Chapter14FORENSIC-READYSECUREiOSAPPSFORJAILBROKENiPHONESJayaprakashGovindaraj,RashmiMata,RobinVermaandGauravGuptaAbstractAppleiOSisoneofthemostpopularsmartphoneoperatingsystems,butitrestrictstheinstallationofappsthatarenotfromtheAppleAppStore.
Asaresult,usersoftenjailbreaktheiriPhonestodefeatthisre-striction.
JailbrokeniPhonesaremakingtheirwayintoenterprisesthathaveaBringYourOwnDevice(BYOD)policy,butthesedevicesareof-tenbarredorrestrictedbymobiledevicemanagementsoftwarebecausetheyposesecurityrisks.
ThischapterdescribestheiSecureRingsolutionthatsecuresmobileappsandpreservesthedatesandtimestampsofeve-ntsinordertosupportforensicexaminationsofjailbrokeniPhones.
AnanalysisoftheliteraturerevealsthatiSecureRingistherstforensic-readymobileappsecuritysolutionforiOSapplicationsthatexecuteinunsecuredenterpriseenvironments.
Keywords:JailbrokeniPhones,enterpriseenvironments,forensicexaminations1.
IntroductionAccordingtoa2013Pewreport[19],40.
98%ofthesmartphonesusedbyadultAmericansareAppleiPhones.
Apple'siOSoperatingsystemdoesnotallowtheinstallationofapplications,extensionsandthemesthatarenotobtainedfromtheAppleAppStore.
Asaresult,usersfrequentlyjailbreaktheirdevicestoobtainrootaccessanddefeattheinstallationrestrictions[4].
AjailbrokeniPhoneallowstheretrievalofapplicationsandtheirassociateddata,potentiallycompromisingthesecurityoftheapplicationsandthecondentialityofthedata[4,16].
Sincejailbreakingisareality[8,11],itisincreasinglyimportanttodesignmobileapplicationsthatcanrunsecurelyonjailbrokeniPhones.
Therequirementofhavinganapplicationexecutesecurelyinanunse-cureenvironmentiscriticaltoscenarioswhereaproprietaryapplica-cIFIPInternationalFederationforInformationProcessing2015G.
Peterson,S.
Shenoi(Eds.
):AdvancesinDigitalForensicsXI,IFIPAICT462,pp.
235–249,2015.
DOI:10.
1001f20;BACKGROUND-COLOR:#4ae2f7">7/91f20;BACKGROUND-COLOR:#4ae2f7">78-3-319-24123-414236ADVANCESINDIGITALFORENSICSXItionshouldworkwithoutimpactingenterprisesecurity.
Atthistime,enterprisesthathaveaBringYourOwnDevice(BYOD)policygener-allydetectandrestrictjailbrokeniPhonesusingmobiledevicemanage-mentsoftwaresuchasCitrix'sXenMobileandIBM'sEndpointManager.
Thus,employeeshavetoun-jailbreaktheiriPhonesorinstallenterpriseapplicationsonotherapproveddevices.
Thesolutionproposedinthischapterenablesenterprisestoinstalltheirapplicationssecurelyonjail-brokeniPhones.
Newappsandexistingappscanbesecuredandbemadeforensic-ready.
Theforensicreadinessoftheappsenablesenter-prisestocheckiftheappsrunsecurelyandalsoensuresthatforensicartifactsareavailableintheeventofsecurityincidents.
2.
RelatedWorkD'Orazioetal.
[2]haveproposedaconcealmenttechniquethaten-hancesthesecurityofunprotected(classD)datathatisatrestiniOSdevices,alongwithadeletiontechniquetoreinforcedatadeletioniniOSdevices.
Hackersandmalicioususersresorttotechniquessuchasjailbreaking,runninganappinthedebugmode,reverseengineering,dy-namichookingortamperinginordertoaccessorcompromisesensitivedatastoredbyiOSapps:Jailbreaking:Attackersusejailbreakingtoobtainsystem-level(root)accesstoiOSdevices,potentiallycompromisingthesecurityofapplicationsandtheirassociateddata[15].
DebuggerMode:Attackersruntargetedapplicationsinthede-bugmode,obtainmemorydumpsandoverwritethememorywithmaliciouscode[9,13].
ReverseEngineering:AppsfromtheAppleStoreareencryptedusingApple'sFairplayDRM,whichcomplicatesthetaskofreverseengineeringbinaries.
