Enhanced jailbreak-detection using app server
Necessity of Enhanced Jailbreak Detection Method
Section titled “Necessity of Enhanced Jailbreak Detection Method”One of the main functions within AppSealing SDK is detecting the environment of the jailbroken device and forcibly closes the app. However, there is a possibility that these detection functions will be bypassed by more sophisticated attack methods. This is because, due to the characteristics of the iOS operating system, the code of the loaded dynamic library (dylib) is executed first when the app is launched. An attacker may distribute the code to patch a specific area of the executable file in such a dynamic library.
Since the characteristic of this attack method is to change the code of the running app in advance, no matter how strong detection logic is added to the AppSealing library itself, the situation in which the code is patched by the dynamic library is unavoidable. Therefore, the newly provided jailbreak detection function does not detect in the app, but in a way that rejects all services and actions, such as log-in in or accepting API calls, in the case of a terminal suspected of being jailbroken in the server linked to the app.
iOS App Code
Section titled “iOS App Code”Additional process of your app needs verify the server credentials is to call a function in the AppSealing SDK to get the server credential string and send it to the server along with the existing authentication parameters.
Sample credential acquire code for Xamarin project:
public async Task<bool> AuthenticateWithServer(string userID, string password){ try { // Get encrypted credential from AppSealing SDK var credential = AppSealingInterface.GetEncryptedCredential();
Console.WriteLine($"AppSealing Credential: {credential}");
// Send credential along with login data to server var loginRequest = new LoginRequest { UserID = userID, Password = password, AppSealingCredential = credential };
var result = await apiClient.LoginAsync(loginRequest); return result.IsSuccess; } catch (Exception ex) { Console.WriteLine($"Authentication error: {ex.Message}"); return false; }}Usage Example
Section titled “Usage Example”private async void LoginButton_TouchUpInside(object sender, EventArgs e){ var userID = userIDTextField.Text; var password = passwordTextField.Text;
var isAuthenticated = await AuthenticateWithServer(userID, password);
if (isAuthenticated) { // Proceed with app flow NavigateToMainView(); } else { // Show error and potentially exit app ShowAuthenticationError(); }}
private void ShowAuthenticationError(){ var alertController = UIAlertController.Create( "Authentication Failed", "Unable to verify device security. Please contact support.", UIAlertControllerStyle.Alert );
var okAction = UIAlertAction.Create("OK", UIAlertActionStyle.Default, (action) => { // Optionally exit the app for security Environment.Exit(0); });
alertController.AddAction(okAction); PresentViewController(alertController, true, null);}Verification at app server
Section titled “Verification at app server”The credential data (hex string) returned from the interface call to the AppSealing module is only valid when the security logic inside AppSealing is normally performed and no dangerous situation is detected in the device.
If code patch attack is made through the dynamic library or the security logic is bypassed by other methods, valid credential data will not be generated, so the server should verify this value and blocks the attack situation of the device.
The app server must check whether the credential value sent by the client (app) is correct, and if it is not correct, it must deny authentication (login) and then deny any services (API call) requested by that client.
For complete server-side verification examples in various programming languages, please refer to the AppSealing SDK documentation.