├── IOSSecuritySuite
├── README.md
├── flutter-jb-bypass-ios-short.js
└── flutter-jb-bypass-ios.js

/IOSSecuritySuite:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/CyberCX-STA/flutter-jailbreak-root-detection-bypass/561f65a1ebaaba610949d33890531d1b9fa1ffca/IOSSecuritySuite

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Jailbreak/Root Detection Bypass in Flutter

This script is designed to bypass security checks that are implemented using the IOSSecuritySuite module in iOS applications and RootBeer in Android applications. For iOS, it intercepts two exported functions, one that checks whether the device is jailbroken and one that checks whether the code is running in an emulator, and modifies their return values at runtime to bypass these checks.

## How to Use

**Prerequisites**

- Frida needs to be installed on the device or emulator where the application is running.

**Steps**

1. Start the application on the device or emulator where Frida is installed.
2. Launch the terminal on your computer and navigate to the directory where the script is located.
3. Ensure Frida can communicate with the device by running the following command: `frida-ps -Uai`
4. Load the script by running the following command: `frida -U -l flutter-jb-bypass-ios-short.js `
5. Wait for the script to intercept the exported functions and modify them at runtime. A success message will be displayed once bypassed.

**To-Do**

- [ ] Frida script to bypass RootBeer root detection checks in Android (Work in progress)

--------------------------------------------------------------------------------
/flutter-jb-bypass-ios-short.js:
--------------------------------------------------------------------------------
// Hook the two exported checks and force each Bool result to 0x0 (False)
Interceptor.attach(Module.findExportByName("IOSSecuritySuite", "$s16IOSSecuritySuiteAAC13amIJailbrokenSbyFZ"), {
    onLeave: function(retval) {
        retval.replace(0x0);
    }
});

Interceptor.attach(Module.findExportByName("IOSSecuritySuite", "$s16IOSSecuritySuiteAAC16amIRunInEmulatorSbyFZ"), {
    onLeave: function(retval) {
        retval.replace(0x0);
    }
});

--------------------------------------------------------------------------------
/flutter-jb-bypass-ios.js:
--------------------------------------------------------------------------------
Interceptor.attach(Module.findExportByName("IOSSecuritySuite", "$s16IOSSecuritySuiteAAC13amIJailbrokenSbyFZ"), {
    onEnter: function(args) {
        // Print out the function name and arguments
        console.log("$s16IOSSecuritySuiteAAC13amIJailbrokenSbyFZ has been called with arguments:");
        console.log("arg0: " + args[0] + " (context)");

        // Print out the call stack
        console.log("$s16IOSSecuritySuiteAAC13amIJailbrokenSbyFZ called from:\n" +
            Thread.backtrace(this.context, Backtracer.ACCURATE)
                .map(DebugSymbol.fromAddress).join("\n") + "\n");
    },
    onLeave: function(retval) {
        // Print out the return value
        console.log("$s16IOSSecuritySuiteAAC13amIJailbrokenSbyFZ returned: " + retval);
        console.log("Setting JB check results to False");
        // Set the return value to 0x0 (False)
        retval.replace(0x0);
    }
});

--------------------------------------------------------------------------------
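A defender-side counterpart to the hooks above, added here as an example and not part of this repository: inline interception takes effect by rewriting the first instructions of the target function, so an app can inspect the prologue of its own check functions for a redirect. The names `check_prologue` and `verdict`, the branch patterns tested (assumed common AArch64 trampoline shapes) and the byte samples are all constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef enum { CLEAN, DIRECT_BRANCH, SCRATCH_BRANCH } verdict;

/* Decode one little-endian 32-bit AArch64 instruction. */
static uint32_t insn_at(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Heuristic over the first four instructions of a function (assumed trampoline
 * shapes): an unconditional B as the very first instruction, or BR x16 / BR x17
 * anywhere in the window. Thin tail-call thunks can match too, so treat a hit
 * as a signal to correlate, not as proof. */
verdict check_prologue(const uint8_t *code, size_t len) {
    size_t n = len / 4 < 4 ? len / 4 : 4;
    if (n > 0 && (insn_at(code) & 0xFC000000u) == 0x14000000u)
        return DIRECT_BRANCH;                       /* B imm26 */
    for (size_t i = 0; i < n; i++) {
        uint32_t insn = insn_at(code + 4 * i);
        if (insn == 0xD61F0200u || insn == 0xD61F0220u)
            return SCRATCH_BRANCH;                  /* BR x16 / BR x17 */
    }
    return CLEAN;
}

/* Constructed samples, not captured from a real binary. */
const uint8_t SAMPLE_CLEAN[] = {    /* stp x29,x30,[sp,#-16]!; mov x29,sp;  */
    0xFD,0x7B,0xBF,0xA9, 0xFD,0x03,0x00,0x91,   /* mov w0,#1; ldp x29,x30,.. */
    0x20,0x00,0x80,0x52, 0xFD,0x7B,0xC1,0xA8 };
const uint8_t SAMPLE_LDR_BR[] = {   /* ldr x16,#8; br x16; .quad <target>   */
    0x50,0x00,0x00,0x58, 0x00,0x02,0x1F,0xD6,
    0x00,0x10,0x00,0x00, 0x01,0x00,0x00,0x00 };
const uint8_t SAMPLE_B[] = { 0x00,0x04,0x00,0x14 };   /* b #0x1000 */

int main(void) {
    printf("clean=%d ldr_br=%d b=%d\n",
           (int)check_prologue(SAMPLE_CLEAN, sizeof SAMPLE_CLEAN),
           (int)check_prologue(SAMPLE_LDR_BR, sizeof SAMPLE_LDR_BR),
           (int)check_prologue(SAMPLE_B, sizeof SAMPLE_B));
    return 0;
}
```

In an app, the buffer would be the live bytes at the address of the function being protected; comparing those bytes against the copy in the signed binary on disk is a stronger check than pattern matching alone.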