skip to Main Content

We have developed a corporate-level mobile app in React Native for both Android and iOS. During a VAPT (Vulnerability Assessment and Penetration Testing), our client discovered that they could bypass our iOS jailbreak detection using the Hestia tweak app.

Without the Hestia tweak, our app successfully detects when a device is jailbroken and prevents usage. However, when Hestia is applied, it bypasses our jailbreak status check, allowing the app to function on a jailbroken device undetected.

Has anyone encountered this issue with Hestia or other similar jailbreak bypass tools? What are some best practices or advanced methods we can implement to strengthen our jailbreak detection in React Native, specifically against bypass apps like Hestia?

These are the methods I have used so far:

 private func checkCydia() -> Bool {
    return UIApplication.shared.canOpenURL(URL(string: "cydia://package/com.example.package")!)
}

private func isFridaDetected() -> Bool {
    let fridaLibs = ["frida-gadget", "libfrida.dylib"]

    for lib in fridaLibs {
        if dlopen(lib, RTLD_NOW | RTLD_NOLOAD) != nil {
            // Frida library detected
            return true
        }
    }

    // Check all loaded libraries
    let count = _dyld_image_count()
    for i in 0..<count {
        if let dyld = _dyld_get_image_name(i) {
            let dyldStr = String(cString: dyld)
            if dyldStr.contains("frida") || dyldStr.contains("libfrida") {
                // Frida-related library detected
                return true
            }
        }
    }

    // Frida not detected
    return false
}

private func checkSuspiciousPaths() -> Bool {
    let paths = [
        "/Applications/Cydia.app",
        "/Library/MobileSubstrate/MobileSubstrate.dylib",
        "/bin/bash",
        "/usr/sbin/sshd",
        "/etc/apt",
        "/usr/bin/ssh",
        "/private/var/lib/apt/",
        "/private/var/stash"
    ]

    for path in paths {
        if FileManager.default.fileExists(atPath: path) {
            return true
        }
    }
    return false
}

private func canOpenSuspiciousApps() -> Bool {
    let paths = [
        "/Applications/Cydia.app",
        "/Applications/blackra1n.app",
        "/Applications/FakeCarrier.app",
        "/Applications/Icy.app",
        "/Applications/IntelliScreen.app",
        "/Applications/MxTube.app",
        "/Applications/RockApp.app",
        "/Applications/SBSettings.app",
        "/Applications/WinterBoard.app",
        "/Applications/LibertyLite.app",  // Liberty Lite
        "/Applications/PicaHide.app",     // PicaHide
        "/Applications/KernBypass.app",   // KernBypass
        "/Applications/JailProtect.app",  // Jailprotect
        "/Applications/Shadow.app",       // Shadow
        "/Applications/TweaksManager.app", // Tweaks Manager
        "/Applications/TsProtector.app",  // TsProtector
        "/Applications/FlyJB.app",        // FlyJB X
        "/Applications/VnodeBypass.app",  // VnodeBypass
        "/Applications/AJB.app",          // AJB
        "/Applications/xCon.app",         // xCon
        "/Applications/DeBypass.app",     // De-Bypass
        "/Applications/Hestia.app"        // Hestia
    ]

    for path in paths {
        if FileManager.default.fileExists(atPath: path) {
            return true
        }
    }
    return false
}

private func checkEnvironment() -> Bool {
    return getenv("DYLD_INSERT_LIBRARIES") != nil
}

// New function to check paths using stat64/stat
private func checkStatPaths() -> Bool {
    let suspiciousPaths = [
        "/Applications/blackra1n.app",
        "/Applications/Cydia.app",
        "/Applications/FakeCarrier.app",
        "/Applications/Icy.app",
        "/Applications/IntelliScreen.app",
        "/Applications/MxTube.app",
        "/Applications/RockApp.app",
        "/Applications/SBSettings.app",
        "/Applications/WinterBoard.app",
        "/bin/bash",
        "/bin/sh",
        "/bin/su",
        "/etc/apt",
        "/etc/ssh/sshd_config",
        "/Library/MobileSubstrate/DynamicLibraries/LiveClock.plist",
        "/Library/MobileSubstrate/DynamicLibraries/Veency.plist",
        "/Library/MobileSubstrate/MobileSubstrate.dylib",
        "/pguntether",
        "/private/var/lib/cydia",
        "/private/var/mobile/Library/SBSettings/Themes",
        "/private/var/stash",
        "/private/var/tmp/cydia.log",
        "/System/Library/LaunchDaemons/com.ikey.bbot.plist",
        "/System/Library/LaunchDaemons/com.saurik.Cydia.Startup.plist",
        "/usr/bin/cycript",
        "/usr/bin/ssh",
        "/usr/bin/sshd",
        "/usr/libexec/sftp-server",
        "/usr/libexec/ssh-keysign",
        "/usr/sbin/frida-server",
        "/usr/sbin/sshd",
        "/var/cache/apt",
        "/var/lib/cydia",
        "/var/log/syslog",
        "/var/mobile/Media/.evasi0n7_installed",
        "/var/tmp/cydia.log"
    ]

    for path in suspiciousPaths {
        if checkStat(path) {
            return true
        }
    }
    return false
}

2

Answers


  1. add below too (bring list from your canOpenSuspiciousApps function)

    // Check for Cydia & other app presence
    let appsToCheckJB = [
        "cydia",
        "dopamine",
        "trollstore",
        "trollinstallerx",
        "sileo",
        "Zebra",
        "AptBackup"
    ]
    
    for appPath in appsToCheckJB {
        let urlString = "(appPath)://"
        if let url = URL(string: urlString), UIApplication.shared.canOpenURL(url) {
            isJailbroken = true
            break
        }
    }
    

    make sure to add them in info.plist under Queried URL Schemes

    Login or Signup to reply.
  2. Your checks are not wrong, the big problem here is that is like a cat and mouse chase.

    So the applications to jailbreak a device are always evolving and we must evolve our protections. It’s important to check if certain files exists on the device to detect if some applications are installed. Take a look at this lib:

    https://github.com/securing/IOSSecuritySuite/blob/master/IOSSecuritySuite/JailbreakChecker.swift

    Also check the IntegrityChecker.swift file.

    Login or Signup to reply.
Please signup or login to give your own answer.
Back To Top
Search