However,anattackercanoverwritetheen-cryptioninformationofanapplicationinajailbrokendevicetoob-tainthememorydumpandanalyzeittocreatenewattacks[3,16].
DynamicCodeHooking:Afteradeviceisjailbroken,anat-tackercanhookmaliciouscodetoanappatruntimeinordertobypasssecuritychecks,potentiallycompromisingthesecurityoftheapplicationanditsdata[20].
Tampering:Attackerscanmodifythedatesandtimestampsofartifactsinordertocovertheirtracks.
Vermaetal.
[21]havere-centlyproposedamechanismforpreservingdatesandtimestampsinsupportofforensicexaminationsofAndroidsmartphones.
Govindaraj,Mata,Verma&Gupta231f20;BACKGROUND-COLOR:#4ae2f7">7ThischapterpresentsatechniqueforprotectingapplicationsanddatainjailbrokeniOSdevices.
Intheeventofasecurityincident,thetech-niquecanbeusedtosupportaforensicexaminationofajailbrokendevice.
3.
ImplementationMethodologyThesolutionhastwomodules:(i)astaticlibrarythatwrapsappsrunningonjailbrokendeviceswithanextralayerofprotection,makingthemdiculttocrackandpreventingaccesstotheirdata;and(ii)amodulethatpreservesauthenticdatesandtimestampsofeventsrelatedtothesecuredappstosupportforensicexaminations.
Thecaptureddatesandtimestampsarestoredoutsidethedeviceonasecureserverorinthecloud.
Themodulesarediscussedinfollowingsubsections.
3.
1SecuringAppsThestaticlibrary,whichisdesignedtosecureapps,incorporatesAPIsthatmaybeusedtoidentifyandmitigatesecurityvulnerabilitiesinjailbrokeniPhones[6].
Functionsinthelibraryinclude:isCheck1(),whichchecksifaniPhoneisjailbroken;isCheck2(),whichchecksifanapplicationisrunninginthedebugmode;enableDB(),whichdisablesthegdb(debugger)foraparticularapplication(process);isAppC(),whichchecksifanapplicationbinaryisencryptedandalsocheckstheintegrityofapplicationbundleles(Info.
Plist);initialize(),whichchecksifstaticlibraryfunctionsarehooked;CheckA(),whichchecksifcriticalmethods(functions)passedasargumentsarehooked;CheckS(),whichchecksifmethods(functions)relatedtoSSLcerticatevalidationarehooked;createCheck()andcreateCheckTest(),whichcheckifanapplicationhasbeentamperedwith;andresetZeroAll(),whichwipessensitivedatafrommemory.
3.
2PreservingDatesandTimestampsThedynamiclibraryhasbeencreatedusingtheMobileSubstrateframework.
ThisframeworkprovidesAPIsforaddingruntimepatchesorhookstosystemfunctionsinjailbrokeniOSdevices[18].
ThesolutionarchitectureshowninFigure1incorporatesthreecomponents:DynamicLibrary(dylib):Thiscomponenthookssystemopencallsandcaptureskernel-leveldatesandtimestampsofselectedlesandwritesthemtothelogle.
Itisloadedintorunningapplications.
Filtersareappliedsothatitisonlyloadedintospeciedapplications.
238ADVANCESINDIGITALFORENSICSXIFileModification/CreationProcessStartedDynamicLibraryHookedOpen()AppDBUpdateTimestampLogFileUploadLogFiletoSecureLocationOriginalOpen()FileAttributesGeneratedUserSpaceKernelSpaceiOSDeviceSecuredApp(UsingStaticLibrary)CydiaSubstrateDynamicLibraryLoadedFigure1.
Solutionarchitectureforpreservingdateandtimestamps.
TimestampLogFile:ThiscomponentisstoredintheinternalmemoryofaniPhone.
Itisnotdirectlyaccessibletoapplications,whichsecuresitfromunauthorizeddeletion.
LogFile:ThiscomponentisgeneratedbytheDLL.
Itisup-loadedatregularuser-denedintervalstoanexternalserverorcloudstoragebasedonnetworkconnectivity.
3.
3StaticLibraryThestaticlibraryisdesignedtosecureapplicationsandtheirassoci-ateddata.
Thelibrarywrapsappsinanadditionallayerofprotection,whichmakesthemmorediculttocrackinajailbrokeniOSdevice.
ThestaticlibrarycontainsseveralAPIs(Table1)thatcanbeusedtoidentifysecurityvulnerabilitiesinjailbrokendevices.
