undefined | Better HN

0 pointsjs26y ago0 comments

A jailbroken device allows apps to do things that a non-jailbroken device does not.

I maintain my company's in-house mobile app crash reporting system and I had to remove jailbreak checks from our iOS SDK. It turned out that some of the checks were causing crashes themselves due to buggy anti-jailbreak-detection code some jailbroken devices had in place. e.g. checking whether a file could be accessed that normally iOS disallows would end up causing a crash instead of just a permission error.

Instead, I just do some basic server-side detection. Basically, looking for libraries loaded into the app (e.g. cydia) that are only present on jailbroken devices. Some jailbreaks don't even try to hide their presence.

I don't know what iVerify does. I hadn't heard of it before. I'm curious how it avoids crashes though... perhaps it avoids invoking any dynamic system calls.

0 comments

12 comments · 3 top-level

Bnshsysjab6y ago· 6 in thread

Out of interest, why do you care if your users run your application on a jailbroken device? It’s been a question I’ve had for a while..

js2OP6y ago

We don’t care but when a crash occurs we collect diagnostic data that we think will help us narrow down the source of the crash. Sometimes a crash happens only on jailbroken devices in which case we usually don’t spend time on it.

benbristow6y ago

Same reason as why rooted Android devices get blocked by certain applications. Security for the user's sake. Usually it's financial applications (banking etc.) and stuff with sensitive user information.

yjftsjthsd-h6y ago

As an Android user, this is super annoying: I rooted the device because I want to control it. Now some stupid app comes along and claims that, for my own protection (supposedly), they're going to break for me. It's insulting, really.

Mindwipe6y ago

Jailbroken devices can attack application logic to cheat in multiplayer games, somewhat attack DRM systems for video content (though Fairplay isn't especially vulnerable here), gain access to chargeable features without paying for them (decompiled Spotify APKs that do not feature advertising without having to pay exist on Android and are a non-trivial revenue risk) etc etc.

In more open systems you are usually more able to run detection software for the above without sandboxing.

moftz6y ago

Piracy for Android doesn't require a jailbroken/rooted device.

1 more reply

ESultanik6y ago

Companies (particularly financial institutions) that have enterprise apps deployed only to their employees care because a jailbroken phone imposes the risk of attackers MITMing traffic.

azinman26y ago· 2 in thread

They also get tripped up by Apple internal devices, which as an Apple employee is quite annoying when I get locked out of a financial app.

dannyw6y ago

I feel like Apple employees shouldn't be using special iPhones for personal use (out of good engineering practice; nothing special.

azinman26y ago

Who else would be the best to test new phones, software and features, and understand how they may create bugs with 3rd party apps?

In fact it’s critical to do so.

1 more reply

baroffoos6y ago· 1 in thread

The proper way of doing things should be that an app controls access to jailbreak features. By default nothing gets them and you can whitelist the ones which need it. I'm not sure if anything like this exists for ios but it should.

saagarjha6y ago

Depending on how much access you have, it's always possible for jailbreaks to hide their presence from applications (which are running at a lower privilege level). There are a couple of "jailbreak hider" implementations out there.

j / k navigate · click thread line to collapse

0 comments

12 comments · 3 top-level

Bnshsysjab6y ago· 6 in thread

Out of interest, why do you care if your users run your application on a jailbroken device? It’s been a question I’ve had for a while..

js2OP6y ago

benbristow6y ago

yjftsjthsd-h6y ago

Mindwipe6y ago

In more open systems you are usually more able to run detection software for the above without sandboxing.

moftz6y ago

Piracy for Android doesn't require a jailbroken/rooted device.

1 more reply

ESultanik6y ago

Companies (particularly financial institutions) that have enterprise apps deployed only to their employees care because a jailbroken phone imposes the risk of attackers MITMing traffic.

azinman26y ago· 2 in thread

They also get tripped up by Apple internal devices, which as an Apple employee is quite annoying when I get locked out of a financial app.

dannyw6y ago

I feel like Apple employees shouldn't be using special iPhones for personal use (out of good engineering practice; nothing special.

azinman26y ago

Who else would be the best to test new phones, software and features, and understand how they may create bugs with 3rd party apps?

In fact it’s critical to do so.

1 more reply

baroffoos6y ago· 1 in thread

saagarjha6y ago

j / k navigate · click thread line to collapse