by @_r3ggi
ISS Description
What ISS detects:
- Jailbreak (even the iOS 11+ with brand new indicators!
๐ฅ ) - Attached debugger ๐จ๐ปโ๐
- If an app was run in an emulator
๐ฝ - Common reverse engineering tools running on the device
๐ญ
Setup
There are 4 ways you can start using IOSSecuritySuite
1. Add source
Add IOSSecuritySuite/*.swift files to your project
2. Setup with CocoaPods
pod 'IOSSecuritySuite'
3. Setup with Carthage
github "securing/IOSSecuritySuite"
4. Setup with Swift Package Manager
.package(url: "https://github.com/securing/IOSSecuritySuite.git", from: "1.5.0")Update Info.plist
After adding ISS to your project, you will also need to update your main Info.plist. There is a check in jailbreak detection module that uses canOpenURL(_:) method and requires specifying URLs that will be queried.
<key>LSApplicationQueriesSchemes</key>
<array>
<string>undecimus</string>
<string>sileo</string>
<string>zbra</string>
<string>filza</string>
<string>activator</string>
</array>Notice
iOS Security Suite is meant to be used on iOS/iPadOS. It should not be used on Macs with Apple Silicon.
How to use
Jailbreak detector module
- The simplest method returns True/False if you just want to know if the device is jailbroken or jailed
if IOSSecuritySuite.amIJailbroken() {
print("This device is jailbroken")
} else {
print("This device is not jailbroken")
}- Verbose, if you also want to know what indicators were identified
let jailbreakStatus = IOSSecuritySuite.amIJailbrokenWithFailMessage()
if jailbreakStatus.jailbroken {
print("This device is jailbroken")
print("Because: \(jailbreakStatus.failMessage)")
} else {
print("This device is not jailbroken")
}The failMessage is a String containing comma-separated indicators as shown on the example below:
sileo:// URL scheme detected, Suspicious file exists: /Library/MobileSubstrate/MobileSubstrate.dylib, Fork was able to create a new process
- Verbose & filterable, if you also want to for example identify devices that were jailbroken in the past, but now are jailed
let jailbreakStatus = IOSSecuritySuite.amIJailbrokenWithFailedChecks()
if jailbreakStatus.jailbroken {
if (jailbreakStatus.failedChecks.contains { $0.check == .existenceOfSuspiciousFiles }) && (jailbreakStatus.failedChecks.contains { $0.check == .suspiciousFilesCanBeOpened }) {
print("This is real jailbroken device")
}
}Debugger detector module
let amIDebugged: Bool = IOSSecuritySuite.amIDebugged()Deny debugger at all
IOSSecuritySuite.denyDebugger()Emulator detector module
let runInEmulator: Bool = IOSSecuritySuite.amIRunInEmulator()Reverse engineering tools detector module
- The simplest method returns True/False if you just want to know if the device has evidence of reverse engineering
if IOSSecuritySuite.amIReverseEngineered() {
print("This device has evidence of reverse engineering")
} else {
print("This device hasn't evidence of reverse engineering")
}- Verbose & filterable, if you also want the list of checks done
let reverseStatus = IOSSecuritySuite.amIReverseEngineeredWithFailedChecks()
if reverseStatus.reverseEngineered {
// check for reverseStatus.failedChecks for more details
}System proxy detector module
let amIProxied: Bool = IOSSecuritySuite.amIProxied()Experimental features
Runtime hook detector module
let amIRuntimeHooked: Bool = amIRuntimeHook(dyldWhiteList: dylds, detectionClass: SomeClass.self, selector: #selector(SomeClass.someFunction), isClassMethod: false)Symbol hook deny module
// If we want to deny symbol hook of Swift function, we have to pass mangled name of that function
denySymbolHook("$s10Foundation5NSLogyySS_s7CVarArg_pdtF") // denying hooking for the NSLog function
NSLog("Hello Symbol Hook")
denySymbolHook("abort")
abort()MSHook detector module
// Function declaration
func someFunction(takes: Int) -> Bool {
return false
}
// Defining FunctionType : @convention(thin) indicates a โthinโ function reference, which uses the Swift calling convention with no special โselfโ or โcontextโ parameters.
typealias FunctionType = @convention(thin) (Int) -> (Bool)
// Getting pointer address of function we want to verify
func getSwiftFunctionAddr(_ function: @escaping FunctionType) -> UnsafeMutableRawPointer {
return unsafeBitCast(function, to: UnsafeMutableRawPointer.self)
}
let funcAddr = getSwiftFunctionAddr(someFunction)
let amIMSHooked = IOSSecuritySuite.amIMSHooked(funcAddr)MSHook deny module
// Function declaration
func denyDebugger(value: Int) {
}
// Defining FunctionType : @convention(thin) indicates a โthinโ function reference, which uses the Swift calling convention with no special โselfโ or โcontextโ parameters.
