苹果拒绝越狱检测的应用程序 [英] App with jailbreak detection rejected by Apple

问题描述

我们正在开发的 App 被拒绝，因为审查过程中的设备被检测为越狱 ^^

the App we are working on was rejected because the Device in the Review Process was detected as jailbroken ^^

为了检测越狱设备，我们进行了多项测试:

To detect a jailbroken Device, several Tests were performed:

NSString* bundlePath = [[NSBundle mainBundle] bundlePath];

// scan for itunes metadata
BOOL isDirectory = NO;
NSString* directoryPath = [bundlePath stringByAppendingPathComponent:@"SC_Info/"];
BOOL directoryIsAvailable = [[NSFileManager defaultManager] fileExistsAtPath:directoryPath isDirectory:&isDirectory];
BOOL contentSeemsValid = ([[[NSFileManager defaultManager] contentsOfDirectoryAtPath:directoryPath error:NULL] count] == 2);
if (directoryIsAvailable && contentSeemsValid) {
    return YES;
}
contentSeemsValid = [[NSFileManager defaultManager] fileExistsAtPath:[NSString stringWithFormat:@"%@/iTunesMetadata.​plist", bundlePath]];
if (contentSeemsValid) {
    return YES;
}

// scan for cydia app
NSURL* testURL = [NSURL URLWithString:@"cydia://"];
if ([[UIApplication sharedApplication] canOpenURL:testURL]) {
    return YES;
}

// scan for paths available
NSArray* paths = @[@"/Applications/Cydia.app", @"/Applications/RockApp.app", @"/Applications/Icy.app", @"/usr/sbin/sshd", @"/usr/bin/sshd", @"/private/var/lib/apt", @"/private/var/lib/cydia", @"/private/var/stash", @"/usr/libexec/sftp-server"];
for (NSString* string in paths) {
    if ([[NSFileManager defaultManager] fileExistsAtPath:string]) {
        return YES;
    }
}

// scan for forking
int forkValue = fork();
if (forkValue >= 0) {
    return YES;
}

// try to write in private space
NSString* testString = @"test";
NSError* error = nil;
[testString writeToFile:@"/private/test.txt" atomically:YES encoding:NSUTF8StringEncoding error:&error];
if (error == nil) {
    return YES;
}

// seems not jailbroken
return NO;

这些测试中的一个(或多个)在 Apple 用于审核的设备上返回 YES，但在我们的 DevDevices 上没有.可能是哪一个?有没有人知道有关 Apple 用于审查的设备的更多详细信息?任何提示或其他猜测?(App 的上下文是医院的 HealthCare，因此我们需要确保保存了患者数据)

One (or more) of these Tests return YES on the Devices Apple use for Review, but none of our DevDevices. Which one could it be? Does anybody know more Details about the Devices Apple use for the Review? Any Hints or other Guesses? (The Context from the App is HealthCare in Hospitals, so we need to be sure that the Patient Data were save)

最好的问候，
齐克

Best Regards,
Zeek

推荐答案

来自 https://www.theiphonewiki.com/wiki/Bypassing_Jailbreak_Detection

虽然应用可以通过多种方式对越狱设备进行检查，但它们通常可归结为以下几种:

目录的存在 - 检查您的文件系统中是否有诸如 /Applications/Cydia.app/ 和 /private/var/stash 等路径别人的.大多数情况下，这些是使用 NSFileManager 中的 -(BOOL)fileExistsAtPath:(NSString*)path 方法检查的，但更多偷偷摸摸的应用程序喜欢使用较低级别的 C 函数，例如fopen()、stat() 或 access().

目录权限 - 使用NSFileManager 方法以及statfs() 等C 函数检查特定文件和目录的Unix 文件权限.在越狱设备上拥有写访问权限的目录比仍在监狱中的目录多得多.

进程分叉 - sandboxd 不否认 App Store 应用程序使用 fork()、popen() 的能力，或任何其他 C 函数在非越狱设备上创建子进程.sandboxd 明确拒绝在监狱中的设备上进行进程分叉.如果您在 fork() 上检查返回的 pid，您的应用程序可以判断它是否已成功分叉，此时它可以确定设备的越狱状态.

SSH 环回连接* - 由于安装了 OpenSSH 的大部分越狱设备，一些应用程序将尝试在端口 22 上连接到 127.0.0.1.如果连接成功，则表示已安装 OpenSSH 并且在设备上运行，因此它已越狱.

system() - 在 jail 中的设备上使用 NULL 参数调用 system() 函数将返回 0；在越狱设备上执行相同操作将返回 1.这是因为该函数将检查 /bin/sh 是否存在，而这仅在越狱设备上如此.[1]

dyld 函数 - 迄今为止最难解决的问题.调用诸如 _dyld_image_count() 和 _dyld_get_image_name() 之类的函数来查看当前加载了哪些 dylib.很难打补丁，因为补丁本身就是 dylibs 的一部分.

*只有极少数应用程序实现了这一点(因为它不如其他应用程序有效)

While there are countless ways apps can implement checks for jailbroken devices, they typically boil down to the following:

Existence of directories - Check your file system for paths like /Applications/Cydia.app/ and /private/var/stash, amongst a handful of others. Most often, these are checked using the -(BOOL)fileExistsAtPath:(NSString*)path method in NSFileManager, but more sneaky apps like to use lower-level C functions like fopen(), stat(), or access().

Directory permissions - Check the Unix file permissions of specific files and directories using NSFileManager methods as well as C functions like statfs(). Far more directories have write access on a jailbroken device than on one still in jail.

Process forking - sandboxd does not deny App Store applications the ability to use fork(), popen(), or any other C functions to create child processes on non-jailbroken devices. sandboxd explicitly denies process forking on devices in jail. if you check the returned pid on fork(), your app can tell if it has successfully forked or not, at which point it can determine a device's jailbreak status.

SSH loopback connections* - Due to the large portion of jailbroken devices that have OpenSSH installed, some apps will attempt to connect to 127.0.0.1 on port 22. If the connection succeeds, it means OpenSSH is installed and running on the device, therefore it is jailbroken.

system() - Calling the system() function with a NULL argument on a device in jail will return 0; doing the same on a jailbroken device will return 1. This is since the function will check whether /bin/sh exists, and this is only the case on jailbroken devices.[1]

dyld functions - By far the hardest to get around. Calling functions like _dyld_image_count() and _dyld_get_image_name() to see which dylibs are currently loaded. Very difficult to patch, as patches are themselves part of dylibs.

*Only a very small number of applications implement this (as it is not nearly as effective as the others)

这些方法看起来被苹果拒绝的可能性较小，而且使用起来非常简单.

These methods seem like they would be less likely to be rejected by apple and are very simple to use.

为简洁起见，对以上段落进行了编辑

The above passage has been edited for brevity

这篇关于苹果拒绝越狱检测的应用程序的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！