How Can Mobile Developers Detect Jailbroken Devices?
Detecting a jailbroken device is an important part of jailbreak protection for apps. Developers have devised various methods to check if the device their app is running on has been compromised. There is no single foolproof indicator, so effective iOS jailbreak detection often combines multiple checks. Below are some common techniques mobile developers use to detect a jailbreak:
Checking for File System Artifacts
Jailbreaking usually leaves behind certain files, directories, or apps that are not present on a normal iOS device. By attempting to locate these, an app can infer a jailbreak. Classic examples include checking for the existence of Cydia or other installer apps on the system. For instance, one can check if the path /Applications/Cydia.app exists, or if directories like /private/var/lib/apt/ (which indicates the presence of the APT package manager used by Cydia) are present.
Many jailbreak tools install files in known locations; the presence of any of those “known jailbreak files” is a strong indicator. (Developers often maintain a list of known file paths to check, including Cydia, Substrate, SSH daemons, etc.)
Checking for Sandbox Violation (Write Test)
Under normal conditions, an app is confined to its sandbox and cannot write to system directories. On a jailbroken device, the sandbox restrictions can be lifted for apps running with root. A common detection trick is to attempt to create or write to a file in a restricted location, such as the root of the file system or /private directory. If the write operation succeeds when it should have failed, the device is jailbroken
For example, writing a dummy file to /private/jailbreak_test.txt and then checking if it was created is a simple test – on a non-jailbroken device this operation will be denied, whereas on a jailbroken device it may succeed because the app might be running with higher privileges or outside the normal sandbox.
Looking for Suspicious Processes or Libraries
Many jailbreaks run background processes (like SSH daemons) or load additional dynamic libraries into apps. Developers can check the process list or loaded DYLIBs for known jailbreak components. One approach is to use the dyld (dynamic linker) APIs to enumerate loaded libraries in the app’s process and scan for names associated with jailbreak tools (e.g., substratelibrary.dylib, libhooker.dylib, Frida libraries, etc.)
if your app finds a library with a name like “frida” or “cydia substrate” loaded into itself, that’s a red flag the environment is compromised. However, this method can get complex and might be considered an advanced technique (since it involves low-level C APIs and string matching).
Detecting Root Access or Elevated Permissions
This is more of a generic principle behind several of the above methods. If your app suddenly has access to things it shouldn’t, something is wrong. For example, try to list files in /. If you get a directory listing of the device’s root filesystem, that means the app is not properly sandboxed (indicative of a jailbreak). Apple’s security model would normally prevent that. Another indicator is the presence of symbolic links where they shouldn’t be. Some jailbreaks relocate certain folders and create symlinks (for instance, a jailbreak might symlink /Applications to a different location to make more space). Checking for known symlinks (like /Applications being a symlink instead of a real directory) can also tip you off
Each of these detection methods can be implemented in Swift/Objective-C and run at app startup or at strategic points. Keep in mind that none of them are 100% foolproof on their own. Thus, combining multiple checks will strengthen your jailbroken device detection. Also, be aware of false positives and ensure you’re not violating any App Store guidelines (Apple doesn’t forbid jailbreak detection, but be careful with private API usage).
Last updated