Unc0ver Jailbreak for iOS 11.0 to 13.5 (unc0ver.dev)
233 points by ValentineC on May 23, 2020 | hide | past | favorite | 212 comments



I absolutely support people's right to jailbreak devices they own and over the years I've jailbroken my phone or iPad for one reason or another.

Having said that, unless there's something specific you're looking for, it's not really worth the effort these days and has potential downsides.

The biggest downside is that you might find some existing apps on your phone can detect that the phone is jailbroken and refuse to start. There are obvious security reasons for apps like banking apps to do this but also many online gaming apps won't run if they detect that the device is jailbroken in order to deter cheating.

There's an ongoing arms-race between app developers and jailbreakers where jailbreakers try to avoid detection and app developers find new ways to detect jailbreaks. So a new jailbreak will probably not be detected until a few weeks or months later when the app is updated.

Source: I used to work for a company that makes phone software that needs to be secure and so would attempt to detect jailbreaks.


> There are obvious security reasons for apps like banking apps to do this

This is obviously wrong. It's possible to do the same banking things using the bank's website both from general purpose PCs and browsers on phones for which jailbreak detection is not possible in the browser.

Jailbreak detection is done by testing for the presence of common things that allow the device owner to control the device. The device owner controlling the device is not a problem for banking. Meanwhile a malicious third party wouldn't inherently need to make use of any of those and would have strong incentives to avoid using any that trigger jailbreak detection, so it's no help there either.

And for the same reason it's basically useless for detecting cheating. Because if you jailbreak your phone so you can install some apps from outside the store and then it breaks your games, you might grumble and decide you want to play the game more. But if you jailbreak your phone because you want to cheat at games, your next step is to thwart the jailbreak detection, which is not that hard when you have the game software to inspect to see how it's doing jailbreak detection. And you can also tell when the app is updated and then run the new version on a test machine to see how the new version is doing jailbreak detection.

It's hostile and a waste of time to do this when you're going to lose anyway. You only inconvenience the people who jailbreak their phones for completely unrelated reasons.


If banks could secure their web portals to the same degree as their mobile apps, they absolutely would. “Portal A (web) can't be as secure as Portal B (mobile), so don’t bother securing Portal B” isn’t an acceptable security model. The banks are naturally going to reduce their vectors of attack to the greatest degree possible, and that naturally means that some access points will be more secure than others.


> “Portal A (web) cant be as secure as Portal B (mobile), so don’t bother securing Portal B” isn’t an acceptable security model.

Which isn't the case here. A device controlled by the owner isn't less secure than one that isn't. It's only a device controlled by an attacker that is. But "jailbreak detection" only detects the former (when it even detects that) and not the latter.

The fact that you can do banking on the web only proves that banks admit that you don't need a device the owner doesn't control in order to do banking.


“A device controlled by the owner” is one way of putting it. “A device capable of installing unverified software with an increased potential to introduce security vulnerabilities into the OS” is another.


> “A device capable of installing unverified software with an increased potential to introduce security vulnerabilities into the OS” is another.

The jailbreak community is usually quick in introducing patches for security vulnerabilities.

The most recent Mail bug [1] had a patch released 29 days ago [2]. Apple only introduced a fix in a 13.4.5 beta, and it's unsure if the same fix was put into 13.5 [3].

Admittedly, it'll be even better if the community strongly encouraged the installation of such tweaks in Cydia et al.

[1] https://blog.zecops.com/vulnerabilities/youve-got-0-click-ma...

[2] https://www.reddit.com/r/jailbreak/comments/g7eujh/release_m...

[3] https://support.apple.com/en-us/HT210393#135


Clearly the fact that you can jailbreak a device really means that the non-jailbroken one wasn’t really preventing the installation of software that abuses vulnerabilities in the OS…


I am not sure where you come from, but around Europe banks are the worst when it comes to security audits, and they don’t give a damn about it.

From trying to roll their own crypto, to still using legacy SSL to support IE6... everything is shitty.

Even when they are forced by law [1] to integrate modern 2FA, they find ways to implement it in a shitty, proprietary way.

PSD2 has been required since September 2019 and every single bank rolled it out in August and waited until the very last moment.

I mean, a photoTAN device with a 120x120 camera resolution? Seriously, what is this? 1999? Why not use RFC 4226 or RFC 6238 [2] [3]?

[1] https://ec.europa.eu/info/law/payment-services-psd-2-directi...

[2] https://tools.ietf.org/html/

[3] https://tools.ietf.org/html/rfc6238


Europe's banking is pretty diverse. Some countries have very competitive, modern and innovative banking markets.


Banks are usually following the currently "supported" versions. At least the big ones that are all compliance based nowadays.

Windows XP and IE6 have been out of support for quite a while. They've long been dropped in favor of Windows 7 (LTS support until 2023) and 10 more recently, which comes with Internet Explorer 10 or 11.

SSL would be quite a bit easier to keep up-to-date if Microsoft actually upgraded their operating system and applications to support TLS 1.2 by default, which they don't for retro compatibility reasons.

For reference, working at JP Morgan, I can tell you that the company has dropped support for Internet Explorer entirely. Half of the existing internal apps don't even load on IE. Would be nice of vendors to stop wasting their time praising IE support as a feature.


> They've long been dropped in favor of windows 7 (LTS support until 2023)

Windows 8.1 has support until 2023. Windows 7 support has been over since January 14, 2020. https://support.microsoft.com/en-au/help/13853/windows-lifec...


There’s extended support to 2023 through a paid support program.


> I mean, a photoTAN device with a 120x120 camera resolution? Seriously, what is this? 1999? Why not use RFC 4226 or RFC 6238 [2] [3]?

TOTP (RFC 6238) or HOTP (RFC 4226) are less secure than photoTAN/chipTAN because they are phishable, as in you can think you authorize a 30€ transfer for an internet purchase while in reality it's a 30000€ transfer to some bad people. photoTAN/chipTAN on the other hand are challenge-response based and send data about the transaction to the second factor device so that you can verify it before confirming.
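The difference this comment draws between a plain one-time code and a code bound to the transaction can be shown concretely. The following is an added example, not code from the thread or from any bank or TAN vendor: it implements HOTP (RFC 4226) and TOTP (RFC 6238) per the RFCs, and next to them a constructed transaction-bound code in which the MAC also covers the amount and recipient the second-factor device displayed. The binding scheme, the secret, the IBANs and the amounts are constructed for illustration and are not the photoTAN/chipTAN wire format, which the thread does not describe. The simulated bank check then shows why a relayed OTP authorises whatever the bank received, while the bound code only authorises what the user saw.

```python
import hashlib
import hmac
import struct

# RFC 4226 Appendix D test secret (ASCII "12345678901234567890"), used so the
# HOTP output can be checked against the published test vectors.
RFC4226_SECRET = b"12345678901234567890"


def dynamic_truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 section 5.3: take 4 bytes at offset = low nibble of the last
    MAC byte, clear the top bit, reduce mod 10^digits, zero-pad."""
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    return dynamic_truncate(mac, digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret, unix_time // step, digits)


def transaction_code(secret: bytes, counter: int, amount_cents: int,
                     iban: str, digits: int = 6) -> str:
    """Constructed transaction-bound code (illustration only): the MAC covers
    the counter AND the transaction details the second-factor device showed
    the user, so a code for one transaction is useless for another."""
    msg = struct.pack(">Q", counter) + f"{amount_cents}|{iban}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return dynamic_truncate(mac, digits)


def bank_verify_plain(secret: bytes, counter: int, submitted_code: str) -> bool:
    """Server-side check for a plain HOTP. Nothing ties the code to the
    amount or recipient the bank actually received."""
    return hmac.compare_digest(hotp(secret, counter), submitted_code)


def bank_verify_bound(secret: bytes, counter: int, amount_cents: int,
                      iban: str, submitted_code: str) -> bool:
    """Server-side check for the bound code, recomputed over the transaction
    the bank received, not the one the user believes they approved."""
    expected = transaction_code(secret, counter, amount_cents, iban)
    return hmac.compare_digest(expected, submitted_code)


def phishing_demo(secret: bytes = RFC4226_SECRET, counter: int = 7) -> dict:
    """Constructed scenario: the user means to approve a 30.00 EUR transfer,
    but a man-in-the-middle forwards a 30,000.00 EUR transfer to another IBAN."""
    intended = (3000, "DE00000000000000000001")     # constructed sample values
    tampered = (3000000, "DE00000000000000000002")  # constructed sample values

    # Plain OTP: the user reads the code off the device and types it into the
    # phishing page; the relayed code is valid for the tampered transaction.
    user_otp = hotp(secret, counter)
    plain_accepts_tampered = bank_verify_plain(secret, counter, user_otp)

    # Bound code: the device computed it over the transaction it displayed
    # (the intended one), so it does not verify against the tampered one.
    user_bound = transaction_code(secret, counter, *intended)
    bound_accepts_intended = bank_verify_bound(secret, counter, *intended, user_bound)
    bound_accepts_tampered = bank_verify_bound(secret, counter, *tampered, user_bound)

    return {
        "plain_otp_accepts_tampered": plain_accepts_tampered,
        "bound_code_accepts_intended": bound_accepts_intended,
        "bound_code_accepts_tampered": bound_accepts_tampered,
    }


if __name__ == "__main__":
    print("HOTP counter 0:", hotp(RFC4226_SECRET, 0))
    for name, outcome in phishing_demo().items():
        print(f"{name}: {outcome}")
```

The binding only helps if the device shows the user the amount and recipient it is signing over and the user actually reads them; the thread's later comments about whether specific generator devices verify or merely display those fields are a separate question from the construction shown here.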


> photoTAN/chipTAN on the other hand are challenge-response based and send data about the transaction to the second factor device so that you can verify it before confirming.

Actually, this statement is not true, as those transactions and their payloads are not cryptographically signed and neither are they verified anyhow [1] [2]. Attackers or malicious activities on Android can easily modify the payload and still have a valid transaction for the end-user; showing up the wrong IBAN, wrong amount and wrong recipient. This applies to both the official banking apps and the photoTAN generator devices that Cronto is (re-)selling.

Note that the research was made public and reposted/printed in a _lot_ of newspapers in 2016. And of course, nothing got improved.

If you search the web for Uni Erlangen (FAU) and the "crypto" analysis, you'll find out that Cronto / CrontoSign is the software supplier for pretty much every major bank.

And yes, it's patented, and yes, other frameworks got taken down on GitHub for copyright infringements when they tried to reverse engineer it.

The only open implementation of the HBCI 2.2 / FinTS 3 [3] standard that I personally know of that hasn't been taken down already is libfintx [4].

[1] (German) https://www.fau.de/2016/10/header/phototan-banking-nicht-sic...

[2] https://faui1-files.cs.fau.de/filepool/projects/matrix-code/...

[3] https://www.hbci-zka.de/

[4] https://github.com/mrklintscher/libfintx


> those transactions and their payloads are not cryptographically signed and neither are they verified anyhow [1] [2]

Your linked sources [1] and [2] don't really cover that topic. They mainly cover the use of Android apps and highlight the danger that the Android devices might be hacked, recommending use of dedicated devices. From [2]:

> Last but not least, please note that the photoTAN procedure is not only available as a smartphone app but also as dedicated hardware (Cronto, 2011). Naturally, our statements about the security features of app-based authentication cannot be transferred to the photoTAN hardware device. Quite the contrary, a dedicated photoTAN device — available for all three analyzed banks — offers excellent security properties largely similar to those of chipTAN.

But this wasn't your point. It might very well be that the transaction data is not verified by the generator devices and only displayed, but your sources don't state it.


related: bank fraud detection might be port-scanning your local network. https://www.theregister.co.uk/2018/08/07/halifax_bank_ports_...


> It's possible to do the same banking things using the bank's website both from general purpose PCs and browsers...

In my experience, this is not always the case. Some banks treat their mobile devices as more secure than the website. For example, some actions would prompt an SMS MFA (I know, I know) if initiated from the website, but go right through if initiated from the app. It makes some sense, as on the app, they have access to things like location which they can use to make a better assessment on whether a request is fraudulent.


On a related note, the finance-related apps on my phone all offer me the option to sign in with a fingerprint sensor. Arguably you have two forms of authentication there: the presence of the physical device itself (using the secure element or whatever it is), as well as the biometric identifier (fingerprint scanner).

Neither of those are present when logging into your bank from its website, and I would also suspect that jailbreaking a phone significantly reduces the trust you can have in either.

Also, from a bank's perspective, all they care about is reducing their liability, without inconveniencing too many customers. In that context, it makes a lot of sense for banks to disallow their products from being used on jailbroken phones.


That's not actually letting you do something different. You can still do the thing on the website, it just requires SMS.

It implies they should at most only require SMS to use the app on a jailbroken phone. Or, you know, stop doing that entirely, since SMS-based authentication is horrifyingly insecure. It's literally less secure than email, and that's a pretty low bar. People should really stop using it.

Also, phones have no real way of authenticating their current location, so assuming that what the phone tells you is secure against intentional fraud is a pretty bad idea to begin with.


> It's hostile and a waste of time to do this when you're going to lose anyway. You only inconvenience the people who jailbreak their phones for completely unrelated reasons.

I'm pretty sure jailbreaking is bad for developers who want to sell nice, simple, pay up front no surveillance software, because that is primarily threatened by the very piracy jailbreaking enables.

You might imagine jailbreaking is all about giving people control or whatever. Ultimately it just means, due to piracy, that the only people that are allowed to make money off software is Google and Facebook, through ads, or other companies, which just routinely abuse the spirit of open source to monetize other people's work.

Unless you're of the frankly radical opinion that anything that costs money is bad, and everything that is free is automatically better, and that the whole app ecosystem, that pays out like billions a year to actual, bonafide human beings writing software, could be instead totally supplanted by free websites. Then of course what I'm saying makes no sense.


> all about giving people control or whatever

Yeah, whatever. Who wants to have control over their device anyway? Much better if Apple gets to decide what I do with my iDevice. Not sure why Microsoft hasn't started the same approach, at least Linux distributions discourage people from installing software outside of the repositories, but there is much work left to be done in actually making that impossible. At least the latest innovations in home computing, smart speakers, don't allow you to run anything at all other than what the makers intended. It's great for privacy if you can't do insecure things.

...

Privacy and control really are much more synonymous than at odds with each other. Sure, allowing someone to shoot themselves in the foot is something you'll want to minimize happening, but if they can't shoot themselves in the foot when they really try very hard, then how much control do they have over their private life really?

> jailbreaking is bad for developers who want to sell nice, simple, pay up front no surveillance software

I fail to see how this is explained by the "because" that comes after it. It just makes zero sense: why would a user taking control be bad for the developers if they don't want to surveil your device anyway? They already have the money up front, as you say. Wouldn't it make more sense to expect something to be mine after I paid for it up front?

> Unless you're of the frankly radical opinion that [something exaggerated to the point where it's clearly illogical]. Then of course what I'm saying makes no sense.

I'm not sure what you're trying to say here. Anyone who disagrees must be of this weird opinion and there can be no other viewpoints: either you're with you or you're illogical and "radical"?


If you’re someone who needs total control over your device then why are you buying an iPhone? Jailbreaks get patched in OS releases so it’s only a matter of time before you lose control again. If you really care about control why wouldn’t you buy an Android phone and flash a custom ROM on it?


> then why are you buying an iPhone

Heh, I suppose you've got me there: I indeed don't buy devices that don't allow taking control by design. But I know there are a lot of people that like other parts of the iOS ecosystem (apps are often more polished; they might be more used to the OS; etc.) and would prefer to keep those while still having their four freedoms on the device.


Game piracy requires exactly one jailbroken device, and that’s just because nobody has publicly cracked FairPlay yet so the easiest way to pirate a game is to just dump it from RAM once it’s been loaded and is available completely decrypted (thus necessitating the jailbreak). After that point, anyone can pirate that app, jailbroken or not.


> This is obviously wrong. It's possible to do the same banking things using the bank's website both from general purpose PCs and browsers on phones for which jailbreak detection is not possible in the browser.

That's quite a bold statement, and also not correct in my experience. Take for example NFC payments. Both Apple and Google will disable the mobile wallet if they detect that the phone has been rooted / jailbroken.


> Take for example NFC payments. Both Apple and Google will disable the mobile wallet if they detect that the phone has been rooted / jailbroken.

Both Apple and Google have a conflict of interest there, so that proves nothing about the security and everything about their perverse incentives.

How does it even make sense? It's safe for me to use the website from a jailbroken phone to transfer thousands of dollars to the account of a foreign national but not safe to use a jailbroken phone to pay $3 for a cup of coffee in a restaurant I'm physically standing in?


I remember reading that card transactions have different cost aspects for the parties involved depending on if the card is actually physically present at the time of purchase. And iirc Apple managed to convince the banking sector that Apple Pay is equivalent to chip card security, so that they get better rates.

According to reddit, Apple Pay works on jailbroken devices, but still, something like this might be at play in all the other similar scenarios.


> According to reddit, Apple Pay works on jailbroken devices, but still, something like this might be at play in all the other similar scenarios.

I can confirm that Apple Pay works on my jailbroken devices, and as far as I can tell, no jailbreak has managed to affect the Secure Enclave.


> And iirc Apple managed to convince the banking sector that Apple Pay is equivalent to chip card security, so that they get better rates.

As far as I'm aware that's because Apple actually have a hardware-backed implementation so tokens (or signatures or whatever, I honestly have no idea what they're called for NFC payments) are generated on the iPhone itself. Google on the other side just keeps a few tokens on the Android device, but they are actually pre-generated on Google servers.


Interesting. In NZ about 5-10% of places seem to disable contactless payments in an effort to cut costs (most corner shops), while chip+pin works for as little as $1 payment.


Think about it more from the perspective of a jailbroken device being used as a wallet for "cloned" virtual credit cards, transit cards etc. and then using those on NFC readers.

It's not possible right now AFAIK but that doesn't mean it might not be possible later.

The main point I'm trying to make though is that mobile devices support NFC payments with virtual cards in wallets that are protected by Apple/Google. That's not a use case that is supported on regular PCs, so it's not unreasonable that the security requirements are different.


> Think about it more from the perspective of a jailbroken device being used as a wallet for "cloned" virtual credit cards, transit cards etc. and then using those on NFC readers.

Any reasonable system (i.e. one using public key cryptography) does not allow the attacker to "clone" your virtual cards at all, because they don't have your private key, which never leaves your device. And if they've compromised your device (not their own) sufficiently to extract your private key then the game is over and you've already lost.

Once they have the private key they don't need a jailbroken phone running the official app, they can just speak the NFC protocol directly to the reader and sign with the victim's private key.

> The main point I'm trying to make though is that mobile devices support NFC payments with virtual cards in wallets that are protected by Apple/Google. That's not a use case that is supported on regular PCs, so it's not unreasonable that the security requirements are different.

The difference is that the security requirements should be lower, since it's only used for in-person purchases. Even if the attacker somehow has your private key, to use NFC they would have to show up in person, smile for all the surveillance cameras and risk getting arrested on the spot if the card has already been reported stolen.


I'm more referring to an attacker cloning their own cards, not someone else's. Some smartcard systems assume that the state of the card is the source of truth, and not anything on the server. In that case you don't want people cloning their own cards and then using those to hop on the subway.

I don't see the argument for why security requirements should be lower in that case. Security cameras are not always present and getting arrested "on the spot" for a virtual card theft seems unlikely given the nature of the crime (it seems doubtful police forces would have officers standing by for this purpose that are able to both detect and react quickly enough).


Pretty much the only thing I use my banking app for is for making purchases using my phone.

(something not done with a laptop)

There is no spending limit. Protection is important.

You're making a poor argument based on nothing more than a loose generalization.


General purpose PCs have a security model that takes into account that the end user has root access to the machine. OSes typically have methods to detect/mitigate exploits.

A jail broken/rooted device may not have the same protections since jail breaking is typically circumventing that sort of threat protection.


> A jail broken/rooted device may not have the same protections since jail breaking is typically circumventing that sort of threat protection.

So your argument is that walled garden devices are less secure assuming there exist methods to convert it into a general purpose computer, which they empirically do.

Shouldn't this be an argument for such devices to be less trusted? After all, you can't always tell when this has happened (so you better assume it has), whereas as you say the devices designed to be operated under that threat model would then be more secure.


That’s not my argument. All I’m saying is that a bank has good reason to be concerned about a phone being jail broken/rooted.

I absolutely agree that a user, as the owner of the phone, should be able to do this, especially in a safe and official manner. Right now it’s all or nothing and that is a problem.


> A jail broken/rooted device may not have the same protections since jail breaking is typically circumventing that sort of threat protection.

If it was jail-breakable, that security was never there in the first place.


Jail breaking is a deliberate and involved process, in some cases something that the manufacturer even allows for.

It’s not really the same as a random piece of JavaScript on a webpage jail breaking your phone. I think having a rootable device doesn’t inherently mean your device is insecure.


> It’s not really the same as a random piece of JavaScript on a webpage jail breaking your phone. I think having a rootable device doesn’t inherently mean your device is insecure.

Heh this was actually the case for a couple of Safari-based jailbreaks, all the way up to 9.3.4: https://en.wikipedia.org/wiki/JailbreakMe


You are the one who jail-breaks the phone, but now third party apps you install can have much more unprotected access and you cannot be certain what they are doing behind your back.


With all of the malware and ransomware that is constantly bringing down governments and organizations, the “security model” isn’t working.

Would you do banking on a random computer?


> With all of the malware and ransomware that is constantly bringing down governments and organizations, the “security model” isn’t working.

The three largest ransomware vectors are people leaving RDP exposed to the internet, phishing emails to get login credentials that are then used to gain access to internal systems, and vulnerabilities in existing software. None of those requires the user to install third party malicious software.

> Would you do banking on a random computer?

Would you do banking on a random iPhone? I wouldn't. There have been more than enough vulnerabilities that you have no way to know if it has already been compromised.


Citations?


I assume you're asking for the ransomware thing since the article this discussion is attached to describes several iOS vulnerabilities.

https://www.digitaldefense.com/blog/top-3-attack-vectors-ran...


Initially, the thesis was that ransomware doesn’t come from installing software that has unfettered access to the file system and that it comes from RDP. As far as I know RDP is not enabled by default on consumer PCs.

I just searched for “ransomware” on Google.

MalwareBytes

“One of the most common methods today is through malicious spam, or malspam, which is unsolicited email that is used to deliver malware. The email might include booby-trapped attachments, such as PDFs or Word documents. It might also contain links to malicious websites.”

PCs and Macs are “insecure by design”. Anything that the user runs has full access to the user's files and applications - without administrator access. How could this possibly be more secure than your typical iOS device? We have over 30 years of evidence of what happens when the typical user is able to install software that has free rein on their computer.

“Malvertising often uses an infected iframe, or invisible webpage element, to do its work. The iframe redirects to an exploit landing page, and malicious code attacks the system from the landing page via exploit kit. All this happens without the user’s knowledge, which is why it’s often referred to as a drive-by-download.”

The browser is also another application that is not sandboxed on personal computers. Any security vulnerability in the browser leaves the computer vulnerable.

Notice that most if not all mobile ransomware affects Android devices?

https://blog.malwarebytes.com/threats/mobile-ransomware/


> phone software that needs to be secure and so would attempt to detect jailbreaks

Ah, yes, the same kind of software that forbids pasting passwords, because, security.

Although, to be fair, I must admit, the comparison is not entirely accurate. It is true that it makes some sense. I don't know about iOS jailbreaks, but on Android an application may request superuser privileges. Given that a significant fraction of users do tend to grant arbitrary permissions to see the flying pigs (numerous Android flashlight apps are a good example), I can see how this could be a problem. I believe I've heard of malware that does this.

That's why my latest Android phones haven't had user-facing root access or Xposed. The idea was that there was nothing installable/programmable (that I could grant by fat-fingering or someone could borrow/steal my phone and exploit the elevated capabilities) - just a custom-built firmware with everything I needed. I haven't yet felt a particular necessity to jailbreak my iPhone (although apps get worse every year so I may eventually consider it), so no experience in that regard.


> a significant fraction of users do tend to grant arbitrary permissions [...] That's why my latest Android phones haven't had user-facing root access or Xposed

Wait, you're worried you'll give something root without noticing? I can understand if you're worried about your mom doing that if you rooted her phone, but yourself?

(About rooting one's mom's phone, anecdotally I wish I had done that. She keeps getting notifications from Sony, the manufacturer, and things are just not customizable to suit her. When my grandma got a new smartphone a bit more recently, I rooted hers and then just set the supersu default to deny so she'd never get the prompt, and she's much happier with her phone. I've been considering rooting my mom's but the device wipe is such a pain, especially since you can't do app data backups without root (another reason to root: make actual backups). Android really needs an Apple iTunes-like backup system.)


Not without noticing, but accidentally fat-fingering the “allow” button.

TBH, I just didn’t need root access “on the go” - so, when I’ve decided I wanted to build my own image, I just haven’t found a reason/use case to include it. I had the full flash backups, an adblocker, a patch for clipboard read permission and a few UI customizations. And ability to add more stuff. That was all I needed.

A shame I had no control over bootloader and wasn’t able to truly lock down the device to my own signing keys.


I'm not addressing this comment so much as the "there's no reason banks should do this" replies to it.

Detecting root and jailbreaks isn't something developers do just to prevent power-users from using their devices, or because they think power-users are shooting their security in the foot, it's about stopping malicious actors from attacking regular users.

For example a piece of malware could achieve root and use it to read sensitive data from memory and log the user's inputs, including passwords and PIN codes. Malware has achieved root in the past, see the CopyCat malware on Android from a few years ago.

This also applies to features like Secure Boot. It's not just there to make power-users' lives harder. Without it, a malicious party could, for example, buy a bunch of smartphones retail, flash them with a malicious ROM, sell them at a loss, then recover the loss by stealing money using the victims' information.

These things also just break the security model of the platform they're on. It's hard to write a secure application when all the building blocks you're using could collapse at any time. Imagine writing a secure messaging app where someone could just replace all your crypto primitives. Wouldn't be easy, would it?


This is of course the answer to why they're doing it: banks have no interest in making power users' lives harder, they just care about lining their pockets like every other business.

But we do have to wonder if the upsides outweigh the downsides. Someone surreptitiously stealing and replacing a smartphone to install malware on it can happen, but will that ever be common? Someone could also surreptitiously install malware on a laptop, but I don't hear of that happening a lot. I don't know of any banking trojan that is typically installed via physical access.

Do we want a world where people have no real ownership over their device anymore for this attack vector that has existed since day one but is rarely abused in the sort of attack that we're trying to prevent, or do we prefer a maker community to be able to exist? For example, F-Droid could not exist without Android allowing people to install software without needing Google's approval. A large part of the open source Android software is there and it's already fairly small due to the limitations that Android already put in place (F-Droid is large enough that I can replace nearly any apps with an open source alternative, but it's nothing like the community behind a Linux distribution).

It's also not just banks. Indeed, banks might not care about restricting users other than as a means to minimize risk, but Google certainly has an advantage if everything has to go through them. And I understand the developers agreeing to code it up: they're not evil people, they are themselves and they know they and their colleagues aren't evil. Of course they would allow any reasonable app in the app/play/whatever store and people can enjoy the platform without worry. I see their perspective, but there's a bit more to it than that ideal.


> Imagine writing a secure messaging app where someone could just replace all your crypto primitives. Wouldn't be easy, would it?

It’s kind of impossible, is it not? Why try futile efforts to “detect” this?


Theoretically, yes, it's impossible to detect this perfectly when the attacker can do whatever they want to your code and memory.

Practically though, it's exactly as we see here: a kind of arms race or cat and mouse game where the attackers circumvent the detection and the detection evades the circumvention.

So no, I don't think it's futile.


They're not detecting the thing malware does, they're detecting the thing ordinary users do when they want control over their phones. Malware is different code so it has a different signature -- purposefully, because it has a strong incentive to not have these naive jailbreak detection methods work against it.

So all they're doing is detecting false positives from innocent people and zero instances of real malware.


Why would that be impossible for malware with root privileges?


Impossible to detect.


Any app that refuses to run because I'm Jailbroken isn't worth my time. Full stop.

(If there's an app that's truly essential for you, I'm sorry, that's a shame. But I haven't encountered that in my many years of using Jailbroken iPhones.)


I agree. I have had rooted Androids ever since I bought my first smartphone. I have never had an app refuse to load, but that would piss me off. I want root access to my phone just like every other computer that I own. The root user is literally the owner of the device. If you don't have root access you don't own it as far as I'm concerned.


There isn't really enough that is appealing about jailbreaking iOS at this point that I would forgo 50% of my banking apps for it.


You wouldn’t have to. I haven’t come across any app that doesn’t work with a jailbreak hider app.


I've come across a bunch. Generally there is a workaround, but I don't want to spend hours trying 3 different "jailbreak hiders" and finding a version of the app I can downgrade to using AppStore+ in order to use it normally.

And since these are all tethered jailbreaks, I don't want to completely re-install a banking app that locks itself up after I open it in unjailbroken mode (so the hider isn't working, but their jailbreak detection still does) after my phone dies and I forgot to re-jailbreak it.


Can you name a few that Liberty doesn’t get around?

They aren’t tethered completely. More semi-tethered. I haven’t reconnected any device to a computer to re-jailbreak in many months. Most devices can use unc0ver. In which case you have to be un-jailbroken for close to 7 days in a row for ReProvision to not renew unc0ver.

So that issue is a pretty big rarity.


Pretty late, came to this post from the post on the exploit unc0ver uses being patched, but Liberty does not work with the app "NemID", which is sort of a 2FA for all banking and public service apps in Denmark. Have yet to find a JB hider that does, and so had to un-jailbreak.


Yeah. I think I ran into an app too. It is Square Cash.app. Otherwise I don’t get why it still works with the debit card they give you but I can’t use the app any more. I was able to downgrade it because of jailbreak and use it again. However at some point they’ll likely force me to update.


> The biggest downside is that you might find some existing apps on your phone can detect that the phone is jailbroken and refuse to start.

If you are truly root, and the apps are not, then it's theoretically always possible to give them "the reality they want to see".


And indeed there is a cottage industry of “jailbreak hider” tools available for exactly this.


> Having said that, unless there's something specific you're looking for, it's not really worth the effort these days and has potential downsides.

> The biggest downside is that you might find some existing apps on your phone can detect that the phone is jailbroken and refuse to start.

So the biggest downside is a problem completely caused by humans on purpose?

> There are obvious security reasons for apps like banking apps to do this but also many online gaming apps won't run if they detect that the device is jailbroken in order to deter cheating.

The gaming thing is irrelevant to me. I'm not going to sacrifice actually owning my device so that I can play games. As for banking it only matters if you lose your phone (if it's not encrypted) or if you give root access to a malicious piece of software. But even then, why should it matter? Your banking app should still be secure, but it allows the developers to be lazier. You can also log into your banking site through a web portal on your phone anyway even if you have root access so it's completely arbitrary to disallow access to an app on your phone. And the fact that it's checking for that anyway creeps me out.

Why is it that everyone has root/administrator access to their PCs but they are perfectly fine with using another computer that happens to be portable and not have root access? You supposedly own your phone, but if you don't have root access to it, I don't consider that as ownership. Whoever has root access to your phone owns it.

> There's an ongoing arms-race between app developers and jailbreakers where jailbreakers try to avoid detection and app developers find new ways to detect jailbreaks. So a new jailbreak will probably not be detected until a few weeks or months later when the app is updated.

That's great. A pointless arms race that's a waste of people's time. I'm glad the developments in a real Linux phone are picking up. I'd rather be in full control of the software that runs on my device instead of relying on some corporate overlords babysitting me.


> Why is it that everyone has root/administrator access to their PCs but they are perfectly fine with using another computer that happens to be portable and not have root access? You supposedly own your phone, but if you don't have root access to it, I don't consider that as ownership. Whoever has root access to your phone owns it.

How has that been working out for the last 20+ years for the average consumer? How much more careful are you about installing random crap on your computer compared to your typical iOS device?


> There are obvious security reasons for apps like banking apps to do this

There are exactly zero reasons why a bank should be doing this and I would be quite pleased if Apple instituted rules against doing this kind of fingerprinting.


That is not true at all. If an iOS device is jailbroken the bank has to assume the worst, which is that the device is compromised and has malware.

I don’t blame them, they’re mitigating another potential risk. Malware that’s essentially a rootkit could send your bank login details to a malicious third party in realtime, for example. 2FA codes and all.

Also remember there are lots of people out there that aren’t as tech savvy as the HN readership. A random person that just wants some springboard tweaks or similar may not verify where these tweaks came from & not understand the consequences of installing essentially untrusted software.


> If an iOS device is jailbroken the bank has to assume the worst, which is that the device is compromised and has malware.

This is 100x worse in browsers on desktops, where the percentage of people who install things like browser extensions or persistent malware is non-negligible. Yet banks largely accept that as OK, and if someone’s bank’s website decided to probe the filesystem for “evidence” of malware, it would 1. cause a huge scandal and 2. immediately cause malware to hide itself from the detection.


Is there a way to temporarily disable the jailbreak, then open/use the banking app, then re-enable jailbreak? Even if it required a reboot I'd be okay with it.


The short answer is sometimes yes sometimes no. Some jailbreaking detection works by attempting things that wouldn't succeed on a non-jailbroken device and some detection works by looking for signs of specific jailbreaks. It's a real cat-and-mouse game.
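As an added example, not code from the page or from any of the commenters, here is what the two detection styles in the comment above look like from the app developer's side, in C: one set of probes tries things stock iOS forbids (writing outside the app container, fork()), the other looks for artifacts left by specific jailbreak tooling. The artifact paths and the scratch path are illustrative assumptions, the probes only mean anything on an iOS device, and a hider tool that filters these lookups defeats the artifact style entirely, which is the cat-and-mouse the comment describes.

```c
#include <stddef.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Result of one detection pass. */
typedef struct {
    int artifacts_found;  /* style 2: how many known artifact paths exist */
    int escaped_sandbox;  /* style 1: 1 if a write outside the container succeeded */
    int could_fork;       /* style 1: 1 if fork() succeeded (sandboxed iOS apps cannot) */
} probe_result;

/* Style 2: look for files left behind by specific jailbreak tooling.
 * Returns how many of the given paths exist. Cheap, but trivially
 * defeated by a "jailbreak hider" that filters these lookups. */
int probe_artifact_paths(const char *const *paths, size_t n) {
    struct stat st;
    int found = 0;
    for (size_t i = 0; i < n; i++) {
        if (stat(paths[i], &st) == 0) {
            found++;
        }
    }
    return found;
}

/* Style 1: attempt something stock iOS forbids: creating a file outside
 * the app's own container. Returns 1 if the write succeeded, 0 otherwise.
 * The probe file is removed again so the check leaves nothing behind. */
int probe_write_outside_sandbox(const char *path) {
    FILE *f = fopen(path, "w");
    if (f == NULL) {
        return 0;
    }
    fputs("probe\n", f);
    fclose(f);
    unlink(path);
    return 1;
}

/* Style 1: sandboxed iOS apps cannot fork(); a child that actually runs
 * means that restriction is gone. Returns 1 if fork() succeeded. */
int probe_fork(void) {
    pid_t pid = fork();
    if (pid < 0) {
        return 0;
    }
    if (pid == 0) {
        _exit(0);  /* child: exit immediately, do nothing else */
    }
    waitpid(pid, NULL, 0);
    return 1;
}

probe_result run_probes(const char *const *artifact_paths, size_t n,
                        const char *scratch_path) {
    probe_result r;
    r.artifacts_found = probe_artifact_paths(artifact_paths, n);
    r.escaped_sandbox = probe_write_outside_sandbox(scratch_path);
    r.could_fork = probe_fork();
    return r;
}

/* Any positive probe is treated as "jailbroken". Note what this really
 * measures: whether the device owner has control, not whether malware is
 * present. On a desktop OS every style-1 probe succeeds. */
int is_likely_jailbroken(const probe_result *r) {
    return r->artifacts_found > 0 || r->escaped_sandbox || r->could_fork;
}

int main(void) {
    /* Illustrative artifact list (an assumption for this example); a real
     * list is maintained per jailbreak and is exactly what hiders target. */
    const char *const artifacts[] = {
        "/Applications/Cydia.app",
        "/Library/MobileSubstrate/MobileSubstrate.dylib",
        "/usr/sbin/sshd",
        "/var/lib/apt",
    };
    size_t n = sizeof artifacts / sizeof artifacts[0];
    /* Scratch path outside the app container (assumed value). */
    probe_result r = run_probes(artifacts, n, "/private/jb_probe.txt");
    printf("artifacts=%d sandbox_escape=%d fork=%d -> %s\n",
           r.artifacts_found, r.escaped_sandbox, r.could_fork,
           is_likely_jailbroken(&r) ? "likely jailbroken" : "stock");
    return 0;
}
```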


unc0ver isn't one, but a "rootless" jailbreak is usually undetectable. This one hasn't been updated with iOS 13 support but was popular for iOS 12: https://pangu8.com/jailbreak/rootless-jb/

I haven't used it myself, but two very similar kernel-level jailbreak detection bypasses were just released for unc0ver 13.x, FlyJB and KernBypass: https://github.com/akusio/KernBypass-Public

A couple of my banking apps detect my jailbreak but allow me to continue after hitting "Okay". The only app I ever wanted to use that refused to let me in was the Nintendo Switch Online app. Steam works fine. If you don't play games on your phone it isn't really a big deal imo.


“Rootless” Jailbreaks also severely limit what you can do, though.


Yep, never used one myself for that reason. I saw a lot of praise for it from Pokémon Go players though :)


Yep. checkra1n for iOS 13.1 requires that you re-jailbreak every time you reboot your phone. Takes like 5 minutes to do.

One of those cases where a bug really is a feature.


While the warning part is valid, it's a little bit strange to see this on a development-related website.

Regarding the detection and added security: this is security through obscurity, which has more downsides than the protection it provides, and that's without discussing the loss of privileges for the device owner.


There's a Jailbreak app called PermaFlex that I worked with a developer to get made about a year ago. It hasn't gotten a lot of attention, I suspect because it's not especially easy to wrap your head around.

But it allows you to do something magical—permanently hide just about any icon, button, or other UI element in just about any iOS app, all on your phone and without writing code. There are some caveats you should read about at the link below, but overall it works well!

I'm an interface minimalist. Mobile apps are so cluttered these days, and it feels so good to hide all the random crap I don't need.

https://www.reddit.com/r/jailbreak/comments/bfpso0/release_p...


That's ~95% of what I jailbreak for. Just getting rid of (or hiding) junk I don't want to see/be able to get to.

I'll look into this. Thanks!


Does anyone know if there's an android version of this?


This looks like it shouldn't be too hard to do on Android (in native apps, you'd have problems with Unity3D and Flutter apps) with Xposed, but I don't think there's an Xposed module that does specifically this.

It's a nice idea though and I hope someone with experience in it will take an interest in writing this.


Remind me what I get for jailbreaking these days? Long ago I wanted to tether, but can’t think of what I need today.


For me: system-wide speed-up of Apple's obscenely slow animations and access to stored WiFi passwords.

Also theming icons is lots of fun. A fresh coat of paint can make iOS feel exciting and new again.


This just makes you see the app quicker, but it's still unusable until it loads.

The animations are a clever way to hide loading delay from the end user.


Not every app needs that much time. Apple has done the equivalent of setting a 30mph speed limit on all roads.


The animation still plays even when the app is loaded and in the background. In that case it really does load instantly.


Wow. I've wanted both of those things so many times! I'm seriously interested now.


I disable the animations in accessibility. Is there a JB app that goes beyond that?


Yes. Reduced motion in accessibility still leaves you with a slow cross fade. With a jailbreak you can disable the animations entirely and apps will open instantly.


For me: I just want to be able to downgrade apps, if the app developer decides to break newer versions with "premium" features.


The removal of apps syncing and the removal of apps from iTunes have made this worse in the last few years. I get so frustrated by this often enough.

There’s a paid app called iMazing (look for sales before buying) that allows downloading apps from the App Store to a computer and also installing apps from the IPA files to the device. There may be some other paid apps too for this.


You can enable ECG on Apple Watch in non-approved countries.


I use it so I can have a full development environment natively on device. My iPad turned into a portable SSH or X server. Great for when I’m on the go, and I can even use my laptop to control it to avoid the bad keyboard and lack of mouse.


> X Server

This wouldn't require a jailbreak. There's nothing stopping anyone from making a no-compromises X11 server as a fully-sandboxed iOS App Store app.

> SSH server (i.e. POSIX environment)

There's technically no reason that this should require a jailbreak, either, though an implementation of this that conforms to App Store policies would work a bit differently than people would intuitively expect from e.g. Linux. Rather than going in and installing packages through a package-manager, any additional executable binaries you wanted would have to ship embedded into some code-signed App Store app, (i.e. put Apple's auditors in the path those binaries take to client devices.)

The obvious way to structure it would be to have one "base" app that sets up the skeleton of the POSIX environment and which also acts as a terminal emulator; and then have other apps that are installed to serve as "plugins" for the environment, adding their embedded binaries into the "base" environment (similar to how Xcode.app and Server.app integrate their utilities into macOS's $PATH—but in a Shared Container rather than in the host filesystem.)

Compiling things and running them doesn't seem to be restricted completely any more, either, given that Swift Playgrounds exists. (I think it's just custom runtime JITs that are disallowed. Seemingly, if you have a compiler that writes an executable to storage and then fork(2)+exec(2)s it into a new process running under your app, that's fine.)


There’s already iSH[1] that emulates an x86 Alpine Shell and UTM[2] which provides x86 emulation with a full GUI.

You can either join their TestFlight to install (until Apple takes it down), build and install yourself (good for 90 days and then you have to rebuild), or jailbreak and install with no hassle.

So, jailbreaking is definitely not necessary, but would be easier due to Apple's code signing policies.

[1] https://ish.app/

[2] https://getutm.app/


UTM is not available via TestFlight because it requires entitlements that cannot be used for apps submitted to Apple. UTM also does a lot more than just x86.


> good for 90 days and then you have to rebuild

s/90 days/1 year/ per:

https://getutm.app/install/


There's nothing stopping people except the time and effort required. For fontconfig and some other nice-to-have programs (X itself builds fine) you need to either patch them or modify the SDK you're building against to remove the compiler attributes. Apple won't allow the latter on the App Store, and the former would be a significant amount of work.

There are terminal emulators and X servers on the app store now, but the problem is the limitations of the sandbox and performance. Alpine and an X server can be run on Qemu, but performance is far better with the native server.

And, Swift Playgrounds is an Apple product. They don't hold themselves to the same limitations as 3rd party app developers.


> Compiling things and running them doesn't seem to be restricted completely any more, either, given that Swift Playgrounds exists. (I think it's just custom runtime JITs that are disallowed. Seemingly, if you have a compiler that writes an executable to storage and then fork(2)+exec(2)s it into a new process running under your app, that's fine.)

If this is allowed then anybody could blow a hole through the "walled garden" the size of an interstate highway just by providing a compiler that does this, which would allow arbitrary third parties to distribute their apps as source code anybody could compile and run. Somehow I suspect if you actually did this they would shut it down, otherwise why isn't everybody already doing it?

But if you can't then you hardly have anything like a POSIX environment, which is all about creating and running your own scripts and other code.


iOS apps cannot fork. (I have not tried to see if they can exec.)


You’re missing a major difference between jailbroken X/SSH server and sandboxed:

In jailbroken you don’t need the app open (or even the screen unlocked) in order to connect to it.


Swift Playgrounds are not something that a third party could publish to the app store.


This turned into way, way too big of a comment, but I'm on jailbroken iOS 13.3 right now and love it. It's not like the Old Days where tweaks often added huge new pieces of functionality, and that seems to make many people say jailbreaking is no longer worth it. For me it's more like a bunch of very small usability improvements that add up to make my phone much much more pleasant, polishing its usability to perfection. My favorite iOS 13 tweaks are, in no particular order:

- "powerlogHelperdFix": Listing this first because it's the only workaround I needed for a bug in the jailbreak, to fix the Battery stats Settings pane.

- "AlarmVolume": Custom (read: very loud) volume for my wake-up alarm, separate from the normal volume setting that I like to leave low or muted. Similar to how Android allows separate volume settings for calls / notifs / alarms: https://i.imgur.com/dV4URQT.jpg

- "Mega-Untrusted-Hosts-Blocker IPv4+IPv6": Adblocking hosts file for web content in all apps that works on mobile data or any random Wi-Fi network where you don't have an adblocking DNS server.

- "TwitterNoAds" + "AlwaysLatestTimelineTwitter": Blocking promoted tweets and forcing reverse-chronological feed (as opposed to algorithmically-sorted-feed) in the Twitter app.

- "AlwaysLow": Make my phone willing to always stay in Low Power Mode instead of turning LPM off once charged past 80%: https://i.imgur.com/wgn7Lj9.jpg

- "A-Font", "Noctis Neo", "ColorBadges", "iPadStatusBar13", "Cuboid": System UI customization. No real need; just to keep things fresh by changing up every once in a while. https://i.imgur.com/7Iy0gUs.jpg

Currently: https://i.imgur.com/1lbe3I2.jpg

- "Jellyfish": Customizable replacement for the standard lock screen. https://i.imgur.com/oQSaSl9.jpg

Currently: https://i.imgur.com/kQ0ITWC.jpg

- "Clean Home Screen" + "FDots": Hide tiny UI annoyances like the blue Recently-updated-app dots, the text reminding me that I have to unlock my phone to use it, the text reminding me of what the Notification Center is, etc: https://i.imgur.com/x34If3d.jpg

- "StopPlayin12'": Stops the Apple Music app from auto-playing any time a bluetooth device (like my car) reconnects to my phone. I usually use a third-party music app, but iOS only ever wants to start the built in player. I still have to go manually start the app I want, but at least I get to do it in silence: https://i.imgur.com/90JPuqa.jpg

- "System Sound Disabler": Truly disable excessive UI sound effects so I can leave my volume up and not have to hear them: https://i.imgur.com/nTOrgH1.jpg

- "AskBeforeCalling Too 13": Prevent accidental pocket-dials by adding a confirmation dialog to any action that would initiate a call/text/whatever: https://i.imgur.com/3vw5fkw.jpg

- "NoAutoStraighten", "NoDNDBanner", "NoLowPowerAlert", "NoMoreSuggestions", "NoMoreSkinToneSuggestions", "NoNCHeaderView", "NoYellowBattery", "AppStoreUpdatesTab13", "Ultrasound", etc: Lots of small single-purpose UI tweaks that often don't even need settings panes.

- "NoYTNo" + "Youtube Tools": Automatically dismiss the constant Youtube Premium upsells when you open the app, re-enable background playback support, block ads in Youtube videos, etc.

- "NXBoot": Jailbreak my exploitable Nintendo Switch with any boot code using Apple's USB3 Lightning Camera Adapter: https://i.imgur.com/pySTOVO.jpg

- "RealCC": Reverts the Control Center Wi-Fi/BT toggles to their pre-iOS-11 functionality of fully disabling the associated radios instead of merely disconnecting your WiFi until 3AM the next morning like it does now.

- "DNDMyRecording": Automatically enables Do Not Disturb mode when taking a screen recording so unwanted notifications don't end up in your video.

- "GoodWifi": Display saved passwords for known Wi-Fi networks, display base station MAC, display true signal values, etc: https://i.imgur.com/xSVLhFU.jpg

- "DLEasy": Video downloader for all social media apps, including Reddit-style DASH/HLS segmented videos: https://i.imgur.com/IU1ZFWf.jpg

- "CopyLyrics" + "YTCopyDescription": Allows you to copy the plain text from the lyrics pane in Apple Music or the description of a video in the YouTube app.

- "Keyboard Accio": Makes the 'Globe' button on the keyboard only switch between the first two keyboards in my list of enabled keyboards, so I can leave several enabled without making it a tedious process to get through them all back to QWERTY. The full list is still available via a long press.

- "iKeyWi 4": Total layout customization for the standard keyboard without having to replace it with a third-party keyboard. I keep the layout pretty much the same aside from adding a fifth row of keys up top for a permanent number row: https://i.imgur.com/OQ0ITve.jpg https://i.imgur.com/Nj2UMQ7.jpg

- "Filza" + "Safari Plus": A fully-fledged graphical file manager that makes a great pairing with a tweak that gives Safari a native download manager: https://i.imgur.com/IoWrHKn.jpg

I'm sure most (if not all) of these probably sound unnecessary to many people, but I love feeling in control of my own phone instead of the other way around :)


Thanks for the list. My favorite has to be mikoto by angelxwind. I will have to test it on 13.5.

https://cydia.akemi.ai/?page/net.angelxwind.mikoto

Another great one is Flex 3, which allows you to sort of disassemble functions of installed apps and patch the functionality. It even has a simple community sharing/cloud aspect to find cool patches for a selected installed app.

https://www.reddit.com/r/flextweak/comments/17z57c/mod_what_...

Old repo, but has description:

http://cydia.saurik.com/package/com.johncoates.flex3/

New repo:

http://getdelta.co/


Karen is great, but I've come to dislike and avoid "kitchen-sink" type bundles of tweaks like mikoto. I find it way more straightforward to back up and reinstall a "NoWhateverAnnoyance"-type single-use tweak that needs no settings, and it lets me avoid situations like when I first jailbroke iOS 11 and half of mikoto's features were broken on it.


I understand that. I think mikoto is fully configurable, with sensible defaults, so any feature can be disabled independently of others. Of course, there is something to be said for single purpose tools which I also like. That’s what I like about jailbreaking. It allows people to have a preference. Stock iOS is just not for power users.


Sorry to double post, but I'm past the edit time and should add that not all of these will be on the default handful of repositories that come stock in Cydia on a fresh jailbreak. You might have to search and find the correct repo to add before you can search and find the package to install. Many packages are hosted on large centralized repos like BigBoss or Packix but just as many are hosted on devs' personal repos.


Thanks for a few of these! You should try Choicy, which lets you prevent tweaks from loading in certain apps or daemons. Specifically, you can disable tweaks for the daemon "powerloghelperd" (which is what powerlogHelperdFix does), but it also becomes super useful to load certain apps without the Substitute engine. It adds a "launch without tweaks" option to the 3D Touch menu of each app!


Is there an alternate YouTube client like NewPipe on Android? I block ads everywhere on my iPhone with NextDNS, but YouTube does its own thing and I get 15–20 seconds of ads before most videos, which made me never watch YT videos on my phone.


I'm not aware of an alternative client like on Android, but there are two tweaks that can get you what you want:

- Youtube Tools from this repo: https://jpet26.yourepo.com/pack/youtubetools1

- Cercube from this repo: https://apt.alfhaily.me/depiction/FDXO5R

You will have to manually add either of these repos to your Sources list in Cydia. Try Youtube Tools first since it's free. I use Cercube myself, but I have a grandfathered account from when it was significantly cheaper and that's why I don't recommend it by default any more: https://old.reddit.com/r/jailbreak/comments/bsd9cy/question_...

Cercube does support downloading videos where Youtube Tools does not, but you can pair YTT with DLEasy to get feature parity for just a couple dollars instead of the full price of Cercube.



That's a great list!! I hadn't heard of half these tweaks, nor did I realize there were so many that work on iOS 13. Maybe it's time to jailbreak again!


Give it a shot! A complete restore ("Set up as new iPhone") will remove 100% of any trace of any jailbreak should you decide to go back to stock. Unfortunately restoring an iTunes/iCloud backup can restore files to a non-jailbroken phone that can trigger certain apps' jailbreak detection. I've never had a problem with that, but so I've read.


I just switched from android to iphone, and there are a couple things I miss. I wonder if they are possible with a jailbreak:

- one-click open a goo.gl/maps link in google maps (right now I need to click the link, then click open)

- copying text auto-opens a google translate bubble on the side I can use to view the translation (does not appear to be possible on iphone)

- change the default browser that opens from safari to chrome (right now I need to open it in safari, click share, select chrome, then hit "open in chrome". Those 4 clicks could be reduced to 1)


For any one-click action, look at Shortcuts. You can also add web links to the home screen. That is how the ft.com “app” worked for a while.

https://support.apple.com/en-us/HT208309


Speaking of Shortcuts, here’s a bunch to get started.

https://www.reddit.com/r/shortcuts/comments/9ha09t/comment/e...


> You can also add web links to the home screen

Bookmarks, great, I was wondering how to do that. A bit strange that it needs to visibly flick open the Shortcuts app first before proceeding to Chrome.


The default browser (or default app) setting has been rumored to be coming in iOS 14, which is set to have public beta releases starting in July (after WWDC in the end of June).


- goo.gl/maps

I don't think I ever encounter those in my world, and always end up in google maps exclusively. I'm not saying you should change your behavior, but I bet the conveniences you look for exist in a different funnel that you might find just as fun.

- copying text auto-opens a google translate bubble

That's kind of cool; there might be an additional keyboard you can install that gets you the same result? But yes, to translate I typically just have the Google Translate app open in the background and quickly swap over to it.


I get maps.app.goo.gl shares from friends about where to meet up.

For the translate bubble, maybe there's a shortcut, I don't know. If anyone knows of a way to do this, please let me know.


I don't know if jailbreaking would solve this, but if iPads could have multiple users I'd have bought one by now. Since schools and now businesses have this option it's probably possible.


This is why I stopped buying new iPads. These are usually used by multiple people and there’s no good reason for Apple to withhold multiuser after introducing it to the education market some years ago. With current hardware and memory, it should be easier and quicker than before to switch users.


This actually used to be possible (and may still be?) with the iUsers app in Cydia. That was maybe 10 years ago, though.

I’d jailbreak my iPad Pro immediately if I could get multiuser support. I really hope the multiuser stuff from tvOS 13 or Apple’s implementation for education accounts make it into iPad OS.


Also curious about this. The only thing I can think of is emulators and other forbidden apps - you sign them with Xcode, but it only lasts a limited time (a week?)


There’s now a clever tool for getting around Apple's signing, AltStore, which uses a server application on your computer to periodically sign the app (and has some trick for not requiring a developer account that involves an Apple Mail extension).


As it turns out, this is used as one of the listed bootstrap methods for getting the jailbreak going.

It's a very different era for jailbreaking, these days. We don't actually need an ACE exploit as a bootstrap any more; we can just rely on various pseudo-officially-sanctioned methods of running arbitrary code (e.g. an Xcode development provisioning profile.) A jailbreak is now just a privilege-escalation exploit. Interesting times.


The crazy thing is that it used to be even easier, but Apple broke some of the sideloading mechanisms.

AltStore and its mods seem to be one of the few sideloading methods left for people who aren't paying $99/year for the Apple Developer Program.


Orion tweak from Packix repo restores iOS 12 3d-touch gestures for keyboard (hard-press anywhere to move cursor around, press even harder to select text). This, with RealKeys (adds haptic feedback to the keyboard) are the only tweaks I use, and they are truly a game changer when it comes to typing.


A system-wide parametric equalizer (EQE) that makes music while running inspirational in a way from which I derive a large amount of value. I’ve also been interested to see all the spyware Apple allows in App Store apps. Very happy to have a bootrom exploit now.


It's so you can treat your phone like that computer it actually is. I don't know about iPhones but on Android for example, I can edit the hosts file.


Does anyone have any technical information about the (0day?) exploits used by this new jailbreak? The source code on github seems to be very out of date.

Will Apple delay the release of macOS 10.15.5, which is expected this week? (Curious to know if the same exploit applies to macOS).


Remember when Comex released JailbreakMe 2.0, when jailbreaking was only a webpage + "slide to jailbreak" away?

Those were the days.


Went to do this for an extra iPhone X I have. Made me download an app, supply Apple ID credentials, and provide my system login/password to a dialog. I want to use it, but I won't touch it without a VM and a six-foot stick.


You don't need unc0ver at all to jailbreak your phone! Everything older than and including the iPhone X has a hardware-level bootloader exploit known as "checkm8". You can use a jailbreak called "checkra1n" via that hardware-level exploit with just a USB/Lightning cable and any computer running macOS or Linux (Windows support Real Soon Now™): https://checkra.in/

unc0ver is necessary for newer phones that need a software entry point to jailbreak. It should work just the same on your phone too, but the hardware exploit is way way easier and should automatically* work with any new iOS updates as they are released.

[*] Any tweaks you have installed may of course be incompatible with a major OS update


Doesn't checkm8 require re-jailbreaking on every boot?


To stay jailbroken, yes. The phone will still boot fine by itself, however, just in the normal unjailbroken state. Same limitation as unc0ver except without the conveniently-portable app entry point. I prefer using the hardware entry point that doesn't depend on Apple's goodwill to let me sideload since I usually get at least a month or two of uptime anyway. My recent record has been 66 days, then I rebooted intentionally for something: https://i.imgur.com/l9tL9dw.png


Asking for your Apple ID credentials appears to be trying to automatically set up your Apple ID for sideloading, i.e. obtaining certificates etc. You should be able to do this step manually.


Adding on: you can also create a new Apple ID, and provide those credentials just for sideloading.


I remember the JB scene during the early days, iOS 3-6. Those were good times...


Yep. I loved rooting droids and jailbreaking iPhones back then. It almost seems like it ain’t worth it these days. I can’t think of much I can get in JB that I can’t have anyway.


At one point I had the original iPhone running Android. It was a hot mess usability-wise but still kinda marvelous in a way.


Have you tried any of the Project Sandcastle builds?

https://projectsandcastle.org


Thanks for sharing this! I just decommissioned an iPhone 7 and I think this is the perfect project for it.


It’s definitely interesting! I think the iPhone hardware is amazing, and Android is the only alternate OS I would consider running so it’s just a great match. Fun project.


When the first web based jailbreak[1] dropped I felt like something important had happened among the mundane. Rooting the HTC G1 and jailbreaking pre-App Store iOS was a PC-assisted complicated revelation; being able to JB straight from the browser doubly so.

[1] https://en.wikipedia.org/wiki/JailbreakMe


> Rooting the HTC G1 […] was a PC-assisted complicated revelation

Well, aside from the early versions of Android that ran all your keyboard input through a root shell: https://web.archive.org/web/20081206090335/http://blogs.zdne...


I’m having flashbacks of mistyped commands on a G1 keyboard leading to restoring my nandroid backups. It took a couple tries but was well worth it for the decent overclock I was able to get out of it. With an extended battery it was a pretty decent two or three day charge phone with some battery management. Still love that phone.


So it sounds like sometimes jailbreaks use known vulnerabilities, but this one uses a 0day

https://twitter.com/Pwn20wnd/status/1264258454610259968


> Utilizing native system sandbox exceptions, security remains intact while enabling access to jailbreak files.

This is not very clear to me. Does this only mean that other security protections remain for apps that respect the restrictions? After jailbreaking, any malicious apps (even the ones that get through App Store reviews, not just the apps from Cydia) can get wider access to resources, right?


Isn't a theoretical large reason for jailbreaking (not your main phone) to be able to read the contents of all installed apps, say, via SSH? I don't know of another way to do this.


Jailbreaking can be invaluable for legitimate security research. For example, frida is a powerful reverse engineering tool that allows all sorts of scripting and dynamic instrumentation. Its functionality is very limited without jailbreaking.

https://frida.re/docs/ios


Looks a lot like dtrace


It is! Though DTrace doesn't really work on iOS... Apparently Apple ported it over but they've certainly never released it publicly. https://twitter.com/ahl/status/311883517820809216


Some tools you may want to look into. They're used for piracy 99% of the time, but interesting stuff all the same:

https://github.com/KJCracks/Clutch

https://forum.iphonecake.com/index.php?/topic/363020-cracker...


Yes, this is one of the things I use Linux Deploy (requires root) on my Android phone for. I do backups of all data this way and randomly browsing photos from Linux (nemo specifically) is also easy:

1. Open file manager

2. Click a bookmark that points to "sftp://tel"

3. I can now browse my phone, e.g. to view pictures or copy a previously taken screenshot. No need to take the phone out of your pocket and connect it over USB or anything.

"tel" is configured in ~/.ssh/config to point to the static IP of my phone. I have another ssh host called "hotspot" which points to the IP it uses when it functions as hotspot.

(Of course, this occasional convenience and full backups aren't the only things I would want root for.)


It doesn't install OpenSSH by default, but it does set up a root user with a default password "alpine". It's recommended that you change this.


I believe that the root user already exists with that password.


It looks like you're right. I guess I don't really understand then why we can't just log in as root in vanilla iOS


It technically is, but iOS apps are compiled ARM64 so decompiling them isn't trivial. It's often easier to find the app's config files and mess around, or to use an app like Flex that allows you to override return values for an app's methods.

https://twitter.com/flextweak


> but iOS apps are compiled ARM64 so decompiling them isn't trivial

One of the fun things about Android is the ease of decompiling and recompiling Java, but if you're used to RE'ing native code for Windows or Linux, then I don't think it would be all that different?


Super interesting. I suspect Ghidra might support it reasonably well.


Ghidra doesn't do a great job of decompiling Swift and ObjC, which most iOS apps would be written in nowadays. You are better off with something like Hopper. Hopper does a better job of decompiling Swift and ObjC, but its decompiler output is nowhere near as good, unfortunately.


It’s no unobfuscated Java, but it’s far from being complicated.


Are there any good firewall apps for jailbroken iPhones? Something that works more holistically than at the DNS level (like IP addresses, stateful packet inspection, etc). There used to be "Firewall iP" but that seems long abandoned now.

That's the one thing I'd love to jailbreak for. And a UI tweak or two can be nice too.


iOS has PF, just like the base macOS. No UI, but it works if you just create your PF rules and OS fingerprint files, then create the launchd config: https://gist.github.com/pwnsdx/cc82feb97f451f26c24b


I would so eagerly jailbreak for something like Little Snitch for iOS.


You definitely don't need to! Charles Proxy is really impressive on iOS.


How does it compare to Little Snitch, which on the Mac asks the user to check the connection attempt and allow/disallow each one based on some patterns (domain, port, etc.)? I don’t think such a functionality is possible on non-jailbroken iOS. Charles Proxy seems to be targeted at just examining traffic, and not prompting the user for connection attempts and controlling them.


You can’t ask dynamically, but setting up filtering rules is not out of the question.


I wish Android had such a hope for it. Getting root to do basic kernel level tasks like working with networking or uhid is some extreme bizarre exploit special to most every device. It's so detestable.

This device is my device. It needs to be trusted & manipulable by me. But these manufacturers, they look on users & what they would do as the enemy, as power they grant only to themselves. It's sad being in this post-general-purpose computing age, maligned by my own machines.


I’ve had an iPad that’s been locked for at least a year (forgot pin) and I don’t have a computer that runs iTunes to plug it in to and unlock it. Would this get past that?


> I’ve had an iPad that’s been locked for at least a year (forgot pin) and I don’t have a computer that runs iTunes to plug it in to and unlock it.

If you have the proof of purchase, an Apple Store should be able to unlock it for you.


I’m 7hrs away from an Apple Store... pretty remote, but I do have proof of purchase. I’ll take that as a no? Someday I’ll have a usable iPad again.


I had to get a laptop fixed and Apple shipped me a box. 10 days later (and this was a few weeks ago during the height of the Covid lockdown in the US) I got it back. I recommend looking into something like that.


Are you serious? People are okay with this? What's the point of encryption if Apple can unlock it? If the same thing happens on an encrypted computer you won't be able to access the data, but at least the device isn't bricked.


You misunderstand. Apple can erase the device and let a new user set it up from scratch, but they can't read the data off it. The feature is called Activation Lock and it exists to discourage theft.


Thanks for clarifying. The only part missing is being able to do this yourself instead of having to involve a third party.


Activation Lock is only enabled when you have the "Find My" service enabled. I'm pretty sure the device asks you during setup whether you want it on or off. You can toggle it in settings whenever you want.

Users only need to get Apple involved if they forget their iCloud credentials.


Not true. You can have your iCloud credentials but no device that runs iTunes. The iTunes requirement is the catch here for me personally.


Kinda nullifies the whole “deter theft” thing then.


I'm not sure what "the whole 'deter theft'" thing is but 'deter theft' sounds like a marketing gimmick to me. You give some corporation your keys to hold for you because you can't trust yourself. Why can't you unlock your own damn phone?


That's not what is happening. Please look some of this stuff up before assuming the worst. Apple does not have the ability to decrypt the device, nor do users depend on Apple to unlock the device.

Users can choose to enable Activation Lock, which means that only the owner or Apple can allow someone else to erase the device and set it up from scratch. Users can disable Activation Lock at any time. The only time that users can't disable it is if they forget their iCloud credentials. That's when they have to go to an Apple store and prove that they own the device.


So that a stolen phone is useless? That’s a pretty big deterrent.

And you still hold the private key, from what parent said having the store unlock the phone means that it will be factory reset so they still can’t access the data on the phone.


If you want to get into the specifics...neither Apple nor the user holds the real private key.

The key needed to decrypt the phone contents is generated and stored in the Secure Enclave, a separate piece of hardware+firmware on the phone. When the user provides their password/PIN, the Secure Enclave checks to make sure it's correct and then it will decrypt the phone contents and make them available, but the actual decryption key never leaves the Secure Enclave and isn't accessible by the main OS.


They can't unlock it.


To clarify, this jailbreak (using cydia impactor) requires you "trust" the computer you plug into and click a button within the app, so no.


You can do it if your iPad is one of the models vulnerable to the "checkm8" bootloader exploit. Sorry I'm not going to name any tools or link to any tutorials, though, RE https://github.com/axi0mX/ipwndfu/issues/100


He likely wouldn't be able to get past an unknown passcode with checkm8. Whilst it would jailbreak the device, the flash is encrypted with a derived key that's stored in the Secure Enclave and can only be unlocked with the PIN.


It's 2020 and ppl are still forced to jb their own phones.


You're going to hate 2030...

I think by then macOS will need a jailbreak if you want to disable SIP and have genuine root access.


Can you downgrade iOS if you jailbreak?


Downgrades are possible on certain older models, but as far as I know it requires a bootloader exploit and the boot may be tethered i.e. requires a PC to poke it before it will boot.

32 bit devices can use coolbooter: https://coolbooter.com/

And I've not used this tool but am aware of it: https://github.com/MatthewPierson/Vieux


Yes, if you were jailbroken on the older version, and took steps to roll it back.

To be honest, I still have the ability to roll back to anything from 11.4+, but I have not even used it once. Apple is putting a lot of effort into pulling people forward. (Some compelling apps just don’t launch on older versions, for example.)


This doesn't work without a $99 developer certificate when you get to the Cydia Impactor step


You can use AltStore to sideload it for free: https://altstore.io/

And if you have an iPhone X or older (iPhone 8, 7, etc) you have a hardware exploit and can jailbreak using checkra1n with just a computer and a USB Lightning cable: https://checkra.in/


I tried this, it doesn't seem to work, unless I am missing the obvious somewhere along the line.


Tried which one, sorry? I haven't used AltStore much myself since I have an older model with the hardware exploit, but it did work the one time I tried it. It's just a heck of a lot jankier than the old method of using Cydia Impactor (Computer-based) or ReProvision (iOS-based) to sign the app for seven days with your personal free dev account. Apple changed something on their end and broke those apps.

Here's a video demo (not mine) of how the AltServer method should work for you: https://twitter.com/InvoxiPlayGames/status/12129681066095656...


Cydia Impactor is a method, not a step.

You can jailbreak with unc0ver in 3 different ways, one of which requires an Apple Developer account, yes.


Can one unlock a carrier-locked phone with that tool?


In the past carrier unlocking was always a separate ordeal that jailbreaking didn’t seem to help. But I haven’t tried in many years.


No. Different chip.


I believe the carrier lock is now handled in software. The modem itself is never carrier locked and the lock is enforced at the activation step by sending the SIM details to Apple for validation, so I believe once you're jailbroken you should be able to bypass that behavior.


Anyone know what the best ad blockers are for iOS?


I use 1Blocker. Granted, it doesn't require a jailbreak and therefore doesn't work in non-WebViews. But it has tremendous customizability that I really enjoy. In addition to the default rules, I set up custom rules to block cookies on specific sites, and to block scripts on other specific sites.


I use AdGuard, mostly because it’s free and the desktop version has a decent reputation. Works well.


I use NextDNS, works pretty well.


Any recommendations on the block list(s) to use? I just realized I totally missed this config in NextDNS so cheers for clueing me in


To start with:

someonewhocares

Dan Pollock’s list

All the Fanboy blocking lists

Any “annoyances” list you’re interested in


Does this block ads in apps?

It looks like I may have not had to jailbreak after all. I assumed it was a necessary prerequisite.


Yes. I only still see ads in the YouTube app (stopped using YT on my phone for that reason), and some websites that do some clever ad reinjection after the page has loaded still have ads too (but that’s really a minority of websites and they’re not very good anyway, so I'm not using them much).

Otherwise it blocks all ads in every other app (especially free-to-play games that are unusable with ads).

NextDNS will also work on your TV and block all ads (hello Samsung) and telemetry too (there is a smart TV block list you can select at the end of the choices on NextDNS).


Yes, it’s great and works across all apps. You have to set up an account on the website, then choose filters just like you would with uBlock Origin. Then you enter your configuration code in the app (to connect to the right settings). The filters get applied to every DNS request.
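The filtering the two comments above describe (a resolver applying hosts-format block lists such as Dan Pollock's someonewhocares list to every DNS request) as an added example; this is not code from the thread or from NextDNS, and the list contents and queries are constructed sample data.

```python
"""Added example: a DNS-level blocklist filter over a hosts-format list.
The list text and the hostnames below are constructed, not real list data."""
import ipaddress

# Constructed sample in hosts-file format: "<sink IP> <hostname>", '#' comments.
SAMPLE_HOSTS_LIST = """\
# constructed example list, not the real someonewhocares file
127.0.0.1 localhost
0.0.0.0 ads.example.net     # ad server
0.0.0.0 tracker.example.org
0.0.0.0 telemetry.example-tv.test  # smart-TV telemetry
"""

# Addresses that hosts-format block lists use as a sink for blocked names.
SINK_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1", "::"}


def parse_hosts_blocklist(text: str) -> set[str]:
    """Return the blocked hostnames from a hosts-format list.

    Only lines whose address is a sink count as block rules; the usual
    'localhost' loopback line is dropped so it never becomes a rule.
    """
    blocked = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip trailing comments
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])  # skip malformed lines
        except ValueError:
            continue
        if parts[0] not in SINK_ADDRESSES:
            continue
        for host in parts[1:]:
            host = host.lower().rstrip(".")
            if host and host != "localhost":
                blocked.add(host)
    return blocked


def is_blocked(qname: str, blocked: set[str]) -> bool:
    """Block a name if it or any parent domain is listed, so a query for
    'cdn.ads.example.net' is caught by the 'ads.example.net' entry."""
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))


def filter_queries(qnames, blocked):
    """Map each queried name to the resolver decision, 'block' or 'allow'."""
    return {q: ("block" if is_blocked(q, blocked) else "allow") for q in qnames}
```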

