loadedios
netbios端口 时间:2021-02-12 阅读:()
Chapter14FORENSIC-READYSECUREiOSAPPSFORJAILBROKENiPHONESJayaprakashGovindaraj,RashmiMata,RobinVermaandGauravGuptaAbstractAppleiOSisoneofthemostpopularsmartphoneoperatingsystems,butitrestrictstheinstallationofappsthatarenotfromtheAppleAppStore.
Asaresult,usersoftenjailbreaktheiriPhonestodefeatthisre-striction.
JailbrokeniPhonesaremakingtheirwayintoenterprisesthathaveaBringYourOwnDevice(BYOD)policy,butthesedevicesareof-tenbarredorrestrictedbymobiledevicemanagementsoftwarebecausetheyposesecurityrisks.
ThischapterdescribestheiSecureRingsolutionthatsecuresmobileappsandpreservesthedatesandtimestampsofeve-ntsinordertosupportforensicexaminationsofjailbrokeniPhones.
AnanalysisoftheliteraturerevealsthatiSecureRingistherstforensic-readymobileappsecuritysolutionforiOSapplicationsthatexecuteinunsecuredenterpriseenvironments.
Keywords:JailbrokeniPhones,enterpriseenvironments,forensicexaminations1.
IntroductionAccordingtoa2013Pewreport[19],40.
98%ofthesmartphonesusedbyadultAmericansareAppleiPhones.
Apple'siOSoperatingsystemdoesnotallowtheinstallationofapplications,extensionsandthemesthatarenotobtainedfromtheAppleAppStore.
Asaresult,usersfrequentlyjailbreaktheirdevicestoobtainrootaccessanddefeattheinstallationrestrictions[4].
AjailbrokeniPhoneallowstheretrievalofapplicationsandtheirassociateddata,potentiallycompromisingthesecurityoftheapplicationsandthecondentialityofthedata[4,16].
Sincejailbreakingisareality[8,11],itisincreasinglyimportanttodesignmobileapplicationsthatcanrunsecurelyonjailbrokeniPhones.
Therequirementofhavinganapplicationexecutesecurelyinanunse-cureenvironmentiscriticaltoscenarioswhereaproprietaryapplica-cIFIPInternationalFederationforInformationProcessing2015G.
Peterson,S.
Shenoi(Eds.
):AdvancesinDigitalForensicsXI,IFIPAICT462,pp.
235–249,2015.
DOI:10.
1001f20;BACKGROUND-COLOR:#4ae2f7">7/91f20;BACKGROUND-COLOR:#4ae2f7">78-3-319-24123-414236ADVANCESINDIGITALFORENSICSXItionshouldworkwithoutimpactingenterprisesecurity.
Atthistime,enterprisesthathaveaBringYourOwnDevice(BYOD)policygener-allydetectandrestrictjailbrokeniPhonesusingmobiledevicemanage-mentsoftwaresuchasCitrix'sXenMobileandIBM'sEndpointManager.
Thus,employeeshavetoun-jailbreaktheiriPhonesorinstallenterpriseapplicationsonotherapproveddevices.
Thesolutionproposedinthischapterenablesenterprisestoinstalltheirapplicationssecurelyonjail-brokeniPhones.
Newappsandexistingappscanbesecuredandbemadeforensic-ready.
Theforensicreadinessoftheappsenablesenter-prisestocheckiftheappsrunsecurelyandalsoensuresthatforensicartifactsareavailableintheeventofsecurityincidents.
2.
RelatedWorkD'Orazioetal.
[2]haveproposedaconcealmenttechniquethaten-hancesthesecurityofunprotected(classD)datathatisatrestiniOSdevices,alongwithadeletiontechniquetoreinforcedatadeletioniniOSdevices.
Hackersandmalicioususersresorttotechniquessuchasjailbreaking,runninganappinthedebugmode,reverseengineering,dy-namichookingortamperinginordertoaccessorcompromisesensitivedatastoredbyiOSapps:Jailbreaking:Attackersusejailbreakingtoobtainsystem-level(root)accesstoiOSdevices,potentiallycompromisingthesecurityofapplicationsandtheirassociateddata[15].
DebuggerMode:Attackersruntargetedapplicationsinthede-bugmode,obtainmemorydumpsandoverwritethememorywithmaliciouscode[9,13].
ReverseEngineering:AppsfromtheAppleStoreareencryptedusingApple'sFairplayDRM,whichcomplicatesthetaskofreverseengineeringbinaries.
However,anattackercanoverwritetheen-cryptioninformationofanapplicationinajailbrokendevicetoob-tainthememorydumpandanalyzeittocreatenewattacks[3,16].
DynamicCodeHooking:Afteradeviceisjailbroken,anat-tackercanhookmaliciouscodetoanappatruntimeinordertobypasssecuritychecks,potentiallycompromisingthesecurityoftheapplicationanditsdata[20].
Tampering:Attackerscanmodifythedatesandtimestampsofartifactsinordertocovertheirtracks.
Vermaetal.
[21]havere-centlyproposedamechanismforpreservingdatesandtimestampsinsupportofforensicexaminationsofAndroidsmartphones.
Govindaraj,Mata,Verma&Gupta231f20;BACKGROUND-COLOR:#4ae2f7">7ThischapterpresentsatechniqueforprotectingapplicationsanddatainjailbrokeniOSdevices.
Intheeventofasecurityincident,thetech-niquecanbeusedtosupportaforensicexaminationofajailbrokendevice.
3.
ImplementationMethodologyThesolutionhastwomodules:(i)astaticlibrarythatwrapsappsrunningonjailbrokendeviceswithanextralayerofprotection,makingthemdiculttocrackandpreventingaccesstotheirdata;and(ii)amodulethatpreservesauthenticdatesandtimestampsofeventsrelatedtothesecuredappstosupportforensicexaminations.
Thecaptureddatesandtimestampsarestoredoutsidethedeviceonasecureserverorinthecloud.
Themodulesarediscussedinfollowingsubsections.
3.
1SecuringAppsThestaticlibrary,whichisdesignedtosecureapps,incorporatesAPIsthatmaybeusedtoidentifyandmitigatesecurityvulnerabilitiesinjailbrokeniPhones[6].
Functionsinthelibraryinclude:isCheck1(),whichchecksifaniPhoneisjailbroken;isCheck2(),whichchecksifanapplicationisrunninginthedebugmode;enableDB(),whichdisablesthegdb(debugger)foraparticularapplication(process);isAppC(),whichchecksifanapplicationbinaryisencryptedandalsocheckstheintegrityofapplicationbundleles(Info.
Plist);initialize(),whichchecksifstaticlibraryfunctionsarehooked;CheckA(),whichchecksifcriticalmethods(functions)passedasargumentsarehooked;CheckS(),whichchecksifmethods(functions)relatedtoSSLcerticatevalidationarehooked;createCheck()andcreateCheckTest(),whichcheckifanapplicationhasbeentamperedwith;andresetZeroAll(),whichwipessensitivedatafrommemory.
3.
2PreservingDatesandTimestampsThedynamiclibraryhasbeencreatedusingtheMobileSubstrateframework.
ThisframeworkprovidesAPIsforaddingruntimepatchesorhookstosystemfunctionsinjailbrokeniOSdevices[18].
ThesolutionarchitectureshowninFigure1incorporatesthreecomponents:DynamicLibrary(dylib):Thiscomponenthookssystemopencallsandcaptureskernel-leveldatesandtimestampsofselectedlesandwritesthemtothelogle.
Itisloadedintorunningapplications.
Filtersareappliedsothatitisonlyloadedintospeciedapplications.
238ADVANCESINDIGITALFORENSICSXIFileModification/CreationProcessStartedDynamicLibraryHookedOpen()AppDBUpdateTimestampLogFileUploadLogFiletoSecureLocationOriginalOpen()FileAttributesGeneratedUserSpaceKernelSpaceiOSDeviceSecuredApp(UsingStaticLibrary)CydiaSubstrateDynamicLibraryLoadedFigure1.
Solutionarchitectureforpreservingdateandtimestamps.
TimestampLogFile:ThiscomponentisstoredintheinternalmemoryofaniPhone.
Itisnotdirectlyaccessibletoapplications,whichsecuresitfromunauthorizeddeletion.
LogFile:ThiscomponentisgeneratedbytheDLL.
Itisup-loadedatregularuser-denedintervalstoanexternalserverorcloudstoragebasedonnetworkconnectivity.
3.
