically: true, + encoding: .utf8) + // If writing succeeds, the device is jailbroken + return true + } catch { + // Continue trying other paths + continue + } + } + // If no restricted paths could be written to, return false (not jailbroken) + return false + } + } // MARK: - Suspicious directories and files From 66741a6655f558845273e9f4f380a4a116c89f42 Mon Sep 17 00:00:00 2001 
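Review bot: In the `@@ -117,6 +102,33 @@` hunk, `canWriteToRestrictedPaths()` leaves its probe file behind when a write succeeds: it returns true straight after `write(toFile:atomically:encoding:)`, so each positive run adds another UUID-named file containing "Jailbreak Test" to a system directory. Cleaning up before returning keeps the check free of side effects: `try? FileManager.default.removeItem(atPath: someRandomRestrictedPath)` on the line before `return true`. The doc comment could also state that the function returns true on the first path that accepts a write, and that errors on the other paths are deliberately ignored.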
From: Alexey Kosov Date: Wed, 11 Sep 2024 14:58:40 +0700 Subject: [PATCH 6/8] SNP-1864 refactor imports --- Utils/BrightSide/BrightSide.swift | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/Utils/BrightSide/BrightSide.swift b/Utils/BrightSide/BrightSide.swift index 6815e41..248528e 100644 --- a/Utils/BrightSide/BrightSide.swift +++ b/Utils/BrightSide/BrightSide.swift @@ -6,7 +6,6 @@ // Copyright © 2018 Surf. All rights reserved. // -import Foundation import class UIKit.UIApplication public final class BrightSide { @@ -20,7 +19,7 @@ public final class BrightSide { return true } - // Check 2 Suspicious URL Schemes: + // Check 2 : Suspicious URL Schemes: ///Warning: Schemes should be added in Info.plist LSApplicationQueriesSchemes in other case check will always return false if suspiciousURLs.contains(where: { canOpenUrl(urlString: $0) }) { return false From 569155dde12d455c3024b200ff8ea8f2c9b2cab1 Mon Sep 17 00:00:00 2001 From: Alexey Kosov Date: Wed, 11 Sep 2024 15:02:29 +0700 Subject: [PATCH 7/8] SNP-1864 refactor import --- Utils/BrightSide/BrightSide.swift | 1 + 1 file changed, 1 insertion(+) diff --git a/Utils/BrightSide/BrightSide.swift b/Utils/BrightSide/BrightSide.swift index 248528e..249e77e 100644 --- a/Utils/BrightSide/BrightSide.swift +++ b/Utils/BrightSide/BrightSide.swift @@ -6,6 +6,7 @@ // Copyright © 2018 Surf. All rights reserved. // +import Foundation import class UIKit.UIApplication public final class BrightSide { From 29b5a3bcca52393a6688975ce7a955e90fdffe6d Mon Sep 17 00:00:00 2001 From: Alexey Kosov Date: Wed, 11 Sep 2024 16:11:47 +0700 Subject: [PATCH 8/8] SNP-1864 move simulator checks from first to last --- Utils/BrightSide/BrightSide.swift | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/Utils/BrightSide/BrightSide.swift b/Utils/BrightSide/BrightSide.swift index 249e77e..80f6e0c 100644 --- a/Utils/BrightSide/BrightSide.swift +++ b/Utils/BrightSide/BrightSide.swift 
@@ -15,12 +15,8 @@ public final class BrightSide { /// Method return false, if we can detect some common for jailbroken deivce files or can write to device public static func isBright() -> Bool { - // Check 1 : check if current device is simulator - if isSimulator() { - return true - } - // Check 2 : Suspicious URL Schemes: + // Check 1 : Suspicious URL Schemes: ///Warning: Schemes should be added in Info.plist LSApplicationQueriesSchemes in other case check will always return false if suspiciousURLs.contains(where: { canOpenUrl(urlString: $0) }) { return false @@ -36,6 +32,11 @@ public final class BrightSide { return false } + // Check 4 : check if current device is simulator + if isSimulator() { + return true + } + return true }
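Review bot: The relocated simulator check in the `@@ -36,6 +32,11 @@` hunk has no effect: `if isSimulator() { return true }` is followed directly by `return true`, so both paths give the same result. If the point of the move is that simulator builds now go through every check like a device, delete the block and its `// Check 4` comment. If simulators are still meant to pass unconditionally, the check has to stay ahead of the others, as it was before the first hunk removed it. Either way the `isBright()` doc comment should state which behaviour is intended. `isBright()` continues outside both hunks.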