System and Security Info - Support - Description
Description of the Findings
File "/usr/lib/libmis.dylib" does not exist/exists
This test checks if the file "/usr/lib/libmis.dylib" exists in the filesystem. On a normal device this file does not exist. In case it exists it is likely that the device is jailbroken, because it is a known component of attacks against the user space codesigning functionality of iOS.
File "/pguntether" does not exist/exists
This test checks if the file "/pguntether" exists in the filesystem. On a normal device this file does not exist. In case it exists it is likely that the device is jailbroken, because the file belongs to the known "Pangu" jailbreak.
File "/System/Library/Caches/com.apple.xpcd/xpcd_cache.dylib" does not exist/exists
This test checks if the file "/System/Library/Caches/com.apple.xpcd/xpcd_cache.dylib" exists in the filesystem. On a normal device this file does not exist. In case it exists it is likely that the device is jailbroken, because it is a known component of previous jailbreaks to inject LaunchDaemons into the system.
File "/panguaxe" does not exist/exists
This test checks if the file "/panguaxe" exists in the filesystem. On a normal device this file does not exist. In case it exists it is likely that the device is jailbroken, because the file belongs to the known "Pangu" jailbreak.
File "/panguaxe.installed" does not exist/exists
This test checks if the file "/panguaxe.installed" exists in the filesystem. On a normal device this file does not exist. In case it exists it is likely that the device is jailbroken, because the file belongs to the known "Pangu" jailbreak.
File "/System/Library/LaunchDaemons/io.pangu.untether.plist" does not exist/exists
This test checks if the file "/System/Library/LaunchDaemons/io.pangu.untether.plist" exists in the filesystem. On a normal device this file does not exist. In case it exists it is likely that the device is jailbroken, because the file belongs to the known "Pangu" jailbreak.
File "/evasi0n7" does not exist/exists
This test checks if the file "/evasi0n7" exists in the filesystem. On a normal device this file does not exist. In case it exists it is likely that the device is jailbroken, because the file belongs to the known "evasi0n7" jailbreak.
File "/taig/taig" does not exist/exists
This test checks if the file "/taig/taig" exists in the filesystem. On a normal device this file does not exist. In case it exists it is likely that the device is jailbroken, because the file belongs to the known "taig" jailbreak.
File "/usr/lib/pangu_xpcd.dylib" does not exist/exists
This test checks if the file "/usr/lib/pangu_xpcd.dylib" exists in the filesystem. On a normal device this file does not exist. In case it exists it is likely that the device is jailbroken, because the file belongs to the known "Pangu" jailbreak.
File "/xuanyuansword" does not exist/exists
This test checks if the file "/xuanyuansword" exists in the filesystem. On a normal device this file does not exist. In case it exists it is likely that the device is jailbroken, because the file belongs to the known "Pangu" jailbreak.
File "/xuanyuansword.installed" does not exist/exists
This test checks if the file "/xuanyuansword.installed" exists in the filesystem. On a normal device this file does not exist. In case it exists it is likely that the device is jailbroken, because the file belongs to the known "Pangu" jailbreak.
File "/System/Library/LaunchDaemons/io.pangu.axe.untether.plist" does not exist/exists
This test checks if the file "/System/Library/LaunchDaemons/io.pangu.axe.untether.plist" exists in the filesystem. On a normal device this file does not exist. In case it exists it is likely that the device is jailbroken, because the file belongs to the known "Pangu" jailbreak.
File "/System/Library/LaunchDaemons/com.evad3rs.evasi0n7.untether.plist" does not exist/exists
This test checks if the file "/System/Library/LaunchDaemons/com.evad3rs.evasi0n7.untether.plist" exists in the filesystem. On a normal device this file does not exist. In case it exists it is likely that the device is jailbroken, because the file belongs to the known "evasi0n7" jailbreak.
File "/System/Library/Caches/com.apple.dyld/enable-dylibs-to-override-cache" does not exist/exists
This test checks if the file "/System/Library/Caches/com.apple.dyld/enable-dylibs-to-override-cache" exists in the filesystem. On a normal device this file does not exist. In case it exists it is likely that the device is jailbroken, because it is a known component of previous jailbreaks to achieve initial code execution after rebooting the system.
