Mobile Jailbreak Detection (iOS)
What is Mobile Jailbreak Detection (iOS)?
Mobile Jailbreak Detection (iOS)Runtime checks an iOS app performs to determine whether the device has been jailbroken — looking for Cydia/Sileo/Zebra files, suspicious URL schemes, write access outside the sandbox, or App Attest disagreement.
Mobile jailbreak detection is the iOS counterpart to Android root detection. An iOS app inspects its running environment at sensitive moments to estimate whether the device has been jailbroken and therefore whether the app sandbox and Keychain assumptions still hold. Common heuristics include filesystem checks for `/Applications/Cydia.app`, `/Applications/Sileo.app`, `/Applications/Zebra.app`, `/usr/sbin/sshd`, and other Cydia Substrate paths; openURL probing for `cydia://`, `sileo://`, `filza://`; checking whether the app can write outside its sandbox (e.g. to `/private/foo.txt`); detecting suspicious dyld libraries (`MobileSubstrate`, `frida-gadget`); fork() returning success (jailbroken iOS allows it, sandboxed apps cannot); and signing-entitlement / signer-identity checks. As with Android root detection, all of these can be defeated by sophisticated tweak tools (Liberty, Shadow, A-Bypass, hideJB), so modern apps combine local heuristics with App Attest server-side verification — App Attest will not produce a valid attestation on a jailbroken or simulated device. OWASP MASVS resilience controls treat jailbreak detection as a defense-in-depth signal, not a perimeter.
● Examples
- 01
A payment app fails App Attest provisioning when run on a jailbroken iPhone, and its backend refuses to enrol the device — invisibly, without scaring the user.
- 02
An anti-fraud SDK reports a 'jailbreak likely' signal in its risk score after seeing both a Cydia file present and an unsigned dyld library loaded into the process.
● Frequently asked questions
What is Mobile Jailbreak Detection (iOS)?
Runtime checks an iOS app performs to determine whether the device has been jailbroken — looking for Cydia/Sileo/Zebra files, suspicious URL schemes, write access outside the sandbox, or App Attest disagreement. It belongs to the Mobile Security category of cybersecurity.
What does Mobile Jailbreak Detection (iOS) mean?
Runtime checks an iOS app performs to determine whether the device has been jailbroken — looking for Cydia/Sileo/Zebra files, suspicious URL schemes, write access outside the sandbox, or App Attest disagreement.
How does Mobile Jailbreak Detection (iOS) work?
Mobile jailbreak detection is the iOS counterpart to Android root detection. An iOS app inspects its running environment at sensitive moments to estimate whether the device has been jailbroken and therefore whether the app sandbox and Keychain assumptions still hold. Common heuristics include filesystem checks for `/Applications/Cydia.app`, `/Applications/Sileo.app`, `/Applications/Zebra.app`, `/usr/sbin/sshd`, and other Cydia Substrate paths; openURL probing for `cydia://`, `sileo://`, `filza://`; checking whether the app can write outside its sandbox (e.g. to `/private/foo.txt`); detecting suspicious dyld libraries (`MobileSubstrate`, `frida-gadget`); fork() returning success (jailbroken iOS allows it, sandboxed apps cannot); and signing-entitlement / signer-identity checks. As with Android root detection, all of these can be defeated by sophisticated tweak tools (Liberty, Shadow, A-Bypass, hideJB), so modern apps combine local heuristics with App Attest server-side verification — App Attest will not produce a valid attestation on a jailbroken or simulated device. OWASP MASVS resilience controls treat jailbreak detection as a defense-in-depth signal, not a perimeter.
How do you defend against Mobile Jailbreak Detection (iOS)?
Defences for Mobile Jailbreak Detection (iOS) typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for Mobile Jailbreak Detection (iOS)?
Common alternative names include: Jailbreak detection, iOS jailbreak check.
● Related terms
- mobile-security№ 630
Jailbreak (iOS)
The process of bypassing Apple's code-signing and sandbox restrictions on an iPhone or iPad so the user can install software that Apple has not approved.
- mobile-security№ 780
Mobile Root Detection (Android)
Defensive checks an Android app runs to determine whether it is executing on a rooted device — typically by probing for su binaries, Magisk files, busybox, dangerous build properties, or hardware-attested integrity verdicts.
- mobile-security№ 062
Apple App Attest
Apple's iOS / iPadOS / tvOS / watchOS attestation service that lets an app prove to its backend that it is the genuine, App-Store-signed binary running on a real Apple device with Secure Enclave protection.
- mobile-security№ 772
Mobile App Security
The practice of designing, building, and testing iOS and Android applications to protect user data, prevent reverse engineering, and resist runtime tampering.
- mobile-security№ 481
Frida Dynamic Instrumentation
An open-source dynamic instrumentation toolkit by Ole André Vadla Ravnås that lets researchers hook, trace, and rewrite functions inside running processes on Android, iOS, Windows, macOS, and Linux — the de facto tool for mobile app reverse engineering and bypass research.
- compliance№ 871
OWASP MASVS
The OWASP Mobile Application Security Verification Standard, a baseline of testable security requirements for iOS and Android mobile applications.