ios越狱检测

目前所用越狱检测判断

+ (BOOL)isRoot {
    static BOOL isRoot = NO;
    if (isRoot) {
        return isRoot;
    }
    @try {
        NSArray *paths = [NSArray arrayWithObjects:
                          @"/User/Applications/",
                          @"/Applications/Cydia.app",
                          @"/Library/MobileSubstrate/MobileSubstrate.dylib",
                          @"/bin/bash",
                          @"/usr/sbin/sshd",
                          @"/etc/apt",
                          nil];
        
        for (NSString *one in paths) {
            if ([[NSFileManager defaultManager] fileExistsAtPath:one]) {
                isRoot = YES;
            }
        }
        
        if ([[UIApplication sharedApplication] canOpenURL:[NSURL URLWithString:@"cydia://package/com.example.package"]]) {
            isRoot = YES;
        }
    } @catch (NSException *exception) {
        NSLog(@"Jailbroken exception:%@",exception);
    }
    return isRoot;
}

判断手机越狱的几种方式:

  1. 通过手机越狱后增加的越狱文件判断
/// 通过越狱后增加的越狱文件判断
    class func isContainJailBreakFiles() -> Bool {
        let files = [
            "/Applications/Cydia.app",
            "/Applications/limera1n.app",
            "/Applications/greenpois0n.app",
            "/Applications/blackra1n.app",
            "/Applications/blacksn0w.app",
            "/Applications/redsn0w.app",
            "/Applications/Absinthe.app",
            "/Library/MobileSubstrate/MobileSubstrate.dylib",
            "/bin/bash",
            "/usr/sbin/sshd",
            "/etc/apt",
            "/private/var/lib/apt/"
        ]

        for file in files {
            if FileManager.default.fileExists(atPath: file) {
                return true
            }
        }
        return false
    }
  1. 根据是否能打开cydia判断
    /// 根据是否能打开cydia判断

    class func canOpenCydia() -> Bool {
        if let url = URL(string: "cydia://") {
            return UIApplication.shared.canOpenURL(url)
        } else {
            return false
        }
    }

3.根据是否能获取所有应用的名称判断,没有越狱的设备是没有读取所有应用名称的权限的

/// 读取应用列表

    class func canGetApplicationList() -> Bool {

        guard FileManager.default.fileExists(atPath: "/User/Applications/") else {
            return false
        }

        do {

            let appList = try FileManager.default.contentsOfDirectory(atPath: "/User/Applications/")
            return !appList.isEmpty
        } catch {
            print("get app list error \(error)")
            return false
        }
    }

4.根据使用stat方法来判断cydia是否存在来判断

攻击者可能会 hook NSFileManager 的方法,那么,你可以回避 NSFileManager,使用 stat 系列函数检测 Cydia 等工具.

bool checkCydia() {

    struct stat stat_info;
    return 0 == stat("/Applications/Cydia.app", &stat_info);
}
攻击者可能会利用 Fishhook 原理 hook 了 stat。
那么,你可以看看 stat 是不是出自系统库,有没有被攻击者换掉

bool checkInject() {
    int ret ;
    Dl_info dylib_info;
    char *dylib_name = "/usr/lib/system/libsystem_kernel.dylib";
    int (*func_stat)(const char *, struct stat *) = stat;
    if ((ret = dladdr(func_stat, &dylib_info))) {
        printf("lib :%s", dylib_info.dli_fname);
        return strcmp(dylib_info.dli_fname, dylib_name) != 0;
    }
    return false;
}
  1. 检索一下应用程序是否被链接了异常动态库
    通常情况下,会包含越狱机的输出结果会包含字符串:Library/MobileSubstrate/MobileSubstrate.dylib
bool checkDylibs() {
    uint32_t count = _dyld_image_count();
    for (uint32_t i = 0 ; i < count; ++i) {
        if (strcmp(_dyld_get_image_name(i), "Library/MobileSubstrate/MobileSubstrate.dylib") == 0) {
            return true;
        }
    }
    return false;
}
  1. 通过检测当前程序运行的环境变量
    攻击者可能会给 MobileSubstrate 改名,但是原理都是通过 DYLD_INSERT_LIBRARIES注入动态库。
bool checkEnv() {
    char *env = getenv("DYLD_INSERT_LIBRARIES");
    return env != nil;
}

你可能感兴趣的:(ios越狱检测)