typealias FunctionType = @convention(thin) (Int)->()
// Getting original function address
let funcDenyDebugger: FunctionType = denyDebugger
let funcAddr = unsafeBitCast(funcDenyDebugger, to: UnsafeMutableRawPointer.self)
if let originalDenyDebugger = denyMSHook(funcAddr) {
// Call the original function with 1337 as Int argument
unsafeBitCast(originalDenyDebugger, to: FunctionType.self)(1337)
} else {
denyDebugger()
}File integrity verifier module
// Determine if application has been tampered with
if IOSSecuritySuite.amITampered([.bundleID("biz.securing.FrameworkClientApp"),
.mobileProvision("2976c70b56e9ae1e2c8e8b231bf6b0cff12bbbd0a593f21846d9a004dd181be3"),
.machO("IOSSecuritySuite", "6d8d460b9a4ee6c0f378e30f137cebaf2ce12bf31a2eef3729c36889158aa7fc")]).result {
print("I have been Tampered.")
}
else {
print("I have not been Tampered.")
}
// Manually verify SHA256 hash value of a loaded dylib
if let hashValue = IOSSecuritySuite.getMachOFileHashValue(.custom("IOSSecuritySuite")), hashValue == "6d8d460b9a4ee6c0f378e30f137cebaf2ce12bf31a2eef3729c36889158aa7fc" {
print("I have not been Tampered.")
}
else {
print("I have been Tampered.")
}
// Check SHA256 hash value of the main executable
// Tip: Your application may retrieve this value from the server
if let hashValue = IOSSecuritySuite.getMachOFileHashValue(.default), hashValue == "your-application-executable-hash-value" {
print("I have not been Tampered.")
}
else {
print("I have been Tampered.")
}Breakpoint detection module
func denyDebugger() {
// Set breakpoint here
}
typealias FunctionType = @convention(thin) ()->()
let func_denyDebugger: FunctionType = denyDebugger // `: FunctionType` is a must
let func_addr = unsafeBitCast(func_denyDebugger, to: UnsafeMutableRawPointer.self)
let hasBreakpoint = IOSSecuritySuite.hasBreakpointAt(func_addr, functionSize: nil)
if hasBreakpoint {
print("Breakpoint found in the specified function")
} else {
print("Breakpoint not found in the specified function")
}Watchpoint detection module
// Set a breakpoint at the testWatchpoint function
func testWatchpoint() -> Bool{
// lldb: watchpoint set expression ptr
var ptr = malloc(9)
// lldb: watchpoint set variable count
var count = 3
return IOSSecuritySuite.hasWatchpoint()
}Security considerations
Before using this and other platform security checkers, you have to understand that:
- Including this tool in your project is not the only thing you should do in order to improve your app security! You can read a general mobile security whitepaper here.
- Detecting if a device is jailbroken is done locally on the device. It means that every jailbreak detector may be bypassed (even this)!
- Swift code is considered to be harder to manipulate dynamically than Objective-C. Since this library was written in pure Swift, the IOSSecuritySuite methods shouldn't be exposed to Objective-C runtime (which makes it more difficult to bypass
โ ). You have to know that attacker is still able to MSHookFunction/MSFindSymbol Swift symbols and dynamically change Swift code execution flow. - It's also a good idea to obfuscate the whole project code, including this library. See Swiftshield
Contribution โค๏ธ
Yes, please! If you have a better idea or you just want to improve this project, please text me on Twitter or Linkedin. Pull requests are more than welcome!
Special thanks: ๐๐ป
- kubajakowski for pointing out the problem with
canOpenURL(_:)method - olbartek for code review and pull request
- benbahrenburg for various ISS improvements
- fotiDim for adding new file paths to check
- gcharita for adding the Swift Package Manager support
- rynaardb for creating the
amIJailbrokenWithFailedChecks()method - undeaDD for various ISS improvements
- fnxpt for adding multiple JB detections
- TannerJin for MSHook, RuntimeHook, SymbolHook and Watchpoint Detection modules
- NikoXu for adding file integrity module
- hellpf for fixing a dangling socket problem
- Ant-tree for improving hooking resistence
- izmcm for implementing the
amIReverseEngineeredWithFailedChecks()method - sanu for new providing new file checks
TODO
- Research Installer5 and Zebra Package Manager detection ( Cydia Alternatives )
License
See the LICENSE file.
References
While creating this tool I used:
๐ https://github.com/TheSwiftyCoder/JailBreak-Detection๐ https://github.com/abhinashjain/jailbreakdetection๐ https://gist.github.com/ddrccw/8412847๐ https://gist.github.com/bugaevc/4307eaf045e4b4264d8e395b5878a63b๐ "iOS Application Security" by David Thiel