3StaticLibraryThestaticlibraryisdesignedtosecureapplicationsandtheirassoci-ateddata.
Thelibrarywrapsappsinanadditionallayerofprotection,whichmakesthemmorediculttocrackinajailbrokeniOSdevice.
ThestaticlibrarycontainsseveralAPIs(Table1)thatcanbeusedtoidentifysecurityvulnerabilitiesinjailbrokendevices.
Thelibraryimplementsthedetectionofjailbrokendevices,thedisablingofapplicationdebuggers,thecheckingofapplicationencryption(forAppStorebinaries)andthedetectionofdynamiccodehooking.
Notethatthefunctionnamesareintentionallynotverydescriptiveinordertoenhancecodeobfuscationandhindermaliciousreverseengineeringeorts.
Govindaraj,Mata,Verma&Gupta239Table1.
StaticlibraryAPIs.
APIDescriptionisCheck1()ChecksifadevicehasbeenjailbrokenisAppC()ChecksiftheapplicationencryptionprovidedbytheAppStoreisintactenableDB()DisablestheapplicationdebuggerisCheck2()ChecksifanappisrunninginthedebugmodeInitialize()ChecksiflibraryAPIsarehookedbymethodswizzlingtech-niquescheckA()Checksifafunctionishookedbyamethodswizzlingtech-niquecheckS()ChecksiftheSSLvalidationmethodsprovidedbytheiOSSDKarehookedmakeZero()FindsthedataportionofobjectmemoryandzeroesitoutencPwd()EncryptsobjectdatainmemoryusingasecretdecPwd()Decryptsobjectdatainmemoryusingasecretlisted()AddsanobjecttothepointerlistusedbytheAPIsunlisted()RemovesanobjectfromthepointerlistresetAllZero()WipesalltrackedobjectscreateCheck()Providesandstaticallystoresastringofallthetrackedmem-oryaddressesandobjectchecksumscreateCheckTest()ChecksifthecurrentmemorystatesofallthetrackedobjectsmatchtheirstateswhenchecksumMem()wascalled3.
4DynamicLibraryThedynamiclibrarywascreatedusingtheMobileSubstrateframe-work,nowknownastheCydiaSubstrate[18].
TheframeworkprovidesaplatformandAPIsforaddingruntimepatchesorhookstosystemfunctionsaswellasotherapplicationsonjailbrokeniOSandrootedAndroiddevices.
TheMobileSubstrateframeworkincorporatesthreecomponents:(i)Mobilehooker;(ii)Mobileloader;and(iii)Safemode.
Mobilehooker:Thiscomponentreplacestheoriginalfunctionwiththehookedfunction.
TwoAPIsmaybeusedforiOSdevices:(i)MSHookMessage(),whichismainlyusedtoreplaceObjective-Cmethodsatruntime;and(ii)MSHookFunction(),whichisusedtoreplacesystemfunctions,mainlynativecodewritteninC,C++orassembly.
Mobileloader:CydiaSubstratecodeiscompiledtocreatethedynamiclibrary,whichisplacedinthedirectory/Library/MobileSubstrate/DynamicLibraries/injailbrokeniOSdevices.
ThemaintaskofMobileloaderistoloadthedynamiclibraryintorunning240ADVANCESINDIGITALFORENSICSXIapplications.
TheMobileloaderinitiallyloadsitselfandthenin-vokesdlopenonallthedynamiclibrariesinthedirectoryandloadsthematruntime.
ThedynamiclibrariesareconguredusingPropertyList(PList)les,whichactaslters,controllingifalibraryshouldbeloadedornot.
ThePListleshouldhavethesamenameasthatofdylibandshouldbestoredinthesamedirectoryasdylib.
ThePListshouldcontainasetofarraysinadictionarywiththekeyFilter.
Theotherkeysusedare:(i)Bundles(array)–theBundleIDofarunningapplicationismatchedagainstthelist,ifamatchoccurs,thendylibisloaded;(ii)Classes(array)–thedylibisloadedifoneofthespeciedObjective-Cclassesinthelistisimplementedintherunningapplication;and(iii)Executables(array)–dylibisloadedifanexecutablenameinthelistmatchestheexecutablenameoftherunningapplication.
Anexampleis:Filter=Executables=("mediaserverd");Bundles=("com.
apple.
MobileSlideShow");Mode="Any";;Intheexample,thelterensuresthatdylibisloadedonlyfortheiOSbuilt-inapplicationPhotos,whoseexecutablenamematchesmediaserverdorBundleIDiscom.
apple.
MobileSlideShow.
TheModekeyisusedwhentherearemorethanonelters.
Byspecify-ingMode=Any,dylibisloadedifoneoftheltershasamatch.
Safemode:Inthismode,allthird-partytweaksandextensionsaredisabled,preventingtheiOSdevicefromenteringthecrashmode.
Followingthis,thebrokendylibcanbeuninstalledfromthedevice.
CompilationProcedure.
TheTheos[10]developmentsuitewasusedtoedit,compileandinstallthedynamiclibraryonadevice.
ItprovidesacomponentnamedLogos,whichisabuilt-inpre-processor-basedlibrarydesignedtosimplifythedevelopmentofMobileSubstrateextensions.
Inordertocompilethedynamiclibrary,TheosmustbeinstalledonaMacmachine.
AMacOSXhasmostofthetoolsrequiredbyTheos;however,Xcodecommandlinetoolsmustbeinstallediftheyarenotpresent.
Ad-ditionally,itisnecessarytoinstalltheldidtool,whichisusedtosignappsortweakssothattheycanbeinstalledonjailbrokeniOSdevices.
Tostarttheproject,itisnecessarytoobtainalltheiOSprivatehead-ersofthefunctionsintendedtobehooked.
TheheaderscanbedumpedGovindaraj,Mata,Verma&Gupta241usingtheClass-Dump-Zcommandlinetool[5].
Thisreverseengineer-ingtoolprovidescompleteheaderinformationoftheObjective-CcodeofaniOSapplication.
Dumpingtheheaderscantakesometimebecauseheadersfromalltheframeworks,includingprivateframeworks,arealsocollected.
Thedumpedheadersaresavedinafolderwiththecorre-spondingframeworkname.
Insteadofdumpingtheheaders,headerscollectedbyotherresearcherscanbeused(e.
g.
,headersfromGitHub).
Alltheheadersaresavedat/opt/theos/include.
ThenextstepistocreatetheTheosproject.
Thisinvolvesexecutingthele/opt/theos/bin/nic.
plfromthecommandlineandchoosingtheprojecttemplate,name,etc.
Theprojecttypeshouldbelibrarybecausethegoalistohookasystemfunction.
Aftertheprojecthasbeencreated,anewlenamedtweak.
xmisfoundintheprojectdirectory;thisleisusedtostorethehookingcode.
Thefollowingpseudocodeforhookinganopen()systemcallisaddedinthetweak.
xmle:extern"C"{intorig\_open(constchar*path,intoflags);}inthijacked\_open(constchar*path,intoflags){//dosomething,thenreturnorig\_open(path,oflags);}\%ctor{NSAutoreleasePool*pool=[[NSAutoreleasePoolalloc]init];MSHookFunction(open(),\&hijacked\_open,\&orig\_open);[pooldrain];}TheMSHookFunction()APIisusedtohooktheopen()systemcall.
Thereplacementfunctionishijackedopen().
Themakefileisthenmodiedtoaddtherequiredframeworks.
NotethattheFoundationframeworkisusedtocreatethehookingcode.
ThetargetSDKversionandthearchitectureneededtosupportitarealsoadded:TARGET:=iPhone:1f20;BACKGROUND-COLOR:#4ae2f7">7.
0ARCHS:=armv1f20;BACKGROUND-COLOR:#4ae2f7">7arm64ProjectName\_FRAMEWORKS=FoundationOncedone,callmakefromcommandlineasbelow.
xyz:testxyzmakeMakingallforapplicationtest.
.
.
Copyingresourcedirectoriesintotheapplicationwrapper.
.
.
Signingtest.
.
.
TheprojectisthencompiledandaDLLiscreatedintheobjfolder.
242ADVANCESINDIGITALFORENSICSXIDLLLoading.
AftertheDLLiscreated,itcanbeinstalledonadevicebytheTheossuiteusingthecommandmakepackageinstall.
ThiscommandcreatesaDebianpackageoftheDLLandinstallsitintheproperlocationonthedevice.
