Things to not do on Apple OSes: disabling AMFI

On a side note, a jailbroken iOS device has security protections equivalent to a macOS system with SIP off and AMFI off. That’s not a good place to be security-wise. A complete AMFI disable is used there instead of a more complex mechanism to not give private entitlements to everyone.

The state of the iOS tweaks ecosystem today even forces the system partition to be remounted as R/W, with no alternative if you want Cydia or currently existing alternatives.

amfi_get_out_of_my_way=0x1 as a boot argument disables the entitlements checking subsystem on Apple OSes. This means that any process can get any entitlement, without signature checking.

A random not-too-severe example on macOS: com.apple.vm.networking allow a program to monitor all the network activity on the machine.

There are also other entitlements and private entitlements (as in, Apple-only, not accessible from the outside), that can break the macOS security model in various other ways.

As such, do not do this on your primary machine. I wish that a mechanism to grant arbitrary entitlements to just a certain predefined users instead of all the machine existed though.

There is a mechanism to add non-Apple signing certificates from NVRAM to the AMFI trust store, but it is undocumented today.

Leave a comment

Your email address will not be published. Required fields are marked *