Can you hook into system function calls in iOS using private APIs?

Question

Is it possible to hook into system function calls in iOS using private APIs on a non-jailbroken device? From what I've seen it's doable on jailbroken devices using MobileSubstrate's MSHook.

What I'd like to accomplish is to have an app that would intercept a system call upon toggling the device orientation lock in the Control Center (https://i.stack.imgur.com/NfbGw.png) and invoke CTRegistrationSetCellularDataIsEnabled in order to toggle usage of cellular data.

So far, I managed to create an iOS 8 Notification Center widget that does just that, but wouldn't it be nice to have a way of toggling 3G from the Control Center?

Obviously, the app would be for my personal use only.

Answer 1

In terms of accomplishing this task in the way you're describing it ... no, I don't think there's any way to do that without jailbreaking.

You are free to use method swizzling to hook iOS methods in personal-use, non-jailbroken apps. But, that limits you to hooking code that's called from your app. In other words, if your app calls down to an iOS framework, you can swizzle methods that way.

But, the Control Center, and SpringBoard, are not part of your app. The beauty of Mobile Substrate (Cydia Substrate) is that it does allow you to inject hooks into code that's not running inside your app's process. But, it's not available without jailbreaking.

Interposition is also a similar technique for hooking C APIs, but again, requires jailbreaking.

In terms of whether you can successfully invoke CTRegistrationSetCellularDataIsEnabled, that's probably worthy of its own question. I would guess that you can call it by dynamically opening CoreTelephony.framework, as is the case with many private APIs. (See here for what looks to be a sample)

However, even if you can invoke it, the call may not succeed if it's protected by an entitlement, which is another thing you can't get without jailbreaking.

Note: I also tried looking into whether iOS generates any Darwin notifications that you could intercept when the orientation lock toggles, and whether there was any property that you could key-value-observe for changes in the lock status ... but, didn't find anything that would be an alternative solution to your problem.