Thelibraryimplementsthedetectionofjailbrokendevices,thedisablingofapplicationdebuggers,thecheckingofapplicationencryption(forAppStorebinaries)andthedetectionofdynamiccodehooking.
Notethatthefunctionnamesareintentionallynotverydescriptiveinordertoenhancecodeobfuscationandhindermaliciousreverseengineeringeorts.
Govindaraj,Mata,Verma&Gupta239Table1.
StaticlibraryAPIs.
APIDescriptionisCheck1()ChecksifadevicehasbeenjailbrokenisAppC()ChecksiftheapplicationencryptionprovidedbytheAppStoreisintactenableDB()DisablestheapplicationdebuggerisCheck2()ChecksifanappisrunninginthedebugmodeInitialize()ChecksiflibraryAPIsarehookedbymethodswizzlingtech-niquescheckA()Checksifafunctionishookedbyamethodswizzlingtech-niquecheckS()ChecksiftheSSLvalidationmethodsprovidedbytheiOSSDKarehookedmakeZero()FindsthedataportionofobjectmemoryandzeroesitoutencPwd()EncryptsobjectdatainmemoryusingasecretdecPwd()Decryptsobjectdatainmemoryusingasecretlisted()AddsanobjecttothepointerlistusedbytheAPIsunlisted()RemovesanobjectfromthepointerlistresetAllZero()WipesalltrackedobjectscreateCheck()Providesandstaticallystoresastringofallthetrackedmem-oryaddressesandobjectchecksumscreateCheckTest()ChecksifthecurrentmemorystatesofallthetrackedobjectsmatchtheirstateswhenchecksumMem()wascalled3.
4DynamicLibraryThedynamiclibrarywascreatedusingtheMobileSubstrateframe-work,nowknownastheCydiaSubstrate[18].
TheframeworkprovidesaplatformandAPIsforaddingruntimepatchesorhookstosystemfunctionsaswellasotherapplicationsonjailbrokeniOSandrootedAndroiddevices.
TheMobileSubstrateframeworkincorporatesthreecomponents:(i)Mobilehooker;(ii)Mobileloader;and(iii)Safemode.
Mobilehooker:Thiscomponentreplacestheoriginalfunctionwiththehookedfunction.
TwoAPIsmaybeusedforiOSdevices:(i)MSHookMessage(),whichismainlyusedtoreplaceObjective-Cmethodsatruntime;and(ii)MSHookFunction(),whichisusedtoreplacesystemfunctions,mainlynativecodewritteninC,C++orassembly.
Mobileloader:CydiaSubstratecodeiscompiledtocreatethedynamiclibrary,whichisplacedinthedirectory/Library/MobileSubstrate/DynamicLibraries/injailbrokeniOSdevices.
ThemaintaskofMobileloaderistoloadthedynamiclibraryintorunning240ADVANCESINDIGITALFORENSICSXIapplications.
TheMobileloaderinitiallyloadsitselfandthenin-vokesdlopenonallthedynamiclibrariesinthedirectoryandloadsthematruntime.
ThedynamiclibrariesareconguredusingPropertyList(PList)les,whichactaslters,controllingifalibraryshouldbeloadedornot.
ThePListleshouldhavethesamenameasthatofdylibandshouldbestoredinthesamedirectoryasdylib.
ThePListshouldcontainasetofarraysinadictionarywiththekeyFilter.
Theotherkeysusedare:(i)Bundles(array)–theBundleIDofarunningapplicationismatchedagainstthelist,ifamatchoccurs,thendylibisloaded;(ii)Classes(array)–thedylibisloadedifoneofthespeciedObjective-Cclassesinthelistisimplementedintherunningapplication;and(iii)Executables(array)–dylibisloadedifanexecutablenameinthelistmatchestheexecutablenameoftherunningapplication.
Anexampleis:Filter=Executables=("mediaserverd");Bundles=("com.
apple.
MobileSlideShow");Mode="Any";;Intheexample,thelterensuresthatdylibisloadedonlyfortheiOSbuilt-inapplicationPhotos,whoseexecutablenamematchesmediaserverdorBundleIDiscom.
apple.
MobileSlideShow.
TheModekeyisusedwhentherearemorethanonelters.
Byspecify-ingMode=Any,dylibisloadedifoneoftheltershasamatch.
Safemode:Inthismode,allthird-partytweaksandextensionsaredisabled,preventingtheiOSdevicefromenteringthecrashmode.
Followingthis,thebrokendylibcanbeuninstalledfromthedevice.
CompilationProcedure.