Beforethisisdone,theenvironmentvariablemustbesettoexportTHEOSDEVICEIP=iPhoneDeviceIP.
Next,thepackageistransferredtothedeviceforinstallationviaSFTP.
TheiOSdeviceshouldbeonthesamenetworkasthecomputerusedfordevelopment[20].
4.
PreventingAttacksandAnti-ForensicsThesectiondiscusseshowattacksandanti-forensicapproachescanbemitigatedusingthestaticanddynamiclibraries.
4.
1UsingtheStaticLibraryBOOLisCheck1():ThisfunctionisusedtocheckifaniOSdeviceisjailbroken.
ItreturnsyesiftheiOSdeviceisjailbro-ken;otherwiseno.
Thisfunctioncanbecalledbeforeapplicationlaunch.
APIforCheckingDebugMode:TheapplicationexitswhenlaunchedinthedebugmodeusingtheenableDB()function.
Thisfunctioncanbecalledfrommain()andfromelsewhereintheprojecttodisabledebuggingatanystage.
BycallingenabledDB()inmain()orbeforeapplaunch,theapplicationcanbepreventedfromrunninginthedebugmode.
Therefore,thefunctionshouldbecalledinthereleasemode.
isCheck2():Thisfunctiongivesinformationabouthowtheap-plicationisrunning.
Iftheapplicationwasstartedinthedebugmode,thenavalueofoneisreturned;otherwisezeroisreturned.
BOOLisAppC(char*inBundlePath):Thisfunctionchecksiftheapplicationhasbeenhacked.
TheparameterinBundlePathcanbeanycharacterpointer;itisonlyaddedforobfuscationandisnotusedinsidethefunction.
Itincludesanappencryptioncheck(iftheAppStoreencryptionisbroken),signeridentitychecks,etc.
Iftheappiscracked,thefunctionreturnsyes;otherwiseno.
ThefunctionisprimarilyusedtocheckifAppStorebinariesarecracked.
intInitialize():ThisfunctionchecksiftheAPIsinthestaticlibraryarethemselveshooked.
Thefunctionhastobecalledini-tially,preferablyduringapplaunch,tocheckifthelibraryAPIsGovindaraj,Mata,Verma&Gupta243arehookedbymethodswizzling,afterwhichtheappropriateac-tionsmustbetaken.
Ifthefunctionsarehooked,thenitmakesnosensetousetheAPIstoprotectapplications.
intcheckA(constchar*MCl,constchar*MFr,constchar*MFn,void*funcPTR):Thisfunctionchecksifanyhookingisdoneforacriticalmethodwithinanapplicationpassedasanar-gumenttothefunction.
Thefunctionreturnsoneifnohookingisdiscoveredandzeroifafunctionishooked.
Itrequiresthemethodname,methodclassandthepathoftheframework(foraframe-workmethod)orappbundlepath(foranapplicationmethod).
intcheckS():ThisfunctionchecksifSSLcerticatevalidationmethodsprovidedbytheiOSSDKarehooked.
ThisfunctionisinvokedwithinanapplicationbeforecallingSSLvalidationmeth-odssothattheproperactionscanbetaken.
Thefunctionreturnsoneifthereisnohookingandzeroifafunctionishooked.
makeZero(obj):Thisfunctionisusedtozerothevalueofasensitivevariableafteritsuse.
encPwd()anddecPwd():TheseAPIsareusedforencryptingsensitivedataimmediatelyafterthedataiscreatedanddecryptingthedataonlyduringitsuse.
Afterthesensitivedatahasbeenused,itshouldbeclearedfrommemorypermanently.
listed()andunlisted():Thesefunctionstrackseveralobjectsinordertoclearthemfrommemorysimultaneously.
Sensitiveobjectsareaddedtothelisttokeeptrackofthem;theyareallclearedatonetimeusinganAPI.
Forexample,whenadeviceislockedand/oranappisclosed(hiddenorterminated),itmaybenec-essarytowipeallthesensitivedata.
Inthiscase,itisnecessarytoaddresetZeroAll()tothestate-changenotifyfunctionsinAppDelegate.
Severaltoolsareavailableforattackerstomodifythevaluesofcriticaldataandchangethebehaviorofanappli-cationatruntime.
SuchmodicationscanbetrackedusingthecreateCheck()andcreateCheckTest()APIstocreateacheck-sumofthecriticaldataandcheckitperiodicallytoensurethatthedataisnotmodiedbyanattacker.
4.
2UsingtheDynamicLibraryWheneverlesaremodied,accessedorcreated,thehijackedopen()callisinvokedandthemodied,accessed,createddatesandtimestamps(MACDTS)arecapturedandstoredinthelogle.
Thelogleisstored244ADVANCESINDIGITALFORENSICSXIiSecureRing.
.
.
JailbreakingEncryptionCheckCodeTamperingSimulatingAttacksTimestampTamperingConfidentialDataStealingDebugModeHookingFigure2.
Simulatingattacksondevices.
outsidetheiPhoneatasecurelocationsuchasaserverorinthecloud.
Theinformationintheloglecanbeusedinaforensicinvestigationofthesmartphoneintheeventofasecurityincident.
5.
ExperimentalResultsTheexperimentsinvolvedthecreationoftwoapps,onewithoutanyprotectionandtheotherprotectedbyiSecureRing.
TheappswerethendeployedonajailbrokeniPhone4(iOS1f20;BACKGROUND-COLOR:#4ae2f7">7.
0.
6).
Aseriesofattacksweresimulatedontheappsandtheirdatatovalidatetheproposedsolution(Figure2).
Attheapplicationlevel,theappsweresubjectedtovariousattackstoexploitthelackofbinaryprotection[2].
TheresultsinTable2demonstratethatanappwithiSecureRingrunningonajailbrokeniPhone(Row3)isjustassecureasanormalapprunningonanon-jailbrokeniPhone(Row1).
Performancebenchmarkingwasconductedforthethreecasesconsid-eredintheexperiments.
Figure3summarizestheresultsoftheinitialtests(veruns).
Theresultsshownosignicantdierencesindeviceperformance.
Govindaraj,Mata,Verma&Gupta245Table2.
Attacksandresults.
iPhone4Jail-DebugEncryptionHookingCode(iOS1f20;BACKGROUND-COLOR:#4ae2f7">7.
0.
6)brokenModeCheckTamperingNotJailbrokenYesNoNoNoNo(Appwithoutprotection)JailbrokenN/AYesYesYesYes(Appwithoutprotection)JailbrokenN/ANoNoNoNo(AppwithiSecureRing)02004006008001,0001,2001,4001,6001,800CPUIntegermathCPUFloatingpointmathStoragewriteStoragereadMemorywriteMemoryread2D-Complexvectors2D-Imagerendering3D-ComplextestJailbrokenwithiSecureRingJailbrokenwithoutiSecureRingNotJailbrokenFigure3.
Performancebenchmarkresults.
Figure4.
MACDTSlogsforanimagele.
iSecureRingalsohelpsdetectattemptstoexploitknownorunknownvulnerabilitiesbycapturingthetimestampsofactivitiesassociatedwithasecuredapp.
OneexperimentinvolvedtimestamptamperingattemptsonimagesfromApple'sPhotoapp.
iSecureRingsuccessfullycapturedalltheeventsinthelog.
Ananalysisofthelogclearlyrevealedthetamperingattempts.
Figure4showstheMACDTSlogsforoneoftheimages.
246ADVANCESINDIGITALFORENSICSXIFigure5.
Preventingadebugmodeattack.
DebugModeAttack.
Figure5showsascreenshotofanXcodeap-plicationrunninginthedebugmode[11f20;BACKGROUND-COLOR:#4ae2f7">7]whileitwasbeingprotectedbyiSecureRing.
EncryptionAttack.
Clutch[11f20;BACKGROUND-COLOR:#4ae2f7">7]wasusedtosimulateanencryptionattack(Clutchmaybedownloadedfromcydia.
iphonecake.
com).
iSe-cureRingincludesachecktodetermineifapplicationencryptionisintactbyanalyzingencryptioninformationinthebinaryandalsothecryptidagvalue.
Iftheapplicationencryptionisfoundtobebroken,thentheuserisalertedandtheapplicationbehaviorcanbechangedatruntime.
Hooking.
AhookingattackwassimulatedbyhookingSSLvalidationmethods.
Itispossibletolaunchaman-in-the-middleattackonevenHTTPSrequeststounderstand,stealandmodifytherequesteddata.
iSecureRingincorporatesseveralcheckstoidentifythehookingofcriticalmethodssuchasSSLvalidationandauthentication.
