Kali Linux

IOSSecuritySuite : iOS Platform Security And Anti-Tampering Swift Library

iOS Security Suite is an advanced and easy-to-use platform security & anti-tampering library written in pure Swift! If you are developing for iOS and you want to protect your app according to the OWASP MASVS standard, chapter v8, then this library could save you a lot of time. 

What ISS detects:

  • Jailbreak (even the iOS 11+ with brand new indicators!
  • Attached debugger
  • If an app was run in an emulator
  • Common reverse engineering tools running on the device

Setup

There are 4 ways you can start using IOSSecuritySuite

1. Add source

Add IOSSecuritySuite/*.swift files to your project

2. Setup with CocoaPods

pod 'IOSSecuritySuite'

3. Setup with Carthage

github "securing/IOSSecuritySuite"

4. Setup with Swift Package Manager

.package(url: “https://github.com/securing/IOSSecuritySuite.git”, from: “1.5.0”)

Update Info.plist

After adding ISS to your project, you will also need to update your main Info.plist. There is a check in jailbreak detection module that uses canOpenURL(_:) method and requires specifying URLs that will be queried.

key>LSApplicationQueriesSchemes
array>
string>cydia
string>undecimus
string>sileo
string>zbra
string>filza
string>activator
/array>

How to use

Jailbreak detector module

  • The simplest method returns True/False if you just want to know if the device is jailbroken or jailed

if IOSSecuritySuite.amIJailbroken() {
print(“This device is jailbroken”)
} else {
print(“This device is not jailbroken”)
}

Verbose, if you also want to know what indicators were identified

let jailbreakStatus = IOSSecuritySuite.amIJailbrokenWithFailMessage()
if jailbreakStatus.jailbroken {
print(“This device is jailbroken”)
print(“Because: (jailbreakStatus.failMessage)”)
} else {
print(“This device is not jailbroken”)
}

The failMessage is a String containing comma-separated indicators as shown on the example below: Cydia URL scheme detected, Suspicious file exists: /Library/MobileSubstrate/MobileSubstrate.dylib, Fork was able to create a new process

  • Verbose & filterable, if you also want to for example identify devices that were jailbroken in the past, but now are jailed

let jailbreakStatus = IOSSecuritySuite.amIJailbrokenWithFailedChecks()
if jailbreakStatus.jailbroken {
if (jailbreakStatus.failedChecks.contains { $0.check == .existenceOfSuspiciousFiles }) && (jailbreakStatus.failedChecks.contains { $0.check == .suspiciousFilesCanBeOpened }) {
print(“This is real jailbroken device”)
}
}

Debugger detector module

let amIDebugged: Bool = IOSSecuritySuite.amIDebugged()

Deny debugger at all

IOSSecuritySuite.denyDebugger()

Emulator detector module

let runInEmulator: Bool = IOSSecuritySuite.amIRunInEmulator()

Experimental features

Runtime hook detector module

let amIRuntimeHooked: Bool = amIRuntimeHook(dyldWhiteList: dylds, detectionClass: SomeClass.self, selector: #selector(SomeClass.someFunction), isClassMethod: false)

Symbol hook deny module

// If we want to deny symbol hook of Swift function, we have to pass mangled name of that function
denySymbolHook(“$s10Foundation5NSLogyySS_s7CVarArg_pdtF”) // denying hooking for the NSLog function
NSLog(“Hello Symbol Hook”)
denySymbolHook(“abort”)
abort()

MSHook detector module

// Function declaration
func someFunction(takes: Int) -> Bool {
return false
}
// Defining FunctionType : @convention(thin) indicates a “thin” function reference, which uses the Swift calling convention with no special “self” or “context” parameters.
typealias FunctionType = @convention(thin) (Int) -> (Bool)
// Getting pointer address of function we want to verify
func getSwiftFunctionAddr(_ function: @escaping FunctionType) -> UnsafeMutableRawPointer {
return unsafeBitCast(function, to: UnsafeMutableRawPointer.self)
}
let funcAddr = getSwiftFunctionAddr(someFunction)
let amIMSHooked = IOSSecuritySuite.amIMSHooked(funcAddr)

File integrity verifier module

// Determine if application has been tampered with
if IOSSecuritySuite.amITampered([.bundleID(“biz.securing.FrameworkClientApp”),
.mobileProvision(“2976c70b56e9ae1e2c8e8b231bf6b0cff12bbbd0a593f21846d9a004dd181be3”),
.machO(“IOSSecuritySuite”, “6d8d460b9a4ee6c0f378e30f137cebaf2ce12bf31a2eef3729c36889158aa7fc”)]).result {
print(“I have been Tampered.”)
}
else {
print(“I have not been Tampered.”)
}
// Manually verify SHA256 hash value of a loaded dylib
if let hashValue = IOSSecuritySuite.getMachOFileHashValue(.custom(“IOSSecuritySuite”)), hashValue == “6d8d460b9a4ee6c0f378e30f137cebaf2ce12bf31a2eef3729c36889158aa7fc” {
print(“I have not been Tampered.”)
}
else {
print(“I have been Tampered.”)
}
// Check SHA256 hash value of the main executable
// Tip: Your application may retrieve this value from the server
if let hashValue = IOSSecuritySuite.getMachOFileHashValue(.default), hashValue == “your-application-executable-hash-value” {
print(“I have not been Tampered.”)
}
else {
print(“I have been Tampered.”)
}

R K

Recent Posts

Install Opera Web Browser on Ubuntu 18.04: Complete Setup Guide

Opera is one of the most popular cross-platform web browsers in the world, available on Windows,…

4 hours ago

Install Gogs on Ubuntu 18.04: Self-Hosted Git Server Setup Guide

Gogs is a free, self-hosted Git service written in Go. It gives you a private GitHub-like…

4 hours ago

Install Elasticsearch on Ubuntu 18.04: Setup and Config Guide

Elasticsearch is an open-source distributed search and analytics engine built on Apache Lucene. It supports RESTful…

4 hours ago

Install Flask on Ubuntu 18.04: venv Setup and Hello World App

Flask is a free, open-source micro web framework for Python. It is built on Werkzeug and…

4 hours ago

Install Memcached on Ubuntu 18.04: Setup, Config, and Client Guide

Memcached is a free, open-source, high-performance in-memory caching system. It stores data as key-value pairs in…

4 hours ago

Install TensorFlow on Ubuntu 18.04: Python venv Setup and Usage

TensorFlow is a free, open-source machine learning platform developed by Google. It is used by major…

1 day ago