Chapter14FORENSIC-READYSECUREiOSAPPSFORJAILBROKENiPHONESJayaprakashGovindaraj,RashmiMata,RobinVermaandGauravGuptaAbstractAppleiOSisoneofthemostpopularsmartphoneoperatingsystems,butitrestrictstheinstallationofappsthatarenotfromtheAppleAppStore.
Asaresult,usersoftenjailbreaktheiriPhonestodefeatthisre-striction.
JailbrokeniPhonesaremakingtheirwayintoenterprisesthathaveaBringYourOwnDevice(BYOD)policy,butthesedevicesareof-tenbarredorrestrictedbymobiledevicemanagementsoftwarebecausetheyposesecurityrisks.
ThischapterdescribestheiSecureRingsolutionthatsecuresmobileappsandpreservesthedatesandtimestampsofeve-ntsinordertosupportforensicexaminationsofjailbrokeniPhones.
AnanalysisoftheliteraturerevealsthatiSecureRingistherstforensic-readymobileappsecuritysolutionforiOSapplicationsthatexecuteinunsecuredenterpriseenvironments.
Keywords:JailbrokeniPhones,enterpriseenvironments,forensicexaminations1.
IntroductionAccordingtoa2013Pewreport[19],40.
98%ofthesmartphonesusedbyadultAmericansareAppleiPhones.
Apple'siOSoperatingsystemdoesnotallowtheinstallationofapplications,extensionsandthemesthatarenotobtainedfromtheAppleAppStore.
Asaresult,usersfrequentlyjailbreaktheirdevicestoobtainrootaccessanddefeattheinstallationrestrictions[4].
AjailbrokeniPhoneallowstheretrievalofapplicationsandtheirassociateddata,potentiallycompromisingthesecurityoftheapplicationsandthecondentialityofthedata[4,16].
Sincejailbreakingisareality[8,11],itisincreasinglyimportanttodesignmobileapplicationsthatcanrunsecurelyonjailbrokeniPhones.
Therequirementofhavinganapplicationexecutesecurelyinanunse-cureenvironmentiscriticaltoscenarioswhereaproprietaryapplica-cIFIPInternationalFederationforInformationProcessing2015G.
Peterson,S.
Shenoi(Eds.
):AdvancesinDigitalForensicsXI,IFIPAICT462,pp.
235–249,2015.
DOI:10.
1001f20;BACKGROUND-COLOR:#4ae2f7">7/91f20;BACKGROUND-COLOR:#4ae2f7">78-3-319-24123-414236ADVANCESINDIGITALFORENSICSXItionshouldworkwithoutimpactingenterprisesecurity.
Atthistime,enterprisesthathaveaBringYourOwnDevice(BYOD)policygener-allydetectandrestrictjailbrokeniPhonesusingmobiledevicemanage-mentsoftwaresuchasCitrix'sXenMobileandIBM'sEndpointManager.
Thus,employeeshavetoun-jailbreaktheiriPhonesorinstallenterpriseapplicationsonotherapproveddevices.
Thesolutionproposedinthischapterenablesenterprisestoinstalltheirapplicationssecurelyonjail-brokeniPhones.
Newappsandexistingappscanbesecuredandbemadeforensic-ready.
Theforensicreadinessoftheappsenablesenter-prisestocheckiftheappsrunsecurelyandalsoensuresthatforensicartifactsareavailableintheeventofsecurityincidents.
2.
RelatedWorkD'Orazioetal.
[2]haveproposedaconcealmenttechniquethaten-hancesthesecurityofunprotected(classD)datathatisatrestiniOSdevices,alongwithadeletiontechniquetoreinforcedatadeletioniniOSdevices.
Hackersandmalicioususersresorttotechniquessuchasjailbreaking,runninganappinthedebugmode,reverseengineering,dy-namichookingortamperinginordertoaccessorcompromisesensitivedatastoredbyiOSapps:Jailbreaking:Attackersusejailbreakingtoobtainsystem-level(root)accesstoiOSdevices,potentiallycompromisingthesecurityofapplicationsandtheirassociateddata[15].
DebuggerMode:Attackersruntargetedapplicationsinthede-bugmode,obtainmemorydumpsandoverwritethememorywithmaliciouscode[9,13].
ReverseEngineering:AppsfromtheAppleStoreareencryptedusingApple'sFairplayDRM,whichcomplicatesthetaskofreverseengineeringbinaries.
However,anattackercanoverwritetheen-cryptioninformationofanapplicationinajailbrokendevicetoob-tainthememorydumpandanalyzeittocreatenewattacks[3,16].
