Chapter14FORENSIC-READYSECUREiOSAPPSFORJAILBROKENiPHONESJayaprakashGovindaraj,RashmiMata,RobinVermaandGauravGuptaAbstractAppleiOSisoneofthemostpopularsmartphoneoperatingsystems,butitrestrictstheinstallationofappsthatarenotfromtheAppleAppStore.
Asaresult,usersoftenjailbreaktheiriPhonestodefeatthisre-striction.
JailbrokeniPhonesaremakingtheirwayintoenterprisesthathaveaBringYourOwnDevice(BYOD)policy,butthesedevicesareof-tenbarredorrestrictedbymobiledevicemanagementsoftwarebecausetheyposesecurityrisks.
ThischapterdescribestheiSecureRingsolutionthatsecuresmobileappsandpreservesthedatesandtimestampsofeve-ntsinordertosupportforensicexaminationsofjailbrokeniPhones.
AnanalysisoftheliteraturerevealsthatiSecureRingistherstforensic-readymobileappsecuritysolutionforiOSapplicationsthatexecuteinunsecuredenterpriseenvironments.
Keywords:JailbrokeniPhones,enterpriseenvironments,forensicexaminations1.
IntroductionAccordingtoa2013Pewreport[19],40.
98%ofthesmartphonesusedbyadultAmericansareAppleiPhones.
Apple'siOSoperatingsystemdoesnotallowtheinstallationofapplications,extensionsandthemesthatarenotobtainedfromtheAppleAppStore.
Asaresult,usersfrequentlyjailbreaktheirdevicestoobtainrootaccessanddefeattheinstallationrestrictions[4].
AjailbrokeniPhoneallowstheretrievalofapplicationsandtheirassociateddata,potentiallycompromisingthesecurityoftheapplicationsandthecondentialityofthedata[4,16].
Sincejailbreakingisareality[8,11],itisincreasinglyimportanttodesignmobileapplicationsthatcanrunsecurelyonjailbrokeniPhones.
Therequirementofhavinganapplicationexecutesecurelyinanunse-cureenvironmentiscriticaltoscenarioswhereaproprietaryapplica-cIFIPInternationalFederationforInformationProcessing2015G.
Peterson,S.
Shenoi(Eds.
):AdvancesinDigitalForensicsXI,IFIPAICT462,pp.
235–249,2015.
DOI:10.
1001f20;BACKGROUND-COLOR:#4ae2f7">7/91f20;BACKGROUND-COLOR:#4ae2f7">78-3-319-24123-414236ADVANCESINDIGITALFORENSICSXItionshouldworkwithoutimpactingenterprisesecurity.
Atthistime,enterprisesthathaveaBringYourOwnDevice(BYOD)policygener-allydetectandrestrictjailbrokeniPhonesusingmobiledevicemanage-mentsoftwaresuchasCitrix'sXenMobileandIBM'sEndpointManager.
Thus,employeeshavetoun-jailbreaktheiriPhonesorinstallenterpriseapplicationsonotherapproveddevices.
Thesolutionproposedinthischapterenablesenterprisestoinstalltheirapplicationssecurelyonjail-brokeniPhones.
Newappsandexistingappscanbesecuredandbemadeforensic-ready.
Theforensicreadinessoftheappsenablesenter-prisestocheckiftheappsrunsecurelyandalsoensuresthatforensicartifactsareavailableintheeventofsecurityincidents.
2.
RelatedWorkD'Orazioetal.
[2]haveproposedaconcealmenttechniquethaten-hancesthesecurityofunprotected(classD)datathatisatrestiniOSdevices,alongwithadeletiontechniquetoreinforcedatadeletioniniOSdevices.
Hackersandmalicioususersresorttotechniquessuchasjailbreaking,runninganappinthedebugmode,reverseengineering,dy-namichookingortamperinginordertoaccessorcompromisesensitivedatastoredbyiOSapps:Jailbreaking:Attackersusejailbreakingtoobtainsystem-level(root)accesstoiOSdevices,potentiallycompromisingthesecurityofapplicationsandtheirassociateddata[15].
DebuggerMode:Attackersruntargetedapplicationsinthede-bugmode,obtainmemorydumpsandoverwritethememorywithmaliciouscode[9,13].
ReverseEngineering:AppsfromtheAppleStoreareencryptedusingApple'sFairplayDRM,whichcomplicatesthetaskofreverseengineeringbinaries.