TheTheos[10]developmentsuitewasusedtoedit,compileandinstallthedynamiclibraryonadevice.
ItprovidesacomponentnamedLogos,whichisabuilt-inpre-processor-basedlibrarydesignedtosimplifythedevelopmentofMobileSubstrateextensions.
Inordertocompilethedynamiclibrary,TheosmustbeinstalledonaMacmachine.
AMacOSXhasmostofthetoolsrequiredbyTheos;however,Xcodecommandlinetoolsmustbeinstallediftheyarenotpresent.
Ad-ditionally,itisnecessarytoinstalltheldidtool,whichisusedtosignappsortweakssothattheycanbeinstalledonjailbrokeniOSdevices.
Tostarttheproject,itisnecessarytoobtainalltheiOSprivatehead-ersofthefunctionsintendedtobehooked.
TheheaderscanbedumpedGovindaraj,Mata,Verma&Gupta241usingtheClass-Dump-Zcommandlinetool[5].
Thisreverseengineer-ingtoolprovidescompleteheaderinformationoftheObjective-CcodeofaniOSapplication.
Dumpingtheheaderscantakesometimebecauseheadersfromalltheframeworks,includingprivateframeworks,arealsocollected.
Thedumpedheadersaresavedinafolderwiththecorre-spondingframeworkname.
Insteadofdumpingtheheaders,headerscollectedbyotherresearcherscanbeused(e.
g.
,headersfromGitHub).
Alltheheadersaresavedat/opt/theos/include.
ThenextstepistocreatetheTheosproject.
Thisinvolvesexecutingthele/opt/theos/bin/nic.
plfromthecommandlineandchoosingtheprojecttemplate,name,etc.
Theprojecttypeshouldbelibrarybecausethegoalistohookasystemfunction.
Aftertheprojecthasbeencreated,anewlenamedtweak.
xmisfoundintheprojectdirectory;thisleisusedtostorethehookingcode.
Thefollowingpseudocodeforhookinganopen()systemcallisaddedinthetweak.
xmle:extern"C"{intorig\_open(constchar*path,intoflags);}inthijacked\_open(constchar*path,intoflags){//dosomething,thenreturnorig\_open(path,oflags);}\%ctor{NSAutoreleasePool*pool=[[NSAutoreleasePoolalloc]init];MSHookFunction(open(),\&hijacked\_open,\&orig\_open);[pooldrain];}TheMSHookFunction()APIisusedtohooktheopen()systemcall.
Thereplacementfunctionishijackedopen().
Themakefileisthenmodiedtoaddtherequiredframeworks.
NotethattheFoundationframeworkisusedtocreatethehookingcode.
ThetargetSDKversionandthearchitectureneededtosupportitarealsoadded:TARGET:=iPhone:1f20;BACKGROUND-COLOR:#4ae2f7">7.
0ARCHS:=armv1f20;BACKGROUND-COLOR:#4ae2f7">7arm64ProjectName\_FRAMEWORKS=FoundationOncedone,callmakefromcommandlineasbelow.
xyz:testxyzmakeMakingallforapplicationtest.
.
.
Copyingresourcedirectoriesintotheapplicationwrapper.
.
.
Signingtest.
.
.
TheprojectisthencompiledandaDLLiscreatedintheobjfolder.
242ADVANCESINDIGITALFORENSICSXIDLLLoading.
AftertheDLLiscreated,itcanbeinstalledonadevicebytheTheossuiteusingthecommandmakepackageinstall.
ThiscommandcreatesaDebianpackageoftheDLLandinstallsitintheproperlocationonthedevice.
Beforethisisdone,theenvironmentvariablemustbesettoexportTHEOSDEVICEIP=iPhoneDeviceIP.
Next,thepackageistransferredtothedeviceforinstallationviaSFTP.
TheiOSdeviceshouldbeonthesamenetworkasthecomputerusedfordevelopment[20].
4.
PreventingAttacksandAnti-ForensicsThesectiondiscusseshowattacksandanti-forensicapproachescanbemitigatedusingthestaticanddynamiclibraries.
4.
1UsingtheStaticLibraryBOOLisCheck1():ThisfunctionisusedtocheckifaniOSdeviceisjailbroken.
ItreturnsyesiftheiOSdeviceisjailbro-ken;otherwiseno.
Thisfunctioncanbecalledbeforeapplicationlaunch.
APIforCheckingDebugMode:TheapplicationexitswhenlaunchedinthedebugmodeusingtheenableDB()function.