DynamicCodeHooking:Afteradeviceisjailbroken,anat-tackercanhookmaliciouscodetoanappatruntimeinordertobypasssecuritychecks,potentiallycompromisingthesecurityoftheapplicationanditsdata[20].
Tampering:Attackerscanmodifythedatesandtimestampsofartifactsinordertocovertheirtracks.
Vermaetal.
[21]havere-centlyproposedamechanismforpreservingdatesandtimestampsinsupportofforensicexaminationsofAndroidsmartphones.
Govindaraj,Mata,Verma&Gupta231f20;BACKGROUND-COLOR:#4ae2f7">7ThischapterpresentsatechniqueforprotectingapplicationsanddatainjailbrokeniOSdevices.
Intheeventofasecurityincident,thetech-niquecanbeusedtosupportaforensicexaminationofajailbrokendevice.
3.
ImplementationMethodologyThesolutionhastwomodules:(i)astaticlibrarythatwrapsappsrunningonjailbrokendeviceswithanextralayerofprotection,makingthemdiculttocrackandpreventingaccesstotheirdata;and(ii)amodulethatpreservesauthenticdatesandtimestampsofeventsrelatedtothesecuredappstosupportforensicexaminations.
Thecaptureddatesandtimestampsarestoredoutsidethedeviceonasecureserverorinthecloud.
Themodulesarediscussedinfollowingsubsections.
3.
1SecuringAppsThestaticlibrary,whichisdesignedtosecureapps,incorporatesAPIsthatmaybeusedtoidentifyandmitigatesecurityvulnerabilitiesinjailbrokeniPhones[6].
Functionsinthelibraryinclude:isCheck1(),whichchecksifaniPhoneisjailbroken;isCheck2(),whichchecksifanapplicationisrunninginthedebugmode;enableDB(),whichdisablesthegdb(debugger)foraparticularapplication(process);isAppC(),whichchecksifanapplicationbinaryisencryptedandalsocheckstheintegrityofapplicationbundleles(Info.
Plist);initialize(),whichchecksifstaticlibraryfunctionsarehooked;CheckA(),whichchecksifcriticalmethods(functions)passedasargumentsarehooked;CheckS(),whichchecksifmethods(functions)relatedtoSSLcerticatevalidationarehooked;createCheck()andcreateCheckTest(),whichcheckifanapplicationhasbeentamperedwith;andresetZeroAll(),whichwipessensitivedatafrommemory.
3.
2PreservingDatesandTimestampsThedynamiclibraryhasbeencreatedusingtheMobileSubstrateframework.
ThisframeworkprovidesAPIsforaddingruntimepatchesorhookstosystemfunctionsinjailbrokeniOSdevices[18].
ThesolutionarchitectureshowninFigure1incorporatesthreecomponents:DynamicLibrary(dylib):Thiscomponenthookssystemopencallsandcaptureskernel-leveldatesandtimestampsofselectedlesandwritesthemtothelogle.
Itisloadedintorunningapplications.
Filtersareappliedsothatitisonlyloadedintospeciedapplications.
238ADVANCESINDIGITALFORENSICSXIFileModification/CreationProcessStartedDynamicLibraryHookedOpen()AppDBUpdateTimestampLogFileUploadLogFiletoSecureLocationOriginalOpen()FileAttributesGeneratedUserSpaceKernelSpaceiOSDeviceSecuredApp(UsingStaticLibrary)CydiaSubstrateDynamicLibraryLoadedFigure1.
Solutionarchitectureforpreservingdateandtimestamps.
TimestampLogFile:ThiscomponentisstoredintheinternalmemoryofaniPhone.
Itisnotdirectlyaccessibletoapplications,whichsecuresitfromunauthorizeddeletion.
LogFile:ThiscomponentisgeneratedbytheDLL.
Itisup-loadedatregularuser-denedintervalstoanexternalserverorcloudstoragebasedonnetworkconnectivity.
3.
3StaticLibraryThestaticlibraryisdesignedtosecureapplicationsandtheirassoci-ateddata.
Thelibrarywrapsappsinanadditionallayerofprotection,whichmakesthemmorediculttocrackinajailbrokeniOSdevice.
ThestaticlibrarycontainsseveralAPIs(Table1)thatcanbeusedtoidentifysecurityvulnerabilitiesinjailbrokendevices.
Thelibraryimplementsthedetectionofjailbrokendevices,thedisablingofapplicationdebuggers,thecheckingofapplicationencryption(forAppStorebinaries)andthedetectionofdynamiccodehooking.