ApplicationsthatuseiSecureRingareprotectedagainsttheattacksbecausetheuserisalertedandtheappbehaviorcanbechanged.
CodeTampering.
AcodetamperingattackwassimulatedusingCy-cript[1f20;BACKGROUND-COLOR:#4ae2f7">7],aJavaScriptinterpreter.
ThetoolwasusedtomodifyiOSapplicationbehavioratruntime(e.
g.
,bypassingsomeauthenticationchecksandaccessingcriticalinformationfrommemory).
AnapplicationcompiledwithiSecureRingprovidesAPIsforidentifyingcodetamper-ingofcriticalinstancevariablesandclassobjectsusingCRCchecksums.
Also,APIsareprovidedforwipingsensitivedatafrommemory.
6.
CaseStudyTheiSecureRingimplementationwassuccessfullyusedtosecureaniPhonemobileappforaleadingbankinIndia.
ProblemStatement.
Thebankhadasecurityincidentinwhichtheapplicationrunningonajailbrokendevicerevealedsensitivedata.
JailbreakingAttack.
TheattackerhadusedthelatestjailbreakingtoolforiOS1f20;BACKGROUND-COLOR:#4ae2f7">7.
1.
2Pangu[1].
Theattackeralsousedcertaintweakstode-Govindaraj,Mata,Verma&Gupta241f20;BACKGROUND-COLOR:#4ae2f7">7featjailbreakdetection.
SometweakswithinCydiabypassthejailbreakdetectioncheckofanapplicationandmaketheapplicationrunnormallyevenonjailbrokendevices.
OnesuchtweakisxCon[12],whichhookslow-levelAPIsusedforjailbreakdetectionsuchasle-relatedAPIsandothersystemcalls,thusbypassingthejailbreakdetectionfunctionsusedintheapplication.
NocongurationisrequiredforxCon,aMobileSub-stratedynamiclibrarythatcanbeinstalledfromCydia.
iSecureRingResults.
ThebankappwassecuredusingiSecureRing.
Thejailbreakdetectionfunctionwasrobustenoughtocheckifthede-vicewasjailbrokenandifanyjailbreakdetectionbypassingfunctionswerepresent.
ThesolutionwastestedwithxCon39beta1f20;BACKGROUND-COLOR:#4ae2f7">7oniPhone4deviceswithiOSversion1f20;BACKGROUND-COLOR:#4ae2f7">7.
1.
2.
xConwasunabletobypassthejailbreakdetectiontechniquesusedbyiSecureRing.
TheiSecureRingsolutionchecksfortheexistenceofle-relatedsystemfunctionhooking,render-ingxCon-liketweaksuseless.
ThesolutionalsomitigatesthejailbreakdetectionbypassingmechanismprovidedbythexCondynamiclibrary.
1f20;BACKGROUND-COLOR:#4ae2f7">7.
ConclusionsTheiSecureRingsolutionsecuresappsonjailbrokeniOSdevices.
Thestaticlibraryhelpsdetectsecurityvulnerabilitiesandalertsuserstotakeappropriateactions.
Thedynamiclibraryhelpsdetectmalicioustam-peringofdatabystoringauthenticcopiesofMACDTSvaluesonalocalserverorinthecloud;thisalsosupportsoinedigitalforensicinvestigationsaftersecurityincidents.
Thus,iSecureRingenablesexist-ingandnewappstobesecuredandmadeforensic-readyeveniftheiOSdevicehasbeenjailbroken.
WithenterprisesimplementingBYODpoliciesandjailbrokendevicesmakingtheirwayintoenterprises,theiSecureRingsolutionhelpsenterprisesmitigatethesecurityriskswhileenablingemployeestouseonedeviceforocialandpersonalactivities.
Futureresearchwillfocusonanalyzinganomalousinteractionswithsecuredapps,blockingattacksandraisingalerts.
EortswillalsobemadetocreatesimilarsolutionsforAndroidandWindowssmartphones.
References[1]J.
Benjamin,HowtojailbreakiOS1f20;BACKGROUND-COLOR:#4ae2f7">7.
1.
xwithPangu1.
1onWin-dows,iDownloadBlog,June29,2014.
[2]C.
D'Orazio,A.
ArinandK.
Choo,iOSanti-forensics:Howcanwesecurelyconceal,deleteandinsertdataProceedingsoftheForty-SeventhHawaiiInternationalConferenceonSystemSciences,pp.
4838–4841f20;BACKGROUND-COLOR:#4ae2f7">7,2014.
248ADVANCESINDIGITALFORENSICSXI[3]D.
Ertel,DecryptingiOSapps(www.
infointox.
net/p=114),2013.
[4]S.
Esser,ExploitingtheiOSkernel,presentedatBlackHatUSA,2011.
[5]P.
Gianchandani,iOSApplicationSecurityPart2–GettingClassInformationofiOSApps,InfosecInstitute,ElmwoodPark,Illinois,2014.
[6]GitHub,ToolsforsecurelyclearingandvalidatingiOSapplicationmemory,SanFrancisco,California(github.
com/project-imas/memory-security),2014.
[1f20;BACKGROUND-COLOR:#4ae2f7">7]S.
GuerreroSelma,HackingiOSontherun:UsingCycript,pre-sentedattheRSAConference,2014.
[8]A.
HoogandK.
Strzempka,iPhoneandiOSForensics:Investiga-tion,AnalysisandMobileSecurityforAppleiPhone,iPadandiOSDevices,Syngress,Waltham,Massachusetts,2011.
[9]iPhoneDevWiki,debugserver(iphonedevwiki.
net/index.
php/Debugserver),2015.
[10]iPhoneDevWiki,Theos(iphonedevwiki.
net/index.
php/Theos),2015.
[11]iPhoneHacks,JailbreakingyouriPhoneremainslegalinUS,butitisillegaltojailbreakyouriPadandunlockyouriPhoneunderDMCA,October26,2012.
[12]iPhoneWiki,xCon(theiphonewiki.
com/wiki/XCon),2014.
[13]C.
Miller,Owningthefanboys:HackingMacOSX,presentedatBlackHatJapan,2008.
[14]C.
Miller,Mobileattacksanddefense,IEEESecurityandPrivacy,vol.
9(4),pp.
68–1f20;BACKGROUND-COLOR:#4ae2f7">70,2011.
[15]S.
Morrissey,iOSForensicAnalysisforiPhone,iPadandiPodTouch,Apress,NewYork,2010.
[16]M.
Renard,PracticaliOSappshacking,ProceedingsoftheFirstInternationalSymposiumonGrey-HatHacking,pp.
14–26,2012.
[11f20;BACKGROUND-COLOR:#4ae2f7">7]B.
Satish,PenetrationTestingforiPhoneApplications–Part5,InfosecInstitute,ElmwoodPark,Illinois,2013.
[18]SaurikIT,CydiaSubstrate,IslaVista,California(www.
cydiasubstrate.
com),2014.
[19]A.
Smith,SmartphoneOwnership2013,PewResearchCenter,Washington,DC,June5,2013.
Govindaraj,Mata,Verma&Gupta249[20]B.
Trebitowski,BeginningJailbrokeniOSDevelopment–BuildingandDeployment,Pixegon,Albuquerque,NewMexico(brandontreb.
com/beginning-jailbroken-ios-development-building-and-deployment),2011.
[21]R.
Verma,J.
GovindarajandG.
Gupta,Preservingdateandtime-stampsforincidenthandlinginAndroidsmartphones,inAdvancesinDigitalForensicsX,G.
PetersonandS.
Shenoi(Eds.
),Springer,Heidelberg,Germany,pp.
209–225,2014.
Asaresult,usersoftenjailbreaktheiriPhonestodefeatthisre-striction.
JailbrokeniPhonesaremakingtheirwayintoenterprisesthathaveaBringYourOwnDevice(BYOD)policy,butthesedevicesareof-tenbarredorrestrictedbymobiledevicemanagementsoftwarebecausetheyposesecurityrisks.
ThischapterdescribestheiSecureRingsolutionthatsecuresmobileappsandpreservesthedatesandtimestampsofeve-ntsinordertosupportforensicexaminationsofjailbrokeniPhones.
AnanalysisoftheliteraturerevealsthatiSecureRingistherstforensic-readymobileappsecuritysolutionforiOSapplicationsthatexecuteinunsecuredenterpriseenvironments.
