The jailbroken environment: Bypassing iOS sandbox controls

iOS apps run inside secure sandboxes that block other applications from reading their data files. However, if a user jailbreaks their device, this sandbox is bypassed.

During a penetration test, we install the target application on a jailbroken iPhone. This allows us to access the application's local directory (inside /var/mobile/Containers/Data/Application/) to inspect:

Pentest finding

Session tokens exposed in local iOS plist file

During an audit of an iOS wealth app, we analyzed the local directory on a jailbroken test device. We found that the user's active API authorization token was stored in a plaintext preference file (com.company.app.plist). By copying this token, we successfully logged into their web dashboard from an external browser.

Auditing Keychain access and security settings

The iOS Keychain is the correct place to store cryptographic keys and session tokens. But developers sometimes write to the Keychain using insecure accessibility flags.

If your application uses the kSecAttrAccessibleAfterFirstUnlock flag, the data is readable even when the device is locked. We check if your application specifies kSecAttrAccessibleWhenUnlockedThisDeviceOnly, which restricts reading to when the device is active and blocks the keys from being copied to iCloud backups.

// SECURE: Keychain write query in Swift
let query: [String: Any] = [
    kSecClass as String: kSecClassGenericPassword,
    kSecAttrAccount as String: "authToken",
    kSecValueData as String: tokenData,
    // Restrict read access to when the device is unlocked and active
    kSecAttrAccessible as String: kSecAttrAccessibleWhenUnlockedThisDeviceOnly
]
SecItemAdd(query as CFDictionary, nil)

iOS Security Checklist

If you are developing for iOS and Swift, apply these controls:

  1. Use Keychain properly: Never store secrets, passwords, or active session tokens in plists, CoreData, or user defaults.
  2. Jailbreak detection: Implement checks inside your app to detect jailbreak indicators (such as the presence of Cydia or the ability to write to system folders) and exit the app.
  3. Disable screen caching: Configure the app to obscure the screen buffer when backgrounded to prevent sensitive banking screens from being captured in snapshots.

Let Simpa Labs audit your iOS application

Auditing native iOS apps requires specialized hardware and deep knowledge of Apple's security framework. We will test your application on jailbroken test devices, check your Keychain settings, and audit your API communication.

Book an iOS Pentest