trailofbits/iverify-oss

Integrity validator for iOS devices

Primary language: Shell. License: BSD 2-Clause "Simplified" License (BSD-2-Clause).

iVerify

iVerify is an integrity validator for iOS devices capable of reliably detecting modifications such as malware and jailbreaks, without the use of signatures. It runs at boot-time to thoroughly inspect the device, identifying any changes and collecting relevant artifacts of these changes for offline analysis. This will let you know if the device has simply been jailbroken or if it has been modified in a much sneakier way.

Usage

To set up iVerify:

git clone https://github.com/trailofbits/iverify-oss.git iverify
cd iverify
script/bootstrap

Then, plug your phone into your computer, put it in DFU mode, and run

bin/iverify DEVICE VERSION

If you're not comfortable putting the phone in DFU mode by yourself, run iVerify with the phone connected normally, and you will be walked through the process.

Supported Devices

This open-source release of iVerify comes with slightly limited device support, since it relies on freely available tools like redsn0w and iphone-dataprotection.

  • iPhone3,1 (5.0 - 6.1.3)
  • iPhone3,2 (6.0 - 6.1.3)
  • iPhone3,3 (5.0 - 6.1.3)
  • iPod4,1 (5.0 - 6.1.3)

Technical Overview

iVerify uses redsn0w to boot a custom kernel and ramdisk generated by iphone-dataprotection. It then uses mtree to check the type, user ID, group ID, mode, and SHA-1 digest of every file on the root filesystem against a specification generated from the firmware image itself. If any files have changed, or if any files have been added, the files are copied off the device for further inspection and analysis by the user.
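To make the mtree comparison concrete, here is an added Python example; it is not code from iverify-oss (which is a shell project driving the real mtree), and it assumes a simplified flat spec format: one full `./path` line per entry carrying the `type`, `uid`, `gid`, `mode` and `sha1digest` keywords, with no `/set` directives or indented relative paths as real mtree output has. It parses such a spec, can generate one from a mounted tree (the booted device's root filesystem, for instance), and reports changed, added and missing files the way the overview describes; the sample specs and digests are constructed placeholders.

```python
import hashlib, stat
from pathlib import Path

CHECKED_KEYS = ("type", "uid", "gid", "mode", "sha1digest")  # what iVerify compares per file

def parse_mtree(text):
    """Parse a flat mtree-style spec: one './path key=value ...' entry per line."""
    spec = {}
    for line in text.splitlines():
        s = line.strip()
        if s and not s.startswith("#"):
            path, *kvs = s.split()
            spec[path] = dict(kv.split("=", 1) for kv in kvs)
    return spec

def spec_from_tree(root):
    """Build the same kind of spec by walking a mounted tree (e.g. the device root)."""
    root, spec = Path(root), {}
    for p in sorted(root.rglob("*")):
        st = p.lstat()  # lstat: describe symlinks rather than following them
        kind = ("link" if stat.S_ISLNK(st.st_mode) else "dir" if stat.S_ISDIR(st.st_mode)
                else "file" if stat.S_ISREG(st.st_mode) else "other")
        entry = {"type": kind, "uid": str(st.st_uid), "gid": str(st.st_gid),
                 "mode": "0%o" % (st.st_mode & 0o7777)}
        if kind == "file":  # only regular files get a digest
            entry["sha1digest"] = hashlib.sha1(p.read_bytes()).hexdigest()
        spec["./" + p.relative_to(root).as_posix()] = entry
    return spec

def compare(reference, observed):
    """Return (changed, added, missing); changed maps path -> differing keywords."""
    changed, added = {}, []
    for path, obs in observed.items():
        ref = reference.get(path)
        if ref is None:
            added.append(path)  # present on device, absent from firmware spec
        elif diffs := [k for k in CHECKED_KEYS if ref.get(k) != obs.get(k)]:
            changed[path] = diffs
    return changed, sorted(added), sorted(set(reference) - set(observed))

# Constructed sample specs with placeholder digests (not real firmware data):
# REFERENCE from the firmware image, DEVICE from the booted phone's root filesystem.
REFERENCE_SPEC = """\
./usr/bin/ls type=file uid=0 gid=0 mode=0755 sha1digest=aaaa0001
./usr/lib/libfoo.dylib type=file uid=0 gid=0 mode=0644 sha1digest=bbbb0002
"""
DEVICE_SPEC = """\
./usr/bin/ls type=file uid=0 gid=0 mode=0755 sha1digest=cccc0003
./usr/bin/extra type=file uid=0 gid=0 mode=0755 sha1digest=dddd0004
./usr/lib/libfoo.dylib type=file uid=0 gid=0 mode=0755 sha1digest=bbbb0002
"""
```

Running `compare(parse_mtree(REFERENCE_SPEC), spec_from_tree("/path/to/mounted/root"))` yields the lists of files to copy off the device for inspection; any entry in `changed` or `added` is exactly the kind of modification the overview says triggers collection.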