Once jailbroken, will iOS apps run with root privilege?
Not disagreeing with anything H2CO3 said, but to add some further clarification ...
Apps installed in
/private/var/mobile/Applications/
(†) with Xcode will run with usermobile
privileges, even on jailbroken phones.Even on a jailbroken phone, apps installed to
/private/var/mobile/Applications/
(†) will be sandboxed almost (‡) like apps on a jailed phone. So, no reading other (normal) apps' data, even if those files are owned by usermobile
.For a good description of the process that apps like Cydia use to run as root, see this answer. Or, just ssh into your phone, and take a look inside
/Applications/Cydia.app/
yourself.If you simply copy/install an app (without doing what H2CO3 suggested) to
/Applications/
, it won't be sandboxed, but it will still run withmobile
(UID=501) privileges:
iPhone5:~ root# cd /Applications
iPhone5:/Applications root# ls -altr ./HelloJB.app/
total 220
-rw-r--r-- 1 root wheel 711 Apr 3 20:36 entitlements.xml
-rw-r--r-- 1 root wheel 297 Apr 3 20:36 entitlements-daemon.xml
-rw-r--r-- 1 root wheel 7972 Apr 3 20:36 embedded.mobileprovision
-rw-r--r-- 1 root wheel 58755 Apr 3 20:36 date.zip
-rw-r--r-- 1 root wheel 485 Apr 3 20:36 ResourceRules.plist
-rw-r--r-- 1 root wheel 8 Apr 3 20:36 PkgInfo
-rw-r--r-- 1 root wheel 1226 Apr 3 20:36 Info.plist
-rw-r--r-- 1 root wheel 10960 Apr 3 20:36 Icon\@2x.png
-rw-r--r-- 1 root wheel 8328 Apr 3 20:36 Icon.png
-rw-r--r-- 1 root wheel 451 Apr 3 20:36 HelloJB.plist
-rwxr-xr-x 1 root wheel 61088 Apr 3 20:36 HelloJB*
-rwxr-xr-x 1 root wheel 42688 Apr 3 20:36 HelloDaemon*
drwxr-xr-x 2 root wheel 136 Apr 3 20:36 en.lproj/
drwxr-xr-x 2 root wheel 102 Apr 3 20:36 _CodeSignature/
drwxr-xr-x 4 root wheel 544 Apr 3 20:36 ./
drwxrwxr-x 54 root admin 1904 Apr 5 02:14 ../
iPhone5:/Applications root# ps -Aef | grep HelloJB
501 9412 1 0 0:00.00 ?? 0:00.33 /Applications/HelloJB.app/HelloJB
iPhone5:/Applications root# grep mobile /etc/passwd
mobile:*:501:501:Mobile User:/var/mobile:/bin/sh
(‡) Here's a good discussion, with input from Saurik, about how different jailbreaks may affect the sandbox. Long story short: it depends.
(†) Update: in recent versions of iOS, the location of 3rd-party apps has been moved to /var/mobile/Containers
, and later to /var/containers/
, but the same basic sandbox issues remain.
How to gain root privileges for iOS app?
What step 4 is telling you:
Open the original executable file and delete its contents (the contents are now stored in the previously copied and renamed binary).
is simply that you have moved the executable file for your app to a new filename, and you should replace it with a script with the name of the original executable.
Example
If you build an app named HelloWorld, Xcode will create a
HelloWorld.app
directory, with a file namedHelloWorld
inside it, which is executable.The answer you link to suggests basically renaming the executable to something like
MobileHelloWorld
.Once you've done that, create a new file in the
HelloWorld.app
directory calledHelloWorld
, and edit it with a text editor to give it this content:
#!/bin/bash
dir=$(dirname "$0")
exec "${dir}"/MobileHelloWorld "$@"
That script will then be run when you tap the app's icon, because in the app's Info.plist file, the name of the executable is
<key>CFBundleExecutable</key>
<string>HelloWorld</string>
and HelloWorld
is now a shell script, which invokes MobileHelloWorld
, the renamed binary executable file.
Gaining root permissions on iOS for NSFileManager (Jailbreak)
It is true, the app has to run as root to access non mobile directories. After discussing this with Optimo and Saurik I finally found the right way to get root privileges.
- In the main() function add
setuid(0);
andsetgid(0);
- Build the app normally.
- Create a copy of the executable file in the app bundle.