However,anattackercanoverwritetheen-cryptioninformationofanapplicationinajailbrokendevicetoob-tainthememorydumpandanalyzeittocreatenewattacks[3,16].
DynamicCodeHooking:Afteradeviceisjailbroken,anat-tackercanhookmaliciouscodetoanappatruntimeinordertobypasssecuritychecks,potentiallycompromisingthesecurityoftheapplicationanditsdata[20].
Tampering:Attackerscanmodifythedatesandtimestampsofartifactsinordertocovertheirtracks.
Vermaetal.
[21]havere-centlyproposedamechanismforpreservingdatesandtimestampsinsupportofforensicexaminationsofAndroidsmartphones.
Govindaraj,Mata,Verma&Gupta231f20;BACKGROUND-COLOR:#4ae2f7">7ThischapterpresentsatechniqueforprotectingapplicationsanddatainjailbrokeniOSdevices.
Intheeventofasecurityincident,thetech-niquecanbeusedtosupportaforensicexaminationofajailbrokendevice.
3.
ImplementationMethodologyThesolutionhastwomodules:(i)astaticlibrarythatwrapsappsrunningonjailbrokendeviceswithanextralayerofprotection,makingthemdiculttocrackandpreventingaccesstotheirdata;and(ii)amodulethatpreservesauthenticdatesandtimestampsofeventsrelatedtothesecuredappstosupportforensicexaminations.
Thecaptureddatesandtimestampsarestoredoutsidethedeviceonasecureserverorinthecloud.
Themodulesarediscussedinfollowingsubsections.
3.
1SecuringAppsThestaticlibrary,whichisdesignedtosecureapps,incorporatesAPIsthatmaybeusedtoidentifyandmitigatesecurityvulnerabilitiesinjailbrokeniPhones[6].
Functionsinthelibraryinclude:isCheck1(),whichchecksifaniPhoneisjailbroken;isCheck2(),whichchecksifanapplicationisrunninginthedebugmode;enableDB(),whichdisablesthegdb(debugger)foraparticularapplication(process);isAppC(),whichchecksifanapplicationbinaryisencryptedandalsocheckstheintegrityofapplicationbundleles(Info.
Plist);initialize(),whichchecksifstaticlibraryfunctionsarehooked;CheckA(),whichchecksifcriticalmethods(functions)passedasargumentsarehooked;CheckS(),whichchecksifmethods(functions)relatedtoSSLcerticatevalidationarehooked;createCheck()andcreateCheckTest(),whichcheckifanapplicationhasbeentamperedwith;andresetZeroAll(),whichwipessensitivedatafrommemory.
3.
2PreservingDatesandTimestampsThedynamiclibraryhasbeencreatedusingtheMobileSubstrateframework.
ThisframeworkprovidesAPIsforaddingruntimepatchesorhookstosystemfunctionsinjailbrokeniOSdevices[18].
ThesolutionarchitectureshowninFigure1incorporatesthreecomponents:DynamicLibrary(dylib):Thiscomponenthookssystemopencallsandcaptureskernel-leveldatesandtimestampsofselectedlesandwritesthemtothelogle.
Itisloadedintorunningapplications.
Filtersareappliedsothatitisonlyloadedintospeciedapplications.
238ADVANCESINDIGITALFORENSICSXIFileModification/CreationProcessStartedDynamicLibraryHookedOpen()AppDBUpdateTimestampLogFileUploadLogFiletoSecureLocationOriginalOpen()FileAttributesGeneratedUserSpaceKernelSpaceiOSDeviceSecuredApp(UsingStaticLibrary)CydiaSubstrateDynamicLibraryLoadedFigure1.
Solutionarchitectureforpreservingdateandtimestamps.
TimestampLogFile:ThiscomponentisstoredintheinternalmemoryofaniPhone.
Itisnotdirectlyaccessibletoapplications,whichsecuresitfromunauthorizeddeletion.
LogFile:ThiscomponentisgeneratedbytheDLL.
Itisup-loadedatregularuser-denedintervalstoanexternalserverorcloudstoragebasedonnetworkconnectivity.
3.
3StaticLibraryThestaticlibraryisdesignedtosecureapplicationsandtheirassoci-ateddata.
Thelibrarywrapsappsinanadditionallayerofprotection,whichmakesthemmorediculttocrackinajailbrokeniOSdevice.
ThestaticlibrarycontainsseveralAPIs(Table1)thatcanbeusedtoidentifysecurityvulnerabilitiesinjailbrokendevices.