Notethatthefunctionnamesareintentionallynotverydescriptiveinordertoenhancecodeobfuscationandhindermaliciousreverseengineeringeorts.
Govindaraj,Mata,Verma&Gupta239Table1.
StaticlibraryAPIs.
APIDescriptionisCheck1()ChecksifadevicehasbeenjailbrokenisAppC()ChecksiftheapplicationencryptionprovidedbytheAppStoreisintactenableDB()DisablestheapplicationdebuggerisCheck2()ChecksifanappisrunninginthedebugmodeInitialize()ChecksiflibraryAPIsarehookedbymethodswizzlingtech-niquescheckA()Checksifafunctionishookedbyamethodswizzlingtech-niquecheckS()ChecksiftheSSLvalidationmethodsprovidedbytheiOSSDKarehookedmakeZero()FindsthedataportionofobjectmemoryandzeroesitoutencPwd()EncryptsobjectdatainmemoryusingasecretdecPwd()Decryptsobjectdatainmemoryusingasecretlisted()AddsanobjecttothepointerlistusedbytheAPIsunlisted()RemovesanobjectfromthepointerlistresetAllZero()WipesalltrackedobjectscreateCheck()Providesandstaticallystoresastringofallthetrackedmem-oryaddressesandobjectchecksumscreateCheckTest()ChecksifthecurrentmemorystatesofallthetrackedobjectsmatchtheirstateswhenchecksumMem()wascalled3.
4DynamicLibraryThedynamiclibrarywascreatedusingtheMobileSubstrateframe-work,nowknownastheCydiaSubstrate[18].
TheframeworkprovidesaplatformandAPIsforaddingruntimepatchesorhookstosystemfunctionsaswellasotherapplicationsonjailbrokeniOSandrootedAndroiddevices.
TheMobileSubstrateframeworkincorporatesthreecomponents:(i)Mobilehooker;(ii)Mobileloader;and(iii)Safemode.
Mobilehooker:Thiscomponentreplacestheoriginalfunctionwiththehookedfunction.
TwoAPIsmaybeusedforiOSdevices:(i)MSHookMessage(),whichismainlyusedtoreplaceObjective-Cmethodsatruntime;and(ii)MSHookFunction(),whichisusedtoreplacesystemfunctions,mainlynativecodewritteninC,C++orassembly.
Mobileloader:CydiaSubstratecodeiscompiledtocreatethedynamiclibrary,whichisplacedinthedirectory/Library/MobileSubstrate/DynamicLibraries/injailbrokeniOSdevices.
ThemaintaskofMobileloaderistoloadthedynamiclibraryintorunning240ADVANCESINDIGITALFORENSICSXIapplications.
TheMobileloaderinitiallyloadsitselfandthenin-vokesdlopenonallthedynamiclibrariesinthedirectoryandloadsthematruntime.
ThedynamiclibrariesareconguredusingPropertyList(PList)les,whichactaslters,controllingifalibraryshouldbeloadedornot.
ThePListleshouldhavethesamenameasthatofdylibandshouldbestoredinthesamedirectoryasdylib.
ThePListshouldcontainasetofarraysinadictionarywiththekeyFilter.
Theotherkeysusedare:(i)Bundles(array)–theBundleIDofarunningapplicationismatchedagainstthelist,ifamatchoccurs,thendylibisloaded;(ii)Classes(array)–thedylibisloadedifoneofthespeciedObjective-Cclassesinthelistisimplementedintherunningapplication;and(iii)Executables(array)–dylibisloadedifanexecutablenameinthelistmatchestheexecutablenameoftherunningapplication.
Anexampleis:Filter=Executables=("mediaserverd");Bundles=("com.
apple.
MobileSlideShow");Mode="Any";;Intheexample,thelterensuresthatdylibisloadedonlyfortheiOSbuilt-inapplicationPhotos,whoseexecutablenamematchesmediaserverdorBundleIDiscom.
apple.
MobileSlideShow.
TheModekeyisusedwhentherearemorethanonelters.
Byspecify-ingMode=Any,dylibisloadedifoneoftheltershasamatch.
Safemode:Inthismode,allthird-partytweaksandextensionsaredisabled,preventingtheiOSdevicefromenteringthecrashmode.
Followingthis,thebrokendylibcanbeuninstalledfromthedevice.
CompilationProcedure.
TheTheos[10]developmentsuitewasusedtoedit,compileandinstallthedynamiclibraryonadevice.
