
iOS User permissions

On iPhone, there are some things that jailbroken phones can do while non-jailbroken ones cannot. I think there must be a list of permissions configured for the user, and that list is changed in the jailbreak process.

Can anyone show me how to get that list of permissions (by code) or link me to any related documents?

Sandbox

Some permissions are enforced by the seatbelt (sandbox) profile "container" - it's the default profile for all apps inside the /var/mobile/Applications (up to iOS 7.x) or /var/mobile/Containers (since iOS 8) directory, i.e. AppStore apps. You can read about it here. It's probably outdated but should give you some idea of how it works.

As far as I know, sandboxing is implemented as a kernel extension. It uses hooks on various system calls in order to check whether the calling process has permission to make the call.

Jailbreak doesn't turn off the sandbox; at least it shouldn't, and it's not required for jailbreaking. Almost everything works as it is. There are some differences between jailbreaks; some versions clearly broke sandbox rules. For example, you could read files outside of your application directories that you would normally not be able to.

Sandboxing doesn't care about whether a process has root access or not. It's a completely different security layer. And it's used not only for AppStore apps. Many system daemons and apps have their own very strict sandbox profiles even though they execute as root.

Entitlements

Entitlements are another way of granting permissions. Entitlements are like Android permissions, but they are located inside the app binary as a binary property list and protected by the code signature. So you can't add anything you want. For AppStore apps that works even on jailbroken phones unless you install the AppSync tweak, which turns off code signature checks and should (I didn't test it myself, but it should be possible) allow you to sign AppStore apps with any entitlements.

For other processes, code signature checks are disabled by default so that you could write your own Cydia tweaks/apps and sign them with any entitlements you want, as long as they are located outside of the "container" sandbox profile directory.

Entitlements are different from sandboxing. Checks for specific entitlements are not done in the kernel or some system daemon - the actual code you are calling does the check. For example, when you want to send an SMS message, you can do this by sending an XPC message that will be received by the CommCenter daemon, which implements all baseband-related stuff in userland (that's how the private ChatKit.framework does it). CommCenter then checks whether the calling process has the required entitlements before proceeding with the request or denying access. Many APIs actually use IPC to some system daemon to get the data. CoreTelephony, for example, is just an IPC interface to the CommCenter daemon. And to restrict access, the daemon checks the entitlements of the process that initiated the request.

Code signature

The name says it all. You can't execute anything you want. AppStore apps must be signed with an Apple certificate. All system apps are signed and their hashes are stored inside the kernel so that you couldn't alter them in any way.

Code signing of course means that when iOS is asked to execute something, it will check the binary's code signature before executing any code. But iOS uses another feature - all code pages are also signed and their signature is checked at runtime. When there is a page fault interrupt, the kernel will check the code signature.

Jailbreak turns off almost all code signature checks. There are no checks for non-AppStore app processes. There are checks for AppStore apps, which can be turned off with the AppSync tweak from Cydia.

One could ask, how then does Safari work? Its JavaScript engine generates code at runtime. Safari is signed with a very special entitlement, dynamic-codesigning, that allows you to do such a thing.

UNIX permissions

And there is that, of course. Jailbreak doesn't turn it off or alter it in any way. There are many users in iOS. They're used for various system processes to make iOS more secure by restricting access to the stuff that the process actually needs. So that when a vulnerability is found in such a process, the hacker couldn't do anything they want.
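For the "by code" part of the question, applied to the entitlements layer described in the answer above, here is an added example that is not part of the original post: it parses the code-signature SuperBlob that a Mach-O's LC_CODE_SIGNATURE load command points at and decodes the embedded entitlements plist. Reading that payload out of a real binary is assumed to happen elsewhere; the SuperBlob bytes used here are constructed inside the script.

```python
"""Decode the entitlements blob from a Mach-O code-signature SuperBlob, the
payload LC_CODE_SIGNATURE points at. Every field is big-endian. Assumption:
the caller has already read that payload out of the binary."""
import plistlib
import struct

CSMAGIC_EMBEDDED_SIGNATURE = 0xFADE0CC0  # SuperBlob wrapping all signature blobs
CSMAGIC_ENTITLEMENTS = 0xFADE7171        # blob holding the XML entitlements plist
CSSLOT_ENTITLEMENTS = 5                  # index slot used by the entitlements blob

def parse_superblob(data: bytes) -> dict:
    """Return {slot: blob_bytes} for each blob, bounds-checking every offset."""
    magic, length, count = struct.unpack_from(">III", data, 0)
    if magic != CSMAGIC_EMBEDDED_SIGNATURE:
        raise ValueError(f"not an embedded signature SuperBlob: {magic:#x}")
    if length > len(data):
        raise ValueError("SuperBlob length exceeds buffer")
    blobs = {}
    for i in range(count):
        slot, offset = struct.unpack_from(">II", data, 12 + 8 * i)
        _, blob_len = struct.unpack_from(">II", data, offset)
        if blob_len < 8 or offset + blob_len > length:
            raise ValueError(f"blob in slot {slot} overruns the SuperBlob")
        blobs[slot] = data[offset:offset + blob_len]
    return blobs

def extract_entitlements(superblob: bytes) -> dict:
    """Decode the entitlements plist; a binary without that blob yields {}."""
    blob = parse_superblob(superblob).get(CSSLOT_ENTITLEMENTS)
    if blob is None:
        return {}
    magic = struct.unpack_from(">I", blob, 0)[0]
    if magic != CSMAGIC_ENTITLEMENTS:
        raise ValueError(f"unexpected magic in entitlements slot: {magic:#x}")
    return plistlib.loads(blob[8:])

def build_sample_superblob(entitlements: dict) -> bytes:
    """Constructed test input: a SuperBlob holding only an entitlements blob."""
    plist = plistlib.dumps(entitlements, fmt=plistlib.FMT_XML)
    ent_blob = struct.pack(">II", CSMAGIC_ENTITLEMENTS, 8 + len(plist)) + plist
    header_len = 12 + 8  # SuperBlob header plus one index entry
    header = struct.pack(">IIIII", CSMAGIC_EMBEDDED_SIGNATURE, header_len + len(ent_blob),
                         1, CSSLOT_ENTITLEMENTS, header_len)
    return header + ent_blob

if __name__ == "__main__":
    # Constructed sample: the entitlement the answer mentions for Safari.
    sample = build_sample_superblob({"dynamic-codesigning": True})
    for key, value in extract_entitlements(sample).items():
        print(f"{key} = {value}")
```

Because the index entries and blob lengths come from the untrusted binary, every offset is checked against the SuperBlob length before it is dereferenced.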