Thelibraryimplementsthedetectionofjailbrokendevices,thedisablingofapplicationdebuggers,thecheckingofapplicationencryption(forAppStorebinaries)andthedetectionofdynamiccodehooking.
Notethatthefunctionnamesareintentionallynotverydescriptiveinordertoenhancecodeobfuscationandhindermaliciousreverseengineeringeorts.
Govindaraj,Mata,Verma&Gupta239Table1.
StaticlibraryAPIs.
APIDescriptionisCheck1()ChecksifadevicehasbeenjailbrokenisAppC()ChecksiftheapplicationencryptionprovidedbytheAppStoreisintactenableDB()DisablestheapplicationdebuggerisCheck2()ChecksifanappisrunninginthedebugmodeInitialize()ChecksiflibraryAPIsarehookedbymethodswizzlingtech-niquescheckA()Checksifafunctionishookedbyamethodswizzlingtech-niquecheckS()ChecksiftheSSLvalidationmethodsprovidedbytheiOSSDKarehookedmakeZero()FindsthedataportionofobjectmemoryandzeroesitoutencPwd()EncryptsobjectdatainmemoryusingasecretdecPwd()Decryptsobjectdatainmemoryusingasecretlisted()AddsanobjecttothepointerlistusedbytheAPIsunlisted()RemovesanobjectfromthepointerlistresetAllZero()WipesalltrackedobjectscreateCheck()Providesandstaticallystoresastringofallthetrackedmem-oryaddressesandobjectchecksumscreateCheckTest()ChecksifthecurrentmemorystatesofallthetrackedobjectsmatchtheirstateswhenchecksumMem()wascalled3.
4DynamicLibraryThedynamiclibrarywascreatedusingtheMobileSubstrateframe-work,nowknownastheCydiaSubstrate[18].
TheframeworkprovidesaplatformandAPIsforaddingruntimepatchesorhookstosystemfunctionsaswellasotherapplicationsonjailbrokeniOSandrootedAndroiddevices.
TheMobileSubstrateframeworkincorporatesthreecomponents:(i)Mobilehooker;(ii)Mobileloader;and(iii)Safemode.
Mobilehooker:Thiscomponentreplacestheoriginalfunctionwiththehookedfunction.
TwoAPIsmaybeusedforiOSdevices:(i)MSHookMessage(),whichismainlyusedtoreplaceObjective-Cmethodsatruntime;and(ii)MSHookFunction(),whichisusedtoreplacesystemfunctions,mainlynativecodewritteninC,C++orassembly.
Mobileloader:CydiaSubstratecodeiscompiledtocreatethedynamiclibrary,whichisplacedinthedirectory/Library/MobileSubstrate/DynamicLibraries/injailbrokeniOSdevices.
ThemaintaskofMobileloaderistoloadthedynamiclibraryintorunning240ADVANCESINDIGITALFORENSICSXIapplications.
TheMobileloaderinitiallyloadsitselfandthenin-vokesdlopenonallthedynamiclibrariesinthedirectoryandloadsthematruntime.
ThedynamiclibrariesareconguredusingPropertyList(PList)les,whichactaslters,controllingifalibraryshouldbeloadedornot.
ThePListleshouldhavethesamenameasthatofdylibandshouldbestoredinthesamedirectoryasdylib.
ThePListshouldcontainasetofarraysinadictionarywiththekeyFilter.
Theotherkeysusedare:(i)Bundles(array)–theBundleIDofarunningapplicationismatchedagainstthelist,ifamatchoccurs,thendylibisloaded;(ii)Classes(array)–thedylibisloadedifoneofthespeciedObjective-Cclassesinthelistisimplementedintherunningapplication;and(iii)Executables(array)–dylibisloadedifanexecutablenameinthelistmatchestheexecutablenameoftherunningapplication.
Anexampleis:Filter=Executables=("mediaserverd");Bundles=("com.
apple.
MobileSlideShow");Mode="Any";;Intheexample,thelterensuresthatdylibisloadedonlyfortheiOSbuilt-inapplicationPhotos,whoseexecutablenamematchesmediaserverdorBundleIDiscom.
apple.
MobileSlideShow.
TheModekeyisusedwhentherearemorethanonelters.
Byspecify-ingMode=Any,dylibisloadedifoneoftheltershasamatch.
Safemode:Inthismode,allthird-partytweaksandextensionsaredisabled,preventingtheiOSdevicefromenteringthecrashmode.
Followingthis,thebrokendylibcanbeuninstalledfromthedevice.
CompilationProcedure.