ItprovidesacomponentnamedLogos,whichisabuilt-inpre-processor-basedlibrarydesignedtosimplifythedevelopmentofMobileSubstrateextensions.
Inordertocompilethedynamiclibrary,TheosmustbeinstalledonaMacmachine.
AMacOSXhasmostofthetoolsrequiredbyTheos;however,Xcodecommandlinetoolsmustbeinstallediftheyarenotpresent.
Ad-ditionally,itisnecessarytoinstalltheldidtool,whichisusedtosignappsortweakssothattheycanbeinstalledonjailbrokeniOSdevices.
Tostarttheproject,itisnecessarytoobtainalltheiOSprivatehead-ersofthefunctionsintendedtobehooked.
TheheaderscanbedumpedGovindaraj,Mata,Verma&Gupta241usingtheClass-Dump-Zcommandlinetool[5].
Thisreverseengineer-ingtoolprovidescompleteheaderinformationoftheObjective-CcodeofaniOSapplication.
Dumpingtheheaderscantakesometimebecauseheadersfromalltheframeworks,includingprivateframeworks,arealsocollected.
Thedumpedheadersaresavedinafolderwiththecorre-spondingframeworkname.
Insteadofdumpingtheheaders,headerscollectedbyotherresearcherscanbeused(e.
g.
,headersfromGitHub).
Alltheheadersaresavedat/opt/theos/include.
ThenextstepistocreatetheTheosproject.
Thisinvolvesexecutingthele/opt/theos/bin/nic.
plfromthecommandlineandchoosingtheprojecttemplate,name,etc.
Theprojecttypeshouldbelibrarybecausethegoalistohookasystemfunction.
Aftertheprojecthasbeencreated,anewlenamedtweak.
xmisfoundintheprojectdirectory;thisleisusedtostorethehookingcode.
Thefollowingpseudocodeforhookinganopen()systemcallisaddedinthetweak.
xmle:extern"C"{intorig\_open(constchar*path,intoflags);}inthijacked\_open(constchar*path,intoflags){//dosomething,thenreturnorig\_open(path,oflags);}\%ctor{NSAutoreleasePool*pool=[[NSAutoreleasePoolalloc]init];MSHookFunction(open(),\&hijacked\_open,\&orig\_open);[pooldrain];}TheMSHookFunction()APIisusedtohooktheopen()systemcall.
Thereplacementfunctionishijackedopen().
Themakefileisthenmodiedtoaddtherequiredframeworks.
NotethattheFoundationframeworkisusedtocreatethehookingcode.
ThetargetSDKversionandthearchitectureneededtosupportitarealsoadded:TARGET:=iPhone:1f20;BACKGROUND-COLOR:#4ae2f7">7.
0ARCHS:=armv1f20;BACKGROUND-COLOR:#4ae2f7">7arm64ProjectName\_FRAMEWORKS=FoundationOncedone,callmakefromcommandlineasbelow.
xyz:testxyzmakeMakingallforapplicationtest.
.
.
Copyingresourcedirectoriesintotheapplicationwrapper.
.
.
Signingtest.
.
.
TheprojectisthencompiledandaDLLiscreatedintheobjfolder.
242ADVANCESINDIGITALFORENSICSXIDLLLoading.
AftertheDLLiscreated,itcanbeinstalledonadevicebytheTheossuiteusingthecommandmakepackageinstall.
ThiscommandcreatesaDebianpackageoftheDLLandinstallsitintheproperlocationonthedevice.
Beforethisisdone,theenvironmentvariablemustbesettoexportTHEOSDEVICEIP=iPhoneDeviceIP.
Next,thepackageistransferredtothedeviceforinstallationviaSFTP.
TheiOSdeviceshouldbeonthesamenetworkasthecomputerusedfordevelopment[20].
4.
PreventingAttacksandAnti-ForensicsThesectiondiscusseshowattacksandanti-forensicapproachescanbemitigatedusingthestaticanddynamiclibraries.
4.
1UsingtheStaticLibraryBOOLisCheck1():ThisfunctionisusedtocheckifaniOSdeviceisjailbroken.
ItreturnsyesiftheiOSdeviceisjailbro-ken;otherwiseno.
Thisfunctioncanbecalledbeforeapplicationlaunch.
APIforCheckingDebugMode:TheapplicationexitswhenlaunchedinthedebugmodeusingtheenableDB()function.
Thisfunctioncanbecalledfrommain()andfromelsewhereintheprojecttodisabledebuggingatanystage.