Keywords:JailbrokeniPhones,enterpriseenvironments,forensicexaminations1.
IntroductionAccordingtoa2013Pewreport[19],40.
98%ofthesmartphonesusedbyadultAmericansareAppleiPhones.
Apple'siOSoperatingsystemdoesnotallowtheinstallationofapplications,extensionsandthemesthatarenotobtainedfromtheAppleAppStore.
Asaresult,usersfrequentlyjailbreaktheirdevicestoobtainrootaccessanddefeattheinstallationrestrictions[4].
AjailbrokeniPhoneallowstheretrievalofapplicationsandtheirassociateddata,potentiallycompromisingthesecurityoftheapplicationsandthecondentialityofthedata[4,16].
Sincejailbreakingisareality[8,11],itisincreasinglyimportanttodesignmobileapplicationsthatcanrunsecurelyonjailbrokeniPhones.
Therequirementofhavinganapplicationexecutesecurelyinanunse-cureenvironmentiscriticaltoscenarioswhereaproprietaryapplica-cIFIPInternationalFederationforInformationProcessing2015G.
Peterson,S.
Shenoi(Eds.
):AdvancesinDigitalForensicsXI,IFIPAICT462,pp.
235–249,2015.
DOI:10.
1001f20;BACKGROUND-COLOR:#4ae2f7">7/91f20;BACKGROUND-COLOR:#4ae2f7">78-3-319-24123-414236ADVANCESINDIGITALFORENSICSXItionshouldworkwithoutimpactingenterprisesecurity.
Atthistime,enterprisesthathaveaBringYourOwnDevice(BYOD)policygener-allydetectandrestrictjailbrokeniPhonesusingmobiledevicemanage-mentsoftwaresuchasCitrix'sXenMobileandIBM'sEndpointManager.
Thus,employeeshavetoun-jailbreaktheiriPhonesorinstallenterpriseapplicationsonotherapproveddevices.
Thesolutionproposedinthischapterenablesenterprisestoinstalltheirapplicationssecurelyonjail-brokeniPhones.
Newappsandexistingappscanbesecuredandbemadeforensic-ready.
Theforensicreadinessoftheappsenablesenter-prisestocheckiftheappsrunsecurelyandalsoensuresthatforensicartifactsareavailableintheeventofsecurityincidents.
2.
RelatedWorkD'Orazioetal.
[2]haveproposedaconcealmenttechniquethaten-hancesthesecurityofunprotected(classD)datathatisatrestiniOSdevices,alongwithadeletiontechniquetoreinforcedatadeletioniniOSdevices.
Hackersandmalicioususersresorttotechniquessuchasjailbreaking,runninganappinthedebugmode,reverseengineering,dy-namichookingortamperinginordertoaccessorcompromisesensitivedatastoredbyiOSapps:Jailbreaking:Attackersusejailbreakingtoobtainsystem-level(root)accesstoiOSdevices,potentiallycompromisingthesecurityofapplicationsandtheirassociateddata[15].
DebuggerMode:Attackersruntargetedapplicationsinthede-bugmode,obtainmemorydumpsandoverwritethememorywithmaliciouscode[9,13].
ReverseEngineering:AppsfromtheAppleStoreareencryptedusingApple'sFairplayDRM,whichcomplicatesthetaskofreverseengineeringbinaries.
However,anattackercanoverwritetheen-cryptioninformationofanapplicationinajailbrokendevicetoob-tainthememorydumpandanalyzeittocreatenewattacks[3,16].
DynamicCodeHooking:Afteradeviceisjailbroken,anat-tackercanhookmaliciouscodetoanappatruntimeinordertobypasssecuritychecks,potentiallycompromisingthesecurityoftheapplicationanditsdata[20].
Tampering:Attackerscanmodifythedatesandtimestampsofartifactsinordertocovertheirtracks.
Vermaetal.
[21]havere-centlyproposedamechanismforpreservingdatesandtimestampsinsupportofforensicexaminationsofAndroidsmartphones.
Govindaraj,Mata,Verma&Gupta231f20;BACKGROUND-COLOR:#4ae2f7">7ThischapterpresentsatechniqueforprotectingapplicationsanddatainjailbrokeniOSdevices.
Intheeventofasecurityincident,thetech-niquecanbeusedtosupportaforensicexaminationofajailbrokendevice.
3.
ImplementationMethodologyThesolutionhastwomodules:(i)astaticlibrarythatwrapsappsrunningonjailbrokendeviceswithanextralayerofprotection,makingthemdiculttocrackandpreventingaccesstotheirdata;and(ii)amodulethatpreservesauthenticdatesandtimestampsofeventsrelatedtothesecuredappstosupportforensicexaminations.
Thecaptureddatesandtimestampsarestoredoutsidethedeviceonasecureserverorinthecloud.
Themodulesarediscussedinfollowingsubsections.
3.
1SecuringAppsThestaticlibrary,whichisdesignedtosecureapps,incorporatesAPIsthatmaybeusedtoidentifyandmitigatesecurityvulnerabilitiesinjailbrokeniPhones[6].
Functionsinthelibraryinclude:isCheck1(),whichchecksifaniPhoneisjailbroken;isCheck2(),whichchecksifanapplicationisrunninginthedebugmode;enableDB(),whichdisablesthegdb(debugger)foraparticularapplication(process);isAppC(),whichchecksifanapplicationbinaryisencryptedandalsocheckstheintegrityofapplicationbundleles(Info.
Plist);initialize(),whichchecksifstaticlibraryfunctionsarehooked;CheckA(),whichchecksifcriticalmethods(functions)passedasargumentsarehooked;CheckS(),whichchecksifmethods(functions)relatedtoSSLcerticatevalidationarehooked;createCheck()andcreateCheckTest(),whichcheckifanapplicationhasbeentamperedwith;andresetZeroAll(),whichwipessensitivedatafrommemory.
3.
2PreservingDatesandTimestampsThedynamiclibraryhasbeencreatedusingtheMobileSubstrateframework.
ThisframeworkprovidesAPIsforaddingruntimepatchesorhookstosystemfunctionsinjailbrokeniOSdevices[18].
ThesolutionarchitectureshowninFigure1incorporatesthreecomponents:DynamicLibrary(dylib):Thiscomponenthookssystemopencallsandcaptureskernel-leveldatesandtimestampsofselectedlesandwritesthemtothelogle.
Itisloadedintorunningapplications.
Filtersareappliedsothatitisonlyloadedintospeciedapplications.
238ADVANCESINDIGITALFORENSICSXIFileModification/CreationProcessStartedDynamicLibraryHookedOpen()AppDBUpdateTimestampLogFileUploadLogFiletoSecureLocationOriginalOpen()FileAttributesGeneratedUserSpaceKernelSpaceiOSDeviceSecuredApp(UsingStaticLibrary)CydiaSubstrateDynamicLibraryLoadedFigure1.
Solutionarchitectureforpreservingdateandtimestamps.
TimestampLogFile:ThiscomponentisstoredintheinternalmemoryofaniPhone.
Itisnotdirectlyaccessibletoapplications,whichsecuresitfromunauthorizeddeletion.
LogFile:ThiscomponentisgeneratedbytheDLL.
Itisup-loadedatregularuser-denedintervalstoanexternalserverorcloudstoragebasedonnetworkconnectivity.
3.
3StaticLibraryThestaticlibraryisdesignedtosecureapplicationsandtheirassoci-ateddata.
Thelibrarywrapsappsinanadditionallayerofprotection,whichmakesthemmorediculttocrackinajailbrokeniOSdevice.
ThestaticlibrarycontainsseveralAPIs(Table1)thatcanbeusedtoidentifysecurityvulnerabilitiesinjailbrokendevices.
Thelibraryimplementsthedetectionofjailbrokendevices,thedisablingofapplicationdebuggers,thecheckingofapplicationencryption(forAppStorebinaries)andthedetectionofdynamiccodehooking.
Notethatthefunctionnamesareintentionallynotverydescriptiveinordertoenhancecodeobfuscationandhindermaliciousreverseengineeringeorts.
Govindaraj,Mata,Verma&Gupta239Table1.
StaticlibraryAPIs.