TheTheos[10]developmentsuitewasusedtoedit,compileandinstallthedynamiclibraryonadevice.
ItprovidesacomponentnamedLogos,whichisabuilt-inpre-processor-basedlibrarydesignedtosimplifythedevelopmentofMobileSubstrateextensions.
Inordertocompilethedynamiclibrary,TheosmustbeinstalledonaMacmachine.
AMacOSXhasmostofthetoolsrequiredbyTheos;however,Xcodecommandlinetoolsmustbeinstallediftheyarenotpresent.
Ad-ditionally,itisnecessarytoinstalltheldidtool,whichisusedtosignappsortweakssothattheycanbeinstalledonjailbrokeniOSdevices.
Tostarttheproject,itisnecessarytoobtainalltheiOSprivatehead-ersofthefunctionsintendedtobehooked.
TheheaderscanbedumpedGovindaraj,Mata,Verma&Gupta241usingtheClass-Dump-Zcommandlinetool[5].
Thisreverseengineer-ingtoolprovidescompleteheaderinformationoftheObjective-CcodeofaniOSapplication.
Dumpingtheheaderscantakesometimebecauseheadersfromalltheframeworks,includingprivateframeworks,arealsocollected.
Thedumpedheadersaresavedinafolderwiththecorre-spondingframeworkname.
Insteadofdumpingtheheaders,headerscollectedbyotherresearcherscanbeused(e.
g.
,headersfromGitHub).
Alltheheadersaresavedat/opt/theos/include.
ThenextstepistocreatetheTheosproject.
Thisinvolvesexecutingthele/opt/theos/bin/nic.
plfromthecommandlineandchoosingtheprojecttemplate,name,etc.
Theprojecttypeshouldbelibrarybecausethegoalistohookasystemfunction.
Aftertheprojecthasbeencreated,anewlenamedtweak.
xmisfoundintheprojectdirectory;thisleisusedtostorethehookingcode.
Thefollowingpseudocodeforhookinganopen()systemcallisaddedinthetweak.
xmle:extern"C"{intorig\_open(constchar*path,intoflags);}inthijacked\_open(constchar*path,intoflags){//dosomething,thenreturnorig\_open(path,oflags);}\%ctor{NSAutoreleasePool*pool=[[NSAutoreleasePoolalloc]init];MSHookFunction(open(),\&hijacked\_open,\&orig\_open);[pooldrain];}TheMSHookFunction()APIisusedtohooktheopen()systemcall.
Thereplacementfunctionishijackedopen().
Themakefileisthenmodiedtoaddtherequiredframeworks.
NotethattheFoundationframeworkisusedtocreatethehookingcode.
ThetargetSDKversionandthearchitectureneededtosupportitarealsoadded:TARGET:=iPhone:1f20;BACKGROUND-COLOR:#4ae2f7">7.
0ARCHS:=armv1f20;BACKGROUND-COLOR:#4ae2f7">7arm64ProjectName\_FRAMEWORKS=FoundationOncedone,callmakefromcommandlineasbelow.
xyz:testxyzmakeMakingallforapplicationtest.
.
.
Copyingresourcedirectoriesintotheapplicationwrapper.
.
.
Signingtest.
.
.
TheprojectisthencompiledandaDLLiscreatedintheobjfolder.
242ADVANCESINDIGITALFORENSICSXIDLLLoading.
AftertheDLLiscreated,itcanbeinstalledonadevicebytheTheossuiteusingthecommandmakepackageinstall.
ThiscommandcreatesaDebianpackageoftheDLLandinstallsitintheproperlocationonthedevice.
Beforethisisdone,theenvironmentvariablemustbesettoexportTHEOSDEVICEIP=iPhoneDeviceIP.
Next,thepackageistransferredtothedeviceforinstallationviaSFTP.
TheiOSdeviceshouldbeonthesamenetworkasthecomputerusedfordevelopment[20].
4.
PreventingAttacksandAnti-ForensicsThesectiondiscusseshowattacksandanti-forensicapproachescanbemitigatedusingthestaticanddynamiclibraries.
4.
1UsingtheStaticLibraryBOOLisCheck1():ThisfunctionisusedtocheckifaniOSdeviceisjailbroken.
ItreturnsyesiftheiOSdeviceisjailbro-ken;otherwiseno.
Thisfunctioncanbecalledbeforeapplicationlaunch.
APIforCheckingDebugMode:TheapplicationexitswhenlaunchedinthedebugmodeusingtheenableDB()function.