BycallingenabledDB()inmain()orbeforeapplaunch,theapplicationcanbepreventedfromrunninginthedebugmode.
Therefore,thefunctionshouldbecalledinthereleasemode.
isCheck2():Thisfunctiongivesinformationabouthowtheap-plicationisrunning.
Iftheapplicationwasstartedinthedebugmode,thenavalueofoneisreturned;otherwisezeroisreturned.
BOOLisAppC(char*inBundlePath):Thisfunctionchecksiftheapplicationhasbeenhacked.
TheparameterinBundlePathcanbeanycharacterpointer;itisonlyaddedforobfuscationandisnotusedinsidethefunction.
Itincludesanappencryptioncheck(iftheAppStoreencryptionisbroken),signeridentitychecks,etc.
Iftheappiscracked,thefunctionreturnsyes;otherwiseno.
ThefunctionisprimarilyusedtocheckifAppStorebinariesarecracked.
intInitialize():ThisfunctionchecksiftheAPIsinthestaticlibraryarethemselveshooked.
Thefunctionhastobecalledini-tially,preferablyduringapplaunch,tocheckifthelibraryAPIsGovindaraj,Mata,Verma&Gupta243arehookedbymethodswizzling,afterwhichtheappropriateac-tionsmustbetaken.
Ifthefunctionsarehooked,thenitmakesnosensetousetheAPIstoprotectapplications.
intcheckA(constchar*MCl,constchar*MFr,constchar*MFn,void*funcPTR):Thisfunctionchecksifanyhookingisdoneforacriticalmethodwithinanapplicationpassedasanar-gumenttothefunction.
Thefunctionreturnsoneifnohookingisdiscoveredandzeroifafunctionishooked.
Itrequiresthemethodname,methodclassandthepathoftheframework(foraframe-workmethod)orappbundlepath(foranapplicationmethod).
intcheckS():ThisfunctionchecksifSSLcerticatevalidationmethodsprovidedbytheiOSSDKarehooked.
ThisfunctionisinvokedwithinanapplicationbeforecallingSSLvalidationmeth-odssothattheproperactionscanbetaken.
Thefunctionreturnsoneifthereisnohookingandzeroifafunctionishooked.
makeZero(obj):Thisfunctionisusedtozerothevalueofasensitivevariableafteritsuse.
encPwd()anddecPwd():TheseAPIsareusedforencryptingsensitivedataimmediatelyafterthedataiscreatedanddecryptingthedataonlyduringitsuse.
Afterthesensitivedatahasbeenused,itshouldbeclearedfrommemorypermanently.
listed()andunlisted():Thesefunctionstrackseveralobjectsinordertoclearthemfrommemorysimultaneously.
Sensitiveobjectsareaddedtothelisttokeeptrackofthem;theyareallclearedatonetimeusinganAPI.
Forexample,whenadeviceislockedand/oranappisclosed(hiddenorterminated),itmaybenec-essarytowipeallthesensitivedata.
Inthiscase,itisnecessarytoaddresetZeroAll()tothestate-changenotifyfunctionsinAppDelegate.
Severaltoolsareavailableforattackerstomodifythevaluesofcriticaldataandchangethebehaviorofanappli-cationatruntime.
SuchmodicationscanbetrackedusingthecreateCheck()andcreateCheckTest()APIstocreateacheck-sumofthecriticaldataandcheckitperiodicallytoensurethatthedataisnotmodiedbyanattacker.
4.
2UsingtheDynamicLibraryWheneverlesaremodied,accessedorcreated,thehijackedopen()callisinvokedandthemodied,accessed,createddatesandtimestamps(MACDTS)arecapturedandstoredinthelogle.
Thelogleisstored244ADVANCESINDIGITALFORENSICSXIiSecureRing.
.
.
JailbreakingEncryptionCheckCodeTamperingSimulatingAttacksTimestampTamperingConfidentialDataStealingDebugModeHookingFigure2.
Simulatingattacksondevices.
outsidetheiPhoneatasecurelocationsuchasaserverorinthecloud.
Theinformationintheloglecanbeusedinaforensicinvestigationofthesmartphoneintheeventofasecurityincident.
5.
ExperimentalResultsTheexperimentsinvolvedthecreationoftwoapps,onewithoutanyprotectionandtheotherprotectedbyiSecureRing.
TheappswerethendeployedonajailbrokeniPhone4(iOS1f20;BACKGROUND-COLOR:#4ae2f7">7.
0.
6).
Aseriesofattacksweresimulatedontheappsandtheirdatatovalidatetheproposedsolution(Figure2).
