目前所用越狱检测判断
+ (BOOL)isRoot {
static BOOL isRoot = NO;
if (isRoot) {
return isRoot;
}
@try {
NSArray *paths = [NSArray arrayWithObjects:
@"/User/Applications/",
@"/Applications/Cydia.app",
@"/Library/MobileSubstrate/MobileSubstrate.dylib",
@"/bin/bash",
@"/usr/sbin/sshd",
@"/etc/apt",
nil];
for (NSString *one in paths) {
if ([[NSFileManager defaultManager] fileExistsAtPath:one]) {
isRoot = YES;
}
}
if ([[UIApplication sharedApplication] canOpenURL:[NSURL URLWithString:@"cydia://package/com.example.package"]]) {
isRoot = YES;
}
} @catch (NSException *exception) {
NSLog(@"Jailbroken exception:%@",exception);
}
return isRoot;
}
判断手机越狱的几种方式:
- 通过手机越狱后增加的越狱文件判断
/// 通过越狱后增加的越狱文件判断
class func isContainJailBreakFiles() -> Bool {
let files = [
"/Applications/Cydia.app",
"/Applications/limera1n.app",
"/Applications/greenpois0n.app",
"/Applications/blackra1n.app",
"/Applications/blacksn0w.app",
"/Applications/redsn0w.app",
"/Applications/Absinthe.app",
"/Library/MobileSubstrate/MobileSubstrate.dylib",
"/bin/bash",
"/usr/sbin/sshd",
"/etc/apt",
"/private/var/lib/apt/"
]
for file in files {
if FileManager.default.fileExists(atPath: file) {
return true
}
}
return false
}
- 根据是否能打开cydia判断
/// 根据是否能打开cydia判断
class func canOpenCydia() -> Bool {
if let url = URL(string: "cydia://") {
return UIApplication.shared.canOpenURL(url)
} else {
return false
}
}
3.根据是否能获取所有应用的名称判断,没有越狱的设备是没有读取所有应用名称的权限的
/// 读取应用列表
class func canGetApplicationList() -> Bool {
guard FileManager.default.fileExists(atPath: "/User/Applications/") else {
return false
}
do {
let appList = try FileManager.default.contentsOfDirectory(atPath: "/User/Applications/")
return !appList.isEmpty
} catch {
print("get app list error \(error)")
return false
}
}
4.根据使用stat方法来判断cydia是否存在来判断
攻击者可能会 hook NSFileManager 的方法,那么,你可以回避 NSFileManager,使用 stat 系列函数检测 Cydia 等工具.
bool checkCydia() {
struct stat stat_info;
return 0 == stat("/Applications/Cydia.app", &stat_info);
}
攻击者可能会利用 Fishhook 原理 hook 了 stat。
那么,你可以看看 stat 是不是出自系统库,有没有被攻击者换掉
bool checkInject() {
int ret ;
Dl_info dylib_info;
char *dylib_name = "/usr/lib/system/libsystem_kernel.dylib";
int (*func_stat)(const char *, struct stat *) = stat;
if ((ret = dladdr(func_stat, &dylib_info))) {
printf("lib :%s", dylib_info.dli_fname);
return strcmp(dylib_info.dli_fname, dylib_name) != 0;
}
return false;
}
- 检索一下应用程序是否被链接了异常动态库
通常情况下,会包含越狱机的输出结果会包含字符串:Library/MobileSubstrate/MobileSubstrate.dylib
bool checkDylibs() {
uint32_t count = _dyld_image_count();
for (uint32_t i = 0 ; i < count; ++i) {
if (strcmp(_dyld_get_image_name(i), "Library/MobileSubstrate/MobileSubstrate.dylib") == 0) {
return true;
}
}
return false;
}
- 通过检测当前程序运行的环境变量
攻击者可能会给 MobileSubstrate 改名,但是原理都是通过 DYLD_INSERT_LIBRARIES注入动态库。
bool checkEnv() {
char *env = getenv("DYLD_INSERT_LIBRARIES");
return env != nil;
}