Thisfunctioncanbecalledfrommain()andfromelsewhereintheprojecttodisabledebuggingatanystage.
BycallingenabledDB()inmain()orbeforeapplaunch,theapplicationcanbepreventedfromrunninginthedebugmode.
Therefore,thefunctionshouldbecalledinthereleasemode.
isCheck2():Thisfunctiongivesinformationabouthowtheap-plicationisrunning.
Iftheapplicationwasstartedinthedebugmode,thenavalueofoneisreturned;otherwisezeroisreturned.
BOOLisAppC(char*inBundlePath):Thisfunctionchecksiftheapplicationhasbeenhacked.
TheparameterinBundlePathcanbeanycharacterpointer;itisonlyaddedforobfuscationandisnotusedinsidethefunction.
Itincludesanappencryptioncheck(iftheAppStoreencryptionisbroken),signeridentitychecks,etc.
Iftheappiscracked,thefunctionreturnsyes;otherwiseno.
ThefunctionisprimarilyusedtocheckifAppStorebinariesarecracked.
intInitialize():ThisfunctionchecksiftheAPIsinthestaticlibraryarethemselveshooked.
Thefunctionhastobecalledini-tially,preferablyduringapplaunch,tocheckifthelibraryAPIsGovindaraj,Mata,Verma&Gupta243arehookedbymethodswizzling,afterwhichtheappropriateac-tionsmustbetaken.
Ifthefunctionsarehooked,thenitmakesnosensetousetheAPIstoprotectapplications.
intcheckA(constchar*MCl,constchar*MFr,constchar*MFn,void*funcPTR):Thisfunctionchecksifanyhookingisdoneforacriticalmethodwithinanapplicationpassedasanar-gumenttothefunction.
Thefunctionreturnsoneifnohookingisdiscoveredandzeroifafunctionishooked.
Itrequiresthemethodname,methodclassandthepathoftheframework(foraframe-workmethod)orappbundlepath(foranapplicationmethod).
intcheckS():ThisfunctionchecksifSSLcerticatevalidationmethodsprovidedbytheiOSSDKarehooked.
ThisfunctionisinvokedwithinanapplicationbeforecallingSSLvalidationmeth-odssothattheproperactionscanbetaken.
Thefunctionreturnsoneifthereisnohookingandzeroifafunctionishooked.
makeZero(obj):Thisfunctionisusedtozerothevalueofasensitivevariableafteritsuse.
encPwd()anddecPwd():TheseAPIsareusedforencryptingsensitivedataimmediatelyafterthedataiscreatedanddecryptingthedataonlyduringitsuse.
Afterthesensitivedatahasbeenused,itshouldbeclearedfrommemorypermanently.
listed()andunlisted():Thesefunctionstrackseveralobjectsinordertoclearthemfrommemorysimultaneously.
Sensitiveobjectsareaddedtothelisttokeeptrackofthem;theyareallclearedatonetimeusinganAPI.
Forexample,whenadeviceislockedand/oranappisclosed(hiddenorterminated),itmaybenec-essarytowipeallthesensitivedata.
Inthiscase,itisnecessarytoaddresetZeroAll()tothestate-changenotifyfunctionsinAppDelegate.
Severaltoolsareavailableforattackerstomodifythevaluesofcriticaldataandchangethebehaviorofanappli-cationatruntime.
SuchmodicationscanbetrackedusingthecreateCheck()andcreateCheckTest()APIstocreateacheck-sumofthecriticaldataandcheckitperiodicallytoensurethatthedataisnotmodiedbyanattacker.
4.
2UsingtheDynamicLibraryWheneverlesaremodied,accessedorcreated,thehijackedopen()callisinvokedandthemodied,accessed,createddatesandtimestamps(MACDTS)arecapturedandstoredinthelogle.
Thelogleisstored244ADVANCESINDIGITALFORENSICSXIiSecureRing.
.
.
JailbreakingEncryptionCheckCodeTamperingSimulatingAttacksTimestampTamperingConfidentialDataStealingDebugModeHookingFigure2.
Simulatingattacksondevices.
outsidetheiPhoneatasecurelocationsuchasaserverorinthecloud.
Theinformationintheloglecanbeusedinaforensicinvestigationofthesmartphoneintheeventofasecurityincident.
5.
ExperimentalResultsTheexperimentsinvolvedthecreationoftwoapps,onewithoutanyprotectionandtheotherprotectedbyiSecureRing.
TheappswerethendeployedonajailbrokeniPhone4(iOS1f20;BACKGROUND-COLOR:#4ae2f7">7.
