CIR-01-001 WP1: Missing Jailbreak/Root Detection on Android & iOS (Info)

It was found that the Circulo Android and iOS apps do not implement any form of root or Jailbreak detection features at the time of writing. Hence, the applications fail to alert users about the security implications of running the app in such an environment. This issue can be confirmed by installing each application on a jailbroken/rooted device and validating the complete lack of application warnings.

It is recommended to implement a comprehensive Jailbreak and root detection solution to address this problem. Please note that, since the user has root access and the application does not, the application is always at a disadvantage. Mechanisms like these should always be considered bypassable when enough dedication and skill characterize the attacker.

Some freely available libraries for iOS are IOSSecuritySuite and DTTJailbreakDetection, although custom checks are also possible in Swift applications. Such solutions should be considered bypassable but sufficient to warn users about the dangers of running the application on a jailbroken device. For best results, it is recommended to test some commercial and open source solutions against well-known Cydia tweaks like LibertyLite, Shadow, tsProtector 8+ or A-Bypass. Based on this, the development team could determine the most solid approach.

The freely available rootbeer library for Android could be considered for the purpose of alerting users on rooted devices, while bypassable, this would be sufficient for alerting users of the dangers of running the app on rooted devices.