Login
    Contents x
    Security Features on iOS
    • 28 Mar 2025
    • 5 Minutes to read
    • Print
    • Dark
      Light
    • PDF
    Contents

    Security Features on iOS

    • Updated on 28 Mar 2025
    • 5 Minutes to read
    • Print
    • Dark
      Light
    • PDF
    Article summary

    Jailbreak detection

    Jailbreaking is the process of circumventing security measures of the operating system. This is usually performed by the users of a device to customize the device beyond what the manufacturer allows.

    However, attackers can also jailbreak a stolen device by bypassing the device's protection mechanisms to gain access to the data stored on the device. Similarly, some of the available jailbreak techniques can be used by malware to gain extended permissions on a device.

    Since a jailbroken device has a higher risk of being compromised, it is important to know about it. Even if the vendor of an application chooses to allow execution on jailbroken devices, detecting whether the device is jailbroken or not is essential for further security measures to determine the threats to which an application may be exposed.

    Jailbreak detection can be performed in several ways. Simplistic approaches only test for the existence of files in the file-system that are associated with a jailbroken device. However, the existence of several 'jailbreak hider' tools that are available on iOS shows how easy it is to bypass these detection tools. Jailbreak detection is inherently a "cat-and-mouse" game between new jailbreak techniques and jailbreak detection methods.

    App Shielding, while also implementing these simplistic detection mechanisms performs detection on multiple levels ranging from these well-known approaches to cutting edge low-level mechanisms that are targeted more towards detecting the essence of a jailbreak.

    Emulator detection

    Emulators can be used to analyze an application to determine how it works and to extract sensitive information that is available while the application is being executed. App Shielding can detect that the application is being executed in an emulator or typical virtual environment.

    Repackaging detection

    Repackaging means that an attacker can obtain a copy of an application, add malicious functionality such as a keylogger, and then offer it to users who believe that they are using the original application.

    This type of attack is made possible since Apple has an alternative distribution mechanism apart from the App Store called enterprise distribution.

    The act of repackaging the application can also be used when attempting to reverse-engineer an application.

    App Shielding offers the possibility to detect and react when an application has been repackaged. Furthermore, App Shielding creates a strong binding between the app and App Shielding. With this, the security features provided by App Shielding cannot be disabled by simply removing App Shielding from the app.

    Code injection protection

    To gain control of an application, attackers may inject code into the application to control it from within its own process. This can, for example, be used to read encrypted SSL communication or intercept user input such as passwords.

    This type of threat is more common on jailbroken devices, as injecting code into another application would otherwise have been prevented by the operating system sandbox.

    On iOS, there are two known ways to inject code into an application: either during load time (which is done by tools like MobileSubstrate) or during runtime (which is done by tools like Cycript).

    Load-time injection is only prevented if the app is being shielded. This is because the feature will otherwise cause problems when running the app during development.

    Hooking framework detection

    In the rare case that the code injection protection can be bypassed by an attacker, App Shielding is also able to detect actions that the attacker performs inside the process (usually in form of a hooking framework).

    Debugger protection

    During application runtime, debuggers can be used to extract sensitive information, perform code injection, alter the program flow, and help attackers to reverse-engineer the application. By actively blocking debuggers, App Shielding can prevent them from attaching themselves to the application.

    Keylogger protection

    Most keyloggers on iOS are implemented using code injection. App Shielding protects against these with its code injection prevention feature. In addition, App Shielding also prevents the unwanted leak of data from the application in form of the keyboard cache that the iOS keyboard uses.

    Screenshot and screen recording protection

    Applications often display sensitive information that should not be easily extracted from the application. A screenshot or screen recording, however, would compromise this information.

    Screenshots are taken in different ways. They can be initiated by the user, taken by the system for various reasons (e.g., the task manager when changing between running apps), and captured by screen mirroring.

    App Shielding is able to block all three use cases. When enabled, this feature renders any screenshot of the protected app as a plain black image. If a screenshot is taken when switching between apps on the device, then only the window that contains the protected app is obscured.

    Similarly, a screen recording of the protected app results in a plain black video. Because screen sharing uses screen recording, this feature also blocks screen sharing apps like TeamViewer.

    Shielding

    Shielding an application with App Shielding renders the application useless if App Shielding is prevented from running. App Shielding provides an application that offers protection from various forms of attacks. Much of this protection is dependent on App Shielding itself running. For example, an attacker could try to circumvent some of the App Shielding protections by running the application without invoking App Shielding. Shielding the application will protect against such an attack.

    App Shielding does not currently support shielding on x86 architectures. When building for x86, shielding is automatically disabled. This is typically only used when building for a simulator, so normally it is not important, but it does mean that simulator builds are much easier to attack. We strongly recommend not to ship simulator builds to potential attackers.

    Static security features

    In addition to the security functions that result in a callback, App Shielding can be configured to provide the following supplementary security features:

    • Prevent user input made to the application from being recorded in the iOS keyboard cache.

    • Prevent iOS from saving a screenshot of the application when the application is no longer in foreground.

    • Prevent attachment of debuggers to the application. This feature will also prevent debugging using Xcode, so it should be deactivated during development/testing.

    • Prevent libraries from being injected when the application is loaded. This is the only feature which cannot be configured and is hardcoded into the static App Shielding library. Since this feature also hampers testing and debugging, it is deactivated in the Debug version of App Shielding.

    • Prevent external screens (connected through an adapter or AirPlay) from mirroring the application window.

    Was this article helpful?
    What's Next
    Change password!
    Changing your password will log you out immediately. Use the new password to log back in.
    Change profile
    Success!
    First name must have atleast 2 characters. Numbers and special characters are not allowed.
    Last name must have atleast 1 characters. Numbers and special characters are not allowed.
    Enter a valid email
    Enter a valid password
    Your profile has been successfully updated.
    Logout
    ESC

    Ozzy, our interactive help assistant