0.
6).
Aseriesofattacksweresimulatedontheappsandtheirdatatovalidatetheproposedsolution(Figure2).
Attheapplicationlevel,theappsweresubjectedtovariousattackstoexploitthelackofbinaryprotection[2].
TheresultsinTable2demonstratethatanappwithiSecureRingrunningonajailbrokeniPhone(Row3)isjustassecureasanormalapprunningonanon-jailbrokeniPhone(Row1).
Performancebenchmarkingwasconductedforthethreecasesconsid-eredintheexperiments.
Figure3summarizestheresultsoftheinitialtests(veruns).
Theresultsshownosignicantdierencesindeviceperformance.
Govindaraj,Mata,Verma&Gupta245Table2.
Attacksandresults.
iPhone4Jail-DebugEncryptionHookingCode(iOS1f20;BACKGROUND-COLOR:#4ae2f7">7.
0.
6)brokenModeCheckTamperingNotJailbrokenYesNoNoNoNo(Appwithoutprotection)JailbrokenN/AYesYesYesYes(Appwithoutprotection)JailbrokenN/ANoNoNoNo(AppwithiSecureRing)02004006008001,0001,2001,4001,6001,800CPUIntegermathCPUFloatingpointmathStoragewriteStoragereadMemorywriteMemoryread2D-Complexvectors2D-Imagerendering3D-ComplextestJailbrokenwithiSecureRingJailbrokenwithoutiSecureRingNotJailbrokenFigure3.
Performancebenchmarkresults.
Figure4.
MACDTSlogsforanimagele.
iSecureRingalsohelpsdetectattemptstoexploitknownorunknownvulnerabilitiesbycapturingthetimestampsofactivitiesassociatedwithasecuredapp.
OneexperimentinvolvedtimestamptamperingattemptsonimagesfromApple'sPhotoapp.
iSecureRingsuccessfullycapturedalltheeventsinthelog.
Ananalysisofthelogclearlyrevealedthetamperingattempts.
Figure4showstheMACDTSlogsforoneoftheimages.
246ADVANCESINDIGITALFORENSICSXIFigure5.
Preventingadebugmodeattack.
DebugModeAttack.
Figure5showsascreenshotofanXcodeap-plicationrunninginthedebugmode[11f20;BACKGROUND-COLOR:#4ae2f7">7]whileitwasbeingprotectedbyiSecureRing.
EncryptionAttack.
Clutch[11f20;BACKGROUND-COLOR:#4ae2f7">7]wasusedtosimulateanencryptionattack(Clutchmaybedownloadedfromcydia.
iphonecake.
com).
iSe-cureRingincludesachecktodetermineifapplicationencryptionisintactbyanalyzingencryptioninformationinthebinaryandalsothecryptidagvalue.
Iftheapplicationencryptionisfoundtobebroken,thentheuserisalertedandtheapplicationbehaviorcanbechangedatruntime.
Hooking.
AhookingattackwassimulatedbyhookingSSLvalidationmethods.
Itispossibletolaunchaman-in-the-middleattackonevenHTTPSrequeststounderstand,stealandmodifytherequesteddata.
iSecureRingincorporatesseveralcheckstoidentifythehookingofcriticalmethodssuchasSSLvalidationandauthentication.
ApplicationsthatuseiSecureRingareprotectedagainsttheattacksbecausetheuserisalertedandtheappbehaviorcanbechanged.
CodeTampering.
AcodetamperingattackwassimulatedusingCy-cript[1f20;BACKGROUND-COLOR:#4ae2f7">7],aJavaScriptinterpreter.
ThetoolwasusedtomodifyiOSapplicationbehavioratruntime(e.
g.
,bypassingsomeauthenticationchecksandaccessingcriticalinformationfrommemory).
AnapplicationcompiledwithiSecureRingprovidesAPIsforidentifyingcodetamper-ingofcriticalinstancevariablesandclassobjectsusingCRCchecksums.
Also,APIsareprovidedforwipingsensitivedatafrommemory.
6.
CaseStudyTheiSecureRingimplementationwassuccessfullyusedtosecureaniPhonemobileappforaleadingbankinIndia.
ProblemStatement.
Thebankhadasecurityincidentinwhichtheapplicationrunningonajailbrokendevicerevealedsensitivedata.
JailbreakingAttack.
TheattackerhadusedthelatestjailbreakingtoolforiOS1f20;BACKGROUND-COLOR:#4ae2f7">7.
