1. Detect if the system is jailbroken (supports iOS 11+);
2. Detect if a debugger is attached;
3. Determine if the application is running on a simulator;
4. Detect common reverse engineering tools running on the device;
Tool installation
Firstly, researchers need to use the following command to clone the source code of this project locally:
git clone https://github.com/securing/IOSSecuritySuite.git
We provide four methods to help researchers run and use IOSSecuritySuite.
1. Add source code
Add the IOSSecuritySuite/*.swift files directly to your project.
2. Configure using CocoaPods
pod 'IOSSecuritySuite'
3. Configure using Carthage
github "securing/IOSSecuritySuite"
4. Configure using Swift package management tools
.package(url: "https://github.com/securing/IOSSecuritySuite.git", from: "1.5.0")
Update Info.plist
After adding IOSSecuritySuite to your project, you still need to update the main Info.plist file. One of the jailbreak detection checks uses the canOpenURL(_:) method, which only works for URL schemes the app declares in advance, so the queried schemes must be listed:
<key>LSApplicationQueriesSchemes</key>
<array>
    <string>cydia</string>
    <string>undecimus</string>
    <string>sileo</string>
    <string>zbra</string>
    <string>filza</string>
    <string>activator</string>
</array>
Tool Usage
Jailbreak Detection Module
The following method determines whether the device is jailbroken and returns true or false:
if IOSSecuritySuite.amIJailbroken() {
    print("This device is jailbroken")
} else {
    print("This device is not jailbroken")
}
Verbose Mode:
let jailbreakStatus = IOSSecuritySuite.amIJailbrokenWithFailMessage()
if jailbreakStatus.jailbroken {
    print("This device is jailbroken")
    print("Because: \(jailbreakStatus.failMessage)")
} else {
    print("This device is not jailbroken")
}
The failMessage is a string containing the triggered indicators, separated by commas, for example:
Cydia URL scheme detected, Suspicious file exists: /Library/MobileSubstrate/MobileSubstrate.dylib, Fork was able to create a new process
Verbose & Data Filtering:
let jailbreakStatus = IOSSecuritySuite.amIJailbrokenWithFailedChecks()
if jailbreakStatus.jailbroken {
    // Require two independent categories of evidence before treating the result as definitive
    if (jailbreakStatus.failedChecks.contains { $0.check == .existenceOfSuspiciousFiles }) &&
       (jailbreakStatus.failedChecks.contains { $0.check == .suspiciousFilesCanBeOpened }) {
        print("This is a real jailbroken device")
    }
}
Debugger Detection Module
let amIDebugged: Bool = IOSSecuritySuite.amIDebugged()
Deny Debugger
IOSSecuritySuite.denyDebugger()
Simulator Detection Module
let runInEmulator: Bool = IOSSecuritySuite.amIRunInEmulator()
Reverse Engineering Tools Detection Module
let amIReverseEngineered: Bool = IOSSecuritySuite.amIReverseEngineered()
System Proxy Detection Module
let amIProxied: Bool = IOSSecuritySuite.amIProxied()
Runtime Hook Detection Module
// dylds: the list of dynamic libraries the app legitimately loads (allow list);
// SomeClass / someFunction: the class and selector whose implementation is being verified
let amIRuntimeHooked: Bool = amIRuntimeHook(dyldWhiteList: dylds, detectionClass: SomeClass.self, selector: #selector(SomeClass.someFunction), isClassMethod: false)
Deny Symbol Hook Module
denySymbolHook("$s10Foundation5NSLogyySS_s7CVarArg_pdtF") // deny hooking of the NSLog function (mangled Swift symbol)
NSLog("Hello Symbol Hook")

denySymbolHook("abort")
abort()
MSHook Detection Module
// Function declaration
func someFunction(takes: Int) -> Bool {
    return false
}

// Define the function type: @convention(thin) denotes a "thin" function reference that uses the
// Swift calling convention and carries no special "self" or "context" parameter.
typealias FunctionType = @convention(thin) (Int) -> (Bool)

// Get the pointer address of the function we want to verify
func getSwiftFunctionAddr(_ function: @escaping FunctionType) -> UnsafeMutableRawPointer {
    return unsafeBitCast(function, to: UnsafeMutableRawPointer.self)
}

let funcAddr = getSwiftFunctionAddr(someFunction)
let amIMSHooked = IOSSecuritySuite.amIMSHooked(funcAddr)
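Putting the modules together, as an added example that is not part of the IOSSecuritySuite README: a launch-time assessment that reads the individual failed jailbreak checks (the data-filtering approach above) and combines them with the debugger, reverse-engineering, simulator and proxy checks into a single graded verdict, so that a lone weak indicator such as a URL scheme match does not by itself lock a user out. EnvironmentReport and assessEnvironment are names chosen here; the IOSSecuritySuite calls and the two JailbreakCheck cases are the ones shown on this page.

```swift
import Foundation
import IOSSecuritySuite

// Result type constructed for this example (not part of IOSSecuritySuite).
struct EnvironmentReport {
    enum Verdict { case trusted, suspicious, compromised }
    var verdict: Verdict
    var reasons: [String]   // human-readable evidence, useful for logging/telemetry
}

/// Combines several IOSSecuritySuite checks into one verdict. A jailbreak is
/// reported as `.compromised` only when two independent check categories agree.
func assessEnvironment() -> EnvironmentReport {
    var reasons: [String] = []
    var verdict: EnvironmentReport.Verdict = .trusted

    // Jailbreak: inspect the individual failed checks rather than the Bool alone.
    let jb = IOSSecuritySuite.amIJailbrokenWithFailedChecks()
    if jb.jailbroken {
        let checks = Set(jb.failedChecks.map { $0.check })
        reasons += jb.failedChecks.map { "\($0.check): \($0.failMessage)" }
        if checks.contains(.existenceOfSuspiciousFiles) && checks.contains(.suspiciousFilesCanBeOpened) {
            verdict = .compromised          // file exists AND is readable: corroborated
        } else {
            verdict = .suspicious           // single indicator: record, do not block outright
        }
    }
    // Debugger and reverse-engineering tooling are strong signals; deny further attaching.
    if IOSSecuritySuite.amIDebugged() {
        reasons.append("Debugger attached")
        verdict = .compromised
        IOSSecuritySuite.denyDebugger()
    }
    if IOSSecuritySuite.amIReverseEngineered() {
        reasons.append("Reverse engineering tool detected")
        verdict = .compromised
    }
    // Simulator and system proxy are weaker signals: only lower the trust level.
    if IOSSecuritySuite.amIRunInEmulator() {
        reasons.append("Running in simulator")
        if verdict == .trusted { verdict = .suspicious }
    }
    if IOSSecuritySuite.amIProxied() {
        reasons.append("System HTTP proxy configured")
        if verdict == .trusted { verdict = .suspicious }
    }
    return EnvironmentReport(verdict: verdict, reasons: reasons)
}
```

Call assessEnvironment() early in app launch and act on the verdict (for example, restrict sensitive features on .suspicious and report .compromised to your backend) rather than trusting any single check in isolation.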
License Agreement
The development and release of this project follow the BSD-2-Clause open source license.
Project address
IOSSecuritySuite:【GitHub link】
Reference materials
https://github.com/OWASP/owasp-masvs
https://developer.apple.com/documentation/uikit/uiapplication/1622952-canopenurl
https://www.securing.biz/en/mobile-application-security-best-practices/index.html
https://github.com/rockbruno/swiftshield
https://github.com/TheSwiftyCoder/JailBreak-Detection