{"id":188,"date":"2021-02-03T22:15:12","date_gmt":"2021-02-03T21:15:12","guid":{"rendered":"https:\/\/threedots.ovh\/blog\/?p=188"},"modified":"2021-02-03T22:15:12","modified_gmt":"2021-02-03T21:15:12","slug":"things-to-not-do-on-apple-oses-disabling-amfi","status":"publish","type":"post","link":"https:\/\/threedots.ovh\/blog\/2021\/02\/things-to-not-do-on-apple-oses-disabling-amfi\/","title":{"rendered":"Things to not do on Apple OSes: disabling AMFI"},"content":{"rendered":"\n<p><em>On a side note, a jailbroken iOS device has security protections equivalent to a macOS system with SIP off <strong>and<\/strong> AMFI off. That&#8217;s not a good place to be security-wise. A complete AMFI disable is used there rather than a more complex mechanism that would avoid giving private entitlements to everyone. <\/em><\/p>\n\n\n\n<p><em>The state of the iOS tweaks ecosystem today even forces the system partition to be remounted as R\/W, with no alternative if you want Cydia or currently existing alternatives. <\/em><\/p>\n\n\n\n<p><code>amfi_get_out_of_my_way=0x1<\/code> as a boot argument disables the entitlement-checking subsystem on Apple OSes. This means that any process can get <em>any<\/em> entitlement, without signature checking.<\/p>\n\n\n\n<p>A random not-too-severe example on macOS: <a href=\"https:\/\/developer.apple.com\/documentation\/bundleresources\/entitlements\/com_apple_vm_networking\"><code>com.apple.vm.networking<\/code><\/a> allows a program to monitor all the network activity on the machine. <\/p>\n\n\n\n<p>There are also other entitlements and private entitlements (as in, Apple-only, not accessible from the outside) that can break the macOS security model in various other ways.<\/p>\n\n\n\n<p>As such, <em>do not do this<\/em> on your primary machine. 
I wish that a mechanism to grant arbitrary entitlements to just certain predefined users instead of the whole machine existed though.<\/p>\n\n\n\n<p>There is a mechanism to add non-Apple signing certificates from NVRAM to the AMFI trust store, but it is undocumented today. <\/p>\n","protected":false},"excerpt":{"rendered":"<p>On a side note, a jailbroken iOS device has security protections equivalent to a macOS system with SIP off and AMFI off. That&#8217;s not a good place to be security-wise. A complete AMFI disable is used there rather than a more complex mechanism that would avoid giving private entitlements to everyone. The state of the iOS&hellip;&nbsp;<a href=\"https:\/\/threedots.ovh\/blog\/2021\/02\/things-to-not-do-on-apple-oses-disabling-amfi\/\" rel=\"bookmark\">Read More &raquo;<span class=\"screen-reader-text\">Things to not do on Apple OSes: disabling AMFI<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"neve_meta_sidebar":"","neve_meta_container":"","neve_meta_enable_content_width":"","neve_meta_content_width":0,"neve_meta_title_alignment":"","neve_meta_author_avatar":"","neve_post_elements_order":"","neve_meta_disable_header":"","neve_meta_disable_footer":"","neve_meta_disable_title":"","footnotes":""},"categories":[1],"tags":[],"class_list":["post-188","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/threedots.ovh\/blog\/wp-json\/wp\/v2\/posts\/188","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/threedots.ovh\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/threedots.ovh\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/threedots.ovh\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/threedots.ovh\/blog\/wp-json\/wp\/v2\/comments?post=188"}],"version-history":[{"co
unt":1,"href":"https:\/\/threedots.ovh\/blog\/wp-json\/wp\/v2\/posts\/188\/revisions"}],"predecessor-version":[{"id":200,"href":"https:\/\/threedots.ovh\/blog\/wp-json\/wp\/v2\/posts\/188\/revisions\/200"}],"wp:attachment":[{"href":"https:\/\/threedots.ovh\/blog\/wp-json\/wp\/v2\/media?parent=188"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/threedots.ovh\/blog\/wp-json\/wp\/v2\/categories?post=188"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/threedots.ovh\/blog\/wp-json\/wp\/v2\/tags?post=188"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}