APIDescriptionisCheck1()ChecksifadevicehasbeenjailbrokenisAppC()ChecksiftheapplicationencryptionprovidedbytheAppStoreisintactenableDB()DisablestheapplicationdebuggerisCheck2()ChecksifanappisrunninginthedebugmodeInitialize()ChecksiflibraryAPIsarehookedbymethodswizzlingtech-niquescheckA()Checksifafunctionishookedbyamethodswizzlingtech-niquecheckS()ChecksiftheSSLvalidationmethodsprovidedbytheiOSSDKarehookedmakeZero()FindsthedataportionofobjectmemoryandzeroesitoutencPwd()EncryptsobjectdatainmemoryusingasecretdecPwd()Decryptsobjectdatainmemoryusingasecretlisted()AddsanobjecttothepointerlistusedbytheAPIsunlisted()RemovesanobjectfromthepointerlistresetAllZero()WipesalltrackedobjectscreateCheck()Providesandstaticallystoresastringofallthetrackedmem-oryaddressesandobjectchecksumscreateCheckTest()ChecksifthecurrentmemorystatesofallthetrackedobjectsmatchtheirstateswhenchecksumMem()wascalled3.
4DynamicLibraryThedynamiclibrarywascreatedusingtheMobileSubstrateframe-work,nowknownastheCydiaSubstrate[18].
TheframeworkprovidesaplatformandAPIsforaddingruntimepatchesorhookstosystemfunctionsaswellasotherapplicationsonjailbrokeniOSandrootedAndroiddevices.
TheMobileSubstrateframeworkincorporatesthreecomponents:(i)Mobilehooker;(ii)Mobileloader;and(iii)Safemode.
Mobilehooker:Thiscomponentreplacestheoriginalfunctionwiththehookedfunction.
TwoAPIsmaybeusedforiOSdevices:(i)MSHookMessage(),whichismainlyusedtoreplaceObjective-Cmethodsatruntime;and(ii)MSHookFunction(),whichisusedtoreplacesystemfunctions,mainlynativecodewritteninC,C++orassembly.
Mobileloader:CydiaSubstratecodeiscompiledtocreatethedynamiclibrary,whichisplacedinthedirectory/Library/MobileSubstrate/DynamicLibraries/injailbrokeniOSdevices.
ThemaintaskofMobileloaderistoloadthedynamiclibraryintorunning240ADVANCESINDIGITALFORENSICSXIapplications.
TheMobileloaderinitiallyloadsitselfandthenin-vokesdlopenonallthedynamiclibrariesinthedirectoryandloadsthematruntime.
ThedynamiclibrariesareconguredusingPropertyList(PList)les,whichactaslters,controllingifalibraryshouldbeloadedornot.
ThePListleshouldhavethesamenameasthatofdylibandshouldbestoredinthesamedirectoryasdylib.
ThePListshouldcontainasetofarraysinadictionarywiththekeyFilter.
Theotherkeysusedare:(i)Bundles(array)–theBundleIDofarunningapplicationismatchedagainstthelist,ifamatchoccurs,thendylibisloaded;(ii)Classes(array)–thedylibisloadedifoneofthespeciedObjective-Cclassesinthelistisimplementedintherunningapplication;and(iii)Executables(array)–dylibisloadedifanexecutablenameinthelistmatchestheexecutablenameoftherunningapplication.
Anexampleis:Filter=Executables=("mediaserverd");Bundles=("com.
apple.
MobileSlideShow");Mode="Any";;Intheexample,thelterensuresthatdylibisloadedonlyfortheiOSbuilt-inapplicationPhotos,whoseexecutablenamematchesmediaserverdorBundleIDiscom.
apple.
MobileSlideShow.
TheModekeyisusedwhentherearemorethanonelters.
Byspecify-ingMode=Any,dylibisloadedifoneoftheltershasamatch.
Safemode:Inthismode,allthird-partytweaksandextensionsaredisabled,preventingtheiOSdevicefromenteringthecrashmode.
Followingthis,thebrokendylibcanbeuninstalledfromthedevice.
CompilationProcedure.
TheTheos[10]developmentsuitewasusedtoedit,compileandinstallthedynamiclibraryonadevice.
ItprovidesacomponentnamedLogos,whichisabuilt-inpre-processor-basedlibrarydesignedtosimplifythedevelopmentofMobileSubstrateextensions.
Inordertocompilethedynamiclibrary,TheosmustbeinstalledonaMacmachine.
AMacOSXhasmostofthetoolsrequiredbyTheos;however,Xcodecommandlinetoolsmustbeinstallediftheyarenotpresent.
Ad-ditionally,itisnecessarytoinstalltheldidtool,whichisusedtosignappsortweakssothattheycanbeinstalledonjailbrokeniOSdevices.
Tostarttheproject,itisnecessarytoobtainalltheiOSprivatehead-ersofthefunctionsintendedtobehooked.
TheheaderscanbedumpedGovindaraj,Mata,Verma&Gupta241usingtheClass-Dump-Zcommandlinetool[5].
Thisreverseengineer-ingtoolprovidescompleteheaderinformationoftheObjective-CcodeofaniOSapplication.
Dumpingtheheaderscantakesometimebecauseheadersfromalltheframeworks,includingprivateframeworks,arealsocollected.
Thedumpedheadersaresavedinafolderwiththecorre-spondingframeworkname.
Insteadofdumpingtheheaders,headerscollectedbyotherresearcherscanbeused(e.
g.
,headersfromGitHub).
Alltheheadersaresavedat/opt/theos/include.
ThenextstepistocreatetheTheosproject.
Thisinvolvesexecutingthele/opt/theos/bin/nic.
plfromthecommandlineandchoosingtheprojecttemplate,name,etc.
Theprojecttypeshouldbelibrarybecausethegoalistohookasystemfunction.
Aftertheprojecthasbeencreated,anewlenamedtweak.
xmisfoundintheprojectdirectory;thisleisusedtostorethehookingcode.
Thefollowingpseudocodeforhookinganopen()systemcallisaddedinthetweak.
xmle:extern"C"{intorig\_open(constchar*path,intoflags);}inthijacked\_open(constchar*path,intoflags){//dosomething,thenreturnorig\_open(path,oflags);}\%ctor{NSAutoreleasePool*pool=[[NSAutoreleasePoolalloc]init];MSHookFunction(open(),\&hijacked\_open,\&orig\_open);[pooldrain];}TheMSHookFunction()APIisusedtohooktheopen()systemcall.
Thereplacementfunctionishijackedopen().
Themakefileisthenmodiedtoaddtherequiredframeworks.
NotethattheFoundationframeworkisusedtocreatethehookingcode.
ThetargetSDKversionandthearchitectureneededtosupportitarealsoadded:TARGET:=iPhone:1f20;BACKGROUND-COLOR:#4ae2f7">7.
0ARCHS:=armv1f20;BACKGROUND-COLOR:#4ae2f7">7arm64ProjectName\_FRAMEWORKS=FoundationOncedone,callmakefromcommandlineasbelow.
xyz:testxyzmakeMakingallforapplicationtest.
.
.
Copyingresourcedirectoriesintotheapplicationwrapper.
.
.
Signingtest.
.
.
TheprojectisthencompiledandaDLLiscreatedintheobjfolder.
242ADVANCESINDIGITALFORENSICSXIDLLLoading.
AftertheDLLiscreated,itcanbeinstalledonadevicebytheTheossuiteusingthecommandmakepackageinstall.
ThiscommandcreatesaDebianpackageoftheDLLandinstallsitintheproperlocationonthedevice.
Beforethisisdone,theenvironmentvariablemustbesettoexportTHEOSDEVICEIP=iPhoneDeviceIP.
Next,thepackageistransferredtothedeviceforinstallationviaSFTP.
TheiOSdeviceshouldbeonthesamenetworkasthecomputerusedfordevelopment[20].
4.
PreventingAttacksandAnti-ForensicsThesectiondiscusseshowattacksandanti-forensicapproachescanbemitigatedusingthestaticanddynamiclibraries.
4.
1UsingtheStaticLibraryBOOLisCheck1():ThisfunctionisusedtocheckifaniOSdeviceisjailbroken.
ItreturnsyesiftheiOSdeviceisjailbro-ken;otherwiseno.
Thisfunctioncanbecalledbeforeapplicationlaunch.
APIforCheckingDebugMode:TheapplicationexitswhenlaunchedinthedebugmodeusingtheenableDB()function.
Thisfunctioncanbecalledfrommain()andfromelsewhereintheprojecttodisabledebuggingatanystage.
BycallingenabledDB()inmain()orbeforeapplaunch,theapplicationcanbepreventedfromrunninginthedebugmode.
Therefore,thefunctionshouldbecalledinthereleasemode.
isCheck2():Thisfunctiongivesinformationabouthowtheap-plicationisrunning.
