/

Jailbreak Detection

Protection Module: JailbreakDetection

Available For

Android API 21+ (Mobile) iOS (Planned)

How It Works

The Jailbreak Detection module identifies compromised mobile devices where security controls have been bypassed. It uses multiple detection indicators across device properties, processes, and filesystem artifacts to determine if the device has been rooted (Android) or jailbroken (iOS), with dynamic confidence scoring based on the number of indicators found.

Detection Techniques

Android Root Detection:

  • Superuser Binary Scanning: Checks for SU binary paths (/system/bin/su, /system/xbin/su, /data/local/su)
  • Root Management Apps: Detects presence of popular root managers (Magisk, SuperSU, KingRoot) via package scanning
  • Build Property Analysis: Checks for test-keys in fingerprint (indicator of custom builds), ro.debuggable=1 (debug mode enabled)
  • SELinux Permissive Mode: Detects ro.build.selinux=0 or permissive SELinux policies
  • System Partition Writable: Checks if /system partition is writable (sign of partition modification)
  • BusyBox Detection: Scans for BusyBox installation which is commonly used in rooted devices

iOS Jailbreak Detection (Planned):

  • Jailbreak App Detection: Checks for Cydia, Sileo, zbra package managers
  • Symbolic Link Verification: Identifies /Applications symlink modifications
  • Dynamic Library Injection: Detects injected dylibs and modified binary metadata
  • Fork Test: Executes fork test to detect sandbox restrictions

Dynamic Confidence Scoring:

  • Combines multiple detection indicators for increased reliability
  • Confidence ranges from 0.0 to 1.0
  • Adjustable sensitivity levels: strict (0.5), normal (0.7), lenient (0.9)

Default detection interval: 5 minutes Caching: Results cached until device reboot

JSON Configuration

JSON
{
  "protections": [
    {
      "type": "JailbreakDetection",
      "action": "close",
      "intervalMs": 300000
    }
  ]
}

Code-Based Configuration

Kotlin

Kotlin
import com.bytehide.monitor.Monitor
import com.bytehide.monitor.core.action.ActionType
import com.bytehide.monitor.core.protection.ProtectionModuleType

Monitor.configure { config ->
    config.addProtection(
        ProtectionModuleType.JAILBREAK_DETECTION,
        ActionType.CLOSE,
        300000
    )
}

Java

Java
import com.bytehide.monitor.Monitor;
import com.bytehide.monitor.core.action.ActionType;
import com.bytehide.monitor.core.protection.ProtectionModuleType;

Monitor.configure(config -> {
    config.addProtection(
        ProtectionModuleType.JAILBREAK_DETECTION,
        ActionType.CLOSE,
        300000
    );
});

Available Actions

ActionBehaviorRecommended For
CloseTerminate application immediatelyProduction apps with critical IP
LogRecord incident and continueDevelopment, analytics
EraseSecurely delete data then terminateFinancial, healthcare apps
CustomExecute custom handlerEnterprise integrations
NoneDetect only, no actionTesting configurations

See Actions for detailed action documentation.

When to Use

Enable Jailbreak Detection when:

  • Protecting financial applications and banking systems
  • Securing healthcare applications storing patient data
  • Preventing unauthorized access to premium features
  • Enforcing compliance requirements (PCI DSS, HIPAA, SOC 2)
  • Protecting cryptocurrency wallets and trading apps
  • Detecting unauthorized device modifications
  • Preventing malware execution on compromised devices

Code Examples

Kotlin - Basic Integration

Kotlin
import com.bytehide.monitor.Monitor
import com.bytehide.monitor.core.action.ActionType
import com.bytehide.monitor.core.protection.ProtectionModuleType

class SecurityApplication : Application() {
    override fun onCreate() {
        super.onCreate()

        Monitor.configure { config ->
            config.addProtection(
                ProtectionModuleType.JAILBREAK_DETECTION,
                ActionType.CLOSE,
                300000
            )
        }
    }
}

Kotlin - Custom Action with Confidence-Based Response

Kotlin
Monitor.configure { config ->
    config.registerCustomAction("jailbreak-handler") { threat ->
        val threatType = threat.getThreatType()
        val confidence = threat.getConfidence()
        val metadata = threat.getMetadata()