Thisfunctioncanbecalledfrommain()andfromelsewhereintheprojecttodisabledebuggingatanystage.
BycallingenabledDB()inmain()orbeforeapplaunch,theapplicationcanbepreventedfromrunninginthedebugmode.
Therefore,thefunctionshouldbecalledinthereleasemode.
isCheck2():Thisfunctiongivesinformationabouthowtheap-plicationisrunning.
Iftheapplicationwasstartedinthedebugmode,thenavalueofoneisreturned;otherwisezeroisreturned.
BOOLisAppC(char*inBundlePath):Thisfunctionchecksiftheapplicationhasbeenhacked.
TheparameterinBundlePathcanbeanycharacterpointer;itisonlyaddedforobfuscationandisnotusedinsidethefunction.
Itincludesanappencryptioncheck(iftheAppStoreencryptionisbroken),signeridentitychecks,etc.
Iftheappiscracked,thefunctionreturnsyes;otherwiseno.
ThefunctionisprimarilyusedtocheckifAppStorebinariesarecracked.
intInitialize():ThisfunctionchecksiftheAPIsinthestaticlibraryarethemselveshooked.
Thefunctionhastobecalledini-tially,preferablyduringapplaunch,tocheckifthelibraryAPIsGovindaraj,Mata,Verma&Gupta243arehookedbymethodswizzling,afterwhichtheappropriateac-tionsmustbetaken.
Ifthefunctionsarehooked,thenitmakesnosensetousetheAPIstoprotectapplications.
intcheckA(constchar*MCl,constchar*MFr,constchar*MFn,void*funcPTR):Thisfunctionchecksifanyhookingisdoneforacriticalmethodwithinanapplicationpassedasanar-gumenttothefunction.
Thefunctionreturnsoneifnohookingisdiscoveredandzeroifafunctionishooked.
Itrequiresthemethodname,methodclassandthepathoftheframework(foraframe-workmethod)orappbundlepath(foranapplicationmethod).
intcheckS():ThisfunctionchecksifSSLcerticatevalidationmethodsprovidedbytheiOSSDKarehooked.
ThisfunctionisinvokedwithinanapplicationbeforecallingSSLvalidationmeth-odssothattheproperactionscanbetaken.
Thefunctionreturnsoneifthereisnohookingandzeroifafunctionishooked.
makeZero(obj):Thisfunctionisusedtozerothevalueofasensitivevariableafteritsuse.
encPwd()anddecPwd():TheseAPIsareusedforencryptingsensitivedataimmediatelyafterthedataiscreatedanddecryptingthedataonlyduringitsuse.
Afterthesensitivedatahasbeenused,itshouldbeclearedfrommemorypermanently.
listed()andunlisted():Thesefunctionstrackseveralobjectsinordertoclearthemfrommemorysimultaneously.
Sensitiveobjectsareaddedtothelisttokeeptrackofthem;theyareallclearedatonetimeusinganAPI.
Forexample,whenadeviceislockedand/oranappisclosed(hiddenorterminated),itmaybenec-essarytowipeallthesensitivedata.
Inthiscase,itisnecessarytoaddresetZeroAll()tothestate-changenotifyfunctionsinAppDelegate.
Severaltoolsareavailableforattackerstomodifythevaluesofcriticaldataandchangethebehaviorofanappli-cationatruntime.
SuchmodicationscanbetrackedusingthecreateCheck()andcreateCheckTest()APIstocreateacheck-sumofthecriticaldataandcheckitperiodicallytoensurethatthedataisnotmodiedbyanattacker.
4.
2UsingtheDynamicLibraryWheneverlesaremodied,accessedorcreated,thehijackedopen()callisinvokedandthemodied,accessed,createddatesandtimestamps(MACDTS)arecapturedandstoredinthelogle.
Thelogleisstored244ADVANCESINDIGITALFORENSICSXIiSecureRing.
.
.
JailbreakingEncryptionCheckCodeTamperingSimulatingAttacksTimestampTamperingConfidentialDataStealingDebugModeHookingFigure2.
Simulatingattacksondevices.
outsidetheiPhoneatasecurelocationsuchasaserverorinthecloud.
Theinformationintheloglecanbeusedinaforensicinvestigationofthesmartphoneintheeventofasecurityincident.
5.
ExperimentalResultsTheexperimentsinvolvedthecreationoftwoapps,onewithoutanyprotectionandtheotherprotectedbyiSecureRing.
