Overcoming OS X and Jailbroken iOS private Apple entitlements - ios

This one is probably a lost cause, but I'll ask cause I'm honestly just curious...
We have a client that wants to create a replacement Messaging app for OS X. They basically want to use the same accounts, chat history, and everything, but provide a completely different UI (for people with certain disabilities) to the built-in Messages.app. Creating their very own messaging app would not fly given that the primary service in Messages.app, iMessage, is completely undocumented and so supporting that with 3rd party code would be nearly impossible.
Upon initial research, it became obvious that the well-documented AppleScript approach would provide a workable but crude solution, missing many features from the original app (such as an indication while typing, etc.), not to mention that it requires keeping the original Messages app running which is distracting to the user.
At that point we started digging a little deeper and found the IMCore.framework. IMCore is basically what Messages.app uses to communicate with the various services, and its engine is imagent, which is what appears to manage the data, and actually communicate with the various IM servers. IMCore is a private framework which obviously is somewhat risky to use (and automatically excludes their app from the App Store), but our assumption was that with OS X we should still be able to implement this and distribute the application outside of the App Store with not much difficulty.
We started experimenting with IMCore (while reverse-engineering Messages.app to see how it's used), and made some headway. We were able to successfully connect to the imagent process and perform several configuration operations, but then discovered that the data model is basically empty -- we're not able to see any of the user's data or communicate with any IM services even though we're running in the user's security context.
Then we noticed that the Messages.app has some very curious undocumented entitlements such as com.apple.private.imcore.imdpersistence.database-access and com.apple.imagent. At this point we're assuming that these entitlements are what we're missing in order to successfully communicate with imagent. We've tried adding those entitlements to our own app and were able to successfully build and codesign it, but when the program is launched it crashes on startup with the system message EXC_CRASH (Code Signature Invalid) (Xcode says Terminated due to code signing error).
Our fearful assumption is that Apple locked their private entitlements so that the system won't accept a binary that uses them unless it is signed directly by Apple, but this is obviously a theory. The other question is, how does imagent know whether our binary has these entitlements or not? Couldn't we somehow spoof these entitlements?
As I said, feels like a lost cause but who knows. I'm guessing people who have done hardcore jailbreak work on iOS might have an idea or two -- anyone?

I'm going to answer my own question to provide a bit more information in case anyone cares about this. At the end of the day we were able to cross this barrier by injecting into the imagent process and trapping the entitlement verification functions, adding functionality so that imagent will allow the XPC connection for our client.
This opened the door to full, unlimited communications with imagent through IMCore.framework, and I can confirm that full iMessage functionality was achieved. We were able to see the user's iTunes account, send and receive messages, load messages from the user's database (to show the history for each chat), and pretty much everything else. The implementation included a tiny system daemon that injected imagent whenever it was restarted (or when the system booted up), so it was very easy for an end-user to install using a standard OS X installer program.
IMCore.framework is fairly easy to use and includes every tiny bit of metadata for iMessage, including notifications that the user on the other end is typing, the APIs for the sending and receiving of attachments, you name it! It seems to change a bit between OS X releases, but we were able to make it work across OS X versions (we tested 10.8 through 10.10).
The challenge came when El Capitan showed up. The new rootless feature (System Integrity Protection) in El Capitan prevents us from injecting our little hack into imagent, which put an end to this solution. :-( The failure happens when we call task_for_pid on the imagent process. That fails and basically blocks us from injecting our code into that process.
So overall not a happy ending, but at least we got a taste of the promised land.


Does Apple accept iOS apps with statically linked OpenSSL in the app store?

This question is not really technical in nature, but it is clearly answerable with yes/no, and so I hope it's fine if I ask it here on StackOverflow.
My scenario is as follows: In order to share code between iOS and Android I'm using C++ for much of the app's logic. I'm about to start writing network code for both platforms and I plan to utilize OpenSSL or one of its derivatives (LibreSSL / BoringSSL) to be able to do HTTPS calls.
OpenSSL/LibreSSL/BoringSSL would be statically linked into my app and periodically be updated by releasing a new app version.
However, I'm unsure about whether Apple would accept such an app in its app store or not. As far as I know they take a closer look at what is inside the app and I want to prevent a situation where all code is written but eventually rejected when attempting to publish the app to the app store.
I'm looking for a clear yes/no answer whether Apple accepts such apps nowadays (2019). Preferably this answer is coming from someone who actually knows the answer i.e. from someone having done the same recently (2018/2019).
Did anyone recently succeed in publishing such an app into Apple's app store?
Not only does Apple allow this, that's exactly how one is supposed to use OpenSSL in an iOS app. The operating system doesn't provide OpenSSL for the apps, so the apps need to bring their own one.
You'll probably need to declare the use of encryption to comply with encryption export regulations. It is, however, required even when using the system encryption like TLS.

iOS - Security concerns installing a self-signed 3rd party app via Cydia Impactor

Pretty much what the title says.
I would like to install a 3rd party app on my iOS 11 device, but the only way to do so is by self-signing the .ipa and installing it via Cydia Impactor.
What are the possible security concerns in doing so?
How much control and access would said app have over my device once trusted?
There's no way of saying for certain.
Private APIs
iOS 11 fixed a number of vulnerabilities that allowed access to personal info such as SMS messages without the user knowing. There might be other vulnerabilities, but it looks like iOS 11 is pretty good in regards to private API access. Pretty much every known personal info leak was fixed.
The problem here is you can't do anything about it. Only way is to disassemble the application and see for yourself.
Of course, there are many ways a third-party app can steal your personal info if you give it the access. For example, contacts, calendar, call history (without phone number, but still), microphone, photo library - once given permission to access these, it can access them at any point, even when running in the background, without you knowing it. An application can run in the background indefinitely; it's still not fixed by Apple.
Accessing location will always display an icon in the status bar so that's fine. But there're ways you can fool iOS to access location once and not display the icon. It's not reliable but it works.
If application is running in the foreground then it can access camera, microphone, location and iOS will not tell you anything about it. Recently there was an article about camera specifically. You can't tell when it's recording and that's a real problem.
Solution here is simple - don't give the permission.
Jailbreaking relies on a number of vulnerabilities to modify the kernel to disable security measures. No one is stopping you from using these exploits, executed from a third-party app not meant for jailbreaking. In fact, all recent jailbreaks are done by installing an application using Cydia Impactor. And there's an actual example of that - Filza. It's a file manager that can access the root file system. It does that by executing exploits used in jailbreaks.
The solution here is to make sure your iOS is up to date and has no jailbreak for it. Of course there's a possibility of unknown exploits. Serious vulnerabilities are found regularly in iOS. You can disassemble the application to see what it's actually doing, but I don't think you would be asking this question if you knew how to do that.

How do I accurately detect the presence and/or absence of a jailbreak in iOS?

After I attended a programming class, one of my friends showed me an app that would not allow him to get past the first screen due to his jailbroken iPhone.
Since then I have been intrigued as to how the app was able to detect the jailbreak without being blocked by apple and, being the anti-jailbreak advocate that I am, I kept fruitlessly trying to find a reliable way to detect a jailbroken iOS device to prevent people from cheating if I ever decided to release a game on the App Store.
Does anyone know of a reliable method(s) to detect a device's jailbreak status that cannot be easily bypassed by said jailbroken device?
EDIT: based on recent comments, I would just like to clarify that the intention of this post is to share the knowledge I gained from finding that article, and to provide a place where other users can contribute their methods of jailbreak detection.
The other day I stumbled across an article containing the exact answer I was looking for.
From https://www.theiphonewiki.com/wiki/Bypassing_Jailbreak_Detection
While there are countless ways apps can implement checks for jailbroken devices, they typically boil down to the following:
Existence of directories - Check your file system for paths like /Applications/Cydia.app/ and /private/var/stash, amongst a handful of others. Most often, these are checked using the -(BOOL)fileExistsAtPath:(NSString*)path method in NSFileManager, but more sneaky apps like to use lower-level C functions like fopen(), stat(), or access().
Directory permissions - Check the Unix file permissions of specific files and directories using NSFileManager methods as well as C functions like statfs(). Far more directories have write access on a jailbroken device than on one still in jail.
Process forking - sandboxd does not deny App Store applications the ability to use fork(), popen(), or any other C functions to create child processes on non-jailbroken devices. sandboxd explicitly denies process forking on devices in jail. If you check the returned pid on fork(), your app can tell if it has successfully forked or not, at which point it can determine a device's jailbreak status.
SSH loopback connections* - Due to the large portion of jailbroken devices that have OpenSSH installed, some apps will attempt to connect to localhost on port 22. If the connection succeeds, it means OpenSSH is installed and running on the device, and therefore it is jailbroken.
system() - Calling the system() function with a NULL argument on a device in jail will return 0; doing the same on a jailbroken device will return 1. This is because the function checks whether /bin/sh exists, and this is only the case on jailbroken devices.[1]
dyld functions - By far the hardest to get around. Calling functions like _dyld_image_count() and _dyld_get_image_name() to see which dylibs are currently loaded. Very difficult to patch, as patches are themselves part of dylibs.
*Only a very small number of applications implement this (as it is not nearly as effective as the others)
(The above passage was edited for brevity.)
I figured I'd post this here as a knowledge-share for those app developers wondering how that one app was able to successfully implement jailbreak detection when all other attempts at detecting jailbreak get rejected by Apple.
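The probes in the quoted list, written out as plain C, as an added example that is not code from the wiki or from this thread. The path list, the probe directory and the scoring are assumptions made for illustration; the functions use only POSIX calls (stat(), fork(), system()) so the same code builds for an iOS target and for a desktop host where it can be unit-tested. Note the flip side of these heuristics: a desktop process, like a jailbroken device, can fork and has a shell, so the score is evidence to be weighed, not a verdict.

```c
/* Added example, not from the thread: file-system and process probes of the
 * kind listed in the wiki passage, in plain C. JAILBREAK_PATHS and the
 * scoring are assumptions for illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Paths named in the wiki passage that normally exist only after a jailbreak
 * (constructed list; a real app would carry a longer one). */
static const char *const JAILBREAK_PATHS[] = {
    "/Applications/Cydia.app",
    "/private/var/stash",
    "/bin/sh",
    NULL,
};

/* "Existence of directories": stat() rather than NSFileManager, so the probe
 * does not go through the Objective-C runtime, where it is easiest to hook. */
int path_exists(const char *path) {
    struct stat st;
    return stat(path, &st) == 0;
}

/* Count the entries of a NULL-terminated path list that exist on the device. */
int count_existing_paths(const char *const *paths) {
    int found = 0;
    for (; *paths != NULL; ++paths) {
        if (path_exists(*paths)) found++;
    }
    return found;
}

/* "Directory permissions": is the directory writable by everyone? System
 * directories on a stock device are not; many become so after a jailbreak. */
int dir_world_writable(const char *dir) {
    struct stat st;
    if (stat(dir, &st) != 0 || !S_ISDIR(st.st_mode)) return 0;
    return (st.st_mode & S_IWOTH) != 0;
}

/* "Process forking": a sandboxed App Store process cannot fork. Returns 1 if
 * a child was created (and reaped), 0 if fork() failed. */
int can_fork(void) {
    pid_t pid = fork();
    if (pid < 0) return 0;
    if (pid == 0) _exit(0);          /* child: leave immediately */
    int status;
    waitpid(pid, &status, 0);        /* parent: reap the child */
    return 1;
}

/* "system()": system(NULL) reports whether a command processor (/bin/sh)
 * is available; non-zero means it is. */
int shell_available(void) {
    return system(NULL) != 0;
}

/* Aggregate the indicators into a score; the caller picks the threshold.
 * Every indicator is a heuristic that a determined user can defeat. */
int jailbreak_score(const char *const *paths, const char *probe_dir) {
    int score = 0;
    score += count_existing_paths(paths);
    score += dir_world_writable(probe_dir);
    score += can_fork();
    score += shell_available();
    return score;
}

int main(void) {
    int score = jailbreak_score(JAILBREAK_PATHS, "/private");
    printf("jailbreak indicators: %d\n", score);
    return 0;
}
```

The dyld check from the list (walking _dyld_image_count() / _dyld_get_image_name() for injected libraries) is left out on purpose: it only means something inside the app's own process on the device, whereas the probes above can be exercised anywhere.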
Blocking all jailbroken users probably wouldn't help you fight app piracy if you released a game on the App Store because it would force them to get a pirated version of the game to be able to play (instead of giving them the possibility to pay to play the game).
What you'd want is to check if the game is a legit version off the App Store. But even that could be potentially patched by the guys who crack games to release them...
You can check if the currently running executable is encrypted, which is a good way to know if the app has been pirated by looking at this answer.
Otherwise if it's a free game with in-app purchase, doing receipt validation helps block out most tweaks that get around paying for in-app purchases.
But there's definitely no way to absolutely block out app piracy.
You could always mention how hard you worked on that game within the game... That could convince a few persons to pay for the legit version of the game.
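One concrete form of the "is the running executable encrypted" check the answer refers to, as an added example that is not code from the thread or from the linked answer: a parser for the LC_ENCRYPTION_INFO_64 load command of a 64-bit Mach-O image. An App Store build carries this command with cryptid set to 1 (FairPlay encryption); a copy whose code has been dumped and redistributed carries cryptid 0. The structure layouts and constants follow the public <mach-o/loader.h> definitions and are declared locally so the parser also builds off-device; the sample image is constructed inline for testing. How it would be wired up on a device is an assumption: point the function at the header returned by _dyld_get_image_header(0) and the bytes following it. Keep in mind that local Xcode and development builds are unencrypted too, so the check must only be armed in release builds.

```c
/* Added example, not from the thread: parse a 64-bit Mach-O header and
 * report the cryptid of its LC_ENCRYPTION_INFO_64 command. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MH_MAGIC_64           0xfeedfacfU  /* 64-bit Mach-O, native byte order */
#define MH_EXECUTE            0x2U
#define CPU_TYPE_ARM64        0x0100000cU  /* CPU_TYPE_ARM | CPU_ARCH_ABI64 */
#define LC_ENCRYPTION_INFO_64 0x2cU

/* Layouts as in <mach-o/loader.h>, declared here so this builds anywhere. */
struct mach_header_64 {
    uint32_t magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags, reserved;
};
struct load_command {
    uint32_t cmd, cmdsize;
};
struct encryption_info_command_64 {
    uint32_t cmd, cmdsize, cryptoff, cryptsize, cryptid, pad;
};

/* Returns 1 if the image carries LC_ENCRYPTION_INFO_64 with cryptid != 0,
 * 0 if the command is absent or cryptid == 0 (unencrypted, e.g. a dumped
 * binary or a development build), and -1 if the input is malformed.
 * Every load command is bounds-checked against sizeofcmds and len before
 * it is read, so a truncated or hostile buffer cannot cause an over-read. */
int macho64_is_encrypted(const uint8_t *buf, size_t len) {
    struct mach_header_64 hdr;
    if (buf == NULL || len < sizeof hdr) return -1;
    memcpy(&hdr, buf, sizeof hdr);
    if (hdr.magic != MH_MAGIC_64) return -1;

    size_t off = sizeof hdr;
    size_t end = off + hdr.sizeofcmds;
    if (end < off || end > len) return -1;           /* overflow or truncated */

    for (uint32_t i = 0; i < hdr.ncmds; i++) {
        struct load_command lc;
        if (off + sizeof lc > end) return -1;
        memcpy(&lc, buf + off, sizeof lc);
        if (lc.cmdsize < sizeof lc || lc.cmdsize > end - off) return -1;
        if (lc.cmd == LC_ENCRYPTION_INFO_64) {
            struct encryption_info_command_64 ec;
            if (lc.cmdsize < sizeof ec) return -1;
            memcpy(&ec, buf + off, sizeof ec);
            return ec.cryptid != 0;
        }
        off += lc.cmdsize;
    }
    return 0;                                        /* no encryption command */
}

/* Build a constructed minimal arm64 executable image: one header followed by
 * a single LC_ENCRYPTION_INFO_64 command with the given cryptid. Returns the
 * number of bytes written, or 0 if the buffer is too small. */
size_t build_sample_image(uint8_t *out, size_t cap, uint32_t cryptid) {
    struct mach_header_64 hdr = {
        MH_MAGIC_64, CPU_TYPE_ARM64, 0, MH_EXECUTE,
        1, (uint32_t)sizeof(struct encryption_info_command_64), 0, 0
    };
    struct encryption_info_command_64 ec = {
        LC_ENCRYPTION_INFO_64, (uint32_t)sizeof ec, 0x4000, 0x8000, cryptid, 0
    };
    size_t need = sizeof hdr + sizeof ec;
    if (cap < need) return 0;
    memcpy(out, &hdr, sizeof hdr);
    memcpy(out + sizeof hdr, &ec, sizeof ec);
    return need;
}

/* Convenience: build a sample image with the given cryptid and classify it. */
int sample_verdict(uint32_t cryptid) {
    uint8_t img[64];
    size_t n = build_sample_image(img, sizeof img, cryptid);
    return macho64_is_encrypted(img, n);
}

int main(void) {
    printf("store build (cryptid=1): %d\n", sample_verdict(1));
    printf("dumped build (cryptid=0): %d\n", sample_verdict(0));
    return 0;
}
```

As the answer says, a cracker can patch this function out as easily as any other check; its value is in raising the effort, and in being cheap enough to combine with receipt validation rather than replace it.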

iOS read SMS and call logs as mSpy does

I went through a lot of questions about tracking SMS and call logs on a non-jailbroken iOS device. I came to the conclusion that it is not possible.
But then I came across this
So I wonder how mSpy does this. I am looking to build this functionality for an enterprise app, so there is no problem of iTunes rejection.
Can someone please help?
Please check these features description notes:
mSpy runs on jailbroken/non-jailbroken iOS devices. In the former case, you need physical access for installation. In the latter case, you need no access if you have iCloud credentials, but you get fewer monitoring features. Still, the access may become necessary if iCloud backup isn't activated on the device.
I guess they are getting info from the iCloud account and not the device itself. Moreover, they have said fewer monitoring features; I don't know what exactly they mean by fewer and what info they actually get in that case. But they are surely getting info from data already synced over iCloud.

Can I sign iOS apps on Linux? (Using maybe a port of codesign?)

I'd like to sign my iOS apps on a Linux box (Debian 5 if it matters). Does anyone know if this is possible? (Let's not get into why I'd want to do this since it's specific to my environment.)
I see source code to codesign on Apple's site but before I get into the weeds pulling it over and trying to build it myself, I wondered if anyone knows of an existing port.
I'd heard that codesign is not really OS X-specific and may exist on other OSes, but there's always a chance Apple has tweaked it to their own needs. I wonder if an app signed by something other than Apple's codesign will run on an iOS device.
If it matters, the signed apps are meant for enterprise users and will not go in the iTunes App Store.
Saurik wrote a codesigning utility called ldid, I think for OS X and iOS. It also might be available for Linux though.
Check out JTool.
Code signing is considered to be the second most useful feature of JTool. With iOS security revolving around code signatures and entitlements, it's important to have a way to quickly determine what entitlements a given binary possesses and how it is signed. OS X has codesign(1), but I find it crude (at best) - and what's more, there's no port to iOS, where it's really necessary.