1.
2Pangu[1].
Theattackeralsousedcertaintweakstode-Govindaraj,Mata,Verma&Gupta241f20;BACKGROUND-COLOR:#4ae2f7">7featjailbreakdetection.
SometweakswithinCydiabypassthejailbreakdetectioncheckofanapplicationandmaketheapplicationrunnormallyevenonjailbrokendevices.
OnesuchtweakisxCon[12],whichhookslow-levelAPIsusedforjailbreakdetectionsuchasle-relatedAPIsandothersystemcalls,thusbypassingthejailbreakdetectionfunctionsusedintheapplication.
NocongurationisrequiredforxCon,aMobileSub-stratedynamiclibrarythatcanbeinstalledfromCydia.
iSecureRingResults.
ThebankappwassecuredusingiSecureRing.
Thejailbreakdetectionfunctionwasrobustenoughtocheckifthede-vicewasjailbrokenandifanyjailbreakdetectionbypassingfunctionswerepresent.
ThesolutionwastestedwithxCon39beta1f20;BACKGROUND-COLOR:#4ae2f7">7oniPhone4deviceswithiOSversion1f20;BACKGROUND-COLOR:#4ae2f7">7.
1.
2.
xConwasunabletobypassthejailbreakdetectiontechniquesusedbyiSecureRing.
TheiSecureRingsolutionchecksfortheexistenceofle-relatedsystemfunctionhooking,render-ingxCon-liketweaksuseless.
ThesolutionalsomitigatesthejailbreakdetectionbypassingmechanismprovidedbythexCondynamiclibrary.
1f20;BACKGROUND-COLOR:#4ae2f7">7.
ConclusionsTheiSecureRingsolutionsecuresappsonjailbrokeniOSdevices.
Thestaticlibraryhelpsdetectsecurityvulnerabilitiesandalertsuserstotakeappropriateactions.
Thedynamiclibraryhelpsdetectmalicioustam-peringofdatabystoringauthenticcopiesofMACDTSvaluesonalocalserverorinthecloud;thisalsosupportsoinedigitalforensicinvestigationsaftersecurityincidents.
Thus,iSecureRingenablesexist-ingandnewappstobesecuredandmadeforensic-readyeveniftheiOSdevicehasbeenjailbroken.
WithenterprisesimplementingBYODpoliciesandjailbrokendevicesmakingtheirwayintoenterprises,theiSecureRingsolutionhelpsenterprisesmitigatethesecurityriskswhileenablingemployeestouseonedeviceforocialandpersonalactivities.
Futureresearchwillfocusonanalyzinganomalousinteractionswithsecuredapps,blockingattacksandraisingalerts.
EortswillalsobemadetocreatesimilarsolutionsforAndroidandWindowssmartphones.
References[1]J.
Benjamin,HowtojailbreakiOS1f20;BACKGROUND-COLOR:#4ae2f7">7.
1.
xwithPangu1.
1onWin-dows,iDownloadBlog,June29,2014.
[2]C.
D'Orazio,A.
ArinandK.
Choo,iOSanti-forensics:Howcanwesecurelyconceal,deleteandinsertdataProceedingsoftheForty-SeventhHawaiiInternationalConferenceonSystemSciences,pp.
4838–4841f20;BACKGROUND-COLOR:#4ae2f7">7,2014.
248ADVANCESINDIGITALFORENSICSXI[3]D.
Ertel,DecryptingiOSapps(www.
infointox.
net/p=114),2013.
[4]S.
Esser,ExploitingtheiOSkernel,presentedatBlackHatUSA,2011.
[5]P.
Gianchandani,iOSApplicationSecurityPart2–GettingClassInformationofiOSApps,InfosecInstitute,ElmwoodPark,Illinois,2014.
[6]GitHub,ToolsforsecurelyclearingandvalidatingiOSapplicationmemory,SanFrancisco,California(github.
com/project-imas/memory-security),2014.
[1f20;BACKGROUND-COLOR:#4ae2f7">7]S.
GuerreroSelma,HackingiOSontherun:UsingCycript,pre-sentedattheRSAConference,2014.
[8]A.
HoogandK.
Strzempka,iPhoneandiOSForensics:Investiga-tion,AnalysisandMobileSecurityforAppleiPhone,iPadandiOSDevices,Syngress,Waltham,Massachusetts,2011.
[9]iPhoneDevWiki,debugserver(iphonedevwiki.
net/index.
php/Debugserver),2015.