TheappswerethendeployedonajailbrokeniPhone4(iOS1f20;BACKGROUND-COLOR:#4ae2f7">7.
0.
6).
Aseriesofattacksweresimulatedontheappsandtheirdatatovalidatetheproposedsolution(Figure2).
Attheapplicationlevel,theappsweresubjectedtovariousattackstoexploitthelackofbinaryprotection[2].
TheresultsinTable2demonstratethatanappwithiSecureRingrunningonajailbrokeniPhone(Row3)isjustassecureasanormalapprunningonanon-jailbrokeniPhone(Row1).
Performancebenchmarkingwasconductedforthethreecasesconsid-eredintheexperiments.
Figure3summarizestheresultsoftheinitialtests(veruns).
Theresultsshownosignicantdierencesindeviceperformance.
Govindaraj,Mata,Verma&Gupta245Table2.
Attacksandresults.
iPhone4Jail-DebugEncryptionHookingCode(iOS1f20;BACKGROUND-COLOR:#4ae2f7">7.
0.
6)brokenModeCheckTamperingNotJailbrokenYesNoNoNoNo(Appwithoutprotection)JailbrokenN/AYesYesYesYes(Appwithoutprotection)JailbrokenN/ANoNoNoNo(AppwithiSecureRing)02004006008001,0001,2001,4001,6001,800CPUIntegermathCPUFloatingpointmathStoragewriteStoragereadMemorywriteMemoryread2D-Complexvectors2D-Imagerendering3D-ComplextestJailbrokenwithiSecureRingJailbrokenwithoutiSecureRingNotJailbrokenFigure3.
Performancebenchmarkresults.
Figure4.
MACDTSlogsforanimagele.
iSecureRingalsohelpsdetectattemptstoexploitknownorunknownvulnerabilitiesbycapturingthetimestampsofactivitiesassociatedwithasecuredapp.
OneexperimentinvolvedtimestamptamperingattemptsonimagesfromApple'sPhotoapp.
iSecureRingsuccessfullycapturedalltheeventsinthelog.
Ananalysisofthelogclearlyrevealedthetamperingattempts.
Figure4showstheMACDTSlogsforoneoftheimages.
246ADVANCESINDIGITALFORENSICSXIFigure5.
Preventingadebugmodeattack.
DebugModeAttack.
Figure5showsascreenshotofanXcodeap-plicationrunninginthedebugmode[11f20;BACKGROUND-COLOR:#4ae2f7">7]whileitwasbeingprotectedbyiSecureRing.
EncryptionAttack.
Clutch[11f20;BACKGROUND-COLOR:#4ae2f7">7]wasusedtosimulateanencryptionattack(Clutchmaybedownloadedfromcydia.
iphonecake.
com).
iSe-cureRingincludesachecktodetermineifapplicationencryptionisintactbyanalyzingencryptioninformationinthebinaryandalsothecryptidagvalue.
Iftheapplicationencryptionisfoundtobebroken,thentheuserisalertedandtheapplicationbehaviorcanbechangedatruntime.
Hooking.
AhookingattackwassimulatedbyhookingSSLvalidationmethods.
Itispossibletolaunchaman-in-the-middleattackonevenHTTPSrequeststounderstand,stealandmodifytherequesteddata.
iSecureRingincorporatesseveralcheckstoidentifythehookingofcriticalmethodssuchasSSLvalidationandauthentication.
ApplicationsthatuseiSecureRingareprotectedagainsttheattacksbecausetheuserisalertedandtheappbehaviorcanbechanged.
CodeTampering.
AcodetamperingattackwassimulatedusingCy-cript[1f20;BACKGROUND-COLOR:#4ae2f7">7],aJavaScriptinterpreter.
ThetoolwasusedtomodifyiOSapplicationbehavioratruntime(e.
g.
,bypassingsomeauthenticationchecksandaccessingcriticalinformationfrommemory).
AnapplicationcompiledwithiSecureRingprovidesAPIsforidentifyingcodetamper-ingofcriticalinstancevariablesandclassobjectsusingCRCchecksums.
Also,APIsareprovidedforwipingsensitivedatafrommemory.
6.
CaseStudyTheiSecureRingimplementationwassuccessfullyusedtosecureaniPhonemobileappforaleadingbankinIndia.
ProblemStatement.
Thebankhadasecurityincidentinwhichtheapplicationrunningonajailbrokendevicerevealedsensitivedata.
JailbreakingAttack.
TheattackerhadusedthelatestjailbreakingtoolforiOS1f20;BACKGROUND-COLOR:#4ae2f7">7.
