xSellize: Good for Enterprise - Jailbreak detection - xSellize

Good for Enterprise - Jailbreak detection

#1
TOCHILL
  • Group: Members
  • Posts: 38
  • Joined: 13-July 09
My company uses Good for Enterprise which i believe uses iOS 4's built in jailbreak detection. Is there a plist i can edit to make it appear to not be jailbroken.
0


#2
sbraidley
  • Group: Members
  • Posts: 16
  • Joined: 09-January 10

TOCHILL, on 06 November 2010 - 11:25 AM, said:

My company uses Good for Enterprise which i believe uses iOS 4's built in jailbreak detection. Is there a plist i can edit to make it appear to not be jailbroken.


The software will probably look for the Cydia log files or some file created during jailbreak.
0

#3
fusen
  • Group: +Contributor
  • Posts: 735
  • Joined: 27-November 08

TOCHILL, on 06 November 2010 - 11:25 AM, said:

My company uses Good for Enterprise which i believe uses iOS 4's built in jailbreak detection. Is there a plist i can edit to make it appear to not be jailbroken.

are you just talking about the app itself?
0

#4
ghosty222
  • Group: Members
  • Posts: 172
  • Joined: 11-October 08
umm u can always redirect it to something else and hope for the best or use sbsetting and hide cydia and all your other cydia apps in the Dock options and make sure you have activator and make it open a different way like volume up and then down to open SBSETTING that way nobody knows it jb :P
0

#5
junkylov
  • Group: Members
  • Posts: 5
  • Joined: 05-May 09
i have same issue. how can we beat this detection!

there is a long log created while you install application and use your email ID and 12 digit pin to start the service... sitting at /var/mobile/applications/Good or "coded application name"/library/caches/gl-log.txt

but could not find what specific task ran to detect JB

any insight?
Have iphone 1.0, iphone 3g, iphone 3gs, iphone 4, iphone 4s... none better than blackberry 9800!
0

#6
XjSv
  • Group: +Contributor
  • Posts: 1010
  • Joined: 09-March 09
i dont understand y the hell ur company would care or should care wtf u do with ur phone

besides that u should check what kind of requests r being sent in or out from ur phone, one way to do that is with firewall ip.

but a little bit more details would help such as

is this a company phone?

why do they care if its jailbroken?

and how r they finding this out remotely or when they get their hands on the phone?



This post has been edited by XjSv: 11 November 2010 - 12:43 PM

1

#7
cynikal
  • Group: Members
  • Posts: 22
  • Joined: 11-September 10
bump, this has plagued me for a few months now.

some more info:

- personal phone, the software allows you to use your company email on your personal iphone/ipad (which is a boon especially if it means u don't have to carry around an extra device (e.g. blackberry)
- the software is freely downloadable from the app store, but to use it, you have to have your company "good server" set you up with a username/pin
- the software only cares about running on jailbroken phones IF YOUR COMPANY "GOOD ADMINISTRATOR" ENABLES THIS IN THEIR POLICY (i am tired of hearing about people who said they have no problem running it on their jailbroken phones, that's because your company doesn't enable this in their "good policy" security settings)
- for me, the app registered with the server the first time i ran it, sync'd with the server, then disabled itself saying it was running on a jailbroken phone.

i'm wondering if there's perhaps an LD_PRELOAD or something that it can be wrapped with to keep it from detecting it. PROBLEM is, in order to test this, you need to have your account unlocked on the company's server side each time you want to try something different to defeat it (so you'd need the people at your company to willingly help you defeat the jailbroken), which sometimes is a lot easier said than done (i work for a major banking firm and they care greatly about security).

My company's stance on running good on jailbroken phones is: "We cannot trust the phone if it's been jailbroken, since the sandbox the Good application runs has the potential to be customized and company information could be security-breached". But that's a load of BS in my opinion, since I am not your typical dumb iPhone user and am on top of my phone's security, i would rather decide for myself (and no way i'm giving up my jailbreak with all the work i put into it).

Please help :(
1

#8
Scavrage
  • Group: Members
  • Posts: 4
  • Joined: 20-March 11
Hey did anyone have any luck with this? My friend is the IT guy looking after this at my company so it is easy enough to get a net pin each time I want to test something. I would love to get this working!
Thanks




0

#9
cynikal
  • Group: Members
  • Posts: 22
  • Joined: 11-September 10
So here is what i would try (and am planning to, this would be my attack vector):

a.) make sure your phone is not jailbroken (at least temporarily)
b.) remove/re-install good app
c.) run it, register with your company's good for enterprise service
d.) exit the program (reboot your phone even, tho this will happen in the next step)
e.) jailbreak your phone, DO NOT RUN THE GOOD APP YET
f.) ssh onto your phone, backup the application directory in /private/var/mobile/Applications (i would tar it to /var/tmp and then scp it off the iphone)
g.) turn on airplane mode (or go somewhere where you absolutely dont/won't have reception, this includes wifi).. basically make sure your phone is completely cut off the network and can't communicate
h.) run good, it WONT be able to connect, but see if it complains about jailbreak.. at this point, your phone should have your company's policies downloaded
i.) analyze what may have changed since your backup (take another snapshot of the directory for analysis while we're at it)
j.) never run good while your phone is jailbroken (until we figure out a way to defeat the detection), as the moment the app realizes that a.) your company's jailbreak policy forbids good to work on it and b.) your phone is jailbroken, the app "phones home" and disables your account on the company's servers (so your attempts to defeat it will be for nothing since they need to be re-enabled by the good admin.. if you can get them to re-enable it easily w/o any fuss (or you are the admin), then you can skip the above steps about airplane mode (this is MAINLY to prevent yourself from being locked out).

Until the jailbreak detection is defeated (or you're lucky enough to work somewhere where their policy doesn't enforce jailbreak detection), you can only use good in a non-jailbroken environment (after restoring the backup from F.)

i am up to step B :-P i'll post here if/when i make any progress

This post has been edited by cynikal: 12 April 2011 - 11:50 PM

1

#10
TOCHILL
  • Group: Members
  • Posts: 38
  • Joined: 13-July 09
Please let us know if it works!
0

#11
cynikal
  • Group: Members
  • Posts: 22
  • Joined: 11-September 10
well a quick look through the app's com.good.gmmiphone.plist shows a number key named 'JailbreakPolicyAction'.. it's currently set to 1.. i'll also be taking a hexeditor to the binary and trying to see where/if this is referenced anywhere else (i also saw in the log file:

2011-04-12 19:25:33(1066)[3e088868] checkCompilianceEarlyViolated: Jailbreak check
2011-04-12 19:25:34(2051)[3e088868] checkCompilianceEarlyViolated: Jailbreak check

so far just to test things, i only ran the app once but haven't synced to my company's server yet.. waiting for them to re-set the pin they initially gave me (which i immediately lost after i tried running it on my phone while jailbroken..).. once i get the pin, i'll be re-installing my phone to a non-jailbroken state (and getting to try 4.3.1) and then continuing at step c..

This post has been edited by cynikal: 12 April 2011 - 11:51 PM

1

#12
badgcoupe
  • Group: +Contributor
  • Posts: 10
  • Joined: 26-February 10
Our company is currently testing apps like Good, MobileIron and some others. We have been trying to figure it out but have gotten nowhere.
0

#13
cynikal
  • Group: Members
  • Posts: 22
  • Joined: 11-September 10

badgcoupe, on 13 April 2011 - 04:34 PM, said:

Our company is currently testing apps like Good, MobileIron and some others. We have been trying to figure it out but have gotten nowhere.


It would be helpful if you told us what you've tried so far that has gotten you nowhere :)
0

#14
cynikal
  • Group: Members
  • Posts: 22
  • Joined: 11-September 10
things i've learned so far:

when your iphone has been jailbroken, even if you upgrade to a new ios (and hence, lose your jailbreak capabilities), the act of the phone having formerly been jailbroken leaves "residue" on the iphone filesystem, which good picks up (i know because i've done this and when i went to 4.3.1 w/o jailbreaking, the Good app swore my phone was still jailbroken.. hence, it's likely to guess that the jailbreak compliance checks are enforced by testing for the existence of this "residue".. what this residue is will be the focus of my hunt.. this is good to know in any event, e.g. if you take your iphone to the apple store and think that just by updating it to a non-jailbroken ios version, they won't be able to tell you've ever jailbroken your iphone (and have grounds for voiding your warranty, tho i'm not sure if this has ever happened before).. if you think it's that simple, NU-UH.. gotta wipe the entire device to clear your tracks (unless there's some cydia app that does this).

it wasn't until i totally wiped the device (which was painful, given all my icons end up getting spewed onto 7 pages worth since i lose my neat folder organization at least for the cracked apps (the majority), thus ensuring all "residue" jailbroken remnants have been eliminated, that i was able to pass the compliance check, and use the app (on my non-jailbroken phone).

after step H in my previous post, i've learned my company's policy is to wipe all the good-related files from the device (found out by doing a simple diff -ru on an archived before/after tarball wrt step H, which itself is what i talked about in step i).

i'm also experimenting with the different JailbreakPolicyAction settings in the com.good.gmmiphone.plist, but i think it's a safer bet to defeat the check, than try to mitigate its effect (which is what tinkering with the settings in the plist would be equivalent to).

if only my gdb/disassembler foo was stronger, i'd step through the binary as it runs, to try to figure out where in the object-code-stream it's performing the check, and patch the binary with a NOOP or something... i've done this on a powerpc binary (and know some x86 assembly too), but the tools on this arm platform are lacking (or i just don't have very good ones).

This post has been edited by cynikal: 17 April 2011 - 06:10 PM

1

#15
cynikal
  • Group: Members
  • Posts: 22
  • Joined: 11-September 10
update so far, i've learned that the binary was crypted, so trying to disassemble it was fruitless. i got it decrypted, disassembled it, and patched the binary (changed a BEQ op code to a BNE).. got past the jailbreak check, only to find the app has some sort of checksum that then got tripped and the app erased its data anyway (what my company's policy says it should do if running on jailbroken devices).

so then i took another approach, i noticed that the plist i mentioned above has a ComplianceJailbreakRules array, with 6 strings (that look crypted themselves).. and it looks like the -(BOOL)checkCompilianceEarlyViolated; method i patched above was using this before performing that branch (the original branched past the 'errors' that normally get thrown on jailbroken phones when the no-jb-policy is in effect).. so i tried to modify the values of those crypted strings so they don't match.

unfortunately the app once again realized something's been modified and threw the error message.

but hopefully i can call on people more knowledgeable than me to help me figure out what is contained in those strings? My guess is path names:


<string>JHypE7BUmi3FpYATdZnOQo1ouZM9FTwklTrzJLwArpN7pWs3GfFIuwp4lNoGG6cHe7OUjijO2NVlYjgzfV4baA==</string>
<string>+Xj/g22QJ9AUqTKcgEGjBBTKYNsxu3qb2HwZw+lGPoOVaHPQPZVU7iS/5UN7/z19</string>
<string>WDHzk8x1qdSVOoSDxgbZNMWz6Rapj3gs</string>
<string>WDHzk8x1qdSVOv0OxgagucXBGdDgvqOBcVAKJ1RXUIM=</string>
<string>Inj1hbZ/uUBFyvWT0XFkwqw2bPoEy7M4</string>
<string>RfPXFtHYD6E=</string>
<string>Inj1hbZ/uUBFC2tr0bD6OmViODPxH2Jo</string>

Notice how the 3rd and 4th begin the same? Probably a common path name component..
1

#16
cynikal
  • Group: Members
  • Posts: 22
  • Joined: 11-September 10
Here's the ASM of the portion of the program that does something with those strings:

0001927e            4478        add      r0, pc                         		;   5e2b08 = CFSTR("checkCompilianceEarlyViolated: Jailbreak check")
00019280        ee9af340        blx      0x359fb8                       		;   359fb8 = &0xe51ff004 -> ?
00019284            48aa        ldr      r0, [pc, #680]                 		;   602b9c = &0x602a84 -> &0x14 -> ?
00019286            49ab        ldr      r1, [pc, #684]                 		;   5ff35e = ?
00019288            4478        add      r0, pc                         		;   61be28 = _OBJC_CLASS_$_NSArray
0001928a            4479        add      r1, pc                         		;   6185ec = &0x585c03 -> @selector(arrayWithArray:)
0001928c            6805        ldr      r5, [r0, #0]                   		;        0 = 
0001928e            680c        ldr      r4, [r1, #0]                   		;   585c03 = @selector(arrayWithArray:)
00019290            48a9        ldr      r0, [pc, #676]                 		;   602b80 = ?
00019292            49aa        ldr      r1, [pc, #680]                 		;   5ff3c6 = &0x43b9005f -> ?
00019294            4478        add      r0, pc                         		;   61be18 = &0x61ce0c -> (Class)GmmDefaults
00019296            4479        add      r1, pc                         		;   618660 = &0x585d2a -> @selector(secureUserDefaults)
00019298            6800        ldr      r0, [r0, #0]                   		;   61ce0c = (Class)GmmDefaults
0001929a            6809        ldr      r1, [r1, #0]                   		;   585d2a = @selector(secureUserDefaults)
0001929c            9002        str      r0, [sp, #8]                   		;   61ce0c = (Class)GmmDefaults
0001929e            468b        mov      fp, r1                         		;   585d2a = @selector(secureUserDefaults)
000192a0        ee60f340        blx      0x359f64                       		;   359f64 = &0xea04d1e5 -> ?
000192a4            49a6        ldr      r1, [pc, #664]                 		;   5ff3b0 = &0x10 -> ?
000192a6            4aa7        ldr      r2, [pc, #668]                 		;   5c986a = &0x16640001 -> ?
000192a8            4479        add      r1, pc                         		;   61865c = &0x585d1c -> @selector(objectForKey:)
000192aa            447a        add      r2, pc                         		;   5e2b18 = CFSTR("ComplianceJailbreakRules")
000192ac            6809        ldr      r1, [r1, #0]                   		;   585d1c = @selector(objectForKey:)
000192ae            9103        str      r1, [sp, #12]                          ;   585d1c = @selector(objectForKey:)
000192b0        ee58f340        blx      0x359f64                       		;   359f64 = &0xea04d1e5 -> ?
000192b4            1c21        add      r1, r4, #0                     		;   585c03 = @selector(arrayWithArray:)
000192b6            1c02        add      r2, r0, #0                     		;        0 = 
000192b8            1c28        add      r0, r5, #0                     		;        0 = 
000192ba        ee54f340        blx      0x359f64                       		;   359f64 = &0xea04d1e5 -> ?
000192be            49a2        ldr      r1, [pc, #648]                 		;   5fef20 = &0x5913ee -> @selector(sectionTitle)
000192c0            2300        mov      r3, #0                         		;        0 = 
000192c2            9316        str      r3, [sp, #88]                          ;        0 = 
000192c4            4479        add      r1, pc                         		;   6181e8 = &0x584661 -> @selector(countByEnumeratingWithState:objects:count:)
000192c6            9317        str      r3, [sp, #92]                          ;        0 = 
000192c8            6809        ldr      r1, [r1, #0]                   		;   584661 = @selector(countByEnumeratingWithState:objects:count:)
000192ca            9318        str      r3, [sp, #96]                          ;        0 = 
000192cc            9319        str      r3, [sp, #100]                 		;        0 = 
000192ce            931a        str      r3, [sp, #104]                 		;        0 = 
000192d0            931b        str      r3, [sp, #108]                 		;        0 = 
000192d2            931c        str      r3, [sp, #112]                 		;        0 = 
000192d4            931d        str      r3, [sp, #116]                 		;        0 = 
000192d6            2310        mov      r3, #16                                ;   	10 = ?
000192d8            9300        str      r3, [sp, #0]                   		;   	10 = ?
000192da            aa16        add      r2, sp, #88                            ; fffffd08 = ?
000192dc            ab06        add      r3, sp, #24                            ; fffffcc8 = ?
000192de            9104        str      r1, [sp, #16]                          ;   584661 = @selector(countByEnumeratingWithState:objects:count:)
000192e0            4680        mov      r8, r0                         		;        0 = 
000192e2        ee40f340        blx      0x359f64                       		;   359f64 = &0xea04d1e5 -> ?
000192e6            2800        cmp      r0, #0                         		;        0 = 
000192e8            d061        beq      0x193ae                                ;    193ae = &0x92052200 -> ?
000192ea            9b18        ldr      r3, [sp, #96]                          ;        0 = 
000192ec            4997        ldr      r1, [pc, #604]                 		;   5ff330 = &0x14 -> ?
000192ee            1c05        add      r5, r0, #0                     		;        0 = 
000192f0            4479        add      r1, pc                         		;   618624 = &0x585cab -> @selector(UTF8String)
000192f2            681a        ldr      r2, [r3, #0]                   		; ffffff00 = ?
000192f4            680e        ldr      r6, [r1, #0]                   		;   585cab = @selector(UTF8String)
000192f6            4692        mov      sl, r2                         		; ffffff00 = ?
000192f8            e000        b        0x192fc                                ;    192fc = &0xe0002400 -> ?
000192fa            9b18        ldr      r3, [sp, #96]                          ;        0 = 
000192fc            2400        mov      r4, #0                         		;        0 = 
000192fe            e000        b        0x19302                                ;    19302 = &0x4553681b -> ?
00019300            9b18        ldr      r3, [sp, #96]                          ;        0 = 
00019302            681b        ldr      r3, [r3, #0]                   		; ffffff00 = ?
00019304            4553        cmp      r3, sl                         		; ffffff00 = ?
00019306            d002        beq      0x1930e                                ;    1930e = &0xa39a17 -> ?
00019308            4640        mov      r0, r8                         		;        0 = 
0001930a        ee78f340        blx      0x359ffc                       		;   359ffc = &0xea04d1b9 -> ?
0001930e            9a17        ldr      r2, [sp, #92]                          ;        0 = 
00019310            00a3        lsl      r3, r4, #2                     		;        0 = 
00019312            5898        ldr      r0, [r3, r2]                   		; ffffff00 = ?
00019314        fe3ef278        bl   	0x291f94                       		;   291f94 = &0x465eb5f0 -> ?
00019318            1c31        add      r1, r6, #0                     		;   585cab = @selector(UTF8String)
0001931a        ee24f340        blx      0x359f64                       		;   359f64 = &0xea04d1e5 -> ?
0001931e            2101        mov      r1, #1                         		;        1 = ?
00019320            2200        mov      r2, #0                         		;        0 = 
00019322        fbc1f7f3        bl   	0xcaa8                         		; 	caa8 = &0xaf00b580 -> ?
00019326            2800        cmp      r0, #0                         		;        0 = 
00019328            d033        beq      0x19392                                ;    19392 = &0x42a53401 -> ?
0001932a            4889        ldr      r0, [pc, #548]                 		;   5c97f8 = ___umodsi3
0001932c            4478        add      r0, pc                         		;   5e2b28 = CFSTR("checkCompilianceEarlyViolated: Jailbreak check - positive")


I by-passed the result of the check by changing the BEQ to BNE at 0x192e8, but there are additional checks that can tell the app's been modified.. so the best way would be to figure out what those strings represent and make sure the program doesn't find them

This post has been edited by cynikal: 26 April 2011 - 11:18 PM

2

#17
badgcoupe
  • Group: +Contributor
  • Posts: 10
  • Joined: 26-February 10
Thanks for keeping up on this!
0

#18
TOCHILL
  • Group: Members
  • Posts: 38
  • Joined: 13-July 09
Wow, you are making serious progress... I tapped out after changing the plist didn't work
0

#19
cynikal
  • Group: Members
  • Posts: 22
  • Joined: 11-September 10
thanks :) i'm determined to get this to work, i really really want access to my work email on my iphone, damn it!! having to carry a blackberry JUST for email (and calendar) is just such a waste, when the iphone is fully capable of using email (even via activesync, which they've half a year disabled and i've been pissed off to no end since then)..

but i could really use your help (whoever is more familiar with objective c than I, and i'm pretty noob at objc).. what i've figured out, is after the first line pasted where it's logging that, it's loading a class called GmmDefaults, defined as:

@interface GmmDefaults : NSUserDefaults {
        NSMutableDictionary* valueStore;
        BOOL pendingUpdates;
        BOOL deriveKeyFailure;
        NSString* initialChecksum;
}
+(id)secureUserDefaults;
@end


This is referenced at 0x19298 and 0x1929c, and then an instance is also created in the app delegate:


@interface gmmAppDelegate : NSObject <UIApplicationDelegate, UITabBarControllerDelegate, UIAlertViewDelegate> {
....

        GmmDefaults* secureUserDefaults;
....
}
@end


Referenced at 0x0001929a and 0x0001929e.. this likely contains the values in the com.good.gmmiphone.plist.. and from there they pull out the array named, ComplianceJailbreakRules.. and make a copy of it (initWithArray seen earlier).. but what is happening with the value of that array i am at a loss!

They are (again for emphasis :-)

<string>JHypE7BUmi3FpYATdZnOQo1ouZM9FTwklTrzJLwArpN7pWs3GfFIuwp4lNoGG6cHe7OUjijO2NVlYjgzfV4baA==</string>
<string>+Xj/g22QJ9AUqTKcgEGjBBTKYNsxu3qb2HwZw+lGPoOVaHPQPZVU7iS/5UN7/z19</string>
<string>WDHzk8x1qdSVOoSDxgbZNMWz6Rapj3gs</string>
<string>WDHzk8x1qdSVOv0OxgagucXBGdDgvqOBcVAKJ1RXUIM=</string>
<string>Inj1hbZ/uUBFyvWT0XFkwqw2bPoEy7M4</string>
<string>RfPXFtHYD6E=</string>
<string>Inj1hbZ/uUBFC2tr0bD6OmViODPxH2Jo</string>

the app does something with it, because eventually they call countByEnumeratingWithState:objects:count on that array (or a new array rather), and the branch if equal (BEQ) right after a compare (CMP) with zero means if zero cases of the conditions (somehow?!?!!?) defined by the ComplianceJailbreakRules array are found, they'll branch past the error message you normally get on jailbroken phones in the rest of the opcodes i pasted.. and while i can by-pass that by swapping in a branch if not equal (BNE) opcode, (so this would mean this app would now only complain of being run on a jailbroken device only if it WASNT jailbroken lol).. the app check routine later has more rules that i'm not sure where they are defined (none of the local files, i think these extra rules are part of the initial profile loaded onto the phone by your company (the same profile that says whether you can or CANNOT (in our case) run on a jailbroken phone).. that profile information is encrypted and is signed, so trying to tamper with that is not as simple if we could just figure out what those strings mean/represent (my theory is they're file system paths, since the app complained about a jailbroken device even after i upgraded a formerly jailbroken device to a new ios (meaning it wasn't technically jailbroken, due to file system "residuals").

This post has been edited by cynikal: 27 April 2011 - 03:31 AM

1
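Posts #15 and #19 describe the same outcome from two different edits to com.good.gmmiphone.plist: a checksum held by GmmDefaults (the initialChecksum field in the dumped interface) no longer matches, and the app treats its data as tampered with no matter which value was changed. The Python model below is an added example, not Good's code; the class, the HMAC-SHA256 construction, the canonical JSON encoding and the demo key are all assumptions chosen to show the property the posts ran into. Any edit to a value, including emptying or shortening the rules array, changes the MAC, while a rewrite that merely reorders keys does not, because the MAC is taken over a canonical serialization rather than the raw file bytes.

```python
import hashlib
import hmac
import json

# Constructed demo values: the key is NOT a real one and the policy is a toy
# subset using two key names that appear in the thread.
DEMO_KEY = b"demo-key-not-from-the-app"
DEMO_POLICY = {
    "JailbreakPolicyAction": 1,
    "ComplianceJailbreakRules": [
        "RfPXFtHYD6E=",
        "WDHzk8x1qdSVOoSDxgbZNMWz6Rapj3gs",
    ],
}


class SecureDefaults:
    """Toy model (an assumption, not Good's implementation) of a preference
    store that records an HMAC over its values when loaded and re-checks it."""

    def __init__(self, key, values):
        self._key = key
        self.values = dict(values)
        self.initial_checksum = self._mac(self.values)

    @staticmethod
    def canonical(values):
        # Deterministic bytes for a dict: sorted keys, no whitespace, so two
        # files holding the same values always produce the same MAC.
        return json.dumps(values, sort_keys=True, separators=(",", ":")).encode("utf-8")

    def _mac(self, values):
        return hmac.new(self._key, self.canonical(values), hashlib.sha256).digest()

    def verify(self, candidate=None):
        """True if `candidate` (default: the live values) still matches the
        checksum recorded at load time. Constant-time comparison."""
        values = self.values if candidate is None else candidate
        return hmac.compare_digest(self._mac(values), self.initial_checksum)


def edits_detected(store):
    """Apply the kinds of edits the thread describes to a copy of the policy
    and report which ones the checksum catches (True = detected)."""
    base = store.values
    reordered = dict(reversed(list(base.items())))  # same content, other key order
    trials = {
        "action_flipped": {**base, "JailbreakPolicyAction": 0},
        "rules_emptied": {**base, "ComplianceJailbreakRules": []},
        "rules_reduced": {**base, "ComplianceJailbreakRules": base["ComplianceJailbreakRules"][:1]},
        "keys_reordered": reordered,
    }
    return {name: not store.verify(edited) for name, edited in trials.items()}


if __name__ == "__main__":
    store = SecureDefaults(DEMO_KEY, DEMO_POLICY)
    print("intact policy verifies:", store.verify())
    for name, caught in edits_detected(store).items():
        print(f"{name:15s} detected={caught}")
```

What the model leaves out is the hard part: where the key comes from. If it sits beside the data, the integrity check is only obfuscation; the deriveKeyFailure field in the dumped interface suggests the real app derives it at runtime, which is the right shape, though the thread does not say from what.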

#20
FlightRisk
  • Group: Members
  • Posts: 1
  • Joined: 08-May 11
cynikal,

I've been looking into this the last couple of days too.

I've made a bit of progress against the ComplianceJailbreakRules. First I edited this section in the prefs file to be blank - no strings. Segfault / crash.
Then I edited the section to contain a single blank string (""). Segfault / crash.
Then, I figured that the array probably represented a number of different jailbreak checks. So I tried removing all but one of the strings in turn until I found one that 'worked' - in my case "WDHzk8x1qdSVOgAkxgZdk4Z46Y6jTHzf+H0nrm6zsyc=".
Leaving just that in the array, the initial compliance check passes and I get the password dialog.

However, after decrypting the databases, the client runs another compliance check, and this time it fails (and the ComplianceJailbreakRules array gets refreshed to the original values.)

At first, I thought that it was refreshing the policy from the server, so I took the client's default route away - not exactly a long term solution. Still the jailbreak compliance check got re-run, so the re-check is coming from somewhere local.
Next, I changed ownership on the prefs file to root and gave the mobile user only read access. The overwriting problem has gone away, but the compliance re-check is still there.

The strings in ComplianceJailbreakRules are base64 encoded, but they don't decode to anything useful. Like you said, I think that they represent paths to files that are leftover from the jailbreak process. I've tried using lsof to spot what files the client is trying to access, but that is the wrong tool for the job. We really need something like dtrace, but I've yet to find anything like this for iOS. I think that the best approach is to find out what files the client is looking for, then remove / rename them.

I've also tried gdb'ing the client, but this is not happening on my version of iOS (4.3.3).
My next steps are to get hold of something that I can run Xcode and the iPhone simulator on - hopefully once I have some debugging capability I'll be able to work out what files it is looking for. Either that, or I'll try and build dtrace for iOS.
0
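As an added illustration of what FlightRisk observes above (the values are valid base64 but do not decode to text), the following script is not from the thread or from Good. It takes the seven ComplianceJailbreakRules values quoted in post #15, decodes them, and reports what can be read off without any key: the decoded sizes are all multiples of 8 bytes but not of 16, none of the values is printable, and the pairs that share a base64 prefix (rules 3/4 and 5/7 in the post's numbering, 2/3 and 4/6 zero-based) share an identical first 8-byte block. That pattern is what an 8-byte block cipher in ECB mode or under a fixed IV produces when plaintexts share a prefix, which is the cryptographic caveat here: encrypting the rule list hides its contents but still reveals which entries begin alike. Which cipher is used and what the plaintexts are is not something the script determines; that they are paths is the thread's guess.

```python
import base64
from itertools import combinations

# The seven ComplianceJailbreakRules values exactly as quoted in post #15.
RULES = [
    "JHypE7BUmi3FpYATdZnOQo1ouZM9FTwklTrzJLwArpN7pWs3GfFIuwp4lNoGG6cHe7OUjijO2NVlYjgzfV4baA==",
    "+Xj/g22QJ9AUqTKcgEGjBBTKYNsxu3qb2HwZw+lGPoOVaHPQPZVU7iS/5UN7/z19",
    "WDHzk8x1qdSVOoSDxgbZNMWz6Rapj3gs",
    "WDHzk8x1qdSVOv0OxgagucXBGdDgvqOBcVAKJ1RXUIM=",
    "Inj1hbZ/uUBFyvWT0XFkwqw2bPoEy7M4",
    "RfPXFtHYD6E=",
    "Inj1hbZ/uUBFC2tr0bD6OmViODPxH2Jo",
]


def decode(rule):
    """Strict base64 decode: rejects stray characters or bad padding."""
    return base64.b64decode(rule, validate=True)


def is_printable_ascii(data):
    """True only if every byte is a printable ASCII character (0x20..0x7E)."""
    return all(0x20 <= b < 0x7F for b in data)


def decoded_lengths(rules):
    return [len(decode(r)) for r in rules]


def aligned_to(lengths, block):
    """True if every length is a whole number of `block`-byte blocks."""
    return all(n % block == 0 for n in lengths)


def shared_leading_blocks(rules, block=8):
    """0-based index pairs whose decoded values start with the same block.
    Under ECB or a fixed IV, equal leading plaintext gives equal leading ciphertext."""
    blobs = [decode(r) for r in rules]
    return [(i, j) for i, j in combinations(range(len(blobs)), 2)
            if blobs[i][:block] == blobs[j][:block]]


def summarize(rules):
    """One line per rule: decoded size and whether it reads as text."""
    return [f"rule {i + 1}: {len(decode(r)):2d} bytes, printable={is_printable_ascii(decode(r))}"
            for i, r in enumerate(rules)]


if __name__ == "__main__":
    print("\n".join(summarize(RULES)))
    lengths = decoded_lengths(RULES)
    print("all multiples of 8:", aligned_to(lengths, 8), "| of 16:", aligned_to(lengths, 16))
    print("pairs with identical first 8 bytes (0-based):", shared_leading_blocks(RULES))
```

A store that wanted the list opaque even to this kind of comparison would use a fresh random IV per value, or keep a keyed hash of each path rather than an encryption of it; either removes the shared-prefix leak without changing what the check does.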