Attheapplicationlevel,theappsweresubjectedtovariousattackstoexploitthelackofbinaryprotection[2].
TheresultsinTable2demonstratethatanappwithiSecureRingrunningonajailbrokeniPhone(Row3)isjustassecureasanormalapprunningonanon-jailbrokeniPhone(Row1).
Performancebenchmarkingwasconductedforthethreecasesconsid-eredintheexperiments.
Figure3summarizestheresultsoftheinitialtests(veruns).
Theresultsshownosignicantdierencesindeviceperformance.
Govindaraj,Mata,Verma&Gupta245Table2.
Attacksandresults.
iPhone4Jail-DebugEncryptionHookingCode(iOS1f20;BACKGROUND-COLOR:#4ae2f7">7.
0.
6)brokenModeCheckTamperingNotJailbrokenYesNoNoNoNo(Appwithoutprotection)JailbrokenN/AYesYesYesYes(Appwithoutprotection)JailbrokenN/ANoNoNoNo(AppwithiSecureRing)02004006008001,0001,2001,4001,6001,800CPUIntegermathCPUFloatingpointmathStoragewriteStoragereadMemorywriteMemoryread2D-Complexvectors2D-Imagerendering3D-ComplextestJailbrokenwithiSecureRingJailbrokenwithoutiSecureRingNotJailbrokenFigure3.
Performancebenchmarkresults.
Figure4.
MACDTSlogsforanimagele.
iSecureRingalsohelpsdetectattemptstoexploitknownorunknownvulnerabilitiesbycapturingthetimestampsofactivitiesassociatedwithasecuredapp.
OneexperimentinvolvedtimestamptamperingattemptsonimagesfromApple'sPhotoapp.
iSecureRingsuccessfullycapturedalltheeventsinthelog.
Ananalysisofthelogclearlyrevealedthetamperingattempts.
Figure4showstheMACDTSlogsforoneoftheimages.
246ADVANCESINDIGITALFORENSICSXIFigure5.
Preventingadebugmodeattack.
DebugModeAttack.
Figure5showsascreenshotofanXcodeap-plicationrunninginthedebugmode[11f20;BACKGROUND-COLOR:#4ae2f7">7]whileitwasbeingprotectedbyiSecureRing.
EncryptionAttack.
Clutch[11f20;BACKGROUND-COLOR:#4ae2f7">7]wasusedtosimulateanencryptionattack(Clutchmaybedownloadedfromcydia.
iphonecake.
com).
iSe-cureRingincludesachecktodetermineifapplicationencryptionisintactbyanalyzingencryptioninformationinthebinaryandalsothecryptidagvalue.
Iftheapplicationencryptionisfoundtobebroken,thentheuserisalertedandtheapplicationbehaviorcanbechangedatruntime.
Hooking.
AhookingattackwassimulatedbyhookingSSLvalidationmethods.
Itispossibletolaunchaman-in-the-middleattackonevenHTTPSrequeststounderstand,stealandmodifytherequesteddata.
iSecureRingincorporatesseveralcheckstoidentifythehookingofcriticalmethodssuchasSSLvalidationandauthentication.
ApplicationsthatuseiSecureRingareprotectedagainsttheattacksbecausetheuserisalertedandtheappbehaviorcanbechanged.
CodeTampering.
AcodetamperingattackwassimulatedusingCy-cript[1f20;BACKGROUND-COLOR:#4ae2f7">7],aJavaScriptinterpreter.
ThetoolwasusedtomodifyiOSapplicationbehavioratruntime(e.
g.
,bypassingsomeauthenticationchecksandaccessingcriticalinformationfrommemory).
AnapplicationcompiledwithiSecureRingprovidesAPIsforidentifyingcodetamper-ingofcriticalinstancevariablesandclassobjectsusingCRCchecksums.
Also,APIsareprovidedforwipingsensitivedatafrommemory.
6.
CaseStudyTheiSecureRingimplementationwassuccessfullyusedtosecureaniPhonemobileappforaleadingbankinIndia.
ProblemStatement.
Thebankhadasecurityincidentinwhichtheapplicationrunningonajailbrokendevicerevealedsensitivedata.
JailbreakingAttack.
TheattackerhadusedthelatestjailbreakingtoolforiOS1f20;BACKGROUND-COLOR:#4ae2f7">7.
1.
2Pangu[1].
Theattackeralsousedcertaintweakstode-Govindaraj,Mata,Verma&Gupta241f20;BACKGROUND-COLOR:#4ae2f7">7featjailbreakdetection.
