are defensive measures that help applications continue functioning (or fail gracefully) when under attack or being tampered with. Absence of these measures does not necessarily cause vulnerabilities - instead, they provide additional threat-specific protection.
SP 800-124r2) • Potential presence of installed malware due to user’s mistake • Preventing theft or compromise of valuable business assets such as proprietary algorithms, ML models • Ensuring competitive integrity in multiplayer games Screenshot of PCI DSS recommendation for mobile applications
resilience controls can be divided in four parts: MASVS-RESILIENCE-1 The app validates the integrity of the platform. MASVS-RESILIENCE-2 The app implements anti-tampering mechanisms. MASVS-RESILIENCE-3 The app implements anti-static analysis mechanisms. MASVS-RESILIENCE-4 The app implements anti-dynamic analysis techniques. https://mas.owasp.org/MASVS/ https://mas.owasp.org/MASTG/
Trusting the platform is essential for many of the security controls relying on the platform being secure (e.g. secure storage, biometrics, sandboxing, etc.) • Includes jailbreak detection and emulator detection • Cannot be fully satisfied due to presence of undetectable solutions, such as Roothide and TrollStore typical iOS security researchers they don’t look like this in reality and have furry or anime pfp
tasks, specifically: 1. FairPlay DRM prevents app dumping 2. Kernel prevents accessing other app’s memory space you can’t know whether your app was dumped you can’t know if i’m currently reversing your app Since TrollStore isn’t a jailbreak, I don’t need to have a jailbroken device to dump any application from the device for static analysis or add debugging entitlements for dynamic analysis.
devices up until A11 chip Semi-tethered, installable using desktop device Dopamine iOS 15.0 - iOS 16.6.1 Any arm64/arm64e devices Semi-untethered, installable via TrollStore
Unreliably hides Frida and debugger https://github.com/jjolano/shadow Installable as separate tweak Detectable by iOSSecuritySuite until you slightly modify it Might be unstable I don’t need to disassemble your application to bypass jailbreak detection, live with it
checks of executable files and resources • Requires CI/CD configuration • Protects against repackaging attacks and re-distribution of modified app copy • Mandatory for cross-platform applications, e.g. using Flutter
• Includes string obfuscation, code, other advanced techniques • Requires CI/CD configuration • Protects secrets, e.g. API keys, OAuth client secret, code of self protection measures, etc. OpenAI API key in application binary
swift-confidential https://github.com/securevale/swift-confidential • macro-ios-string-obfuscation https://github.com/vigram-sw/macro-ios-string-obfuscation Uses Swift macros, really easy to use Good libraries for code obfuscation: • no good libraries available 😢, just rename sensitive classes and methods pls don’t use something like bnlhIGthd2FpaX4=, be more subtle
requirement, but implemented in different way. • Debugger detection 🪲, protections against dynamic instrumentation tools like Frida • Does not require CI/CD configuration 🥰 • Sometimes referred as RASP (Runtime Application Self-Protection) Pure static analysis is very difficult and time consuming so it typically goes hand in hand with dynamic analysis. Observing and manipulating an app during runtime makes it much easier to understand its behavior.
usage. • Cloud-based emulation solution • Allows to select any device • Supports all versions of iOS • Allows to setup any pre-boot aspects for iOS device ☠ • Does not have App Store or iCloud capabilities • Intended for security researches
don’t include API keys in plaintext Make your controls stealthy and try to obtain information, e.g. send incidents to analytics and react accordingly Don’t rely solely on jailbreak detection for app protection Never forget that reverse engineer always wins if has unlimited time constraints Don’t implement controls just for the record, do it according to your risks and potential threats