Once an iOS device is jailbroken, we can build jailbreak apps (with theos) and it gets installed in the /Applications
directory where the preloaded apps run with root privileges. If an app is built with Xcode, once it is installed, it gets into the /private/var/mobile/Applications/
folder, which is supposed to have Apple sandbox enforced (before jailbreak).
So, the questions I have are:
For a jailbroken device, will the apps in /private/var/mobile/Applications/
execute with root privileges or with mobile
user privileges?
In case of Android, once rooted, the apps will have to gain root privileges by executing the su
command. Is it the case when it comes to iOS as well?
I would like to understand the difference between these two development options (Theos / Xcode) and how it affects what operations my app can perform.
Not disagreeing with anything H2CO3 said, but to add some further clarification ...
Apps installed in /private/var/mobile/Applications/
(†) with Xcode will run with user mobile
privileges, even on jailbroken phones.
Even on a jailbroken phone, apps installed to /private/var/mobile/Applications/
(†) will be sandboxed almost (‡) like apps on a jailed phone. So, no reading other (normal) apps' data, even if those files are owned by user mobile
.
For a good description of the process that apps like Cydia use to run as root, see this answer. Or, just ssh into your phone, and take a look inside /Applications/Cydia.app/
yourself.
If you simply copy/install an app (without doing what H2CO3 suggested) to /Applications/
, it won't be sandboxed, but it will still run with mobile
(UID=501) privileges:
iPhone5:~ root# cd /Applications
iPhone5:/Applications root# ls -altr ./HelloJB.app/
total 220
-rw-r--r-- 1 root wheel 711 Apr 3 20:36 entitlements.xml
-rw-r--r-- 1 root wheel 297 Apr 3 20:36 entitlements-daemon.xml
-rw-r--r-- 1 root wheel 7972 Apr 3 20:36 embedded.mobileprovision
-rw-r--r-- 1 root wheel 58755 Apr 3 20:36 date.zip
-rw-r--r-- 1 root wheel 485 Apr 3 20:36 ResourceRules.plist
-rw-r--r-- 1 root wheel 8 Apr 3 20:36 PkgInfo
-rw-r--r-- 1 root wheel 1226 Apr 3 20:36 Info.plist
-rw-r--r-- 1 root wheel 10960 Apr 3 20:36 Icon\@2x.png
-rw-r--r-- 1 root wheel 8328 Apr 3 20:36 Icon.png
-rw-r--r-- 1 root wheel 451 Apr 3 20:36 HelloJB.plist
-rwxr-xr-x 1 root wheel 61088 Apr 3 20:36 HelloJB*
-rwxr-xr-x 1 root wheel 42688 Apr 3 20:36 HelloDaemon*
drwxr-xr-x 2 root wheel 136 Apr 3 20:36 en.lproj/
drwxr-xr-x 2 root wheel 102 Apr 3 20:36 _CodeSignature/
drwxr-xr-x 4 root wheel 544 Apr 3 20:36 ./
drwxrwxr-x 54 root admin 1904 Apr 5 02:14 ../
iPhone5:/Applications root# ps -Aef | grep HelloJB
501 9412 1 0 0:00.00 ?? 0:00.33 /Applications/HelloJB.app/HelloJB
iPhone5:/Applications root# grep mobile /etc/passwd
mobile:*:501:501:Mobile User:/var/mobile:/bin/sh
(‡) Here's a good discussion, with input from Saurik, about how different jailbreaks may affect the sandbox. Long story short: it depends.
(†) Update: in recent versions of iOS, the location of 3rd-party apps has been moved to /var/mobile/Containers
, and later to /var/containers/
, but the same basic sandbox issues remain.
Long story short: no.
Jailbreaking is a necessary but not sufficient condition for gaining root. Apps will still be sandboxed by default.
What you can do for making your app run with root privileges is creating a startup shell script that has root:wheel
ownership and 755
permissions, then create your actual executable with the same ownership, 7555
as permissions (i. e. set its "setuid" bit), then call setuid(0);
from within main()
, before calling UIApplicationMain()
.