Lack of Jailbreak Detections
Lack of Jailbreak Detections
Overview of the Vulnerability
A lack of jailbreak (iOS) or root access (Android) detections in an application increases its attack surface and leaves it open to code analysis, reverse engineering, or modification of the application. An attacker could abuse the lack of jailbreak (iOS) or root access (Android) detections to access the internal file system of the application, or inject unauthorized code into the application.
Business Impact
This vulnerability can lead to indirect financial loss to the company due to data theft, application manipulation and corruption, or denial of service to customers and users of the application. It can also lead to reputational damage as customers may view the application as insecure.
Steps to Reproduce
Jailbreak (iOS) or gain root access (Android) to a mobile device
Install the application on the mobile device
Open the application and observe that the application does not prevent access or acknowledge that the mobile device has been jailbroken (iOS) or that root access (Android) has been gained, indicating it lacks a detection mechanism
Proof of Concept (PoC)
The screenshot below shows the lack of jailbreak (iOS) or root access (Android) detections:
{{screenshot}}
Recommendation(s)
It is recommended that the application have exploit mitigation controls which prevent an attacker from analyzing, reverse engineering, or performing unauthorized code modifications. This can include jailbreak detections, source-code obfuscation, binary hardening, and runtime detection.
For further information, please refer to: https://owasp.org/www-project-mobile-top-10/2014-risks/m10-lack-of-binary-protections
Last updated