iOS Jailbreak Detection Methods (Jail Break)

2023. 5. 7. 18:08 Mobile App Hacking and Security/iOS

1) File-based jailbreak detection
 - Check for files and directories associated with a jailbreak

/Applications/Cydia.app
/Applications/FakeCarrier.app
/Applications/Icy.app
/Applications/IntelliScreen.app
/Applications/MxTube.app
/Applications/RockApp.app
/Applications/SBSettings.app
/Applications/WinterBoard.app
/Applications/blackra1n.app
/Library/MobileSubstrate/DynamicLibraries/LiveClock.plist
/Library/MobileSubstrate/DynamicLibraries/Veency.plist
/Library/MobileSubstrate/MobileSubstrate.dylib
/System/Library/LaunchDaemons/com.ikey.bbot.plist
/System/Library/LaunchDaemons/com.saurik.Cydia.Startup.plist
/bin/bash
/bin/sh
/etc/apt
/etc/ssh/sshd_config
/private/var/lib/apt
/private/var/lib/cydia
/private/var/mobile/Library/SBSettings/Themes
/private/var/stash
/private/var/tmp/cydia.log
/var/tmp/cydia.log
/usr/bin/sshd
/usr/libexec/sftp-server
/usr/libexec/ssh-keysign
/usr/sbin/sshd
/var/cache/apt
/var/lib/apt
/var/lib/cydia
/usr/sbin/frida-server
/usr/bin/cycript
/usr/local/bin/cycript
/usr/lib/libcycript.dylib
/var/log/syslog
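As an added example (not code from the original post), the following Swift function walks a subset of the paths listed above and reports which ones are present on the device. Besides FileManager it also asks the POSIX stat() call, because hooking tools that hide jailbreak files sometimes patch only the Foundation API; the function names and the choice of subset are mine.

```swift
import Foundation

// Jailbreak artefacts to look for; a subset of the list in this post.
let jailbreakPaths: [String] = [
    "/Applications/Cydia.app",
    "/Library/MobileSubstrate/MobileSubstrate.dylib",
    "/System/Library/LaunchDaemons/com.saurik.Cydia.Startup.plist",
    "/bin/bash",
    "/etc/apt",
    "/usr/sbin/sshd",
    "/private/var/lib/cydia",
    "/usr/sbin/frida-server",
    "/usr/lib/libcycript.dylib",
]

// Returns true if the path exists according to either FileManager or stat(2).
// The two checks go through different code paths, so a tool that hooks only
// FileManager.fileExists(atPath:) still leaves the POSIX call answering truthfully.
func pathExists(_ path: String) -> Bool {
    if FileManager.default.fileExists(atPath: path) {
        return true
    }
    var info = stat()
    return stat(path, &info) == 0
}

// Returns every listed artefact that is present on the device.
// An empty result means none of the indicators were found.
func presentJailbreakArtefacts(_ candidates: [String] = jailbreakPaths) -> [String] {
    return candidates.filter(pathExists)
}

let found = presentJailbreakArtefacts()
print(found.isEmpty ? "No jailbreak artefacts found" : "Found: \(found)")
```

Treat the result as one signal among several: a missing file proves nothing on its own, so combine it with the permission, URL-scheme and system() checks described in the rest of the post.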


2) File permission check
 - Can be detected by attempting to create a file outside the application's sandbox
 - Try to create a file under the /private directory

import Foundation

// Attempts to write, then delete, a file under /private, which lies outside the
// app sandbox. Both operations only succeed when sandbox restrictions are broken.
func canWriteOutsideSandbox() -> Bool {
    let pathToFileInRestrictedDirectory = "/private/jailbreak.txt"
    do {
        try "This is a test.".write(toFile: pathToFileInRestrictedDirectory, atomically: true, encoding: .utf8)
        try FileManager.default.removeItem(atPath: pathToFileInRestrictedDirectory)
        return true   // Device is jailbroken
    } catch {
        return false  // Device is not jailbroken
    }
}


3) Protocol handler check
 - Protocol handler: a program that handles special URLs; the cydia:// protocol handler lets packages be installed from Cydia
 - Can be verified by opening a Cydia URL
 - The Cydia app, which most jailbreak tools install by default, registers the cydia:// protocol handler

import UIKit

// canOpenURL only reports true for the cydia:// scheme if "cydia" is listed under
// LSApplicationQueriesSchemes in the app's Info.plist (required since iOS 9);
// without that entry the check silently returns false on every device.
if let url = URL(string: "cydia://package/com.example.package"), UIApplication.shared.canOpenURL(url) {
    // Device is jailbroken
}

 

4) System API call
 - On a non-jailbroken device, calling the system function with NULL as the argument returns 0
 - On a jailbroken device, calling the system function with NULL as the argument returns 1
 - This works because the function checks for access to /bin/sh, which it can only find on a jailbroken device
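The check described in 4), written out as an added Swift example (not part of the original post). The iOS SDK declares system() unavailable, so the function is resolved at runtime with dlsym() and invoked through a C function pointer; the name hasShell and the use of RTLD_DEFAULT are my choices. The result is compared against zero rather than against exactly 1, since the C library only guarantees a non-zero value when a command interpreter is available.

```swift
import Foundation

// Calls system(NULL) and reports whether a command interpreter (/bin/sh) is
// reachable. On a stock device the call returns 0; on a jailbroken device
// /bin/sh exists and the call returns a non-zero value.
func hasShell() -> Bool {
    // system() is marked unavailable in the iOS SDK, so look it up dynamically.
    // RTLD_DEFAULT is (void *)-2 on Darwin.
    let rtldDefault = UnsafeMutableRawPointer(bitPattern: -2)
    guard let symbol = dlsym(rtldDefault, "system") else {
        // Symbol not present at all: treat as "no shell" rather than crashing.
        return false
    }
    typealias SystemFunction = @convention(c) (UnsafePointer<CChar>?) -> Int32
    let systemCall = unsafeBitCast(symbol, to: SystemFunction.self)
    return systemCall(nil) != 0
}

print(hasShell() ? "Device is jailbroken" : "Device is not jailbroken")
```

Because the lookup goes through dlsym(), the string "system" is visible in the binary and the call can be hooked like any other; for that reason this check is best run alongside the file, permission and URL-scheme checks above rather than on its own.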