Detecting iOS Jailbroken Devices

iOS SDK version 2.3+ has enhanced functionality to detect jailbroken devices. When a device is jailbroken, it’s a good indication that purchases made by these devices may not be valid.

Reject Install / Events from Jailbroken Devices

Since a jailbroken device is a good indicator for an invalid user (for example, a user who did not actually purchase your app, but uses a pirated or cracked version), our Support team can enable a setting on your account that rejects installs and events from jailbroken devices. Once enabled, these rejected installs and events from jailbroken devices are logged as rejected in the install and event logs (and the aggregated mobile app and publisher reports do not include the information from these rejected installs and events).

Determining if Device is Jailbroken

The MAT iOS SDK uses three methods to determine if a device is jailbroken. When the SDK communicates with the MAT platform, it includes information about the jailbreak status of an iOS-based device. The SDK uses the following methods to detect jailbroken devices:

1. Presence of file paths of some commonly used hacks

If any of the following file paths is present, it indicates a jailbroken device:

  • “/Applications/Cydia.app”
  • “/Applications/blackra1n.app”
  • “/Applications/FakeCarrier.app”
  • “/Applications/Icy.app”
  • “/Applications/IntelliScreen.app”
  • “/Applications/MxTube.app”
  • “/Applications/RockApp.app”
  • “/Applications/SBSettings.app”
  • “/Applications/WinterBoard.app”
  • “/Library/MobileSubstrate/DynamicLibraries/LiveClock.plist”
  • “/Library/MobileSubstrate/DynamicLibraries/Veency.plist”
  • “/private/var/lib/apt”
  • “/private/var/lib/cydia”
  • “/private/var/mobile/Library/SBSettings/Themes”
  • “/private/var/stash”
  • “/private/var/tmp/cydia.log”
  • “/System/Library/LaunchDaemons/com.ikey.bbot.plist”
  • “/System/Library/LaunchDaemons/com.saurik.Cydia.Startup.plist”
  • “/usr/bin/sshd”
  • “/usr/libexec/sftp-server”
  • “/usr/sbin/sshd”

 

2. Presence of shell access

Since non-jailbroken iOS devices do not have shell access, the presence of shell access indicates a jailbroken device.

 

3. Non-existence of standard framework at the expected file path

If the standard Foundation framework does not exist at the expected file path “/System/Library/Frameworks/Foundation.framework/Foundation”, then this absence indicates a jailbroken device.
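The three checks above, sketched in plain C as an added example (this is not the MAT SDK's own code). The `root` prefix, the `jb_*` and `JB_*` names, and the use of `/bin/sh` existence as the shell-access test are assumptions; the page does not say how the SDK tests for shell access.

```c
#include <stdio.h>
#include <sys/stat.h>

/* Method 1: the file paths listed on this page. */
static const char *const JB_PATHS[] = {
    "/Applications/Cydia.app", "/Applications/blackra1n.app",
    "/Applications/FakeCarrier.app", "/Applications/Icy.app",
    "/Applications/IntelliScreen.app", "/Applications/MxTube.app",
    "/Applications/RockApp.app", "/Applications/SBSettings.app",
    "/Applications/WinterBoard.app", "/private/var/lib/apt",
    "/Library/MobileSubstrate/DynamicLibraries/LiveClock.plist",
    "/Library/MobileSubstrate/DynamicLibraries/Veency.plist",
    "/private/var/lib/cydia", "/private/var/stash",
    "/private/var/mobile/Library/SBSettings/Themes",
    "/private/var/tmp/cydia.log",
    "/System/Library/LaunchDaemons/com.ikey.bbot.plist",
    "/System/Library/LaunchDaemons/com.saurik.Cydia.Startup.plist",
    "/usr/bin/sshd", "/usr/libexec/sftp-server", "/usr/sbin/sshd",
};
#define FOUNDATION "/System/Library/Frameworks/Foundation.framework/Foundation"
enum { JB_FILE = 1, JB_SHELL = 2, JB_NO_FOUNDATION = 4 }; /* hypothetical names */

/* 1 if root+path can be stat()ed, else 0. `root` is a hypothetical prefix
   ("" on a device) so the checks can run against a constructed tree. */
static int jb_exists(const char *root, const char *path) {
    char full[1024];
    struct stat st;
    int n = snprintf(full, sizeof full, "%s%s", root, path);
    return n > 0 && (size_t)n < sizeof full && stat(full, &st) == 0;
}

/* Bitmask of the methods that fired; 0 means no indicator was found. */
int jb_check(const char *root) {
    int flags = 0;
    for (size_t i = 0; i < sizeof JB_PATHS / sizeof JB_PATHS[0]; i++)
        if (jb_exists(root, JB_PATHS[i])) { flags |= JB_FILE; break; }
    /* Method 2 (assumption): shell access approximated by /bin/sh existing. */
    if (jb_exists(root, "/bin/sh")) flags |= JB_SHELL;
    /* Method 3: Foundation missing from its expected path. */
    if (!jb_exists(root, FOUNDATION)) flags |= JB_NO_FOUNDATION;
    return flags;
}

int main(int argc, char **argv) {
    int f = jb_check(argc > 1 ? argv[1] : "");
    printf("file=%d shell=%d no_foundation=%d\n",
           !!(f & JB_FILE), !!(f & JB_SHELL), !!(f & JB_NO_FOUNDATION));
    return f != 0;
}
```

Returning a bitmask rather than a single yes/no lets the caller report which method fired, which helps when investigating an unexpected rejection.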

 

OS Jailbroken in Reporting

In reporting, you can group, view, and filter by the jailbreak status of a device. In the Edit options on most reports, use the OS Jailbroke parameter as shown in the following screenshot. The report returns Yes for jailbroken devices and No for non-jailbroken devices.

[Screenshot: edit-jailbroke]

 

In the Actuals and Cohort Report, you can group, view, and filter on the OS Jailbroke parameter. The following table shows installs and events from devices that are jailbroken. In general, the installs, events, and revenue associated with jailbroken devices are a good indication of fraud.

[Image: jail-agg]

 

In the Installs, Updates, and Event Log Reports, you can also view and filter on the OS Jailbroke parameter as shown in the following screenshot.

[Screenshot: Logs-installs]