Open the original executable file and replace its content with this script:
#!/bin/bash
dir=$(dirname "$0")
exec "${dir}"/COPIED_EXECUTABLE_NAME "$@"Directly launching a root app fails on iOS. Therefore we replace the app's main executable with a script that launches the root executable.
In terminal, navigate to the app bundle.
chmod 0775
the original executable file andchmod 6775
the copied executable file.
- Copy the app bundle to /Applications to a device. Restart SpringBoard and you should be good to go. If the app doesn't launch then repeat step 5 & 6 on the device.
iOS: Access to root directory in a jailbroken iPhone
I answered here in a similar question How to get inbox all SMS on iphonse sdk?
It is possible if you have a jailbroken device. You may use jailcoder to fake code signing and then move your app to /Applications folder. This way you can access to any database in your iOS device jailbroken.
How to get Root privileges developing iPhone app using Xcode
3 . Create a copy of the executable file in the app bundle.
When you build a project in Xcode, it will produce an output directory. This varies by machine, so you'll have to search your filesystem. However, if your app is named HelloWorld
, normally, you'd have a directory named HelloWorld.app
. This is what the answer is referring to as the app bundle. From the command line (or using your Mac's Finder), go inside HelloWorld.app
and make a copy of the HelloWorld
executable file. Normally, I name the copy MobileHelloWorld
.
4 . Open the original executable file and replace its content with this script:
#!/bin/bash
dir=$(dirname "$0")
exec "${dir}"/COPIED_EXECUTABLE_NAME "$@"Directly launching a root app fails on iOS. Therefore we replace the app's main
executable with a script that launches the root executable.
I guess I would have described this step differently. You can delete the file. Create a new script with the same filename (HelloWorld
) and edit it to include the lines above, starting with #!/bin/bash
. Of course, COPIED_EXECUTABLE_NAME would be replaced with MobileHelloWorld in my example.
So, iOS will launch your script directly, instead of your executable. However, your script will then launch your executable and because of the permissions you've given those files, your running executable will have root privileges.
5 . In terminal, navigate to the app bundle.
You're probably already in this "bundle" directory. (HelloWorld.app
)
6 . chmod 0775 the original executable file and chmod 6775 the copied executable file.
Issue the chmod
command so that the HelloWorld
file has 775 permissions (rwxrwxr-x
). The MobileHelloWorld
file should then have 6775 permissions (rwsrwsr-x
).
7 . Copy the app bundle to /Applications to a device. Restart SpringBoard
and you should be good to go. If the app doesn't launch then repeat step 5 & 6
on the device.
Using whatever tool you like (I just use scp
since my device is jailbroken with openssh installed), copy the entire HelloWorld.app
folder to the iOS device. So, you would have a folder named: /Applications/HelloWorld.app/
which contains the bash script, the copied/renamed executable, and any other bundle resources (.png files, .xib files, etc.) your app contains.
Example
If you have a jailbroken device, install openssh and ssh into the phone, then check out how the Cydia app itself accomplishes this. You can view the /Applications/Cydia.app/Cydia
script file, which launches the MobileCydia
executable with root privileges.
Another Way
Actually, if you only want to access /var/mobile/Library
, that doesn't require root access. That directory is owned by the mobile
user, so root isn't necessary. What is necessary is escaping the normal iOS 3rd-party app sandbox. To do that, simply copy your HelloWorld.app
folder and its contents to the /Applications/
folder on your device. Apps installed there, as opposed to /var/mobile/Applications
won't have such tight sandbox restrictions.
So, none of that copying of the executable, inserting a bash script, are necessary. Steps 3 through 6 can be skipped.
Hope that helps. Sorry for my snarky comment.
Related Topics
Firebase Cloud Messaging - Send Message to All Users
Libraries Not Found When Using Cocoapods with iOS Logic Tests
iPhone Read Uiimage (Frames) from Video with Avfoundation
How to Check Internet Connection in Alamofire
Screenshot for Avplayer and Video
What Are the Options for Saving Data in iOS
Ios: Custom Permission Alert View Text
How to Convert a Nib-Based Project to a Storyboard-Based
Swift:How to Change Language Inside App
Enable Application Cache in Wkwebview
How to Disable Rotation in React Native
Why Does My Programmatically Created Screenshot Look So Bad on iOS 7
Disabling Automatic Scrolling of Uitableview When Editing Uitextfield Inside Uitableviewcell
How to Authenticate the Gklocalplayer on My 'Third Party Server'