Testing iVerify

This post is going to focus on the automatic capabilities of iVerify to detect whether your device is compromised. This is a small part of the application; the application also includes a lot of useful advice for helping users either manually detect a compromise or increase the security of their device.

In my testing I found iVerify device scanning had some limitations. iVerify was unable to detect a low-impact rooting of the device. The rooting of the device involved running a kernel exploit which spawned a Frida process with high privileges and a background process that gave the Frida process access to privileges that required TFP0 access. Since this does not modify anything that a sandboxed application can access, it is impossible to detect from a sandboxed application.

The threat that iVerify device scan protects against is malware installed by first loading a commercial jailbreak tool. I’m guessing there might be some stalkerware/spouseware that does this. Getting a low impact root working on many devices across many iOS versions is a lot of work. It would make economic sense for malware authors to reuse the existing public jailbreaks as a first stage. iVerify device scan will not protect you against sophisticated adversaries who don’t leave stuff in the filesystem, remount the filesystem or blindly inject and modify every process on the system.

In my testing I also injected iVerify with the Frida agent in order to decrypt the IPA. iVerify was not able to detect that it had been injected by Frida. I believe this may be a bug within iVerify because reversing the iVerify binary shows it has code that checks the task ports and does another check [which I don’t want to publicize] which should have flagged Frida as well. It could also be that these two checks are dormant code and not actually used. It is my experience that jailbreak detection code tends to have a high number of bugs because it is both difficult to test and the ‘bad’ code path is often not taken.

I also tested iVerify while the unc0ver jailbreak was active. iVerify was able to successfully detect that the device had been compromised.


Rhett Trickett

I read about iVerify's release the other day and wondered how effective it could be for iOS, so thanks for sharing your findings.

Do you think pursuing vulnerability detection as an app on iOS is a worthwhile pursuit or would it not be too constrained from the limited access that apps have to the device?