File "/bin/bash" does not exist/exists
This test checks if the file "/bin/bash" exists in the filesystem. On a normal device this file does not exist. If this file exists the device was very likely jailbroken, because it is a command shell only useful on a jailbroken device.
File "/bin/sh" does not exist/exists
This test checks if the file "/bin/sh" exists in the filesystem. On a normal device this file does not exist. If this file exists the device was very likely jailbroken, because it is a command shell only useful on a jailbroken device.
File "/Applications/Cydia.app/Cydia" does not exist/exists
This test checks if the file "/Applications/Cydia.app/Cydia" exists in the filesystem. On a normal device this file does not exist. If this file exists the device was at least at some point jailbroken, because this is an alternative AppStore meant for jailbroken devices.
File "/usr/sbin/sshd" does not exist/exists
This test checks if the file "/usr/sbin/sshd" exists in the filesystem. On a normal device this file does not exist. If this file exists the device was very likely jailbroken, because it opens up a remote command shell only useful on a jailbroken or compromised device.
BootArgument "launchctl_enforce_codesign" is not set/is set
This test checks if the system believes it was rebooted with the kernel boot argument "launchctl_enforce_codesign". On a normal device the kernel is booted without any boot argument. If this boot argument is set the device is likely jailbroken because it is a trick used by previous jailbreaks to get around LaunchDaemon codesigning.
BootArgument "amfi" is not set/is set
This test checks if the system believes it was rebooted with the kernel boot argument "amfi". On a normal device the kernel is booted without any boot argument. If this boot argument is set the device is likely jailbroken because it is a trick used by previous jailbreaks to get codesigning checks.
BootArgument "cs_enforcement_disable" is not set/is set
This test checks if the system believes it was rebooted with the kernel boot argument "cs_enforcement_disable". On a normal device the kernel is booted without any boot argument. If this boot argument is set the device is likely jailbroken because it is a trick used by previous jailbreaks to get codesigning checks.
BootArguments are empty/not empty
This test checks if the system believes it was rebooted with any kernel boot argument. On a normal device the kernel is booted without any boot argument. If some boot argument is set the device is likely jailbroken because it is a trick used by previous jailbreaks to disable several security features inside the kernel.
SysCtl "security.mac.socket_enforce" is enabled/disabled
This test checks if a system variable called "security.mac.socket_enforce" claims to be activated or deactivated. On a normal device this variable should be activated, because it controls if SOCKET operations are security controlled or not. If this variable says it is deactivated the device is likely jailbroken, because earlier jailbreaks used these variables to disable security features. In modern kernels switching these variables has no effect on system security anymore.
SysCtl "security.mac.pipe_enforce" is enabled/disabled
This test checks if a system variable called "security.mac.pipe_enforce" claims to be activated or deactivated. On a normal device this variable should be activated, because it controls if PIPE operations are security controlled or not. If this variable says it is deactivated the device is likely jailbroken, because earlier jailbreaks used these variables to disable security features. In modern kernels switching these variables has no effect on system security anymore.
SysCtl "security.mac.system_enforce" is enabled/disabled
This test checks if a system variable called "security.mac.system_enforce" claims to be activated or deactivated. On a normal device this variable should be activated, because it controls if SYSTEM operations are security controlled or not. If this variable says it is deactivated the device is likely jailbroken, because earlier jailbreaks used these variables to disable security features. In modern kernels switching these variables has no effect on system security anymore.
SysCtl "security.mac.vm_enforce" is enabled/disabled
This test checks if a system variable called "security.mac.vm_enforce" claims to be activated or deactivated. On a normal device this variable should be activated, because it controls if VM operations are security controlled or not. If this variable says it is deactivated the device is likely jailbroken, because earlier jailbreaks used these variables to disable security features. In modern kernels switching these variables has no effect on system security anymore.
SysCtl "security.mac.vnode_enforce" is enabled/disabled
This test checks if a system variable called "security.mac.vnode_enforce" claims to be activated or deactivated. On a normal device this variable should be activated, because it controls if VNODE operations are security controlled or not. If this variable says it is deactivated the device is likely jailbroken, because earlier jailbreaks used these variables to disable security features. In modern kernels switching these variables has no effect on system security anymore.
