How to hide from too curious users

Transcript

1. How to hide from very curious users Anton Shepeta Security

   Engineer @ Cossack Labs

2. Anton Shepeta Security Engineer @ Breaking things, building things, having

   fun c:

3. Resilience Against Reverse Engineering and Tampering Resilience controls in software

   are defensive measures that help applications continue functioning (or fail gracefully) when under attack or being tampered with. Absence of these measures does not necessarily cause vulnerabilities - instead, they provide additional threat-specific protection.

4. Why do you need this • Compliance (PCI DSS, NIST

   SP 800-124r2) • Potential presence of installed malware due to user’s mistake • Preventing theft or compromise of valuable business assets such as proprietary algorithms, ML models • Ensuring competitive integrity in multiplayer games Screenshot of PCI DSS recommendation for mobile applications

5. Resilience Against Reverse Engineering and Tampering According to OWASP requirements,

   resilience controls can be divided in four parts: MASVS-RESILIENCE-1 The app validates the integrity of the platform. MASVS-RESILIENCE-2 The app implements anti-tampering mechanisms. MASVS-RESILIENCE-3 The app implements anti-static analysis mechanisms. MASVS-RESILIENCE-4 The app implements anti-dynamic analysis techniques. https://mas.owasp.org/MASVS/ https://mas.owasp.org/MASTG/

6. Platform integrity • Compromised platform has disabled built-in security measures

   Trusting the platform is essential for many of the security controls relying on the platform being secure (e.g. secure storage, biometrics, sandboxing, etc.) • Includes jailbreak detection and emulator detection • Cannot be fully satisfied due to presence of undetectable solutions, such as Roothide and TrollStore typical iOS security researchers they don’t look like this in reality and have furry or anime pfp

7. Platform integrity Vanilla iOS disallows performing many of reverse engineering

   tasks, specifically: 1. FairPlay DRM prevents app dumping 2. Kernel prevents accessing other app’s memory space you can’t know whether your app was dumped you can’t know if i’m currently reversing your app Since TrollStore isn’t a jailbreak, I don’t need to have a jailbroken device to dump any application from the device for static analysis or add debugging entitlements for dynamic analysis.

8. Current jailbreak solutions checkra1n/palera1n iOS 12.0 - iOS 18.0.1 All

   devices up until A11 chip Semi-tethered, installable using desktop device Dopamine iOS 15.0 - iOS 16.6.1 Any arm64/arm64e devices Semi-untethered, installable via TrollStore

9. Indicators of jailbroken devices • Suspicious files • Incorrect sandbox

   permissions • Injected dylibs • Atypical environment variables • Code signing flags • Disabled Library Validation Spoiler: unreliable and trivially bypassable in any application

10. iOS Security Suite https://github.com/securing/IOSSecuritySuite Allows to implement comprehensive application self-protection

    measures, including • Jailbreak detection • Static integrity checks • Debugger detection • RE tools detection • Network settings detection

11. Bypass solutions https://github.com/roothide/Dopamine2-roothide Custom version of Dopamine jailbreak Absolutely undetectable

    Unreliably hides Frida and debugger https://github.com/jjolano/shadow Installable as separate tweak Detectable by iOSSecuritySuite until you slightly modify it Might be unstable I don’t need to disassemble your application to bypass jailbreak detection, live with it

12. Anti-tampering MASVS-RESILIENCE-2 means static integrity controls. • Includes runtime integrity

    checks of executable files and resources • Requires CI/CD configuration • Protects against repackaging attacks and re-distribution of modified app copy • Mandatory for cross-platform applications, e.g. using Flutter

13. Countermeasures against static analysis MASVS-RESILIENCE-3 means protection against static analysis:

    • Includes string obfuscation, code, other advanced techniques • Requires CI/CD configuration • Protects secrets, e.g. API keys, OAuth client secret, code of self protection measures, etc. OpenAI API key in application binary

14. Countermeasures against static analysis Good libraries for string obfuscation: •

    swift-confidential https://github.com/securevale/swift-confidential • macro-ios-string-obfuscation https://github.com/vigram-sw/macro-ios-string-obfuscation Uses Swift macros, really easy to use Good libraries for code obfuscation: • no good libraries available 😢, just rename sensitive classes and methods pls don’t use something like bnlhIGthd2FpaX4=, be more subtle

15. Countermeasures against dynamic analysis MASVS-RESILIENCE-4 is a companion of previous

    requirement, but implemented in different way. • Debugger detection 🪲, protections against dynamic instrumentation tools like Frida • Does not require CI/CD configuration 🥰 • Sometimes referred as RASP (Runtime Application Self-Protection) Pure static analysis is very difficult and time consuming so it typically goes hand in hand with dynamic analysis. Observing and manipulating an app during runtime makes it much easier to understand its behavior.

16. How exactly your application can be attacked? Depends on specific

    use-cases, goals and skills of an attacker. silly memes retrieving sensitive data encrypted with Secure Enclave

17. How to test jailbreak bypass? also what to use as

    a reference implementation Reveil https://github.com/Lessica/Reveil

18. Illustrative example of implemented checks Roothide palera1n with attached debugger

    Shadow

19. Emulator detection Currently, Corellium is the only emulator available for

    usage. • Cloud-based emulation solution • Allows to select any device • Supports all versions of iOS • Allows to setup any pre-boot aspects for iOS device ☠ • Does not have App Store or iCloud capabilities • Intended for security researches

20. Emulator detection Corellium can be detected in several ways, but

    there are two easy paths: • File system check • Absence of GPU acceleration

21. Emulator detection Dumped device properties from two real devices and

    emulated Corellium environment.

22. Key recommendations for implementation of anti-RE controls Protect your secrets,

    don’t include API keys in plaintext Make your controls stealthy and try to obtain information, e.g. send incidents to analytics and react accordingly Don’t rely solely on jailbreak detection for app protection Never forget that reverse engineer always wins if has unlimited time constraints Don’t implement controls just for the record, do it according to your risks and potential threats

23. Q& A Let’s talk! Anton Shepeta Security Engineer @ Cossack

    Labs https://www.linkedin.com/in/anton-shepeta-5a300b215/