Chapter 14

FORENSIC-READY SECURE iOS APPS FOR JAILBROKEN iPHONES

Jayaprakash Govindaraj, Rashmi Mata, Robin Verma and Gaurav Gupta

Abstract

Apple iOS is one of the most popular smartphone operating systems, but it restricts the installation of apps that are not from the Apple App Store. As a result, users often jailbreak their iPhones to defeat this restriction. Jailbroken iPhones are making their way into enterprises that have a Bring Your Own Device (BYOD) policy, but these devices are often barred or restricted by mobile device management software because they pose security risks. This chapter describes the iSecureRing solution that secures mobile apps and preserves the dates and timestamps of events in order to support forensic examinations of jailbroken iPhones. An analysis of the literature reveals that iSecureRing is the first forensic-ready mobile app security solution for iOS applications that execute in unsecured enterprise environments.
Keywords: Jailbroken iPhones, enterprise environments, forensic examinations

1. Introduction

According to a 2013 Pew report [19], 40.98% of the smartphones used by adult Americans are Apple iPhones. Apple's iOS operating system does not allow the installation of applications, extensions and themes that are not obtained from the Apple App Store. As a result, users frequently jailbreak their devices to obtain root access and defeat the installation restrictions [4]. A jailbroken iPhone allows the retrieval of applications and their associated data, potentially compromising the security of the applications and the confidentiality of the data [4, 16]. Since jailbreaking is a reality [8, 11], it is increasingly important to design mobile applications that can run securely on jailbroken iPhones.

The requirement of having an application execute securely in an unsecure environment is critical to scenarios where a proprietary application should work without impacting enterprise security. At this time, enterprises that have a Bring Your Own Device (BYOD) policy generally detect and restrict jailbroken iPhones using mobile device management software such as Citrix's XenMobile and IBM's Endpoint Manager. Thus, employees have to un-jailbreak their iPhones or install enterprise applications on other approved devices. The solution proposed in this chapter enables enterprises to install their applications securely on jailbroken iPhones. New apps and existing apps can be secured and be made forensic-ready. The forensic readiness of the apps enables enterprises to check if the apps run securely and also ensures that forensic artifacts are available in the event of security incidents.

© IFIP International Federation for Information Processing 2015. G. Peterson, S. Shenoi (Eds.): Advances in Digital Forensics XI, IFIP AICT 462, pp. 235–249, 2015. DOI: 10.1007/978-3-319-24123-4_14
2. Related Work

D'Orazio et al. [2] have proposed a concealment technique that enhances the security of unprotected (class D) data that is at rest in iOS devices, along with a deletion technique to reinforce data deletion in iOS devices. Hackers and malicious users resort to techniques such as jailbreaking, running an app in the debug mode, reverse engineering, dynamic hooking or tampering in order to access or compromise sensitive data stored by iOS apps:

Jailbreaking: Attackers use jailbreaking to obtain system-level (root) access to iOS devices, potentially compromising the security of applications and their associated data [15].

Debugger Mode: Attackers run targeted applications in the debug mode, obtain memory dumps and overwrite the memory with malicious code [9, 13].

Reverse Engineering: Apps from the Apple Store are encrypted using Apple's Fairplay DRM, which complicates the task of reverse engineering binaries. However, an attacker can overwrite the encryption information of an application in a jailbroken device to obtain the memory dump and analyze it to create new attacks [3, 16].

Dynamic Code Hooking: After a device is jailbroken, an attacker can hook malicious code to an app at runtime in order to bypass security checks, potentially compromising the security of the application and its data [20].

Tampering: Attackers can modify the dates and timestamps of artifacts in order to cover their tracks. Verma et al. [21] have recently proposed a mechanism for preserving dates and timestamps in support of forensic examinations of Android smartphones.

This chapter presents a technique for protecting applications and data in jailbroken iOS devices. In the event of a security incident, the technique can be used to support a forensic examination of a jailbroken device.
3. Implementation Methodology

The solution has two modules: (i) a static library that wraps apps running on jailbroken devices with an extra layer of protection, making them difficult to crack and preventing access to their data; and (ii) a module that preserves authentic dates and timestamps of events related to the secured apps to support forensic examinations. The captured dates and timestamps are stored outside the device on a secure server or in the cloud. The modules are discussed in following subsections.

3.1 Securing Apps

The static library, which is designed to secure apps, incorporates APIs that may be used to identify and mitigate security vulnerabilities in jailbroken iPhones [6]. Functions in the library include:

    isCheck1(), which checks if an iPhone is jailbroken;
    isCheck2(), which checks if an application is running in the debug mode;
    enableDB(), which disables the gdb (debugger) for a particular application (process);
    isAppC(), which checks if an application binary is encrypted and also checks the integrity of application bundle files (Info.Plist);
    initialize(), which checks if static library functions are hooked;
    CheckA(), which checks if critical methods (functions) passed as arguments are hooked;
    CheckS(), which checks if methods (functions) related to SSL certificate validation are hooked;
    createCheck() and createCheckTest(), which check if an application has been tampered with; and
    resetZeroAll(), which wipes sensitive data from memory.
3.2 Preserving Dates and Timestamps

The dynamic library has been created using the MobileSubstrate framework. This framework provides APIs for adding runtime patches or hooks to system functions in jailbroken iOS devices [18]. The solution architecture shown in Figure 1 incorporates three components:

Dynamic Library (dylib): This component hooks system open calls and captures kernel-level dates and timestamps of selected files and writes them to the log file. It is loaded into running applications. Filters are applied so that it is only loaded into specified applications.

Timestamp Log File: This component is stored in the internal memory of an iPhone. It is not directly accessible to applications, which secures it from unauthorized deletion.

Log File: This component is generated by the DLL. It is uploaded at regular user-defined intervals to an external server or cloud storage based on network connectivity.

Figure 1. Solution architecture for preserving date and timestamps. [Diagram: on the iOS device, Cydia Substrate loads the dynamic library into the secured app (which uses the static library); when a file modification/creation process starts in user space, the hooked open() updates the timestamp log file and app DB before the original open() generates the file attributes in kernel space; the log file is uploaded to a secure location.]
3.3 Static Library

The static library is designed to secure applications and their associated data. The library wraps apps in an additional layer of protection, which makes them more difficult to crack in a jailbroken iOS device. The static library contains several APIs (Table 1) that can be used to identify security vulnerabilities in jailbroken devices. The library implements the detection of jailbroken devices, the disabling of application debuggers, the checking of application encryption (for App Store binaries) and the detection of dynamic code hooking. Note that the function names are intentionally not very descriptive in order to enhance code obfuscation and hinder malicious reverse engineering efforts.

Table 1. Static library APIs.

    API                 Description
    isCheck1()          Checks if a device has been jailbroken
    isAppC()            Checks if the application encryption provided by the App Store is intact
    enableDB()          Disables the application debugger
    isCheck2()          Checks if an app is running in the debug mode
    Initialize()        Checks if library APIs are hooked by method swizzling techniques
    checkA()            Checks if a function is hooked by a method swizzling technique
    checkS()            Checks if the SSL validation methods provided by the iOS SDK are hooked
    makeZero()          Finds the data portion of object memory and zeroes it out
    encPwd()            Encrypts object data in memory using a secret
    decPwd()            Decrypts object data in memory using a secret
    listed()            Adds an object to the pointer list used by the APIs
    unlisted()          Removes an object from the pointer list
    resetAllZero()      Wipes all tracked objects
    createCheck()       Provides and statically stores a string of all the tracked memory addresses and object checksums
    createCheckTest()   Checks if the current memory states of all the tracked objects match their states when checksumMem() was called

3.4 Dynamic Library

The dynamic library was created using the MobileSubstrate framework, now known as the Cydia Substrate [18].
The framework provides a platform and APIs for adding runtime patches or hooks to system functions as well as other applications on jailbroken iOS and rooted Android devices. The MobileSubstrate framework incorporates three components: (i) Mobilehooker; (ii) Mobileloader; and (iii) Safe mode.

Mobilehooker: This component replaces the original function with the hooked function. Two APIs may be used for iOS devices: (i) MSHookMessage(), which is mainly used to replace Objective-C methods at runtime; and (ii) MSHookFunction(), which is used to replace system functions, mainly native code written in C, C++ or assembly.

Mobileloader: Cydia Substrate code is compiled to create the dynamic library, which is placed in the directory /Library/MobileSubstrate/DynamicLibraries/ in jailbroken iOS devices. The main task of Mobileloader is to load the dynamic library into running applications. The Mobileloader initially loads itself and then invokes dlopen on all the dynamic libraries in the directory and loads them at runtime. The dynamic libraries are configured using Property List (PList) files, which act as filters, controlling if a library should be loaded or not. The PList file should have the same name as that of dylib and should be stored in the same directory as dylib. The PList should contain a set of arrays in a dictionary with the key Filter. The other keys used are: (i) Bundles (array) – the Bundle ID of a running application is matched against the list; if a match occurs, then dylib is loaded; (ii) Classes (array) – the dylib is loaded if one of the specified Objective-C classes in the list is implemented in the running application; and (iii) Executables (array) – dylib is loaded if an executable name in the list matches the executable name of the running application. An example is:

    Filter = {
        Executables = ("mediaserverd");
        Bundles = ("com.apple.MobileSlideShow");
        Mode = "Any";
    };

In the example, the filter ensures that dylib is loaded only for the iOS built-in application Photos, whose executable name matches mediaserverd or Bundle ID is com.apple.MobileSlideShow. The Mode key is used when there is more than one filter. By specifying Mode = Any, dylib is loaded if one of the filters has a match.

Safe mode: In this mode, all third-party tweaks and extensions are disabled, preventing the iOS device from entering the crash mode. Following this, the broken dylib can be uninstalled from the device.
Compilation Procedure. The Theos [10] development suite was used to edit, compile and install the dynamic library on a device. It provides a component named Logos, which is a built-in pre-processor-based library designed to simplify the development of MobileSubstrate extensions.

In order to compile the dynamic library, Theos must be installed on a Mac machine. Mac OS X has most of the tools required by Theos; however, Xcode command line tools must be installed if they are not present. Additionally, it is necessary to install the ldid tool, which is used to sign apps or tweaks so that they can be installed on jailbroken iOS devices.

To start the project, it is necessary to obtain all the iOS private headers of the functions intended to be hooked. The headers can be dumped using the Class-Dump-Z command line tool [5]. This reverse engineering tool provides complete header information of the Objective-C code of an iOS application. Dumping the headers can take some time because headers from all the frameworks, including private frameworks, are also collected. The dumped headers are saved in a folder with the corresponding framework name. Instead of dumping the headers, headers collected by other researchers can be used (e.g., headers from GitHub). All the headers are saved at /opt/theos/include.

The next step is to create the Theos project. This involves executing the file /opt/theos/bin/nic.pl from the command line and choosing the project template, name, etc. The project type should be library because the goal is to hook a system function. After the project has been created, a new file named tweak.xm is found in the project directory; this file is used to store the hooking code.
The following pseudocode for hooking an open() system call is added in the tweak.xm file:

    #import <Foundation/Foundation.h>
    #import <substrate.h>
    #include <fcntl.h>
    #include <stdarg.h>

    // Filled in by MSHookFunction() with the address of the original open().
    static int (*orig_open)(const char *path, int oflags, ...);

    // Replacement for open(); the mode argument is present only with O_CREAT.
    static int hijacked_open(const char *path, int oflags, ...) {
        mode_t mode = 0;
        if (oflags & O_CREAT) {
            va_list ap;
            va_start(ap, oflags);
            mode = (mode_t)va_arg(ap, int);
            va_end(ap);
        }
        // do something, then
        return orig_open(path, oflags, mode);
    }
    %ctor {
        @autoreleasepool {
            MSHookFunction((void *)open, (void *)hijacked_open, (void **)&orig_open);
        }
    }

The MSHookFunction() API is used to hook the open() system call. The replacement function is hijacked_open().

The makefile is then modified to add the required frameworks. Note that the Foundation framework is used to create the hooking code. The target SDK version and the architecture needed to support it are also added:

    TARGET := iPhone:7.0
    ARCHS := armv7 arm64
    ProjectName_FRAMEWORKS = Foundation

Once done, call make from the command line as below.

    xyz:test xyz$ make
    Making all for application test...
    Copying resource directories into the application wrapper...
    Signing test...

The project is then compiled and a DLL is created in the obj folder.
DLL Loading. After the DLL is created, it can be installed on a device by the Theos suite using the command make package install. This command creates a Debian package of the DLL and installs it in the proper location on the device. Before this is done, the environment variable must be set using export THEOS_DEVICE_IP=iPhoneDeviceIP. Next, the package is transferred to the device for installation via SFTP. The iOS device should be on the same network as the computer used for development [20].
4. Preventing Attacks and Anti-Forensics

The section discusses how attacks and anti-forensic approaches can be mitigated using the static and dynamic libraries.

4.1 Using the Static Library

BOOL isCheck1(): This function is used to check if an iOS device is jailbroken. It returns yes if the iOS device is jailbroken; otherwise no. This function can be called before application launch.

API for Checking Debug Mode: The application exits when launched in the debug mode using the enableDB() function. This function can be called from main() and from elsewhere in the project to disable debugging at any stage. By calling enableDB() in main() or before app launch, the application can be prevented from running in the debug mode. Therefore, the function should be called in the release mode.

isCheck2(): This function gives information about how the application is running. If the application was started in the debug mode, then a value of one is returned; otherwise zero is returned.

BOOL isAppC(char *inBundlePath): This function checks if the application has been hacked. The parameter inBundlePath can be any character pointer; it is only added for obfuscation and is not used inside the function. It includes an app encryption check (if the App Store encryption is broken), signer identity checks, etc. If the app is cracked, the function returns yes; otherwise no. The function is primarily used to check if App Store binaries are cracked.

int Initialize(): This function checks if the APIs in the static library are themselves hooked. The function has to be called initially, preferably during app launch, to check if the library APIs are hooked by method swizzling, after which the appropriate actions must be taken. If the functions are hooked, then it makes no sense to use the APIs to protect applications.

int checkA(const char *MCl, const char *MFr, const char *MFn, void *funcPTR): This function checks if any hooking is done for a critical method within an application passed as an argument to the function. The function returns one if no hooking is discovered and zero if a function is hooked. It requires the method name, method class and the path of the framework (for a framework method) or app bundle path (for an application method).

int checkS(): This function checks if SSL certificate validation methods provided by the iOS SDK are hooked. This function is invoked within an application before calling SSL validation methods so that the proper actions can be taken. The function returns one if there is no hooking and zero if a function is hooked.

makeZero(obj): This function is used to zero the value of a sensitive variable after its use.

encPwd() and decPwd(): These APIs are used for encrypting sensitive data immediately after the data is created and decrypting the data only during its use. After the sensitive data has been used, it should be cleared from memory permanently.

listed() and unlisted(): These functions track several objects in order to clear them from memory simultaneously. Sensitive objects are added to the list to keep track of them; they are all cleared at one time using an API. For example, when a device is locked and/or an app is closed (hidden or terminated), it may be necessary to wipe all the sensitive data. In this case, it is necessary to add resetZeroAll() to the state-change notify functions in AppDelegate.

Several tools are available for attackers to modify the values of critical data and change the behavior of an application at runtime. Such modifications can be tracked using the createCheck() and createCheckTest() APIs to create a checksum of the critical data and check it periodically to ensure that the data is not modified by an attacker.
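
The track, checksum, verify and wipe pattern behind listed(), unlisted(), createCheck(), createCheckTest() and the wipe-all call is shown below in portable C. This is an added example, not the iSecureRing code: the function names, the fixed-size list and the choice of CRC-32 are assumptions made for illustration, and the sample secret is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_TRACKED 16

/* One tracked region: address, length and the CRC-32 taken at snapshot time. */
struct tracked { void *ptr; size_t len; uint32_t crc; };
static struct tracked g_list[MAX_TRACKED];
static size_t g_count;

/* Bitwise CRC-32 (IEEE 802.3, reflected polynomial 0xEDB88320). */
static uint32_t crc32_buf(const void *data, size_t len) {
    const uint8_t *p = data;
    uint32_t crc = 0xFFFFFFFFu;
    while (len--) {
        crc ^= *p++;
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Add a region to the list; returns 0 on success, -1 if full or invalid. */
int track_add(void *ptr, size_t len) {
    if (!ptr || !len || g_count == MAX_TRACKED) return -1;
    g_list[g_count++] = (struct tracked){ ptr, len, 0 };
    return 0;
}

/* Remove a region; returns 0 if it was tracked, -1 otherwise. */
int track_remove(void *ptr) {
    for (size_t i = 0; i < g_count; i++)
        if (g_list[i].ptr == ptr) { g_list[i] = g_list[--g_count]; return 0; }
    return -1;
}

/* Record the checksum of every tracked region. */
void snapshot_all(void) {
    for (size_t i = 0; i < g_count; i++)
        g_list[i].crc = crc32_buf(g_list[i].ptr, g_list[i].len);
}

/* Return the number of regions whose contents differ from the snapshot. */
int verify_all(void) {
    int bad = 0;
    for (size_t i = 0; i < g_count; i++)
        if (crc32_buf(g_list[i].ptr, g_list[i].len) != g_list[i].crc) bad++;
    return bad;
}

/* Zero every tracked region through a volatile pointer so the stores
   are not optimised away, then forget the regions. */
void wipe_all(void) {
    for (size_t i = 0; i < g_count; i++) {
        volatile uint8_t *p = g_list[i].ptr;
        for (size_t n = 0; n < g_list[i].len; n++) p[n] = 0;
    }
    g_count = 0;
}

int main(void) {
    char pin[8] = "4921";          /* constructed sample secret */
    int  is_admin = 0;             /* constructed security-relevant flag */
    track_add(pin, sizeof pin);
    track_add(&is_admin, sizeof is_admin);
    snapshot_all();
    printf("modified before tamper: %d\n", verify_all());
    is_admin = 1;                  /* simulates a runtime modification */
    printf("modified after tamper:  %d\n", verify_all());
    wipe_all();
    printf("pin wiped: %s\n", pin[0] == 0 ? "yes" : "no");
    return 0;
}
```

A legitimate update to a tracked value has to be followed by a fresh snapshot, otherwise the next verification reports it as tampering.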
4.2 Using the Dynamic Library

Whenever files are modified, accessed or created, the hijacked_open() call is invoked and the modified, accessed, created dates and timestamps (MACDTS) are captured and stored in the log file. The log file is stored outside the iPhone at a secure location such as a server or in the cloud. The information in the log file can be used in a forensic investigation of the smartphone in the event of a security incident.

Figure 2. Simulating attacks on devices. [Diagram: attacks simulated against iSecureRing: jailbreaking, encryption check, code tampering, timestamp tampering, confidential data stealing, debug mode and hooking.]
5. Experimental Results

The experiments involved the creation of two apps, one without any protection and the other protected by iSecureRing. The apps were then deployed on a jailbroken iPhone 4 (iOS 7.0.6). A series of attacks were simulated on the apps and their data to validate the proposed solution (Figure 2). At the application level, the apps were subjected to various attacks to exploit the lack of binary protection [2]. The results in Table 2 demonstrate that an app with iSecureRing running on a jailbroken iPhone (Row 3) is just as secure as a normal app running on a non-jailbroken iPhone (Row 1).

Table 2. Attacks and results.

    iPhone 4 (iOS 7.0.6)                       Jailbroken   Debug Mode   Encryption Check   Hooking   Code Tampering
    Not Jailbroken (App without protection)    Yes          No           No                 No        No
    Jailbroken (App without protection)        N/A          Yes          Yes                Yes       Yes
    Jailbroken (App with iSecureRing)          N/A          No           No                 No        No

Performance benchmarking was conducted for the three cases considered in the experiments. Figure 3 summarizes the results of the initial tests (five runs). The results show no significant differences in device performance.

Figure 3. Performance benchmark results. [Bar chart comparing "Jailbroken with iSecureRing", "Jailbroken without iSecureRing" and "Not Jailbroken" across CPU integer math, CPU floating point math, storage write, storage read, memory write, memory read, 2D complex vectors, 2D image rendering and 3D complex test.]

iSecureRing also helps detect attempts to exploit known or unknown vulnerabilities by capturing the timestamps of activities associated with a secured app. One experiment involved timestamp tampering attempts on images from Apple's Photo app. iSecureRing successfully captured all the events in the log. An analysis of the log clearly revealed the tampering attempts. Figure 4 shows the MACDTS logs for one of the images.

Figure 4. MACDTS logs for an image file.
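
An added example (not from the chapter) of how an examiner could screen an off-device MACDTS log for the timestamp tampering described above. The record layout, the function names and the two-second skew are assumptions, since the chapter does not give the log format; the sample records are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical layout of one captured log record (the page does not give
   the real format): the time the hook fired plus the file's own times. */
struct macdts_rec {
    const char *path;
    long captured_at;   /* trusted time when the hooked open() ran */
    long mtime;         /* modification time reported for the file */
    long atime;         /* access time reported for the file */
};

enum { REC_OK = 0, REC_BACKDATED = 1, REC_FUTURE = 2 };
#define CLOCK_SKEW 2    /* seconds of tolerance, an assumed value */

/* Classify record i. Ordinary writes only move mtime forward, so an mtime
   lower than in the previous record for the same path indicates backdating;
   a file time later than the moment of capture indicates future-dating. */
int classify(const struct macdts_rec *log, size_t i) {
    const struct macdts_rec *r = &log[i];
    int flags = REC_OK;
    if (r->mtime > r->captured_at + CLOCK_SKEW ||
        r->atime > r->captured_at + CLOCK_SKEW)
        flags |= REC_FUTURE;
    for (size_t j = i; j-- > 0; ) {            /* nearest earlier record */
        if (strcmp(log[j].path, r->path) == 0) {
            if (r->mtime < log[j].mtime) flags |= REC_BACKDATED;
            break;
        }
    }
    return flags;
}

/* Report every suspicious record and return how many were found. */
int scan_log(const struct macdts_rec *log, size_t n) {
    int hits = 0;
    for (size_t i = 0; i < n; i++) {
        int f = classify(log, i);
        if (f == REC_OK) continue;
        hits++;
        printf("%s @%ld:%s%s\n", log[i].path, log[i].captured_at,
               (f & REC_BACKDATED) ? " mtime moved backwards" : "",
               (f & REC_FUTURE) ? " timestamp later than capture" : "");
    }
    return hits;
}

/* Constructed sample log: IMG_0001 is backdated at its third event,
   IMG_0002 carries a modification time in the future. */
static const struct macdts_rec SAMPLE[] = {
    { "DCIM/IMG_0001.JPG", 1000, 1000, 1000 },
    { "DCIM/IMG_0001.JPG", 1300, 1290, 1300 },
    { "DCIM/IMG_0001.JPG", 1600,  400, 1600 },
    { "DCIM/IMG_0002.JPG", 1700, 9000, 1700 },
    { "DCIM/IMG_0002.JPG", 1800, 9000, 1800 },
};

int main(void) {
    size_t n = sizeof SAMPLE / sizeof SAMPLE[0];
    printf("suspicious records: %d\n", scan_log(SAMPLE, n));
    return 0;
}
```

The comparison is only meaningful because the capture time comes from the hook and the log is held off the device, out of reach of whoever altered the file times.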
Debug Mode Attack. Figure 5 shows a screenshot of an Xcode application running in the debug mode [17] while it was being protected by iSecureRing.

Figure 5. Preventing a debug mode attack.

Encryption Attack. Clutch [17] was used to simulate an encryption attack (Clutch may be downloaded from cydia.iphonecake.com). iSecureRing includes a check to determine if application encryption is intact by analyzing encryption information in the binary and also the cryptid flag value. If the application encryption is found to be broken, then the user is alerted and the application behavior can be changed at runtime.
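
An added example, not the iSecureRing code, of the cryptid check described above: it walks the load commands of a thin Mach-O image and returns the cryptid field of the encryption-info command, rejecting malformed input. The constants and field offsets follow Apple's <mach-o/loader.h>; the function names and the sample header are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Mach-O constants from <mach-o/loader.h>, restated so this builds anywhere. */
#define MH_MAGIC              0xfeedfaceu
#define MH_MAGIC_64           0xfeedfacfu
#define LC_ENCRYPTION_INFO    0x21u
#define LC_ENCRYPTION_INFO_64 0x2Cu

/* Read a 32-bit value in host byte order (thin, same-endian images only). */
static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }

/*
 * Scan the load commands of a thin Mach-O image.
 * Returns the cryptid value (1 = still encrypted, 0 = decrypted),
 * -1 if no encryption-info command is present, -2 if the image is malformed.
 */
int macho_cryptid(const uint8_t *img, size_t len) {
    if (len < 28) return -2;
    uint32_t magic = rd32(img);
    size_t off;
    if (magic == MH_MAGIC) off = 28;           /* sizeof(struct mach_header) */
    else if (magic == MH_MAGIC_64) off = 32;   /* sizeof(struct mach_header_64) */
    else return -2;
    if (len < off) return -2;

    uint32_t ncmds = rd32(img + 16);
    uint32_t sizeofcmds = rd32(img + 20);
    if (sizeofcmds > len - off) return -2;     /* commands must fit in the buffer */
    size_t end = off + sizeofcmds;

    for (uint32_t i = 0; i < ncmds; i++) {
        if (end - off < 8) return -2;          /* need cmd + cmdsize */
        uint32_t cmd = rd32(img + off);
        uint32_t cmdsize = rd32(img + off + 4);
        if (cmdsize < 8 || cmdsize > end - off) return -2;
        if (cmd == LC_ENCRYPTION_INFO || cmd == LC_ENCRYPTION_INFO_64) {
            if (cmdsize < 20) return -2;       /* cryptid sits at offset 16 */
            return (int)rd32(img + off + 16);
        }
        off += cmdsize;
    }
    return -1;
}

/* Build a constructed 32-bit header with one encryption-info command. */
size_t build_sample(uint8_t *buf, uint32_t cryptid) {
    uint32_t w[12] = {
        MH_MAGIC, 12 /* CPU_TYPE_ARM */, 9 /* armv7 */, 2 /* MH_EXECUTE */,
        1 /* ncmds */, 20 /* sizeofcmds */, 0 /* flags */,
        LC_ENCRYPTION_INFO, 20 /* cmdsize */, 0x4000 /* cryptoff */,
        0x8000 /* cryptsize */, cryptid
    };
    memcpy(buf, w, sizeof w);
    return sizeof w;
}

int main(void) {
    uint8_t buf[64];
    size_t n = build_sample(buf, 1);
    printf("intact binary:    cryptid=%d\n", macho_cryptid(buf, n));
    n = build_sample(buf, 0);
    printf("decrypted binary: cryptid=%d\n", macho_cryptid(buf, n));
    return 0;
}
```

A result of 0 or -1 for an App Store build is the condition the chapter treats as broken encryption; a universal (fat) binary would first need its per-architecture slice located.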
Hooking. A hooking attack was simulated by hooking SSL validation methods. It is possible to launch a man-in-the-middle attack on even HTTPS requests to understand, steal and modify the requested data. iSecureRing incorporates several checks to identify the hooking of critical methods such as SSL validation and authentication. Applications that use iSecureRing are protected against the attacks because the user is alerted and the app behavior can be changed.

Code Tampering. A code tampering attack was simulated using Cycript [7], a JavaScript interpreter. The tool was used to modify iOS application behavior at runtime (e.g., bypassing some authentication checks and accessing critical information from memory). An application compiled with iSecureRing provides APIs for identifying code tampering of critical instance variables and class objects using CRC checksums. Also, APIs are provided for wiping sensitive data from memory.
6. Case Study

The iSecureRing implementation was successfully used to secure an iPhone mobile app for a leading bank in India.

Problem Statement. The bank had a security incident in which the application running on a jailbroken device revealed sensitive data.

Jailbreaking Attack. The attacker had used the latest jailbreaking tool for iOS 7.1.2, Pangu [1]. The attacker also used certain tweaks to defeat jailbreak detection. Some tweaks within Cydia bypass the jailbreak detection check of an application and make the application run normally even on jailbroken devices. One such tweak is xCon [12], which hooks low-level APIs used for jailbreak detection such as file-related APIs and other system calls, thus bypassing the jailbreak detection functions used in the application. No configuration is required for xCon, a MobileSubstrate dynamic library that can be installed from Cydia.

iSecureRing Results. The bank app was secured using iSecureRing. The jailbreak detection function was robust enough to check if the device was jailbroken and if any jailbreak detection bypassing functions were present. The solution was tested with xCon 39 beta 7 on iPhone 4 devices with iOS version 7.1.2. xCon was unable to bypass the jailbreak detection techniques used by iSecureRing. The iSecureRing solution checks for the existence of file-related system function hooking, rendering xCon-like tweaks useless. The solution also mitigates the jailbreak detection bypassing mechanism provided by the xCon dynamic library.
7. Conclusions

The iSecureRing solution secures apps on jailbroken iOS devices. The static library helps detect security vulnerabilities and alerts users to take appropriate actions. The dynamic library helps detect malicious tampering of data by storing authentic copies of MACDTS values on a local server or in the cloud; this also supports offline digital forensic investigations after security incidents. Thus, iSecureRing enables existing and new apps to be secured and made forensic-ready even if the iOS device has been jailbroken. With enterprises implementing BYOD policies and jailbroken devices making their way into enterprises, the iSecureRing solution helps enterprises mitigate the security risks while enabling employees to use one device for official and personal activities.

Future research will focus on analyzing anomalous interactions with secured apps, blocking attacks and raising alerts. Efforts will also be made to create similar solutions for Android and Windows smartphones.
References

[1] J. Benjamin, How to jailbreak iOS 7.1.x with Pangu 1.1 on Windows, iDownloadBlog, June 29, 2014.
[2] C. D'Orazio, A. Ariffin and K. Choo, iOS anti-forensics: How can we securely conceal, delete and insert data? Proceedings of the Forty-Seventh Hawaii International Conference on System Sciences, pp. 4838–4847, 2014.
[3] D. Ertel, Decrypting iOS apps (www.infointox.net/p=114), 2013.
[4] S. Esser, Exploiting the iOS kernel, presented at Black Hat USA, 2011.
[5] P. Gianchandani, iOS Application Security Part 2 – Getting Class Information of iOS Apps, Infosec Institute, Elmwood Park, Illinois, 2014.
[6] GitHub, Tools for securely clearing and validating iOS application memory, San Francisco, California (github.com/project-imas/memory-security), 2014.
[7] S. Guerrero Selma, Hacking iOS on the run: Using Cycript, presented at the RSA Conference, 2014.
[8] A. Hoog and K. Strzempka, iPhone and iOS Forensics: Investigation, Analysis and Mobile Security for Apple iPhone, iPad and iOS Devices, Syngress, Waltham, Massachusetts, 2011.
[9] iPhoneDevWiki, debugserver (iphonedevwiki.net/index.php/Debugserver), 2015.
[10] iPhoneDevWiki, Theos (iphonedevwiki.net/index.php/Theos), 2015.
[11] iPhoneHacks, Jailbreaking your iPhone remains legal in US, but it is illegal to jailbreak your iPad and unlock your iPhone under DMCA, October 26, 2012.
[12] iPhoneWiki, xCon (theiphonewiki.com/wiki/XCon), 2014.
[13] C. Miller, Owning the fanboys: Hacking Mac OS X, presented at Black Hat Japan, 2008.
[14] C. Miller, Mobile attacks and defense, IEEE Security and Privacy, vol. 9(4), pp. 68–70, 2011.
[15] S. Morrissey, iOS Forensic Analysis for iPhone, iPad and iPod Touch, Apress, New York, 2010.
[16] M. Renard, Practical iOS apps hacking, Proceedings of the First International Symposium on Grey-Hat Hacking, pp. 14–26, 2012.
[17] B. Satish, Penetration Testing for iPhone Applications – Part 5, Infosec Institute, Elmwood Park, Illinois, 2013.
[18] SaurikIT, Cydia Substrate, Isla Vista, California (www.cydiasubstrate.com), 2014.
[19] A. Smith, Smartphone Ownership 2013, Pew Research Center, Washington, DC, June 5, 2013.
[20] B. Trebitowski, Beginning Jailbroken iOS Development – Building and Deployment, Pixegon, Albuquerque, New Mexico (brandontreb.com/beginning-jailbroken-ios-development-building-and-deployment), 2011.
[21] R. Verma, J. Govindaraj and G. Gupta, Preserving date and timestamps for incident handling in Android smartphones, in Advances in Digital Forensics X, G. Peterson and S. Shenoi (Eds.), Springer, Heidelberg, Germany, pp. 209–225, 2014.