We have developed a corporate-level mobile app in React Native for both Android and iOS. During a VAPT (Vulnerability Assessment and Penetration Testing), our client discovered that they could bypass our iOS jailbreak detection using the Hestia tweak app.
Without the Hestia tweak, our app successfully detects when a device is jailbroken and prevents usage. However, when Hestia is applied, it bypasses our jailbreak status check, allowing the app to function on a jailbroken device undetected.
Has anyone encountered this issue with Hestia or other similar jailbreak bypass tools? What are some best practices or advanced methods we can implement to strengthen our jailbreak detection in React Native, specifically against bypass apps like Hestia?
These are the methods I have used so far:
private func checkCydia() -> Bool {
return UIApplication.shared.canOpenURL(URL(string: "cydia://package/com.example.package")!)
}
private func isFridaDetected() -> Bool {
let fridaLibs = ["frida-gadget", "libfrida.dylib"]
for lib in fridaLibs {
if dlopen(lib, RTLD_NOW | RTLD_NOLOAD) != nil {
// Frida library detected
return true
}
}
// Check all loaded libraries
let count = _dyld_image_count()
for i in 0..<count {
if let dyld = _dyld_get_image_name(i) {
let dyldStr = String(cString: dyld)
if dyldStr.contains("frida") || dyldStr.contains("libfrida") {
// Frida-related library detected
return true
}
}
}
// Frida not detected
return false
}
private func checkSuspiciousPaths() -> Bool {
let paths = [
"/Applications/Cydia.app",
"/Library/MobileSubstrate/MobileSubstrate.dylib",
"/bin/bash",
"/usr/sbin/sshd",
"/etc/apt",
"/usr/bin/ssh",
"/private/var/lib/apt/",
"/private/var/stash"
]
for path in paths {
if FileManager.default.fileExists(atPath: path) {
return true
}
}
return false
}
private func canOpenSuspiciousApps() -> Bool {
let paths = [
"/Applications/Cydia.app",
"/Applications/blackra1n.app",
"/Applications/FakeCarrier.app",
"/Applications/Icy.app",
"/Applications/IntelliScreen.app",
"/Applications/MxTube.app",
"/Applications/RockApp.app",
"/Applications/SBSettings.app",
"/Applications/WinterBoard.app",
"/Applications/LibertyLite.app", // Liberty Lite
"/Applications/PicaHide.app", // PicaHide
"/Applications/KernBypass.app", // KernBypass
"/Applications/JailProtect.app", // Jailprotect
"/Applications/Shadow.app", // Shadow
"/Applications/TweaksManager.app", // Tweaks Manager
"/Applications/TsProtector.app", // TsProtector
"/Applications/FlyJB.app", // FlyJB X
"/Applications/VnodeBypass.app", // VnodeBypass
"/Applications/AJB.app", // AJB
"/Applications/xCon.app", // xCon
"/Applications/DeBypass.app", // De-Bypass
"/Applications/Hestia.app" // Hestia
]
for path in paths {
if FileManager.default.fileExists(atPath: path) {
return true
}
}
return false
}
private func checkEnvironment() -> Bool {
return getenv("DYLD_INSERT_LIBRARIES") != nil
}
// New function to check paths using stat64/stat
private func checkStatPaths() -> Bool {
let suspiciousPaths = [
"/Applications/blackra1n.app",
"/Applications/Cydia.app",
"/Applications/FakeCarrier.app",
"/Applications/Icy.app",
"/Applications/IntelliScreen.app",
"/Applications/MxTube.app",
"/Applications/RockApp.app",
"/Applications/SBSettings.app",
"/Applications/WinterBoard.app",
"/bin/bash",
"/bin/sh",
"/bin/su",
"/etc/apt",
"/etc/ssh/sshd_config",
"/Library/MobileSubstrate/DynamicLibraries/LiveClock.plist",
"/Library/MobileSubstrate/DynamicLibraries/Veency.plist",
"/Library/MobileSubstrate/MobileSubstrate.dylib",
"/pguntether",
"/private/var/lib/cydia",
"/private/var/mobile/Library/SBSettings/Themes",
"/private/var/stash",
"/private/var/tmp/cydia.log",
"/System/Library/LaunchDaemons/com.ikey.bbot.plist",
"/System/Library/LaunchDaemons/com.saurik.Cydia.Startup.plist",
"/usr/bin/cycript",
"/usr/bin/ssh",
"/usr/bin/sshd",
"/usr/libexec/sftp-server",
"/usr/libexec/ssh-keysign",
"/usr/sbin/frida-server",
"/usr/sbin/sshd",
"/var/cache/apt",
"/var/lib/cydia",
"/var/log/syslog",
"/var/mobile/Media/.evasi0n7_installed",
"/var/tmp/cydia.log"
]
for path in suspiciousPaths {
if checkStat(path) {
return true
}
}
return false
}
2
Answers
add below too (bring list from your
canOpenSuspiciousApps
function)make sure to add them in info.plist under
Queried URL Schemes
Your checks are not wrong, the big problem here is that is like a cat and mouse chase.
So the applications to jailbreak a device are always evolving and we must evolve our protections. It’s important to check if certain files exists on the device to detect if some applications are installed. Take a look at this lib:
https://github.com/securing/IOSSecuritySuite/blob/master/IOSSecuritySuite/JailbreakChecker.swift
Also check the IntegrityChecker.swift file.