Iftheapplicationwasstartedinthedebugmode,thenavalueofoneisreturned;otherwisezeroisreturned.
BOOLisAppC(char*inBundlePath):Thisfunctionchecksiftheapplicationhasbeenhacked.
TheparameterinBundlePathcanbeanycharacterpointer;itisonlyaddedforobfuscationandisnotusedinsidethefunction.
Itincludesanappencryptioncheck(iftheAppStoreencryptionisbroken),signeridentitychecks,etc.
Iftheappiscracked,thefunctionreturnsyes;otherwiseno.
ThefunctionisprimarilyusedtocheckifAppStorebinariesarecracked.
intInitialize():ThisfunctionchecksiftheAPIsinthestaticlibraryarethemselveshooked.
Thefunctionhastobecalledini-tially,preferablyduringapplaunch,tocheckifthelibraryAPIsGovindaraj,Mata,Verma&Gupta243arehookedbymethodswizzling,afterwhichtheappropriateac-tionsmustbetaken.
Ifthefunctionsarehooked,thenitmakesnosensetousetheAPIstoprotectapplications.
intcheckA(constchar*MCl,constchar*MFr,constchar*MFn,void*funcPTR):Thisfunctionchecksifanyhookingisdoneforacriticalmethodwithinanapplicationpassedasanar-gumenttothefunction.
Thefunctionreturnsoneifnohookingisdiscoveredandzeroifafunctionishooked.
Itrequiresthemethodname,methodclassandthepathoftheframework(foraframe-workmethod)orappbundlepath(foranapplicationmethod).
intcheckS():ThisfunctionchecksifSSLcerticatevalidationmethodsprovidedbytheiOSSDKarehooked.
ThisfunctionisinvokedwithinanapplicationbeforecallingSSLvalidationmeth-odssothattheproperactionscanbetaken.
Thefunctionreturnsoneifthereisnohookingandzeroifafunctionishooked.
makeZero(obj):Thisfunctionisusedtozerothevalueofasensitivevariableafteritsuse.
encPwd()anddecPwd():TheseAPIsareusedforencryptingsensitivedataimmediatelyafterthedataiscreatedanddecryptingthedataonlyduringitsuse.
Afterthesensitivedatahasbeenused,itshouldbeclearedfrommemorypermanently.
listed()andunlisted():Thesefunctionstrackseveralobjectsinordertoclearthemfrommemorysimultaneously.
Sensitiveobjectsareaddedtothelisttokeeptrackofthem;theyareallclearedatonetimeusinganAPI.
Forexample,whenadeviceislockedand/oranappisclosed(hiddenorterminated),itmaybenec-essarytowipeallthesensitivedata.
Inthiscase,itisnecessarytoaddresetZeroAll()tothestate-changenotifyfunctionsinAppDelegate.
Severaltoolsareavailableforattackerstomodifythevaluesofcriticaldataandchangethebehaviorofanappli-cationatruntime.
SuchmodicationscanbetrackedusingthecreateCheck()andcreateCheckTest()APIstocreateacheck-sumofthecriticaldataandcheckitperiodicallytoensurethatthedataisnotmodiedbyanattacker.
4.
2UsingtheDynamicLibraryWheneverlesaremodied,accessedorcreated,thehijackedopen()callisinvokedandthemodied,accessed,createddatesandtimestamps(MACDTS)arecapturedandstoredinthelogle.
Thelogleisstored244ADVANCESINDIGITALFORENSICSXIiSecureRing.
.
.
JailbreakingEncryptionCheckCodeTamperingSimulatingAttacksTimestampTamperingConfidentialDataStealingDebugModeHookingFigure2.
Simulatingattacksondevices.
outsidetheiPhoneatasecurelocationsuchasaserverorinthecloud.
Theinformationintheloglecanbeusedinaforensicinvestigationofthesmartphoneintheeventofasecurityincident.
5.
ExperimentalResultsTheexperimentsinvolvedthecreationoftwoapps,onewithoutanyprotectionandtheotherprotectedbyiSecureRing.
TheappswerethendeployedonajailbrokeniPhone4(iOS1f20;BACKGROUND-COLOR:#4ae2f7">7.
0.
6).
Aseriesofattacksweresimulatedontheappsandtheirdatatovalidatetheproposedsolution(Figure2).
Attheapplicationlevel,theappsweresubjectedtovariousattackstoexploitthelackofbinaryprotection[2].
TheresultsinTable2demonstratethatanappwithiSecureRingrunningonajailbrokeniPhone(Row3)isjustassecureasanormalapprunningonanon-jailbrokeniPhone(Row1).
Performancebenchmarkingwasconductedforthethreecasesconsid-eredintheexperiments.
Figure3summarizestheresultsoftheinitialtests(veruns).
Theresultsshownosignicantdierencesindeviceperformance.
Govindaraj,Mata,Verma&Gupta245Table2.
Attacksandresults.
iPhone4Jail-DebugEncryptionHookingCode(iOS1f20;BACKGROUND-COLOR:#4ae2f7">7.
0.
6)brokenModeCheckTamperingNotJailbrokenYesNoNoNoNo(Appwithoutprotection)JailbrokenN/AYesYesYesYes(Appwithoutprotection)JailbrokenN/ANoNoNoNo(AppwithiSecureRing)02004006008001,0001,2001,4001,6001,800CPUIntegermathCPUFloatingpointmathStoragewriteStoragereadMemorywriteMemoryread2D-Complexvectors2D-Imagerendering3D-ComplextestJailbrokenwithiSecureRingJailbrokenwithoutiSecureRingNotJailbrokenFigure3.
Performancebenchmarkresults.
Figure4.
MACDTSlogsforanimagele.
iSecureRingalsohelpsdetectattemptstoexploitknownorunknownvulnerabilitiesbycapturingthetimestampsofactivitiesassociatedwithasecuredapp.
OneexperimentinvolvedtimestamptamperingattemptsonimagesfromApple'sPhotoapp.
iSecureRingsuccessfullycapturedalltheeventsinthelog.
Ananalysisofthelogclearlyrevealedthetamperingattempts.
Figure4showstheMACDTSlogsforoneoftheimages.
246ADVANCESINDIGITALFORENSICSXIFigure5.
Preventingadebugmodeattack.
DebugModeAttack.
Figure5showsascreenshotofanXcodeap-plicationrunninginthedebugmode[11f20;BACKGROUND-COLOR:#4ae2f7">7]whileitwasbeingprotectedbyiSecureRing.
EncryptionAttack.
Clutch[11f20;BACKGROUND-COLOR:#4ae2f7">7]wasusedtosimulateanencryptionattack(Clutchmaybedownloadedfromcydia.
iphonecake.
com).
iSe-cureRingincludesachecktodetermineifapplicationencryptionisintactbyanalyzingencryptioninformationinthebinaryandalsothecryptidagvalue.
Iftheapplicationencryptionisfoundtobebroken,thentheuserisalertedandtheapplicationbehaviorcanbechangedatruntime.
Hooking.
AhookingattackwassimulatedbyhookingSSLvalidationmethods.
Itispossibletolaunchaman-in-the-middleattackonevenHTTPSrequeststounderstand,stealandmodifytherequesteddata.
iSecureRingincorporatesseveralcheckstoidentifythehookingofcriticalmethodssuchasSSLvalidationandauthentication.
ApplicationsthatuseiSecureRingareprotectedagainsttheattacksbecausetheuserisalertedandtheappbehaviorcanbechanged.
CodeTampering.
AcodetamperingattackwassimulatedusingCy-cript[1f20;BACKGROUND-COLOR:#4ae2f7">7],aJavaScriptinterpreter.
ThetoolwasusedtomodifyiOSapplicationbehavioratruntime(e.
g.
,bypassingsomeauthenticationchecksandaccessingcriticalinformationfrommemory).
AnapplicationcompiledwithiSecureRingprovidesAPIsforidentifyingcodetamper-ingofcriticalinstancevariablesandclassobjectsusingCRCchecksums.
Also,APIsareprovidedforwipingsensitivedatafrommemory.
6.
CaseStudyTheiSecureRingimplementationwassuccessfullyusedtosecureaniPhonemobileappforaleadingbankinIndia.
ProblemStatement.
Thebankhadasecurityincidentinwhichtheapplicationrunningonajailbrokendevicerevealedsensitivedata.
JailbreakingAttack.