        Log.e("Security", "Jailbreak detected: $threatType (confidence: $confidence)")

        when {
            confidence >= 0.9 -> {
                // High confidence: immediate action
                Log.e("Security", "High confidence jailbreak. Shutting down.")
                secureDataAndExit()
            }
            confidence >= 0.7 -> {
                // Medium confidence: restricted mode
                Log.w("Security", "Medium confidence jailbreak. Enabling restricted mode.")
                enableRestrictedMode()
                reportToSecurityBackend(threatType, confidence, metadata)
            }
            confidence >= 0.5 -> {
                // Low confidence: log only
                Log.i("Security", "Low confidence indicator: $threatType")
                logSecurityEvent(threatType, confidence, metadata)
            }
        }
    }

    config.addProtection(
        ProtectionModuleType.JAILBREAK_DETECTION,
        "jailbreak-handler",
        300000
    )
}

private fun enableRestrictedMode() {
    // Disable sensitive features
    // Disable payment processing
    // Reduce data access
}

private fun reportToSecurityBackend(threatType: String, confidence: Double, metadata: Map<String, Any>) {
    // Send to backend
}

private fun secureDataAndExit() {
    // Wipe sensitive data
    System.exit(1)
}

private fun logSecurityEvent(threatType: String, confidence: Double, metadata: Map<String, Any>) {
    // Local logging
}

Java - Multi-Indicator Analysis

Java
Monitor.configure(config -> {
    config.registerCustomAction("multi-indicator-check", threat -> {
        Map<String, Object> metadata = threat.getMetadata();

        // Analyze individual indicators
        @SuppressWarnings("unchecked")
        List<String> detectedIndicators = (List<String>) metadata.get("detected_indicators");

        int indicatorCount = detectedIndicators != null ? detectedIndicators.size() : 0;
        double confidence = threat.getConfidence();

        Log.e("Security", "Detected " + indicatorCount + " jailbreak indicators");
        Log.d("Details", "Indicators: " + detectedIndicators);

        if (indicatorCount >= 3) {
            Log.e("Security", "Multiple indicators found. Device is likely compromised.");
            System.exit(1);
        }
    });

    config.addProtection(
        ProtectionModuleType.JAILBREAK_DETECTION,
        "multi-indicator-check",
        300000
    );
});

Java - Production vs Development Handling

Java
Monitor.configure(config -> {
    config.registerCustomAction("env-aware-handler", threat -> {
        double confidence = threat.getConfidence();
        String threatType = threat.getThreatType();

        if (isProduction()) {
            // Production: zero tolerance
            if (confidence > 0.5) {
                Log.e("Security", "Production mode: terminating due to " + threatType);
                System.exit(1);
            }
        } else {
            // Development: warn only
            if (confidence > 0.8) {
                Log.w("Security", "Development mode: jailbreak detected but allowed");
            }
        }
    });

    config.addProtection(
        ProtectionModuleType.JAILBREAK_DETECTION,
        "env-aware-handler",
        300000
    );
});

private static boolean isProduction() {
    return !BuildConfig.DEBUG;
}

Platform Compatibility

PlatformStatusNotes
Android 5.0+✓ Fully SupportedAPI Level 21+ with multi-indicator detection
Android 8.0+✓ OptimizedEnhanced package enumeration and property access
Android 12+✓ OptimizedImproved permissions model handling
iOS◐ PlannedJailbreak detection coming in future release

Performance Impact

  • CPU Impact: < 1% increase during detection cycles
  • Memory Overhead: ~300 KB for process and package cache
  • Detection Latency: 100-300 ms per cycle
  • Battery Impact: Minimal (one-time detection with caching until reboot)

Threat Detection Details

When a jailbreak is detected, the module generates a detection result:

JSON
{
  "threatType": "rooted_device",
  "description": "Android device root detected via multiple indicators",
  "confidence": 0.85,
  "timestamp": "2026-03-02T16:10:44.521Z",
  "metadata": {
    "detectionMethod": "multi_indicator_analysis",
    "detected_indicators": [
      "su_binary_found_system_xbin",
      "magisk_app_detected",
      "system_partition_writable",
      "ro_debuggable_enabled"
    ],
    "indicator_count": 4,
    "su_binary_paths": ["/system/xbin/su"],
    "root_management_apps": ["com.topjohnwu.magisk"],
    "debuggable_property": "1",
    "selinux_status": "enforcing",
    "api_level": 33,
    "device_manufacturer": "Samsung"
  }
}
JSON
{
  "threatType": "low_confidence_indicator",
  "description": "Single jailbreak indicator detected",
  "confidence": 0.52,
  "timestamp": "2026-03-02T16:10:44.521Z",
  "metadata": {
    "detectionMethod": "single_indicator",
    "detected_indicators": ["busybox_installed"],
    "indicator_count": 1,
    "sensitivity_level": "normal"
  }
}

Next Steps

Previous
Emulator Detection
Next
Clock Tampering