SometweakswithinCydiabypassthejailbreakdetectioncheckofanapplicationandmaketheapplicationrunnormallyevenonjailbrokendevices.
OnesuchtweakisxCon[12],whichhookslow-levelAPIsusedforjailbreakdetectionsuchasle-relatedAPIsandothersystemcalls,thusbypassingthejailbreakdetectionfunctionsusedintheapplication.
NocongurationisrequiredforxCon,aMobileSub-stratedynamiclibrarythatcanbeinstalledfromCydia.
iSecureRingResults.
ThebankappwassecuredusingiSecureRing.
Thejailbreakdetectionfunctionwasrobustenoughtocheckifthede-vicewasjailbrokenandifanyjailbreakdetectionbypassingfunctionswerepresent.
ThesolutionwastestedwithxCon39beta1f20;BACKGROUND-COLOR:#4ae2f7">7oniPhone4deviceswithiOSversion1f20;BACKGROUND-COLOR:#4ae2f7">7.
1.
2.
xConwasunabletobypassthejailbreakdetectiontechniquesusedbyiSecureRing.
TheiSecureRingsolutionchecksfortheexistenceofle-relatedsystemfunctionhooking,render-ingxCon-liketweaksuseless.
ThesolutionalsomitigatesthejailbreakdetectionbypassingmechanismprovidedbythexCondynamiclibrary.
1f20;BACKGROUND-COLOR:#4ae2f7">7.
ConclusionsTheiSecureRingsolutionsecuresappsonjailbrokeniOSdevices.
Thestaticlibraryhelpsdetectsecurityvulnerabilitiesandalertsuserstotakeappropriateactions.
Thedynamiclibraryhelpsdetectmalicioustam-peringofdatabystoringauthenticcopiesofMACDTSvaluesonalocalserverorinthecloud;thisalsosupportsoinedigitalforensicinvestigationsaftersecurityincidents.
Thus,iSecureRingenablesexist-ingandnewappstobesecuredandmadeforensic-readyeveniftheiOSdevicehasbeenjailbroken.
WithenterprisesimplementingBYODpoliciesandjailbrokendevicesmakingtheirwayintoenterprises,theiSecureRingsolutionhelpsenterprisesmitigatethesecurityriskswhileenablingemployeestouseonedeviceforocialandpersonalactivities.
Futureresearchwillfocusonanalyzinganomalousinteractionswithsecuredapps,blockingattacksandraisingalerts.
EortswillalsobemadetocreatesimilarsolutionsforAndroidandWindowssmartphones.
References[1]J.
Benjamin,HowtojailbreakiOS1f20;BACKGROUND-COLOR:#4ae2f7">7.
1.
xwithPangu1.
1onWin-dows,iDownloadBlog,June29,2014.
[2]C.
D'Orazio,A.
ArinandK.
Choo,iOSanti-forensics:Howcanwesecurelyconceal,deleteandinsertdataProceedingsoftheForty-SeventhHawaiiInternationalConferenceonSystemSciences,pp.
4838–4841f20;BACKGROUND-COLOR:#4ae2f7">7,2014.
248ADVANCESINDIGITALFORENSICSXI[3]D.
Ertel,DecryptingiOSapps(www.
infointox.
net/p=114),2013.
[4]S.
Esser,ExploitingtheiOSkernel,presentedatBlackHatUSA,2011.
[5]P.
Gianchandani,iOSApplicationSecurityPart2–GettingClassInformationofiOSApps,InfosecInstitute,ElmwoodPark,Illinois,2014.
[6]GitHub,ToolsforsecurelyclearingandvalidatingiOSapplicationmemory,SanFrancisco,California(github.
com/project-imas/memory-security),2014.
[1f20;BACKGROUND-COLOR:#4ae2f7">7]S.
GuerreroSelma,HackingiOSontherun:UsingCycript,pre-sentedattheRSAConference,2014.
[8]A.
HoogandK.
Strzempka,iPhoneandiOSForensics:Investiga-tion,AnalysisandMobileSecurityforAppleiPhone,iPadandiOSDevices,Syngress,Waltham,Massachusetts,2011.
[9]iPhoneDevWiki,debugserver(iphonedevwiki.
net/index.
php/Debugserver),2015.
[10]iPhoneDevWiki,Theos(iphonedevwiki.
net/index.
php/Theos),2015.
[11]iPhoneHacks,JailbreakingyouriPhoneremainslegalinUS,butitisillegaltojailbreakyouriPadandunlockyouriPhoneunderDMCA,October26,2012.
