Slide 1

How to hide from very curious users
Anton Shepeta, Security Engineer @ Cossack Labs

Slide 2

Anton Shepeta, Security Engineer @ Cossack Labs
Breaking things, building things, having fun c:

Slide 3

Resilience Against Reverse Engineering and Tampering
Resilience controls in software are defensive measures that help applications continue functioning (or fail gracefully) when under attack or being tampered with. The absence of these measures does not necessarily cause vulnerabilities; instead, they provide additional, threat-specific protection.

Slide 4

Why do you need this
● Compliance (PCI DSS, NIST SP 800-124r2)
● Potential presence of installed malware due to a user’s mistake
● Preventing theft or compromise of valuable business assets, such as proprietary algorithms and ML models
● Ensuring competitive integrity in multiplayer games
[Screenshot: PCI DSS recommendation for mobile applications]

Slide 5

Resilience Against Reverse Engineering and Tampering
According to OWASP requirements, resilience controls can be divided into four parts:
MASVS-RESILIENCE-1: The app validates the integrity of the platform.
MASVS-RESILIENCE-2: The app implements anti-tampering mechanisms.
MASVS-RESILIENCE-3: The app implements anti-static analysis mechanisms.
MASVS-RESILIENCE-4: The app implements anti-dynamic analysis techniques.
https://mas.owasp.org/MASVS/
https://mas.owasp.org/MASTG/

Slide 6

Platform integrity
● A compromised platform has its built-in security measures disabled. Trusting the platform is essential, because many security controls rely on the platform being secure (e.g. secure storage, biometrics, sandboxing, etc.)
● Includes jailbreak detection and emulator detection
● Cannot be fully satisfied due to the presence of undetectable solutions, such as RootHide and TrollStore
[Meme: “typical iOS security researchers”; they don’t look like this in reality and have furry or anime pfp]

Slide 7

Platform integrity
Vanilla iOS disallows performing many reverse engineering tasks, specifically:
1. FairPlay DRM prevents app dumping
2. The kernel prevents accessing another app’s memory space
[Callouts: “you can’t know whether your app was dumped”; “you can’t know if I’m currently reversing your app”]
Since TrollStore isn’t a jailbreak, I don’t need to have a jailbroken device to dump any application from the device for static analysis or add debugging entitlements for dynamic analysis.

Slide 8

Current jailbreak solutions
Jailbreak           | Supported iOS          | Devices                         | Type / installation
checkra1n/palera1n  | iOS 12.0 - iOS 18.0.1  | All devices up until A11 chip   | Semi-tethered, installable using desktop device
Dopamine            | iOS 15.0 - iOS 16.6.1  | Any arm64/arm64e devices        | Semi-untethered, installable via TrollStore

Slide 9

Indicators of jailbroken devices
● Suspicious files
● Incorrect sandbox permissions
● Injected dylibs
● Atypical environment variables
● Code signing flags
● Disabled Library Validation
Spoiler: unreliable and trivially bypassable in any application
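An added example (not code from the talk or from iOSSecuritySuite) of four of the six indicator categories above as plain Swift checks; the path and image-name lists are illustrative assumptions, and per the slide’s own spoiler the result is a set of signals to report, not a gate.

```swift
import Foundation
import MachO

// Added example, not the talk's code. Four indicator categories from the slide, each
// as a separate check. Path and image lists are illustrative assumptions only.
enum JailbreakIndicators {
    static let suspiciousPaths = [
        "/Applications/Cydia.app",
        "/Applications/Sileo.app",
        "/Library/MobileSubstrate/MobileSubstrate.dylib",
        "/private/var/lib/apt",
    ]
    static let suspiciousImages = ["mobilesubstrate", "substitute", "libhooker", "frida", "cynject"]

    // 1. Suspicious files left behind by jailbreaks and their package managers
    static func hasSuspiciousFiles() -> Bool {
        suspiciousPaths.contains { FileManager.default.fileExists(atPath: $0) }
    }
    // 2. Incorrect sandbox permissions: an intact sandbox refuses writes outside the app container
    static func canWriteOutsideSandbox() -> Bool {
        let probe = "/private/jb_probe_\(getpid()).txt"   // constructed probe path
        defer { _ = try? FileManager.default.removeItem(atPath: probe) }
        return (try? "probe".write(toFile: probe, atomically: true, encoding: .utf8)) != nil
    }
    // 3. Injected dylibs: walk every image dyld has mapped into this process
    static func hasInjectedDylibs() -> Bool {
        for i in 0..<_dyld_image_count() {
            guard let cName = _dyld_get_image_name(i) else { continue }
            let name = String(cString: cName).lowercased()
            if suspiciousImages.contains(where: { name.contains($0) }) { return true }
        }
        return false
    }
    // 4. Atypical environment variables: DYLD_INSERT_LIBRARIES loads code before main()
    static func hasInjectionEnvironment() -> Bool {
        getenv("DYLD_INSERT_LIBRARIES") != nil
    }
    // Returns the names of the indicators that fired instead of a single Bool, so the app
    // can report them (see slide 22: send incidents to analytics) rather than crash on the spot.
    static func triggered() -> [String] {
        var hits: [String] = []
        if hasSuspiciousFiles() { hits.append("suspicious_files") }
        if canWriteOutsideSandbox() { hits.append("sandbox_write") }
        if hasInjectedDylibs() { hits.append("injected_dylib") }
        if hasInjectionEnvironment() { hits.append("dyld_insert_libraries") }
        return hits
    }
}
```

Code signing flags and Library Validation state are not covered here; they need the csops system call and are the part of the list a tweak like Shadow hides first.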

Slide 10

iOS Security Suite
https://github.com/securing/IOSSecuritySuite
Allows implementing comprehensive application self-protection measures, including:
● Jailbreak detection
● Static integrity checks
● Debugger detection
● RE tools detection
● Network settings detection

Slide 11

Bypass solutions
https://github.com/roothide/Dopamine2-roothide
● Custom version of the Dopamine jailbreak
● Absolutely undetectable
● Unreliably hides Frida and debugger
https://github.com/jjolano/shadow
● Installable as a separate tweak
● Detectable by iOSSecuritySuite until you slightly modify it
● Might be unstable
I don’t need to disassemble your application to bypass jailbreak detection, live with it

Slide 12

Anti-tampering
MASVS-RESILIENCE-2 means static integrity controls.
● Includes runtime integrity checks of executable files and resources
● Requires CI/CD configuration
● Protects against repackaging attacks and re-distribution of a modified app copy
● Mandatory for cross-platform applications, e.g. those using Flutter

Slide 13

Countermeasures against static analysis
MASVS-RESILIENCE-3 means protection against static analysis:
● Includes string obfuscation, code obfuscation and other advanced techniques
● Requires CI/CD configuration
● Protects secrets, e.g. API keys, OAuth client secrets, the code of self-protection measures, etc.
[Screenshot: OpenAI API key in an application binary]

Slide 14

Countermeasures against static analysis
Good libraries for string obfuscation:
● swift-confidential https://github.com/securevale/swift-confidential
● macro-ios-string-obfuscation https://github.com/vigram-sw/macro-ios-string-obfuscation
Uses Swift macros, really easy to use
Good libraries for code obfuscation:
● no good libraries available 😢, just rename sensitive classes and methods
pls don’t use something like bnlhIGthd2FpaX4=, be more subtle

Slide 15

Countermeasures against dynamic analysis
MASVS-RESILIENCE-4 is a companion of the previous requirement, but implemented in a different way.
● Debugger detection 🪲, protections against dynamic instrumentation tools like Frida
● Does not require CI/CD configuration 🥰
● Sometimes referred to as RASP (Runtime Application Self-Protection)
Pure static analysis is very difficult and time consuming, so it typically goes hand in hand with dynamic analysis. Observing and manipulating an app during runtime makes it much easier to understand its behavior.
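An added example (not code from the talk or from iOSSecuritySuite) of the two checks this slide names: debugger detection through the kernel’s P_TRACED flag, and Frida detection by probing frida-server’s default listening port. It assumes iOS with Foundation/Darwin; the port number is Frida’s documented default and can be changed by whoever runs the server.

```swift
import Foundation

// Added example, not the talk's code: debugger and Frida detection as plain Swift
// functions that report what fired instead of reacting on the spot.

// Debugger detection: query the kernel for this process and test P_TRACED, the flag
// that is set while a debugger (lldb via debugserver) is attached.
func isDebuggerAttached() -> Bool {
    var info = kinfo_proc()
    var size = MemoryLayout<kinfo_proc>.stride
    var mib: [Int32] = [CTL_KERN, KERN_PROC, KERN_PROC_PID, getpid()]
    let rc = sysctl(&mib, UInt32(mib.count), &info, &size, nil, 0)
    guard rc == 0 else { return false }   // a failed query means "unknown", not "attached"
    return (info.kp_proc.p_flag & P_TRACED) != 0
}

// Frida detection: frida-server listens on TCP 27042 by default. A successful connect
// to that port on localhost is a strong signal; a refused connect proves nothing,
// because the port is configurable.
func isFridaServerListening(port: UInt16 = 27042) -> Bool {
    let fd = socket(AF_INET, SOCK_STREAM, 0)
    guard fd >= 0 else { return false }
    defer { close(fd) }
    var addr = sockaddr_in()
    addr.sin_len = UInt8(MemoryLayout<sockaddr_in>.size)
    addr.sin_family = sa_family_t(AF_INET)
    addr.sin_port = port.bigEndian
    addr.sin_addr.s_addr = inet_addr("127.0.0.1")
    let rc = withUnsafePointer(to: &addr) { raw in
        raw.withMemoryRebound(to: sockaddr.self, capacity: 1) { sa in
            connect(fd, sa, socklen_t(MemoryLayout<sockaddr_in>.size))
        }
    }
    return rc == 0
}

// Aggregate in the spirit of slide 22: collect what fired and let the caller decide
// how to react (report to analytics, degrade features) instead of crashing immediately.
func dynamicAnalysisIndicators() -> [String] {
    var hits: [String] = []
    if isDebuggerAttached() { hits.append("debugger") }
    if isFridaServerListening() { hits.append("frida_server_port") }
    return hits
}
```

Both functions return quickly and touch only local state, so they can be repeated at sensitive points in the app rather than once at launch, where a single hook neutralises them.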

Slide 16

How exactly can your application be attacked?
Depends on the specific use cases, goals and skills of an attacker.
[Illustration: from “silly memes” to “retrieving sensitive data encrypted with Secure Enclave”]

Slide 17

How to test jailbreak bypass?
(also what to use as a reference implementation)
Reveil https://github.com/Lessica/Reveil

Slide 18

Illustrative example of implemented checks
[Screenshots: RootHide; palera1n with attached debugger; Shadow]

Slide 19

Emulator detection
Currently, Corellium is the only emulator available for use.
● Cloud-based emulation solution
● Allows selecting any device
● Supports all versions of iOS
● Allows setting up any pre-boot aspects of an iOS device ☠
● Does not have App Store or iCloud capabilities
● Intended for security researchers

Slide 20

Emulator detection
Corellium can be detected in several ways, but there are two easy paths:
● File system check
● Absence of GPU acceleration

Slide 21

Emulator detection
[Table: dumped device properties from two real devices and an emulated Corellium environment]
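An added example (not code from the talk) covering the “absence of GPU acceleration” path from the previous slide and a property dump of the kind compared on this one. The GPU test asks Metal for a default device, which is nil wherever no Metal-capable GPU is exposed; the sysctl key list is an assumption, since the slide shows the table but not its exact keys, and the file system path is left out because the slide does not name the artifacts it checks.

```swift
import Foundation
import Metal

// Added example, not the talk's code. Assumes iOS with Foundation, Darwin and Metal.

// GPU acceleration: a physical iOS device always hands back a default Metal device;
// an environment that exposes no GPU returns nil.
func hasGPUAcceleration() -> Bool {
    MTLCreateSystemDefaultDevice() != nil
}

// Read one string-valued kernel property (hw.model, kern.osversion, ...) by name.
func sysctlString(_ name: String) -> String? {
    var size = 0
    guard sysctlbyname(name, nil, &size, nil, 0) == 0, size > 0 else { return nil }
    var buf = [CChar](repeating: 0, count: size)
    guard sysctlbyname(name, &buf, &size, nil, 0) == 0 else { return nil }
    return String(cString: buf)
}

// Dump a fixed set of properties so they can be compared against values captured
// from real devices. The key list is an assumption, not the slide's exact table.
func deviceProperties() -> [String: String] {
    let keys = ["hw.machine", "hw.model", "kern.ostype", "kern.osversion", "kern.version"]
    var props: [String: String] = [:]
    for key in keys {
        props[key] = sysctlString(key) ?? "<unavailable>"
    }
    props["gpu_acceleration"] = hasGPUAcceleration() ? "yes" : "no"
    return props
}
```

Send the dictionary to analytics alongside the other indicators rather than blocking on it: a single differing property is evidence, and the slide’s point is that the comparison, not any one value, identifies the emulated environment.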

Slide 22

Key recommendations for implementation of anti-RE controls
● Protect your secrets, don’t include API keys in plaintext
● Make your controls stealthy and try to obtain information, e.g. send incidents to analytics and react accordingly
● Don’t rely solely on jailbreak detection for app protection
● Never forget that the reverse engineer always wins if they have unlimited time
● Don’t implement controls just for the record, do it according to your risks and potential threats

Slide 23

Q&A
Let’s talk!
Anton Shepeta, Security Engineer @ Cossack Labs
https://www.linkedin.com/in/anton-shepeta-5a300b215/