Ready the Anti-BEAM Beam! Breaking the Virgin BEAM app in 12 minutes

I’ve been travelling on Virgin trains a lot recently and finally decided to take a look at their free movie-streaming app “BEAM”.
Super-excited to be about to watch Forrest Gump on my journey, I found that whenever I hit play, the app’s custom video-player decided to freeze and eventually crash the app on my device of choice, an iPhone 6s.
Determined to watch Hanks’ award-winning performance, this is how I figured out the problem and patched it in 12 minutes.

I looked at the device’s system-log for clues. This revealed that, while the BEAM app’s process was in its final moments in this world, the words “Jailbreak Detected” were logged… interdasting 🧐.

Throwing the app into Hopper and searching for “Jailbreak Detected” shows the following line:

This indicates that the method handleNotification of class CapmediaDrmVideoViewController1 is likely responsible for creating the sys-log entry. “DRM”? Yeah, that sounds about right. On the off-chance this method is also responsible for the jailbreak-detection routine, let’s just swizzle that method and null it using a Theos tweak:

compiling. compiling… compiling…
open BEAM -> click Forrest Gump -> click play ->

Yep, that works. Bypass done 🤠 stop the clock.
Looking at the network traffic for the app afterwards, I noticed that a Virgin-owned domain was being POST’d to with an “errorid” parameter, every time I opened a video. This didn’t stop the app from working but was clearly updating Virgin about my jailbreak. This told me that, actually, handleNotification didn’t do the detection routine itself… but was probably responsible for causing the purposeful crash afterwards. So while the app knew it was jailbroken and was able to dial-home and tell mom… it wasn’t able to force-quit. We hadn’t zapped the problem at its root, just kinda circumvented it.
In theory, some 31337 virgin… employee (I couldn’t help myself) would be able to put two and two together, noticing that my phone had purportedly crashed, but was still able to successfully stream the entirety of Tom Hanks’ back-catalogue, and infer a bypass had been made; potentially leading to a revised security mechanism in a future update. We can’t have that!
A cheeky class-dump reveals that the CapmediaDrmVideoController1 class also has a sendPostRequestForPlaybackError method. Honestly people, it doesn’t get any easier than this. Let’s null this guy too:

compiling. compiling… compiling…
So now the app is both bypassed and flying under the radar 🙌
This really isn’t good enough Virgin.
Lessons for your developers:

  • Don’t log things that don’t need logging. (“Jailbreak Detected” 🤦)
  • Ideally, don’t detect a jailbreak with one routine and do something about it in another.
  • Do your JB detection at the start of application launch! The biggest deterrent for me trying to bypass an app’s JB-detection, is repeatedly watching the app crash before the app’s launch-screen has even ended. I’ll give up if it happens enough.
  • Don’t just force-crash/exit() when you detect a jailbreak… start crippling the app from the inside. Delete critical app files so it won’t work again, set flags which force the app into a code-path that prevents it from working and store it somewhere that’ll persist even if the app is deleted and re-downloaded (à la keychain). Be sneaky. Very sneaky.
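As an added illustration of the last three lessons (this is example code, not BEAM’s), here is a launch-time routine that detects and responds in one place, writes nothing to the system log, persists a device flag in the keychain so a reinstall doesn’t reset it, and steers the app into a restricted code path instead of calling exit(). The keychain service and account names are assumed, and the jailbreak heuristic itself is passed in by the caller, since the post doesn’t describe how BEAM detects one.

```swift
import Foundation
import Security

// Assumed identifiers for the keychain item; pick your own.
private let integrityService = "com.example.app.integrity"
private let integrityAccount = "device-flag"

private func integrityQuery() -> [String: Any] {
    return [kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: integrityService,
            kSecAttrAccount as String: integrityAccount]
}

/// True if an earlier launch already flagged this device. Keychain items
/// outlive the app bundle, so delete-and-reinstall does not clear the flag.
func deviceAlreadyFlagged() -> Bool {
    var query = integrityQuery()
    query[kSecMatchLimit as String] = kSecMatchLimitOne
    // No kSecReturn* keys: we only care whether the item exists.
    return SecItemCopyMatching(query as CFDictionary, nil) == errSecSuccess
}

/// Persist the flag. ThisDeviceOnly keeps it out of backups and off other devices.
func flagDevice() {
    var item = integrityQuery()
    item[kSecValueData as String] = Data([0x01])
    item[kSecAttrAccessible as String] = kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly
    _ = SecItemAdd(item as CFDictionary, nil) // errSecDuplicateItem just means it's already set
}

/// Call this first in application(_:didFinishLaunchingWithOptions:), before any
/// UI is shown. Detection and response live in the same routine, and the only
/// observable effect is the return value, which the app uses to pick a
/// degraded code path (e.g. no playback) rather than crashing.
func launchModeAllowsPlayback(isJailbroken: () -> Bool) -> Bool {
    if deviceAlreadyFlagged() {
        return false            // flagged on a previous launch or previous install
    }
    if isJailbroken() {
        flagDevice()            // remember it, silently
        return false
    }
    return true
}
```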