SysCtl "security.mac.posixshm_enforce" is enabled/disabled
This test checks if a system variable called "security.mac.posixshm_enforce" claims to be activated or deactivated. On a normal device this variable should be activated, because it controls if POSIXSHM operations are security controlled or not. If this variable says it is deactivated the device is likely jailbroken, because earlier jailbreaks used these variables to disable security features. In modern kernels switching these variables has no effect on system security anymore.
SysCtl "security.mac.posixsem_enforce" is enabled/disabled
This test checks if a system variable called "security.mac.posixsem_enforce" claims to be activated or deactivated. On a normal device this variable should be activated, because it controls if POSIXSEM operations are security controlled or not. If this variable says it is deactivated the device is likely jailbroken, because earlier jailbreaks used these variables to disable security features. In modern kernels switching these variables has no effect on system security anymore.
SysCtl "security.mac.sysvmsg_enforce" is enabled/disabled
This test checks if a system variable called "security.mac.sysvmsg_enforce" claims to be activated or deactivated. On a normal device this variable should be activated, because it controls if SYSVMSH operations are security controlled or not. If this variable says it is deactivated the device is likely jailbroken, because earlier jailbreaks used these variables to disable security features. In modern kernels switching these variables has no effect on system security anymore.
SysCtl "security.mac.device_enforce" is enabled/disabled
This test checks if a system variable called "security.mac.device_enforce" claims to be activated or deactivated. On a normal device this variable should be activated, because it controls if DEVICE operations are security controlled or not. If this variable says it is deactivated the device is likely jailbroken, because earlier jailbreaks used these variables to disable security features. In modern kernels switching these variables has no effect on system security anymore.
SysCtl "security.mac.proc_enforce" is enabled/disabled
This test checks if a system variable called "security.mac.proc_enforce" claims to be activated or deactivated. On a normal device this variable should be activated, because it controls if PROC operations are security controlled or not. If this variable says it is deactivated the device is likely jailbroken, because earlier jailbreaks used these variables to disable security features. In modern kernels switching these variables has no effect on system security anymore.
SysCtl "security.mac.sysvshm_enforce" is enabled/disabled
This test checks if a system variable called "security.mac.sysvshm_enforce" claims to be activated or deactivated. On a normal device this variable should be activated, because it controls if SYSVSHM operations are security controlled or not. If this variable says it is deactivated the device is likely jailbroken, because earlier jailbreaks used these variables to disable security features. In modern kernels switching these variables has no effect on system security anymore.
SysCtl "security.mac.sysvsem_enforce" is enabled/disabled
This test checks if a system variable called "security.mac.sysvsem_enforce" claims to be activated or deactivated. On a normal device this variable should be activated, because it controls if SYSVSEM operations are security controlled or not. If this variable says it is deactivated the device is likely jailbroken, because earlier jailbreaks used these variables to disable security features. In modern kernels switching these variables has no effect on system security anymore.
/Applications is a symbolic link/is not a symbolic link
This test checks if the /Applications directory was replaced by a symbolic link to a different area of the file system. On a normal device this should not be the case. If this test says a symbolic link was detected the device is very likely jailbroken, because jailbreaks usually move all the built-in applications to another place in the filesystem and then make the /Applications directly into a so called symbolic link.
No fake signed application found/Found fake signed application
This test checks if any of the currently running processes/applications is fake signed by jailbreaking tools. If any such process is found it will be listed in the details. On a normal device no such process should be found. If however such a process is found the device is very likely jailbroken, because it currently runs applications/processes that have fake/invalid code signing information attached to them.
Fork disallowed/is allowed
This test checks if the system call fork() works or not. The purpose of this system call is to create child processes on a computer. On normal iOS devices this call is blocked by the sandbox applications run in. If this tests detects that fork() is usable this means the device is very likely jailbroken.
DataFS is NoSUID and NoDev mounted/not NoSUID or not NoDev mounted
This test checks if the part of the filesystem where iOS keeps user data is mounted with security restrictions called NoSUID and NoDev. On a normal device these security restrictions should be detected. If either of the two security restrictions is disabled this means the device is very likely jailbroken.
