Entitlement Keys in MobileSafari - iOS TaiG 8.4

Questions and Answers about all things *OS (macOS, iOS, tvOS, watchOS)

Postby rohitwas » Thu Dec 17, 2015 11:30 pm

Hey Jonathan,
I was recently playing around with iOS 8.4 with TaiG. Upon checking MobileSafari's entitlements like so:

jtool --ent /Applications/MobileSafari.app/MobileSafari

The weird thing is I can't find the dynamic-codesigning entitlement key at all (?!)

Comparing this with the entitlements for MobileSafari from another device I have (iOS 8.1.2 with TaiG), I realized that exactly in place of, and instead of, the
<key>dynamic-codesigning</key> there is the following weird key:

<key>fairplay-client</key>
<integer>965772570</integer>


Seems like some Apple FairPlay DRM thing at work, but beyond that I am kind of clueless. Wonder how the JIT engine is even functioning without the entitlement.
Not sure if I am missing something obvious here..? (I am reasonably confident the device is not 0wnd. TBH, one never knows for sure.)

thanks,
Rohit
rohitwas
 
Posts: 6
Joined: Thu Dec 17, 2015 11:06 pm

Re: Entitlement Keys in MobileSafari - iOS TaiG 8.4

Postby morpheus » Fri Dec 18, 2015 7:51 am

Hello Rohit,

One word, three letters - XPC:

Safari is actually the textbook example of the sandboxing model of XPC (Literally, I use it in the upcoming MOXiI 2):

jtool --ent /System/Library/PrivateFrameworks/WebKit.framework/XPCServices/com.apple.WebKit.WebContent.xpc/com.apple.WebKit.WebContent
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
   <key>com.apple.locationd.authorizeapplications</key>
   <true/>
   <key>com.apple.locationd.effective_bundle</key>
   <true/>
   <key>com.apple.private.allow-explicit-graphics-priority</key>
   <true/>
   <key>com.apple.private.network.socket-delegate</key>
   <true/>
   <key>com.apple.private.webinspector.allow-remote-inspection</key>
   <true/>
   <key>com.apple.private.webinspector.proxy-application</key>
   <true/>
   <key>dynamic-codesigning</key>
   <true/>
   <key>seatbelt-profiles</key>
   <array>
      <string>com.apple.WebKit.WebContent</string>
   </array>
</dict>
</plist>


And so the WebKit Content XPC service is the one to utilize dynamic-codesigning. That would be super dangerous, hence it has a different sandbox profile, whereas Safari (not really sandboxed) doesn't have the entitlement.

And once anew, order is restored in the iOS multiverse :-)

J
morpheus
Site Admin
 
Posts: 532
Joined: Thu Apr 11, 2013 6:24 pm
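To check this on a device yourself, here is a small audit script (an added example, not jtool's code and not from either poster) that parses the XML plist jtool --ent prints, flags dynamic-codesigning, reports the sandbox profile, and diffs two dumps the way the original post compared two devices. The WebContent sample is trimmed from the plist quoted above with a constructed header line in front of it; the two MobileSafari inputs are stand-ins built from the keys the poster described, not real dumps. The `Entitlements for ...` header line and the `get-task-allow` entry in the watch list are assumptions for illustration.

```python
import plistlib
from typing import Any, Dict, List

# Entitlements worth flagging in an audit. dynamic-codesigning is the one the
# thread is about: it lets the holder map writable+executable memory for a JIT.
# get-task-allow is a real entitlement too (it marks a debuggable process);
# its inclusion here is an assumption of this example, not something the thread says.
SENSITIVE = {
    "dynamic-codesigning": "JIT: may create executable memory at runtime",
    "get-task-allow": "debuggable: other processes may obtain its task port",
}

# Constructed sample: a trimmed copy of the WebContent XPC service entitlements
# quoted in the thread, with a made-up header line in front to mimic tool
# output that precedes the plist itself.
WEBCONTENT_OUTPUT = b"""Entitlements for com.apple.WebKit.WebContent (constructed header)
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
   <key>dynamic-codesigning</key>
   <true/>
   <key>seatbelt-profiles</key>
   <array>
      <string>com.apple.WebKit.WebContent</string>
   </array>
</dict>
</plist>
"""

# Constructed stand-ins for MobileSafari's own entitlements: the 8.1.2 case the
# poster remembers (dynamic-codesigning present) and the 8.4 case he observed
# (fairplay-client in its place). Neither is a real dump.
SAFARI_812 = b"""<plist version="1.0">
<dict>
   <key>dynamic-codesigning</key>
   <true/>
</dict>
</plist>
"""
SAFARI_84 = b"""<plist version="1.0">
<dict>
   <key>fairplay-client</key>
   <integer>965772570</integer>
</dict>
</plist>
"""


def parse_entitlements(blob: bytes) -> Dict[str, Any]:
    """Parse the XML entitlements plist out of a tool's output.

    Anything before the <plist> element (an echoed command line, a header, the
    DOCTYPE) is dropped, and the format is forced to XML so a missing
    <?xml ...?> prolog does not make plistlib fall back to the binary parser.
    """
    start = blob.find(b"<plist")
    if start < 0:
        raise ValueError("no <plist> element found in input")
    return plistlib.loads(blob[start:], fmt=plistlib.FMT_XML)


def sensitive_entitlements(ents: Dict[str, Any]) -> Dict[str, str]:
    """Return the SENSITIVE keys that are present and truthy (<false/> is ignored)."""
    return {k: SENSITIVE[k] for k in SENSITIVE if ents.get(k)}


def diff_entitlements(old: Dict[str, Any], new: Dict[str, Any]) -> Dict[str, List[str]]:
    """Keys removed, added and changed between two parsed entitlement dicts."""
    return {
        "removed": sorted(set(old) - set(new)),
        "added": sorted(set(new) - set(old)),
        "changed": sorted(k for k in set(old) & set(new) if old[k] != new[k]),
    }


if __name__ == "__main__":
    wc = parse_entitlements(WEBCONTENT_OUTPUT)
    print("WebContent sandbox profile:", wc.get("seatbelt-profiles"))
    print("WebContent sensitive entitlements:", sensitive_entitlements(wc))
    old, new = parse_entitlements(SAFARI_812), parse_entitlements(SAFARI_84)
    print("MobileSafari sensitive entitlements on 8.4:", sensitive_entitlements(new))
    print("MobileSafari 8.1.2 -> 8.4:", diff_entitlements(old, new))
```

To run it against a real binary, replace the constructed samples with `sys.stdin.buffer.read()` and pipe `jtool --ent <path>` into the script; the point of the check is that the JIT entitlement should show up on the sandboxed WebContent XPC service (with its own seatbelt profile) and not on the MobileSafari binary itself.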

Re: Entitlement Keys in MobileSafari - iOS TaiG 8.4

Postby rohitwas » Fri Dec 18, 2015 8:06 am

Ah! That makes sense now.
I was getting freaked out over that.

So this is something that changed in iOS 8.4 and later, I'm guessing? Because, as I mentioned in my original post, up until 8.1.2 at least (the latest I could check), the entitlements for the actual MobileSafari binary itself contain a 'dynamic-codesigning' key set to true.

BTW, thanks for the lightning-fast response and, really, for the incredibly amazing amount of work you are doing and sharing with everyone who is interested (can't wait for MOXiI 2!).

Cheers,
Rohit
rohitwas
 
Posts: 6
Joined: Thu Dec 17, 2015 11:06 pm