1.
2Pangu[1].
Theattackeralsousedcertaintweakstode-Govindaraj,Mata,Verma&Gupta241f20;BACKGROUND-COLOR:#4ae2f7">7featjailbreakdetection.
SometweakswithinCydiabypassthejailbreakdetectioncheckofanapplicationandmaketheapplicationrunnormallyevenonjailbrokendevices.
OnesuchtweakisxCon[12],whichhookslow-levelAPIsusedforjailbreakdetectionsuchasle-relatedAPIsandothersystemcalls,thusbypassingthejailbreakdetectionfunctionsusedintheapplication.
NocongurationisrequiredforxCon,aMobileSub-stratedynamiclibrarythatcanbeinstalledfromCydia.
iSecureRingResults.
ThebankappwassecuredusingiSecureRing.
Thejailbreakdetectionfunctionwasrobustenoughtocheckifthede-vicewasjailbrokenandifanyjailbreakdetectionbypassingfunctionswerepresent.
ThesolutionwastestedwithxCon39beta1f20;BACKGROUND-COLOR:#4ae2f7">7oniPhone4deviceswithiOSversion1f20;BACKGROUND-COLOR:#4ae2f7">7.
1.
2.
xConwasunabletobypassthejailbreakdetectiontechniquesusedbyiSecureRing.
TheiSecureRingsolutionchecksfortheexistenceofle-relatedsystemfunctionhooking,render-ingxCon-liketweaksuseless.
ThesolutionalsomitigatesthejailbreakdetectionbypassingmechanismprovidedbythexCondynamiclibrary.
1f20;BACKGROUND-COLOR:#4ae2f7">7.
ConclusionsTheiSecureRingsolutionsecuresappsonjailbrokeniOSdevices.
Thestaticlibraryhelpsdetectsecurityvulnerabilitiesandalertsuserstotakeappropriateactions.
Thedynamiclibraryhelpsdetectmalicioustam-peringofdatabystoringauthenticcopiesofMACDTSvaluesonalocalserverorinthecloud;thisalsosupportsoinedigitalforensicinvestigationsaftersecurityincidents.
Thus,iSecureRingenablesexist-ingandnewappstobesecuredandmadeforensic-readyeveniftheiOSdevicehasbeenjailbroken.
WithenterprisesimplementingBYODpoliciesandjailbrokendevicesmakingtheirwayintoenterprises,theiSecureRingsolutionhelpsenterprisesmitigatethesecurityriskswhileenablingemployeestouseonedeviceforocialandpersonalactivities.
Futureresearchwillfocusonanalyzinganomalousinteractionswithsecuredapps,blockingattacksandraisingalerts.
EortswillalsobemadetocreatesimilarsolutionsforAndroidandWindowssmartphones.
References[1]J.
Benjamin,HowtojailbreakiOS1f20;BACKGROUND-COLOR:#4ae2f7">7.
1.
xwithPangu1.
1onWin-dows,iDownloadBlog,June29,2014.
[2]C.
D'Orazio,A.
ArinandK.
Choo,iOSanti-forensics:Howcanwesecurelyconceal,deleteandinsertdataProceedingsoftheForty-SeventhHawaiiInternationalConferenceonSystemSciences,pp.
4838–4841f20;BACKGROUND-COLOR:#4ae2f7">7,2014.
248ADVANCESINDIGITALFORENSICSXI[3]D.
Ertel,DecryptingiOSapps(www.
infointox.
net/p=114),2013.
[4]S.
Esser,ExploitingtheiOSkernel,presentedatBlackHatUSA,2011.
[5]P.
Gianchandani,iOSApplicationSecurityPart2–GettingClassInformationofiOSApps,InfosecInstitute,ElmwoodPark,Illinois,2014.
[6]GitHub,ToolsforsecurelyclearingandvalidatingiOSapplicationmemory,SanFrancisco,California(github.
com/project-imas/memory-security),2014.
[1f20;BACKGROUND-COLOR:#4ae2f7">7]S.
GuerreroSelma,HackingiOSontherun:UsingCycript,pre-sentedattheRSAConference,2014.
[8]A.
HoogandK.
Strzempka,iPhoneandiOSForensics:Investiga-tion,AnalysisandMobileSecurityforAppleiPhone,iPadandiOSDevices,Syngress,Waltham,Massachusetts,2011.
[9]iPhoneDevWiki,debugserver(iphonedevwiki.
net/index.
php/Debugserver),2015.