TheattackerhadusedthelatestjailbreakingtoolforiOS1f20;BACKGROUND-COLOR:#4ae2f7">7.
1.
2Pangu[1].
Theattackeralsousedcertaintweakstode-Govindaraj,Mata,Verma&Gupta241f20;BACKGROUND-COLOR:#4ae2f7">7featjailbreakdetection.
SometweakswithinCydiabypassthejailbreakdetectioncheckofanapplicationandmaketheapplicationrunnormallyevenonjailbrokendevices.
OnesuchtweakisxCon[12],whichhookslow-levelAPIsusedforjailbreakdetectionsuchasle-relatedAPIsandothersystemcalls,thusbypassingthejailbreakdetectionfunctionsusedintheapplication.
NocongurationisrequiredforxCon,aMobileSub-stratedynamiclibrarythatcanbeinstalledfromCydia.
iSecureRingResults.
ThebankappwassecuredusingiSecureRing.
Thejailbreakdetectionfunctionwasrobustenoughtocheckifthede-vicewasjailbrokenandifanyjailbreakdetectionbypassingfunctionswerepresent.
ThesolutionwastestedwithxCon39beta1f20;BACKGROUND-COLOR:#4ae2f7">7oniPhone4deviceswithiOSversion1f20;BACKGROUND-COLOR:#4ae2f7">7.
1.
2.
xConwasunabletobypassthejailbreakdetectiontechniquesusedbyiSecureRing.
TheiSecureRingsolutionchecksfortheexistenceofle-relatedsystemfunctionhooking,render-ingxCon-liketweaksuseless.
ThesolutionalsomitigatesthejailbreakdetectionbypassingmechanismprovidedbythexCondynamiclibrary.
1f20;BACKGROUND-COLOR:#4ae2f7">7.
ConclusionsTheiSecureRingsolutionsecuresappsonjailbrokeniOSdevices.
Thestaticlibraryhelpsdetectsecurityvulnerabilitiesandalertsuserstotakeappropriateactions.
Thedynamiclibraryhelpsdetectmalicioustam-peringofdatabystoringauthenticcopiesofMACDTSvaluesonalocalserverorinthecloud;thisalsosupportsoinedigitalforensicinvestigationsaftersecurityincidents.
Thus,iSecureRingenablesexist-ingandnewappstobesecuredandmadeforensic-readyeveniftheiOSdevicehasbeenjailbroken.
WithenterprisesimplementingBYODpoliciesandjailbrokendevicesmakingtheirwayintoenterprises,theiSecureRingsolutionhelpsenterprisesmitigatethesecurityriskswhileenablingemployeestouseonedeviceforocialandpersonalactivities.
Futureresearchwillfocusonanalyzinganomalousinteractionswithsecuredapps,blockingattacksandraisingalerts.
EortswillalsobemadetocreatesimilarsolutionsforAndroidandWindowssmartphones.
References[1]J.
Benjamin,HowtojailbreakiOS1f20;BACKGROUND-COLOR:#4ae2f7">7.
1.
xwithPangu1.
1onWin-dows,iDownloadBlog,June29,2014.
[2]C.
D'Orazio,A.
ArinandK.
Choo,iOSanti-forensics:Howcanwesecurelyconceal,deleteandinsertdataProceedingsoftheForty-SeventhHawaiiInternationalConferenceonSystemSciences,pp.
4838–4841f20;BACKGROUND-COLOR:#4ae2f7">7,2014.
248ADVANCESINDIGITALFORENSICSXI[3]D.
Ertel,DecryptingiOSapps(www.
infointox.
net/p=114),2013.
[4]S.
Esser,ExploitingtheiOSkernel,presentedatBlackHatUSA,2011.
[5]P.
Gianchandani,iOSApplicationSecurityPart2–GettingClassInformationofiOSApps,InfosecInstitute,ElmwoodPark,Illinois,2014.
[6]GitHub,ToolsforsecurelyclearingandvalidatingiOSapplicationmemory,SanFrancisco,California(github.
com/project-imas/memory-security),2014.
[1f20;BACKGROUND-COLOR:#4ae2f7">7]S.
GuerreroSelma,HackingiOSontherun:UsingCycript,pre-sentedattheRSAConference,2014.
[8]A.
HoogandK.
Strzempka,iPhoneandiOSForensics:Investiga-tion,AnalysisandMobileSecurityforAppleiPhone,iPadandiOSDevices,Syngress,Waltham,Massachusetts,2011.
[9]iPhoneDevWiki,debugserver(iphonedevwiki.
net/index.
php/Debugserver),2015.
[10]iPhoneDevWiki,Theos(iphonedevwiki.
net/index.
php/Theos),2015.
[11]iPhoneHacks,JailbreakingyouriPhoneremainslegalinUS,butitisillegaltojailbreakyouriPadandunlockyouriPhoneunderDMCA,October26,2012.
[12]iPhoneWiki,xCon(theiphonewiki.
com/wiki/XCon),2014.
[13]C.
Miller,Owningthefanboys:HackingMacOSX,presentedatBlackHatJapan,2008.
[14]C.
Miller,Mobileattacksanddefense,IEEESecurityandPrivacy,vol.
9(4),pp.
68–1f20;BACKGROUND-COLOR:#4ae2f7">70,2011.
[15]S.
Morrissey,iOSForensicAnalysisforiPhone,iPadandiPodTouch,Apress,NewYork,2010.
[16]M.
Renard,PracticaliOSappshacking,ProceedingsoftheFirstInternationalSymposiumonGrey-HatHacking,pp.
14–26,2012.
[11f20;BACKGROUND-COLOR:#4ae2f7">7]B.
Satish,PenetrationTestingforiPhoneApplications–Part5,InfosecInstitute,ElmwoodPark,Illinois,2013.
[18]SaurikIT,CydiaSubstrate,IslaVista,California(www.
cydiasubstrate.
com),2014.
[19]A.
Smith,SmartphoneOwnership2013,PewResearchCenter,Washington,DC,June5,2013.
Govindaraj,Mata,Verma&Gupta249[20]B.
Trebitowski,BeginningJailbrokeniOSDevelopment–BuildingandDeployment,Pixegon,Albuquerque,NewMexico(brandontreb.
com/beginning-jailbroken-ios-development-building-and-deployment),2011.
[21]R.
Verma,J.
GovindarajandG.
Gupta,Preservingdateandtime-stampsforincidenthandlinginAndroidsmartphones,inAdvancesinDigitalForensicsX,G.
PetersonandS.
Shenoi(Eds.
),Springer,Heidelberg,Germany,pp.
209–225,2014.
阿里云秋季促销活动 轻量云服务器2G5M配置新购年60元
已经有一段时间没有分享阿里云服务商的促销活动,主要原因在于他们以前的促销都仅限新用户,而且我们大部分人都已经有过账户基本上促销活动和我们无缘。即便老用户可选新产品购买,也是比较配置较高的,所以就懒得分享。这不看到有阿里云金秋活动,有不错的促销活动可以允许产品新购。即便我们是老用户,但是比如你没有购买过他们轻量服务器,也是可以享受优惠活动的。这次轻量服务器在金秋活动中力度折扣比较大,2G5M配置年付...
wordpress公司网站模板 wordpress简洁高级通用公司主题
wordpress公司网站模板,wordpresss简洁风格的高级通用自适应网站效果,完美自适应支持多终端移动屏幕设备功能,高级可视化后台自定义管理模块+规范高效的搜索优化。wordpress公司网站模板采用标准的HTML5+CSS3语言开发,兼容当下的各种主流浏览器: IE 6+(以及类似360、遨游等基于IE内核的)、Firefox、Google Chrome、Safari、Opera等;同时...
NameCheap黑色星期五和网络礼拜一
如果我们较早关注NameCheap商家的朋友应该记得前几年商家黑色星期五和网络星期一的时候大促采用的闪购活动,每一个小时轮番变化一次促销活动而且限量的。那时候会导致拥挤官网打不开迟缓的问题。从去年开始,包括今年,NameCheap商家比较直接的告诉你黑色星期五和网络星期一为期6天的活动。没有给你限量的活动,只有限时六天,这个是到11月29日。如果我们有需要新注册、转入域名的可以参加,优惠力度还是比...
netbios端口为你推荐
-
处理器flash腾讯周鸿祎签约xpJAN-201f20;BACKGROUND-COLOR:#4ae2f7">16中南财经政法大学知识产权研究中心generatedgooglecontributionsgraph支持ipad支持ipad支持ipad