iOS Integrity Validator
iOS Integrity Validator is an integrity validator for iOS devices capable of reliably detecting modifications such as malware and jailbreaks, without the use of signatures. It runs at boot-time to thoroughly inspect the device, identifying any changes and collecting relevant artifacts of these changes for offline analysis. This will let you know if the device has simply been jailbroken or if it has been modified in a much sneakier way.
To setup iOS Integrity Validator:
git clone https://github.com/trailofbits/ios-integrity-validator.git ios-integrity-validator cd ios-integrity-validator script/bootstrap
Then, plug your phone into your computer, put it in DFU mode, and run
bin/iiv DEVICE VERSION
If you're not comfortable putting the phone in DFU mode by yourself, run iOS Integrity Validator with the phone connected normally, and you will be walked through the process.
- iPhone3,1 (5.0 - 6.1.3)
- iPhone3,2 (6.0 - 6.1.3)
- iPhone3,3 (5.0 - 6.1.3)
- iPod4,1 (5.0 - 6.1.3)
iOS Integrity Validator uses redsn0w to boot a custom kernel and ramdisk generated by
iphone-dataprotection. It then uses
mtree to check the type, user ID, group
ID, mode, and SHA-1 digest of every file on the root filesystem against a
specification generated from the firmware image itself. If any files have
changed, or if any files have been added, the files are copied off the device
for further inspection and analysis by the user.
This project was initially called iVerify when it was released in 2013.
If you have not jailbroken your phone on purpose and iOS Integrity Validator finds evidence of modifications, send us an e-mail with your evidence file and we will take a look.