RootFS mounted read-only/read-write
This test checks if the part of the filesystem where iOS keeps the operating system (also called "root filesystem") is mounted with a write protection (read-only) or not. On a normal device this part of the filesystem should be write protected. If this test says the root filesystem is read-write mounted than the device is very likely jailbroken.
TaskForPidZero not available/is available
This test checks if the operating system seems to have been patched to allow the task_for_pid system call to give access to the operating system's kernel. On a normal iOS device this is strictly forbidden. If this test shows that task_for_pid0 is available this means the device is very likely jailbroken. However there is the slight possibility this test returns incorrect results because it works by timing how fast the error is returned in case an application tries to access the kernel. So if this is the only test failing on your system further checks would be required.
No non Apple daemon found/Found non Apple daemon
This test checks if there is currently a process running in the system that has elevated privileges but does not seem to be Apple software. On a normal iOS device this should never be the case. If this test finds such a process it will report its name in the details. Unless the finding is a false positive this is a strong indicator that the iOS device currently runs code that it should not. Further more detailed checking of this issue is highly suggested and you should contact us.
It has been reported that a mysterious "com.apple" process has been found on various devices in the wild. It is likely that this happens due to a glitch in the test that will be fixed in a future version.
Because jailbreaks install non Apple software on a device the test should always find some non apple daemons on jailbroken devices.
Debugger not attached/Debugger attached
This test checks if our application can detect signs it is currently being debugged. Unless you are us you should never see this test fail on a normal non compromised iOS device. If you see this test fail it is likely that some malicious process is running on your device that attaches to other process. In this case further more detailed checking of this issue is highly suggested and you should contact us.
AppStore binary encryption missing/present
This test checks if our application currently runs with AppStore encryption applied to it. Unless you are running one of our Testflight installs this should never happened on a non compromised iOS device.
If this test fails it means the installed version of our app does not come from the Apple AppStore. You either installed our application from a piracy store or the software was sideloaded by means of developer/test/enterprise certificates on your device. If any of this is not the case and you are NOT aware that your device is jailbroken further more detailed checking of this issue is highly suggested and you should contact us.
CodeSigning validation seems to be okay/CodeSigning was tampered with/unexpected error
This test checks if system correctly identifies manipulated code signing information being passed to it. On a normal iOS device tampered code signing information should be detected by the system. If this test fails on your device than the security is compromised and your device is very likely jailbroken.
If you were previously NOT aware that your device is jailbroken it is strongly suggested that you contact us.
Found Application with manipulated CS flags/No application with manipulated CS flags found
This test checks if there is currently one or more process running on the system that has abnormal CS (codesigning) flags attached to it. On a normal non compromised iOS device this test should not fail. If the test fails it is very likely that your system got compromised or secretly jailbroken.
If you were previously NOT aware that your device is jailbroken it is strongly suggested that you contact us.
Found injected libraries/No injected libraries found
This test checks if something on the system has injected a non expected library into our process. This should normally not happen and usually is a sign of a system compromise. However there is currently an error in the version of the application in the AppStore that falsely identifies some Apple libraries as injected. A bugfixed version for this issue is stuck in Apple's review since Monday 9th of May 2016. We are sorry for this, but as an iOS app developer we unfortunately cannot issue bugfixes to you directly and only Apple is to blame for this unnecessary delay. You can try contacting them about this issue. It might speed up the review process.
Anyway if the test shows injected libraries on your device you most probably have discovered a speciality about the accessibility functions of iOS and a few other features that can be activated. These features work by injecting libraries into processes that are not loaded on iOS if these features are not activated. The app therefore works as designed and expected: it notifies you about these injected libraries.
We have however received a lot of questions about this and therefore we have submitted a version (>= 1.0.3) of the application to Apple that will no longer consider these libraries injected. In the future only really unknown libraries will be reacted on. The new version is already in the state "in review" at Apple and hopefully will be out soon.