[12]iPhoneWiki,xCon(theiphonewiki.
com/wiki/XCon),2014.
[13]C.
Miller,Owningthefanboys:HackingMacOSX,presentedatBlackHatJapan,2008.
[14]C.
Miller,Mobileattacksanddefense,IEEESecurityandPrivacy,vol.
9(4),pp.
68–1f20;BACKGROUND-COLOR:#4ae2f7">70,2011.
[15]S.
Morrissey,iOSForensicAnalysisforiPhone,iPadandiPodTouch,Apress,NewYork,2010.
[16]M.
Renard,PracticaliOSappshacking,ProceedingsoftheFirstInternationalSymposiumonGrey-HatHacking,pp.
14–26,2012.
[11f20;BACKGROUND-COLOR:#4ae2f7">7]B.
Satish,PenetrationTestingforiPhoneApplications–Part5,InfosecInstitute,ElmwoodPark,Illinois,2013.
[18]SaurikIT,CydiaSubstrate,IslaVista,California(www.
cydiasubstrate.
com),2014.
[19]A.
Smith,SmartphoneOwnership2013,PewResearchCenter,Washington,DC,June5,2013.
Govindaraj,Mata,Verma&Gupta249[20]B.
Trebitowski,BeginningJailbrokeniOSDevelopment–BuildingandDeployment,Pixegon,Albuquerque,NewMexico(brandontreb.
com/beginning-jailbroken-ios-development-building-and-deployment),2011.
[21]R.
Verma,J.
GovindarajandG.
Gupta,Preservingdateandtime-stampsforincidenthandlinginAndroidsmartphones,inAdvancesinDigitalForensicsX,G.
PetersonandS.
Shenoi(Eds.
),Springer,Heidelberg,Germany,pp.
209–225,2014.
妮妮云的来历妮妮云是 789 陈总 张总 三方共同投资建立的网站 本着“良心 便宜 稳定”的初衷 为小白用户避免被坑妮妮云的市场定位妮妮云主要代理市场稳定速度的云服务器产品,避免新手购买云服务器的时候众多商家不知道如何选择,妮妮云就帮你选择好了产品,无需承担购买风险,不用担心出现被跑路 被诈骗的情况。妮妮云的售后保证妮妮云退款 通过于合作商的友好协商,云服务器提供2天内全额退款,超过2天不退款 物...
10gbiz怎么样?10gbiz在本站也多次分享过,是一家成立于2020的国人主机商家,主要销售VPS和独立服务器,机房目前有中国香港和美国洛杉矶、硅谷等地,线路都非常不错,香港为三网直连,电信走CN2,洛杉矶线路为三网回程CN2 GIA,10gbiz商家七月连续推出各种优惠活动,除了延续之前的VPS产品4折优惠,目前增加了美国硅谷独立服务器首月半价的活动,有需要的朋友可以看看。10gbiz优惠码...
cyun怎么样?cyun蓝米数据是一家(香港)藍米數據有限公司旗下品牌,蓝米云、蓝米主机等同属于该公司品牌。CYUN全系列云产品采用KVM架构,SSD磁盘阵列,优化线路,低延迟,高稳定。目前,cyun推出的香港云服务器性价比超高,香港cn2 gia云服务器,1核1G1M/系统盘+20G数据盘,低至29元/月起;香港多ip站群云服务器,16个ip/4核4G仅220元/月起,希望买香港站群服务器的站长...
netbios端口为你推荐
phpechophp echo函数 是什么意思联通版iphone4s怎么知道到苹果4s是联通版,还是移动版icloudiphone没开启icloud的iphone怎么用find my iphone找回firefoxflash插件火狐浏览器adobe flash player装了不能用win7还原系统win7如何一键还原电脑系统怎么操作android5.1安卓系统5.1好吗ios5.1.1固件下载关于iphone4s 现在的系统是ios5.1.1,可以直接升级到系统ios6.1?搜狗浏览器2.2搜狗浏览器打开跳出两个上网导航怎么办搜狗浏览器2.2在搜狗浏览器快速通道里设置的网址为什么打不开?安卓4.4.4微信旧版本安卓4.4.4可用
注册cn域名 hostmaster a2hosting 建站代码 浙江独立 卡巴斯基永久免费版 php空间申请 什么是刀片服务器 七夕促销 东莞数据中心 稳定免费空间 中国电信宽带测速网 美国独立日 空间登录首页 smtp虚拟服务器 www789 美国盐湖城 湖南idc cdn网站加速 学生机 更多