[10]iPhoneDevWiki,Theos(iphonedevwiki.
net/index.
php/Theos),2015.
[11]iPhoneHacks,JailbreakingyouriPhoneremainslegalinUS,butitisillegaltojailbreakyouriPadandunlockyouriPhoneunderDMCA,October26,2012.
[12]iPhoneWiki,xCon(theiphonewiki.
com/wiki/XCon),2014.
[13]C.
Miller,Owningthefanboys:HackingMacOSX,presentedatBlackHatJapan,2008.
[14]C.
Miller,Mobileattacksanddefense,IEEESecurityandPrivacy,vol.
9(4),pp.
68–1f20;BACKGROUND-COLOR:#4ae2f7">70,2011.
[15]S.
Morrissey,iOSForensicAnalysisforiPhone,iPadandiPodTouch,Apress,NewYork,2010.
[16]M.
Renard,PracticaliOSappshacking,ProceedingsoftheFirstInternationalSymposiumonGrey-HatHacking,pp.
14–26,2012.
[11f20;BACKGROUND-COLOR:#4ae2f7">7]B.
Satish,PenetrationTestingforiPhoneApplications–Part5,InfosecInstitute,ElmwoodPark,Illinois,2013.
[18]SaurikIT,CydiaSubstrate,IslaVista,California(www.
cydiasubstrate.
com),2014.
[19]A.
Smith,SmartphoneOwnership2013,PewResearchCenter,Washington,DC,June5,2013.
Govindaraj,Mata,Verma&Gupta249[20]B.
Trebitowski,BeginningJailbrokeniOSDevelopment–BuildingandDeployment,Pixegon,Albuquerque,NewMexico(brandontreb.
com/beginning-jailbroken-ios-development-building-and-deployment),2011.
[21]R.
Verma,J.
GovindarajandG.
Gupta,Preservingdateandtime-stampsforincidenthandlinginAndroidsmartphones,inAdvancesinDigitalForensicsX,G.
PetersonandS.
Shenoi(Eds.
),Springer,Heidelberg,Germany,pp.
209–225,2014.
VirMach,成立于2014年的美国IDC商家,知名的低价便宜VPS销售商,支持支付宝、微信、PayPal等方式付款购买,主打美国、欧洲暑假中心产品,拥有包括洛杉矶、西雅图、圣何塞、凤凰城在内的11个数据中心可以选择,可以自由搭配1Gbps、2Gbps、10Gbps带宽端口,有Voxility DDoS高防IP可以选择(500Gbps以上的防御能力),并且支持在控制面板付费切换机房和更换IP(带...
近日Friendhosting发布了最新的消息,新上线了美国迈阿密的云产品,之前的夏季优惠活动还在进行中,全场一次性45折优惠,最高可购买半年,超过半年优惠力度就不高了,Friendhosting商家的优势就是100Mbps带宽不限流量,有需要的朋友可以尝试一下。Friendhosting怎么样?Friendhosting服务器好不好?Friendhosting服务器值不值得购买?Friendho...
快云科技怎么样?快云科技是一家成立于2020年的新起国内主机商,资质齐全 持有IDC ICP ISP等正规商家。我们秉承着服务于客户服务于大众的理念运营,机器线路优价格低。目前已注册用户达到5000+!主营产品有:香港弹性云服务器,美国vps和日本vps,香港物理机,国内高防物理机以及美国日本高防物理机!产品特色:全配置均20M带宽,架构采用KVM虚拟化技术,全盘SSD硬盘,RAID10阵列, 国...
netbios端口为你推荐
签约xp支出127Anthemmywin10445端口windows server2008怎么开放4443端口联通版iphone4s怎样看苹果4S是联通版还是电信版联通iphone4联通iphone4跟苹果的iphone4有什么不一样? 比如少了什么功能? 还是什么的?win7关闭135端口win7系统 怎么关闭135 445 端口 修改注册表 创建IP安全策略 也试过 就是关不了 还望高手指教micromediaMacromedia翻译成中文是什么?googleadsensegoogle adsense 和google adwords有什么区别?适合什么样的人群?chromeframe谷歌浏览器(Chrome) 与(Chromium) 有什么区别?哪个更快?
移动服务器租用 企业主机 国外永久服务器 樊云 linkcloud wdcp 北京主机 丹弗 嘟牛 免费全能空间 个人空间申请 空间论坛 中国网通测速 paypal注册教程 银盘服务是什么 域名与空间 supercache 空间申请 亿库 htaccess 更多