
How to hide from very curious users


📍 What are anti-RE controls, why do they exist, and who needs them
📍 What is the situation today?
📍 What do reverse engineers use?
📍 How easy it is to bypass it
📍 A few words about emulators

🎙 Anton Shepeta
Security Engineer at Cossack Labs, specialising in mobile application security with strong reverse engineering skills, covering both static and dynamic analysis. Anton has experience with mission-critical, financial, and govtech applications. Anton’s expertise in reverse engineering allows him to dissect an application's internal logic, identify potential weaknesses, and propose effective mitigation strategies.

CocoaHeads Ukraine

November 02, 2024


Transcript

  1. Resilience Against Reverse Engineering and Tampering
     Resilience controls in software are defensive measures that help applications continue functioning (or fail gracefully) when under attack or being tampered with. Absence of these measures does not necessarily cause vulnerabilities; instead, they provide additional threat-specific protection.
  2. Why do you need this
     • Compliance (PCI DSS, NIST SP 800-124r2)
     • Potential presence of installed malware due to user’s mistake
     • Preventing theft or compromise of valuable business assets such as proprietary algorithms, ML models
     • Ensuring competitive integrity in multiplayer games
     Screenshot of PCI DSS recommendation for mobile applications
  3. Resilience Against Reverse Engineering and Tampering
     According to OWASP requirements, resilience controls can be divided into four parts:
     MASVS-RESILIENCE-1 The app validates the integrity of the platform.
     MASVS-RESILIENCE-2 The app implements anti-tampering mechanisms.
     MASVS-RESILIENCE-3 The app implements anti-static analysis mechanisms.
     MASVS-RESILIENCE-4 The app implements anti-dynamic analysis techniques.
     https://mas.owasp.org/MASVS/
     https://mas.owasp.org/MASTG/
  4. Platform integrity
     • A compromised platform has disabled built-in security measures. Trusting the platform is essential for the many security controls that rely on the platform being secure (e.g. secure storage, biometrics, sandboxing, etc.)
     • Includes jailbreak detection and emulator detection
     • Cannot be fully satisfied due to the presence of undetectable solutions, such as Roothide and TrollStore
     typical iOS security researchers (they don’t look like this in reality and have furry or anime pfp)
  5. Platform integrity
     Vanilla iOS disallows many reverse engineering tasks, specifically:
     1. FairPlay DRM prevents app dumping (you can’t know whether your app was dumped)
     2. Kernel prevents accessing other apps’ memory space (you can’t know if I’m currently reversing your app)
     Since TrollStore isn’t a jailbreak, I don’t need to have a jailbroken device to dump any application from the device for static analysis or add debugging entitlements for dynamic analysis.
  6. Current jailbreak solutions
     checkra1n/palera1n: iOS 12.0 - iOS 18.0.1, all devices up until the A11 chip, semi-tethered, installable using a desktop device
     Dopamine: iOS 15.0 - iOS 16.6.1, any arm64/arm64e device, semi-untethered, installable via TrollStore
  7. Indicators of jailbroken devices
     • Suspicious files
     • Incorrect sandbox permissions
     • Injected dylibs
     • Atypical environment variables
     • Code signing flags
     • Disabled Library Validation
     Spoiler: unreliable and trivially bypassable in any application
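As an added illustration of the indicator list above (not code from the talk or from any library it names), the Swift below probes four of the six categories and returns which ones fired instead of acting on them. The path list and the injection-framework name list are assumed samples, not an exhaustive set.

```swift
import Foundation
import Darwin
import MachO

// Added example: each probe reports *what* fired so the caller can log it.
enum JailbreakIndicator {
    // Suspicious files: assumed sample of paths left behind by common jailbreaks.
    static let suspiciousPaths = [
        "/Applications/Cydia.app",
        "/Applications/Sileo.app",
        "/usr/sbin/sshd",
        "/private/var/lib/apt",
        "/var/jb"
    ]

    static func suspiciousFiles() -> [String] {
        let fm = FileManager.default
        return suspiciousPaths.filter { fm.fileExists(atPath: $0) }
    }

    // Incorrect sandbox permissions: a sandboxed app must not be able to
    // write outside its own container. Success here means the sandbox is broken.
    static func sandboxIsBroken() -> Bool {
        let probe = "/private/jb_probe_\(UUID().uuidString)"
        do {
            try "x".write(toFile: probe, atomically: true, encoding: .utf8)
            try? FileManager.default.removeItem(atPath: probe)
            return true
        } catch {
            return false
        }
    }

    // Injected dylibs: walk every image loaded into the process and look for
    // tweak-injection or instrumentation frameworks (assumed sample names).
    static func injectedLibraries() -> [String] {
        let markers = ["MobileSubstrate", "ellekit", "libhooker", "substitute", "FridaGadget"]
        var hits: [String] = []
        for i in 0..<_dyld_image_count() {
            guard let cName = _dyld_get_image_name(i) else { continue }
            let name = String(cString: cName)
            if markers.contains(where: { name.localizedCaseInsensitiveContains($0) }) {
                hits.append(name)
            }
        }
        return hits
    }

    // Atypical environment variables: DYLD_INSERT_LIBRARIES preloads code into the process.
    static func hasInjectionEnv() -> Bool {
        return getenv("DYLD_INSERT_LIBRARIES") != nil
    }
}
```

As the slide itself warns, every one of these checks can be bypassed from outside the app (Dopamine2-roothide, shadow), so the value is in reporting which indicator fired to analytics rather than in blocking the user.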
  8. iOS Security Suite
     https://github.com/securing/IOSSecuritySuite
     Allows implementing comprehensive application self-protection measures, including:
     • Jailbreak detection
     • Static integrity checks
     • Debugger detection
     • RE tools detection
     • Network settings detection
  9. Bypass solutions
     https://github.com/roothide/Dopamine2-roothide
     • Custom version of Dopamine jailbreak
     • Absolutely undetectable
     • Unreliably hides Frida and debugger
     https://github.com/jjolano/shadow
     • Installable as separate tweak
     • Detectable by iOSSecuritySuite until you slightly modify it
     • Might be unstable
     I don’t need to disassemble your application to bypass jailbreak detection, live with it
  10. Anti-tampering
     MASVS-RESILIENCE-2 means static integrity controls.
     • Includes runtime integrity checks of executable files and resources
     • Requires CI/CD configuration
     • Protects against repackaging attacks and re-distribution of a modified app copy
     • Mandatory for cross-platform applications, e.g. using Flutter
  11. Countermeasures against static analysis
     MASVS-RESILIENCE-3 means protection against static analysis:
     • Includes string obfuscation, code obfuscation and other advanced techniques
     • Requires CI/CD configuration
     • Protects secrets, e.g. API keys, OAuth client secret, code of self-protection measures, etc.
     OpenAI API key in application binary
  12. Countermeasures against static analysis
     Good libraries for string obfuscation:
     • swift-confidential https://github.com/securevale/swift-confidential
     • macro-ios-string-obfuscation https://github.com/vigram-sw/macro-ios-string-obfuscation (uses Swift macros, really easy to use)
     Good libraries for code obfuscation:
     • no good libraries available 😢, just rename sensitive classes and methods
     pls don’t use something like bnlhIGthd2FpaX4=, be more subtle
  13. Countermeasures against dynamic analysis
     MASVS-RESILIENCE-4 is a companion of the previous requirement, but implemented in a different way.
     • Debugger detection 🪲, protections against dynamic instrumentation tools like Frida
     • Does not require CI/CD configuration 🥰
     • Sometimes referred to as RASP (Runtime Application Self-Protection)
     Pure static analysis is very difficult and time consuming, so it typically goes hand in hand with dynamic analysis. Observing and manipulating an app during runtime makes it much easier to understand its behavior.
  14. How exactly can your application be attacked?
     Depends on the specific use cases, goals and skills of an attacker.
     silly memes
     retrieving sensitive data encrypted with Secure Enclave
  15. How to test jailbreak bypass? (also what to use as a reference implementation)
     Reveil https://github.com/Lessica/Reveil
  16. Emulator detection
     Currently, Corellium is the only emulator available for use.
     • Cloud-based emulation solution
     • Allows selecting any device
     • Supports all versions of iOS
     • Allows setting up any pre-boot aspect of the iOS device ☠
     • Does not have App Store or iCloud capabilities
     • Intended for security researchers
  17. Emulator detection
     Corellium can be detected in several ways, but there are two easy paths:
     • File system check
     • Absence of GPU acceleration
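Added example, not the talk's code, covering the debugger and Frida detection from slide 13 and the "absence of GPU acceleration" path from slide 17. Assumptions: frida-server's default TCP port 27042, and that real iOS hardware always exposes a default Metal device; the file-system path is not shown because the slide names no files.

```swift
import Foundation
import Darwin
import Metal

// Debugger detection: read our own kinfo_proc from the kernel and test P_TRACED,
// which is set while a debugger is tracing the process.
func isBeingDebugged() -> Bool {
    var info = kinfo_proc()
    var size = MemoryLayout<kinfo_proc>.stride
    var mib: [Int32] = [CTL_KERN, KERN_PROC, KERN_PROC_PID, getpid()]
    guard sysctl(&mib, UInt32(mib.count), &info, &size, nil, 0) == 0 else {
        return false   // sysctl failure means "unknown", not "debugged"
    }
    return (info.kp_proc.p_flag & P_TRACED) != 0
}

// Frida detection: frida-server listens on TCP 27042 by default (assumed here).
// A successful loopback connect is a strong hint; failure proves nothing, the port is configurable.
func fridaServerListening(port: UInt16 = 27042) -> Bool {
    let sock = socket(AF_INET, SOCK_STREAM, 0)
    guard sock >= 0 else { return false }
    defer { close(sock) }
    var addr = sockaddr_in()
    addr.sin_len = UInt8(MemoryLayout<sockaddr_in>.size)
    addr.sin_family = sa_family_t(AF_INET)
    addr.sin_port = port.bigEndian
    addr.sin_addr.s_addr = inet_addr("127.0.0.1")
    let rc = withUnsafePointer(to: &addr) { ptr in
        ptr.withMemoryRebound(to: sockaddr.self, capacity: 1) {
            connect(sock, $0, socklen_t(MemoryLayout<sockaddr_in>.size))
        }
    }
    return rc == 0
}

// Emulator detection via GPU acceleration: no default Metal device at all is
// the signal the slide describes (assumption: every shipping iPhone has one).
func gpuAccelerationMissing() -> Bool {
    return MTLCreateSystemDefaultDevice() == nil
}

// Collect every indicator that fired so it can be reported to analytics,
// as the talk recommends, instead of terminating on the first hit.
func dynamicAnalysisIndicators() -> [String] {
    var hits: [String] = []
    if isBeingDebugged() { hits.append("debugger attached") }
    if fridaServerListening() { hits.append("frida-server on default port") }
    if gpuAccelerationMissing() { hits.append("no Metal device (possible emulator)") }
    return hits
}
```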
  18. Key recommendations for implementation of anti-RE controls
     • Protect your secrets, don’t include API keys in plaintext
     • Make your controls stealthy and try to obtain information, e.g. send incidents to analytics and react accordingly
     • Don’t rely solely on jailbreak detection for app protection
     • Never forget that a reverse engineer always wins given unlimited time
     • Don’t implement controls just for the record, do it according to your risks and potential threats
  19. Q&A
     Let’s talk!
     Anton Shepeta, Security Engineer @ Cossack Labs
     https://www.linkedin.com/in/anton-shepeta-5a300b215/