Apple injected libraries include, but are not limited to this list:
Extensions
/System/Library/Extensions/AGXGLDriver.bundle/AGXGLDriver
AccessibilityBundles
/System/Library/AccessibilityBundles/
/System/Library/AccessibilityBundles/AXSpeechImplementation.bundle/AXSpeechImplementation
/System/Library/AccessibilityBundles/AccessibilitySettingsLoader.bundle/AccessibilitySettingsLoader
/System/Library/AccessibilityBundles/AccountsUI.axbundle/AccountsUI
/System/Library/AccessibilityBundles/AddressBookUIFramework.axbundle/AddressBookUIFramework
/System/Library/AccessibilityBundles/CameraKit.axbundle/CameraKit
/System/Library/AccessibilityBundles/CameraUI.axbundle/CameraUI
/System/Library/AccessibilityBundles/GAXClient.bundle/GAXClient
/System/Library/AccessibilityBundles/HearingAidUIServer.axuiservice/HearingAidUIServer
/System/Library/AccessibilityBundles/MapKitFramework.axbundle/MapKitFramework
/System/Library/AccessibilityBundles/MediaPlayerFramework.axbundle/MediaPlayerFramework
/System/Library/AccessibilityBundles/MediaPlayerUIFramework.axbundle/MediaPlayerUIFramework
/System/Library/AccessibilityBundles/MessageUIFramework.axbundle/MessageUIFramework
/System/Library/AccessibilityBundles/PassKitFramework.axbundle/PassKitFramework
/System/Library/AccessibilityBundles/PhotoLibraryFramework.axbundle/PhotoLibraryFramework
/System/Library/AccessibilityBundles/PhotoLibraryServices.axbundle/PhotoLibraryServices
/System/Library/AccessibilityBundles/PhotosFramework.axbundle/PhotosFramework
/System/Library/AccessibilityBundles/PhotosUIFramework.axbundle/PhotosUIFramework
/System/Library/AccessibilityBundles/QuickLook.axbundle/QuickLook
/System/Library/AccessibilityBundles/QuickSpeak.bundle/QuickSpeak
/System/Library/AccessibilityBundles/RemoteUIFramework.axbundle/RemoteUIFramework
/System/Library/AccessibilityBundles/SocialFramework.axbundle/SocialFramework
/System/Library/AccessibilityBundles/StoreKitFramework.axbundle/StoreKitFramework
/System/Library/AccessibilityBundles/StoreKitUI.axbundle/StoreKitUI
/System/Library/AccessibilityBundles/UIKit.axbundle/UIKit
/System/Library/AccessibilityBundles/VoiceMemosFramework.axbundle/VoiceMemosFramework
/System/Library/AccessibilityBundles/WebCore.axbundle/WebCore
/System/Library/AccessibilityBundles/WebKit.axbundle/WebKit
/System/Library/AccessibilityBundles/WebKitLegacy.axbundle/WebKitLegacy
/System/Library/AccessibilityBundles/WebProcess.axbundle/WebProcess
/System/Library/AccessibilityBundles/WebProcessLoader.axbundle/WebProcessLoader
/System/Library/AccessibilityBundles/iTunesStoreFramework.axbundle/iTunesStoreFramework
Encodings
/System/Library/CoreServices/Encodings/libArabicConverter.dylib
/System/Library/CoreServices/Encodings/libCyrillicConverter.dylib
/System/Library/CoreServices/Encodings/libGreekConverter.dylib
/System/Library/CoreServices/Encodings/libHebrewConverter.dylib
/System/Library/CoreServices/Encodings/libJapaneseConverter.dylib
/System/Library/CoreServices/Encodings/libKoreanConverter.dylib
/System/Library/CoreServices/Encodings/libLatin2Converter.dylib
/System/Library/CoreServices/Encodings/libLatin5Converter.dylib
/System/Library/CoreServices/Encodings/libLatinSuppConverter.dylib
/System/Library/CoreServices/Encodings/libSimplifiedChineseConverter.dylib
/System/Library/CoreServices/Encodings/libSymbolConverter.dylib
/System/Library/CoreServices/Encodings/libThaiConverter.dylib
/System/Library/CoreServices/Encodings/libTraditionalChineseConverter.dylib
/System/Library/CoreServices/Encodings/libVietnameseConverter.dylib