Jailbreak Detection
Protection Module: JailbreakDetection
Available For
| Platform | Version | Status |
|---|---|---|
| iOS | 12.0+ | ✓ Full Support |
| iPadOS | 12.0+ | ✓ Full Support |
| tvOS | 12.0+ | ✓ Supported |
How It Works
The Jailbreak Detection module employs multiple detection techniques to identify compromised devices with elevated privileges. It checks for popular jailbreak tools and bypass methods:
Detection Techniques
- File Detection: Searches for jailbreak management applications and tools at common paths (`/Applications/Cydia.app`, `/usr/sbin/sshd`, `/etc/apt`, `/private/var/lib/apt/`, `/bin/bash`, `/usr/bin/ssh`, `/var/stash`, and others).
- URL Scheme Checks: Tests for jailbreak app URL schemes (`cydia://`, `sileo://`, `zbra://`) that indicate presence of jailbreak package managers.
- Fork Test: Attempts to `fork()` the process; jailbroken devices may allow this operation which is normally restricted.
- Dynamic Library Injection Detection: Enumerates loaded dylibs and checks for injected libraries that indicate hooking frameworks.
- Symbolic Link Checks: Verifies `/Applications`, `/var/stash`, and other directories for symbolic links indicating system modifications.
- System Integrity: Performs sandbox escape tests to verify sandbox confinement is intact.
Detection Confidence: Dynamic based on number and type of indicators detected
Sensitivity Options: High, Medium, Low
Default Interval: 300 seconds (5 minutes)
Caching: Cached until reboot
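
An added example (not ByteHide's code and not part of the original page) showing one way the File Detection and Symbolic Link Checks items above can be implemented with `lstat()`. The `jb_*` names, the `root` prefix and the fixture tree are assumptions of this example: on a device `root` would be the empty string, while a non-empty `root` lets the same checks run against a constructed directory.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Paths from the File Detection item; directories from Symbolic Link Checks. */
static const char *const JB_FILES[] = {
    "/Applications/Cydia.app", "/usr/sbin/sshd", "/etc/apt",
    "/private/var/lib/apt/", "/bin/bash", "/usr/bin/ssh", "/var/stash", NULL };
static const char *const JB_LINK_DIRS[] = { "/Applications", "/var/stash", NULL };
struct jb_result { int files_found; int symlinks_found; };

/* lstat() root+path; root is "" on a device, a test-tree prefix otherwise (assumption). */
static int jb_lstat(const char *root, const char *path, struct stat *st) {
    char full[1024];
    int n = snprintf(full, sizeof full, "%s%s", root, path);
    if (n < 0 || (size_t)n >= sizeof full) return -1; /* too long: treat as absent */
    return lstat(full, st);
}

struct jb_result jb_scan(const char *root) {
    struct jb_result r = {0, 0};
    struct stat st;
    for (const char *const *p = JB_FILES; *p; p++)
        if (jb_lstat(root, *p, &st) == 0) r.files_found++;
    /* lstat does not follow the last component: a relocated directory shows as a symlink. */
    for (const char *const *p = JB_LINK_DIRS; *p; p++)
        if (jb_lstat(root, *p, &st) == 0 && S_ISLNK(st.st_mode))
            r.symlinks_found++;
    return r;
}

/* Constructed fixture: <root>/var/stash is a real directory, <root>/Applications links to it. */
int jb_make_fixture(const char *root) {
    char var[1024], stash[1024], apps[1024];
    snprintf(var, sizeof var, "%s/var", root);
    snprintf(stash, sizeof stash, "%s/var/stash", root);
    snprintf(apps, sizeof apps, "%s/Applications", root);
    return (mkdir(var, 0700) || mkdir(stash, 0700) || symlink("var/stash", apps)) ? -1 : 0;
}

int main(void) {
    char root[] = "/tmp/jbdemoXXXXXX";
    if (!mkdtemp(root) || jb_make_fixture(root) != 0) return 1;
    struct jb_result r = jb_scan(root);
    return printf("files=%d symlinks=%d\n", r.files_found, r.symlinks_found) < 0;
}
```

The two counters are kept separate because a path that merely exists and a system directory that has been replaced by a symlink are different kinds of evidence.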
JSON Configuration

```json
{
  "protections": [
    {
      "type": "JailbreakDetection",
      "action": "close",
      "intervalMs": 300000,
      "sensitivity": "high"
    }
  ]
}
```

Code-Based Configuration
Swift

```swift
import ByteHideMonitor

BHMMonitor.configure { config in
    config.enableProtection(.jailbreakDetection, action: .close, intervalMs: 300000)
}
```

Objective-C

```objc
#import <ByteHideMonitor/ByteHideMonitor.h>

[BHMMonitor configure:^(BHMMonitorConfiguration *config) {
    [config enableProtection:BHMProtectionModuleTypeJailbreakDetection
                      action:BHMActionTypeClose
                  intervalMs:300000];
}];
```

Available Actions
| Action | Behavior | Recommended For |
|---|---|---|
| Close | Terminate application immediately | Production apps with critical IP |
| Log | Record incident and continue | Development, analytics |
| Erase | Securely delete data then terminate | Financial, healthcare apps |
| Custom | Execute custom handler | Enterprise integrations |
| None | Detect only, no action | Testing configurations |
See Actions for detailed action documentation.
When to Use
- Financial Apps: Prevent access on jailbroken devices to protect transactions
- Banking Applications: Enforce security policies and prevent credential theft
- DRM-Protected Content: Ensure app integrity on legitimate devices only
- Healthcare Apps: Comply with regulatory requirements (HIPAA, etc.)
- Streaming Services: Prevent content piracy and unauthorized access
- Enterprise Apps: Enforce device security policies for employees
- Development: Use `Log` action to monitor jailbreak prevalence
Code Examples
Swift Basic Configuration

```swift
import ByteHideMonitor

// In your AppDelegate or app initialization
BHMMonitor.configure { config in
    config.enableProtection(.jailbreakDetection, action: .close, intervalMs: 300000)
}
```

Swift with Custom Action

```swift
import ByteHideMonitor

BHMMonitor.configure { config in
    // Register custom handler for jailbreak detection
    config.registerCustomAction("jailbreak-handler") { context in
        let threatType = context.threatType
        let description = context.threatDescription
        let metadata = context.metadata

        // Send security alert to backend
        SecurityAPI.reportJailbreakAttempt(
            threatType: threatType,
            description: description,
            metadata: metadata
        )

        // Lock sensitive features
        FeatureManager.disableSensitiveFeatures()

        // Log to analytics
        Analytics.log(event: "jailbreak_detected", parameters: [
            "threat_type": threatType,
            "description": description,
            "timestamp": ISO8601DateFormatter().string(from: Date())
        ])
    }

    config.enableProtection(.jailbreakDetection, customAction: "jailbreak-handler", intervalMs: 300000)
}
```

Objective-C Basic Configuration

```objc
#import <ByteHideMonitor/ByteHideMonitor.h>

[BHMMonitor configure:^(BHMMonitorConfiguration *config) {
    [config enableProtection:BHMProtectionModuleTypeJailbreakDetection
                      action:BHMActionTypeClose
                  intervalMs:300000];
}];
```

Objective-C with Custom Action

```objc
#import <ByteHideMonitor/ByteHideMonitor.h>

[BHMMonitor configure:^(BHMMonitorConfiguration *config) {
    [config registerCustomAction:@"jailbreak-handler" handler:^(BHMThreatContext *context) {
        NSString *threatType = context.threatType;
        NSString *description = context.threatDescription;
        NSDictionary *metadata = context.metadata;

        // Report to security backend
        [SecurityAPI reportJailbreakAttemptWithThreatType:threatType
                                              description:description
                                                 metadata:metadata];

        // Disable sensitive operations
        [FeatureManager disableSensitiveFeatures];

        // Log event
        [Analytics logEvent:@"jailbreak_detected"
                 parameters:@{
                     @"threat_type": threatType,
                     @"description": description
                 }];
    }];

    [config enableProtection:BHMProtectionModuleTypeJailbreakDetection
                customAction:@"jailbreak-handler"
                  intervalMs:300000];
}];
```

Platform Compatibility
| Feature | iOS 12-13 | iOS 14-15 | iOS 16+ |
|---|---|---|---|
| File Detection | ✓ | ✓ | ✓ |
| URL Scheme Checks | ✓ | ✓ | ✓ |
| Fork Test | ✓ | ✓ | ✓ Limited |
| Dylib Detection | ✓ | ✓ | ✓ |
| Symbolic Link Checks | ✓ | ✓ | ✓ |
| System Integrity Tests | ✓ | ✓ | ✓ |
| Continuous Monitoring | ✓ | ✓ | ✓ |
Performance Impact
- CPU Usage: ~0.5-1.0% per check cycle (varies by sensitivity)
- Memory Overhead: <1 MB (cached results)
- Battery Impact: Low with 5-minute intervals
- First Detection: <100ms for most jailbreak tools
- I/O Impact: Minimal file system access (cached)
Threat Detection Details

```json
{
  "threat": {
    "moduleType": "JailbreakDetection",
    "threatType": "JailbreakDetected",
    "threatDescription": "Device appears to be jailbroken - multiple indicators detected",
    "detectionResult": {
      "isThreat": true,
      "category": "DeviceSecurity",
      "threatDescription": "Jailbreak tools and system modifications detected",
      "confidence": 0.98,
      "evidence": {
        "files_found": [
          "/Applications/Cydia.app",
          "/usr/sbin/sshd"
        ],
        "url_schemes_detected": ["cydia"],
        "dylib_injection": true,
        "fork_test": "restricted_but_suspicious"
      },
      "timestamp": "2026-03-03T10:30:45.123Z"
    },
    "metadata": {
      "sensitivity": "high",
      "indicators_count": 4,
      "cache_status": "hit",
      "check_duration_ms": 45,
      "interval_ms": 300000
    }
  }
}
```

Related Protections
- Debugger Detection - Detect attached debuggers
- Simulator Detection - Detect simulator environments
- Tampering Detection - Verify app integrity
- Process Injection - Detect code injection
Next Steps
- Actions Documentation - Learn about available response actions
- Custom Actions - Build custom threat handlers
- Configuration API - Full API reference
- Getting Started - Monitor setup guide