Last active
December 1, 2022 02:33
-
-
Save joncardasis/fab885f9ab241524800204126db1433d to your computer and use it in GitHub Desktop.
iOS - Prevent debugger attachment in a jailbroken environment. Obfuscated by assembly and symbol mangling.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // | |
| // jailbreak_protect.c | |
| // | |
| // Created by Jonathan Cardasis (C) on 10/11/19. | |
| // Copyright © 2019 Jonathan Cardasis (C). All rights reserved. | |
| // | |
| // Source: https://medium.com/@joncardasis/mobile-security-jailbreak-protection-84aa0fbc7b23 | |
| // Simply include this file in your project and ensure the file's Target Membership | |
| // is set to your app. | |
| #if !defined (jailbreak_protect) && defined (__arm64__) | |
| #define jailbreak_protect | |
| #define IS_APP_STORE_BUILD !TARGET_IPHONE_SIMULATOR && !DEBUG | |
| #if IS_APP_STORE_BUILD | |
| #define prevent_debugger PfdVSCqqteGFWxmSPFAw // Obfuscate function name | |
| /** | |
| Prevent debugger attachment by invoking underlying syscalls ptrace uses. | |
| Most anti-debug code relies on libraries which are easy enough to hook | |
| the symbols and bypass these checks. This is an ARM64 assembly solution | |
| which requires much more effort to bypass. | |
| This code is executed by dyld (the dynamic linker) during the initialization phase, | |
| before the instruction pointer enters the program code. | |
| */ | |
| __attribute__((constructor)) static void prevent_debugger() { | |
| asm volatile ( | |
| "mov x0, #26\n" // ptrace syscall (26 in XNU) | |
| "mov x1, #31\n" // PT_DENY_ATTACH (0x1f) - first arg | |
| "mov x2, #0\n" | |
| "mov x3, #0\n" | |
| "mov x16, #0\n" | |
| "svc #128\n" // make syscall | |
| ); | |
| } | |
| #endif | |
| #endif /* jailbreak_protect */ |
Very nice! Highly impressed. This will definitely increase the workload of a would-be attacker. Is there any issue with App Store rejection? All they’d have to do is try to debug it...
Unfortunately this does not work on an Apple Watch. When compiling it it gives an error: “GNU-style inline assembly is disabled” it’s unfortunate because an Apple Watch is definitely where you’d like this debug-disable functionality. Not to mention the fact that bitcode has to be turned in if delivering an iPhone app with a companion WatchOS app. Bummer. :( great solution though.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Thank you rustymagnet3000. I succeeded using ptrace(PT_DENY_ATTACH, 0, 0, 0) and a robust check on the CodeSign. Plus something else…