iOS Integrity Validator is an integrity validator for iOS devices capable of reliably detecting modifications such as malware and jailbreaks, without the use of signatures. It runs at boot-time to thoroughly inspect the device, identifying any changes and collecting relevant artifacts of these changes for offline analysis. This will let you know if the device has simply been jailbroken or if it has been modified in a much sneakier way.
To setup iOS Integrity Validator:
git clone https://github.com/trailofbits/ios-integrity-validator.git ios-integrity-validator
cd ios-integrity-validator
script/bootstrap
Then, plug your phone into your computer, put it in DFU mode, and run
bin/iiv DEVICE VERSION
If you're not comfortable putting the phone in DFU mode by yourself, run iOS Integrity Validator with the phone connected normally, and you will be walked through the process.
This open-source release of iOS Integrity Validator comes with slightly limited device support, since it relies on freely available tools like redsn0w and iphone-dataprotection.
- iPhone3,1 (5.0 - 6.1.3)
- iPhone3,2 (6.0 - 6.1.3)
- iPhone3,3 (5.0 - 6.1.3)
- iPod4,1 (5.0 - 6.1.3)
iOS Integrity Validator uses redsn0w to boot a custom kernel and ramdisk generated by
iphone-dataprotection. It then uses mtree to check the type, user ID, group
ID, mode, and SHA-1 digest of every file on the root filesystem against a
specification generated from the firmware image itself. If any files have
changed, or if any files have been added, the files are copied off the device
for further inspection and analysis by the user.
This project was initially called iVerify when it was released in 2013.
If you have not jailbroken your phone on purpose and iOS Integrity Validator finds evidence of modifications, send us an e-mail with your evidence file and we will take a look.