[10]iPhoneDevWiki,Theos(iphonedevwiki.
net/index.
php/Theos),2015.
[11]iPhoneHacks,JailbreakingyouriPhoneremainslegalinUS,butitisillegaltojailbreakyouriPadandunlockyouriPhoneunderDMCA,October26,2012.
[12]iPhoneWiki,xCon(theiphonewiki.
com/wiki/XCon),2014.
[13]C.
Miller,Owningthefanboys:HackingMacOSX,presentedatBlackHatJapan,2008.
[14]C.
Miller,Mobileattacksanddefense,IEEESecurityandPrivacy,vol.
9(4),pp.
68–1f20;BACKGROUND-COLOR:#4ae2f7">70,2011.
[15]S.
Morrissey,iOSForensicAnalysisforiPhone,iPadandiPodTouch,Apress,NewYork,2010.
[16]M.
Renard,PracticaliOSappshacking,ProceedingsoftheFirstInternationalSymposiumonGrey-HatHacking,pp.
14–26,2012.
[11f20;BACKGROUND-COLOR:#4ae2f7">7]B.
Satish,PenetrationTestingforiPhoneApplications–Part5,InfosecInstitute,ElmwoodPark,Illinois,2013.
[18]SaurikIT,CydiaSubstrate,IslaVista,California(www.
cydiasubstrate.
com),2014.
[19]A.
Smith,SmartphoneOwnership2013,PewResearchCenter,Washington,DC,June5,2013.
Govindaraj,Mata,Verma&Gupta249[20]B.
Trebitowski,BeginningJailbrokeniOSDevelopment–BuildingandDeployment,Pixegon,Albuquerque,NewMexico(brandontreb.
com/beginning-jailbroken-ios-development-building-and-deployment),2011.
[21]R.
Verma,J.
GovindarajandG.
Gupta,Preservingdateandtime-stampsforincidenthandlinginAndroidsmartphones,inAdvancesinDigitalForensicsX,G.
PetersonandS.
Shenoi(Eds.
),Springer,Heidelberg,Germany,pp.
209–225,2014.
hypervmart怎么样?hypervmart是一家国外主机商,成立于2011年,提供虚拟主机、VPS等,vps基于Hyper-V 2012 R2,宣称不超售,支持linux和windows,有荷兰和英国2个数据中心,特色是1Gbps带宽、不限流量。现在配置提高,价格不变,性价比提高了很多。(数据中心不太清楚,按以前的记录,应该是欧洲),支持Paypal付款。点击进入:hypervmart官方网...
DiyVM是一家比较低调的国人主机商,成立于2009年,提供VPS主机和独立服务器租用等产品,其中VPS基于XEN(HVM)架构,数据中心包括香港沙田、美国洛杉矶和日本大阪等,CN2或者直连线路,支持异地备份与自定义镜像,可提供内网IP。本月商家最高提供5折优惠码,优惠后香港沙田CN2线路VPS最低2GB内存套餐每月仅50元起。香港(CN2)VPSCPU:2cores内存:2GB硬盘:50GB/R...
触碰云怎么样?触碰云是一家成立于2019年的商家。触碰云主营香港/美国 VPS服务器、独立服务器以及免备案CDN。采用的是kvm虚拟构架,硬盘Raid10,Cn2线路,去程电信CN2、移动联通直连,回程三网CN2。最低1核1G带宽1M仅20.8元/月,不过这里推荐香港4核4G15M,香港cn2 gia线路云服务器,仅115.2元/月起,性价比还是不错的。点击进入:触碰云官方网站地址触碰云优惠码:优...
netbios端口为你推荐
互联网周鸿祎浙江世纪华通集团股份有限公司支持ipad深圳市富满电子集团股份有限公司win7telnetWin7系统中的telnet命令如何应用?联通合约机iphone5联通合约机iphone5能用移动卡吗google搜图google自定义搜索是什么?怎么用routeaddRout add -p在网络中是什么意思?Route add Cp又是什么意思?routeaddroute add 命令后,本地连接的ipv4默认网关会被自动清除。这个默认网关应该怎么设置?morphvoxpro怎么用如何使用MorphVOX Pro变声
域名空间 黑龙江域名注册 免费动态域名 qq云存储 表单样式 新世界电讯 双11抢红包攻略 seovip NetSpeeder 免费博客空间 网站cdn加速 佛山高防服务器 四核服务器 华为云盘 联通网站 空间购买 河南移动梦网 个人免费邮箱 国外免费云空间 服务器硬件配置 更多