49.8 Using the Jailbreak Detection Policy

Jailbreaking is the process of removing or circumventing the limitations that manufacturers impose on their mobile devices. While legal, jailbreaking can present a heightened security risk to protected resources. To counter this risk, Mobile and Social provides a preconfigured Jailbreak Detection Policy for iOS devices.

The Jailbreak Detection Policy consists of one or more statements that instruct a client application (built using the Mobile and Social SDK for iOS) to search for files that may indicate the device is jailbroken. The Mobile and Social server sends the Policy statements to the iOS client application. The client device then returns a true (jailbreaking detected) or false value to the Mobile and Social server. This value is forwarded to the Security Handler Plug-in and, depending on the security policies of the Security Handler Plug-in in use, Mobile and Social can allow access, deny access, or wipe out any Mobile and Social-specific data from the application.

  • If the Default Security Handler Plug-in is active and the policy logic says the device is jailbroken, the Plug-in can ALLOW or DENY access to the client device depending on how the allowJailBrokenDevices Plug-in attribute is set.

  • If the Oaam Security Handler Plug-in is active and the policy logic says the device is jailbroken, the Plug-in can ALLOW or BLOCK access to the client device depending on how the OAAM policy rules are configured.

    Additionally, if a device is blacklisted, lost or stolen, this Plug-in can send a WIPEOUT command that will delete any Mobile and Social specific data from the device and block the device from future requests. If the user recovers the missing device, the device can be reset in OAAM.

See Defining Security Handler Plug-ins.

Note:

OAAM's BLOCK and Mobile and Social's DENY mean the same thing.

The following topics include additional information.

49.8.1 Creating a New Jailbreak Detection Policy with the Oracle Access Management Console

You can create a new Jailbreak Detection Policy with the Oracle Access Management Console from the Mobile and Social Services configuration page.

If you choose to create a new Jailbreak Detection Policy using XML, click the Load button to overwrite the default Policy completely. A schema file is available from customer support.

To create a new Jailbreak Detection Policy:

  1. Access the Mobile and Social Services configuration page.
  2. Click Jailbreak Detection Policy in the navigation pane.

    The Jailbreak Detection Policy page displays.

  3. Click Add to configure the Conditions and Detection Logic properties for a new Jailbreak Detection Policy.
    • Jailbreak Detection - Select Enabled to turn the Jailbreak Detection Policy on, or clear this option to turn it off for all client Application instances. If you enable the Jailbreak Detection Policy here, you can disable it on an application-by-application basis. If you disable the Policy here, you cannot enable or disable the feature on an application-by-application basis.

    • Min OS Version - The minimum iOS version to which the policy applies. If the value is 1.0, the policy will apply to iOS devices running at least version 1.0 of iOS.

    • Max OS Version - The maximum iOS version to which the policy applies. If the value is empty, a maximum iOS version number is not checked so the policy applies to any iOS version higher than the value specified for Min OS Version.

    • Min Client SDK Version - The minimum Mobile and Social Client SDK version number. For example, 11.1.2.0.0.

    • Max Client SDK Version - The maximum Mobile and Social Client SDK version number. For example, 11.1.2.3.0.

    • Policy Expiration Duration - Type the length of time in seconds that the SDK on the iOS client device should wait before expiring the local copy of the policy and retrieving a newer version.

    • Auto Check Period - Type the interval of time in minutes that the iOS client device should wait before executing the Jailbreak Detection Policy statements again.

    • Detection Location - The iOS client device uses a logical-OR operator to evaluate Policy statements. Add a Detection Location as follows:

      • File Path - Type the absolute path to the file or directory on the device for which the Detection Policy should search.

      • Action - Select Exists, which instructs the Detection Policy to evaluate whether it can access the file path.

      • Success - Select this option if the Policy should flag the device as jailbroken when the specified files or directories are found on the device (use it when the policy is checking for unauthorized files or directories). Clear this option if the Policy should flag the device as jailbroken when the specified files or directories are not found (use it when checking for required files or directories).
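The following is an added worked example, not Oracle's code or the policy's XML schema (which the page says is available from customer support). It simulates how a client would evaluate the policy properties just described: the OS and Client SDK version ranges decide whether the policy applies at all (an empty maximum means no upper bound), each Detection Location is an Exists check whose Success flag decides whether a found or a missing path counts as evidence, and the statement results are combined with logical OR. The dataclass layout, the function names, the sample file paths and the timing helpers for Policy Expiration Duration (seconds) and Auto Check Period (minutes) are all assumptions made for this example.

```python
"""Simulator for Jailbreak Detection Policy evaluation (added example; the
data layout below is an assumption, not the product's XML schema)."""
from dataclasses import dataclass
from typing import Optional, Set, Tuple


def parse_version(version: str) -> Tuple[int, ...]:
    """'11.1.2.0.0' -> (11, 1, 2, 0, 0) so that versions compare numerically.
    A plain string comparison would rank '11.1.2.10.0' below '11.1.2.3.0'."""
    return tuple(int(part) for part in version.strip().split("."))


def version_in_range(version: str, minimum: str, maximum: Optional[str]) -> bool:
    """Inclusive range check; an empty/None maximum means 'no upper bound',
    as the page describes for Max OS Version."""
    v = parse_version(version)
    if v < parse_version(minimum):
        return False
    if maximum:
        return v <= parse_version(maximum)
    return True


@dataclass(frozen=True)
class DetectionLocation:
    file_path: str          # absolute path the client checks (File Path)
    action: str = "Exists"  # the only Action the page documents
    success: bool = True    # True: found => jailbroken; False: missing => jailbroken


@dataclass(frozen=True)
class JailbreakPolicy:
    enabled: bool
    min_os_version: str
    max_os_version: Optional[str]
    min_sdk_version: str
    max_sdk_version: Optional[str]
    locations: Tuple[DetectionLocation, ...]


def policy_applies(policy: JailbreakPolicy, os_version: str, sdk_version: str) -> bool:
    """The policy is only evaluated on devices/SDKs inside both version ranges."""
    return (policy.enabled
            and version_in_range(os_version, policy.min_os_version, policy.max_os_version)
            and version_in_range(sdk_version, policy.min_sdk_version, policy.max_sdk_version))


def evaluate_statement(stmt: DetectionLocation, present_paths: Set[str]) -> bool:
    """One Detection Location: True means this statement flags the device."""
    if stmt.action != "Exists":
        raise ValueError(f"unsupported action {stmt.action!r}; only Exists is documented")
    found = stmt.file_path in present_paths
    # Success set: a found path is evidence. Success clear: a missing path is evidence.
    return found if stmt.success else not found


def is_jailbroken(policy: JailbreakPolicy, present_paths: Set[str],
                  os_version: str, sdk_version: str) -> Optional[bool]:
    """Logical OR over all statements, as the page states. Returns None when the
    policy does not apply to this OS/SDK combination (an assumption of this
    example; the page does not say what the client reports in that case)."""
    if not policy_applies(policy, os_version, sdk_version):
        return None
    return any(evaluate_statement(s, present_paths) for s in policy.locations)


def local_policy_expired(fetched_at_s: int, now_s: int, expiration_duration_s: int) -> bool:
    """Policy Expiration Duration is given in seconds."""
    return now_s - fetched_at_s >= expiration_duration_s


def recheck_due(last_check_s: int, now_s: int, auto_check_period_min: int) -> bool:
    """Auto Check Period is given in minutes; convert before comparing timestamps."""
    return now_s - last_check_s >= auto_check_period_min * 60


# Constructed sample policy. The two paths are placeholders, not a vetted
# indicator list: the first plays the role of an unauthorized file, the second
# of a file that must be present on a stock device.
SAMPLE_POLICY = JailbreakPolicy(
    enabled=True,
    min_os_version="1.0",
    max_os_version=None,
    min_sdk_version="11.1.2.0.0",
    max_sdk_version="11.1.2.3.0",
    locations=(
        DetectionLocation("/Applications/UnauthorizedExample.app", success=True),
        DetectionLocation("/System/Library/RequiredExample.bundle", success=False),
    ),
)

if __name__ == "__main__":
    stock = {"/System/Library/RequiredExample.bundle"}
    print(is_jailbroken(SAMPLE_POLICY, stock, "12.4", "11.1.2.1.0"))                      # False
    print(is_jailbroken(SAMPLE_POLICY, stock | {"/Applications/UnauthorizedExample.app"},
                        "12.4", "11.1.2.1.0"))                                             # True
```

Two details worth noting: because the statements are ORed, a single matching Detection Location is enough to flag the device, so a required-file statement with Success cleared will also flag any device where that file is absent for an unrelated reason; and version fields must be compared numerically, since `11.1.2.10.0` sorts below `11.1.2.3.0` as a string.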

49.8.2 Editing a Jailbreak Detection Policy

In most cases you can use the Policy Statements editor on the Jailbreak Detection Policy Configuration page to change a Jailbreak Detection Policy.

To edit a Jailbreak Detection Policy:

  1. Access the Mobile and Social Services configuration page.
  2. In the Jailbreak Detection Policy section, select one of the following:
    • To append changes to the Jailbreak Detection Policy, click Load in the toolbar, browse to the XML file that contains the Jailbreak Detection Policy statements that you want to append, choose Append after existing policy statements, and click OK. A schema file is available from customer support.

    • To overwrite the Jailbreak Detection Policy, click Load in the toolbar, browse to the XML file that contains the Jailbreak Detection Policy statements that you want to load, choose Overwrite existing policy statements, and click OK. A schema file is available from customer support.

    • To edit the Jailbreak Detection Policy, select it in the Policy Statements table to display its properties, and then make your changes.

      See Creating a New Jailbreak Detection Policy with the Oracle Access Management Console.

  3. Click Apply.