Root/Jailbreak Detection Evasion Study on iOS and Android (PowerPoint presentation)

  1. Dana Geist & Marat Nigmatullin
     Root/Jailbreak Detection Evasion Study on iOS and Android
     Research Project 1

  2. Motivation
     - Compromised (rooted/jailbroken) devices are a major issue in the mobile security field.
     - Security and business applications often attempt to identify rooted/jailbroken devices.
     - Cloaking techniques are being developed as the detection counterpart.

  3. Research questions
     - RQ1: Which techniques are used for root/jailbreak detection and evasion on Android and iOS?
     - RQ2: Are there any differences between the techniques used for each of the platforms? Are the controls they present effective?
     - RQ3: What are the latest trends used for detection?
     - RQ4: Could those latest trends be circumvented? If so, is it possible to create new evasion methods and implement them?

  4. Related work
     - The bulk of the research is focused on Android.
     - Detection methods are not effective against evasion techniques.
     - Focused on high-level (Java) and native languages (C/C++).
     iOS
     - Lack of formal research that addresses iOS detection and evasion methods.
     - NESO Security Labs developed AppMinder, a free prototype for jailbreak detection based on ARM assembly code.

  5. Detection and Evasion Methods
     Methodology
     - Study detection/evasion methods (RQ1, RQ2):
       - Primary literature
       - Existing tools and frameworks
       - Popular forums
     - Analyze collected information to detect latest trends (RQ3)

  6. Detection and Evasion Methods
     Taxonomy of Android Root Detection Methods
     - Presence of packages, applications, files.
     - Build settings: test keys, build version.
     - File permissions.
     - Shell command execution (su, which su).
     - Runtime characteristics: mount /system partition.

  7. Detection and Evasion Methods
     Taxonomy of iOS Jailbreak Detection Methods
     - Existence of files.
     - Directory permissions.
     - Process forking.
     - SSH loopback connections.
     - Privilege actions execution.
     - Calling dynamic library functions.
     - AppMinder Solution.

     Example (Objective-C, from the Cordova jailbreak detection plugin):

         if ([[NSFileManager defaultManager] fileExistsAtPath:@"/Applications/Cydia.app"])
         {
             return YES;
         }
         else if ([[NSFileManager defaultManager] fileExistsAtPath:@"/Library/MobileSubstrate/MobileSubstrate.dylib"])
         {
             return YES;
         }

     https://github.com/leecrossley/cordova-plugin-jailbreak-detection
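The two taxonomies above (slides 6 and 7), implemented as a checker. This is an added example, not code from the slides, AppMinder or the Cordova plugin: the indicator paths, the `build.prop` and `/proc/mounts` contents and the directory standing in for `/` are all constructed for demonstration, and `fork_allowed` reproduces the fork probe (a sandboxed iOS app gets EPERM, errno 1, which is the `r0=1` outcome the AppMinder slides describe; a jailbroken one gets a child PID).

```python
import os
import tempfile
from pathlib import Path

SU_PATHS = ("system/bin/su", "system/xbin/su", "sbin/su")  # Android su locations (constructed list)
IOS_PATHS = ("Applications/Cydia.app", "Library/MobileSubstrate/MobileSubstrate.dylib")

def root_indicators(root):
    """Return the indicators found under `root`, a directory standing in for '/'."""
    root = Path(root)
    found = []
    for rel in SU_PATHS + IOS_PATHS:  # presence of files/packages
        if (root / rel).exists():
            found.append("file:" + rel)
    prop = root / "system/build.prop"  # build settings: test-keys
    if prop.is_file():
        for line in prop.read_text().splitlines():
            key, _, value = line.partition("=")
            if key.strip() == "ro.build.tags" and "test-keys" in value:
                found.append("build:test-keys")
    mounts = root / "proc/mounts"  # runtime characteristic: /system mounted read-write
    if mounts.is_file():
        for line in mounts.read_text().splitlines():
            f = line.split()
            if len(f) >= 4 and f[1] == "/system" and "rw" in f[3].split(","):
                found.append("mount:/system rw")
    return found

def fork_allowed():
    """iOS-style fork probe: a sandboxed App Store process gets EPERM, a jailbroken one a child PID."""
    try:
        pid = os.fork()
    except OSError:  # EPERM on a sandboxed iOS app: the "not jailbroken" outcome of the slides' check
        return False
    if pid == 0:
        os._exit(0)  # child: exit at once, the probe only cares whether fork succeeded
    os.waitpid(pid, 0)
    return True

def demo():
    """Build a constructed 'rooted' filesystem image in a temp dir and run the checks over it."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        (base / "system/xbin").mkdir(parents=True)
        (base / "system/xbin/su").touch()
        (base / "system/build.prop").write_text("ro.build.tags=test-keys\n")
        (base / "proc").mkdir()
        (base / "proc/mounts").write_text("/dev/block/sda1 /system ext4 rw,relatime 0 0\n")
        return root_indicators(base), root_indicators(base / "missing")  # second tree is clean
```

Run on a desktop, `fork_allowed()` returns True because nothing sandboxes the process; the same result on a device is what the slides treat as the jailbroken signal.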

  8. Detection and Evasion Methods
     Root/Jailbreak evasion methods
     - Simple methods:
       - Hiding su binary (Android)
       - Runtime checks (Android)
       - Binary patching (Android and iOS)
     - Frameworks:
       - RootCloak (Android)
       - RootCloak Plus (Android)
       - xCon (iOS)

  9. Detection and Evasion Methods
     Android vs. iOS: Method Comparison
     - Based on the same idea.
     - Detection/evasion methods implemented at different levels of abstraction:
       - High level: Java/Objective-C
       - Native level: C/C++
       - Low level: ARM assembly (no framework available)
     - Minor differences in implementation (e.g. fork).

  10. Detection and Evasion Methods
     Latest trends
     - Most applications implement detection controls in high-level and native languages.
     - NESO Security Labs created a jailbreak detection solution implemented in ARM assembly: AppMinder.

  11. AppMinder: What is it?
     - Jailbreak detection tool for Apple iOS.
     - Based on ARM assembly.
     - Fork system call is evaluated for detection.
     - Code consists of 5 functions.
     - Application is terminated on jailbroken devices.

     Code excerpt (the comments are annotations on the excerpt, based on the slides' description of the check):

         #if !defined(DISABLE_APPMINDER) && !(TARGET_IPHONE_SIMULATOR) && !(__arm64__)
         __attribute__((always_inline)) static void dFRdWsEfEaJi(
                 unsigned int *___lxTgdaUaxSYingsbeypmEtHgmILez,
                 unsigned int *___TukDsLwSvzYctQkYpXKiDfwnLvJJJ,
                 unsigned int *___aurUzzwAHntEjodevWkF) {
             asm volatile (
                 "sub r1, r1, r1;mov r0, r1;b L975215;push {r0-r12};L975215:;"
                 "mov r12, #32;mov r3, r3;asr r12, #4;mov r3, r3;"    /* r12 = 32 >> 4 = 2, the fork syscall number */
                 "add r0, r0, #40;b L975216;stmdb sp!, {r0-r12};L975216:;"
                 "mov r4, pc;ldr r4, [r4, #0];svc 0x80;"             /* supervisor call: fork */
                 "ldr r3, %[lxTgdaUaxSYingsbeypmEtHgmILez];str r4, [r3, #0];"
                 "b L975217;push {r0-r12};L975217:;"
                 "sub r1, r1, r1;mov r0, r0;mov r3, r1;mov r2, r2;add r3, r3, #1;mov r1, r1;"  /* r3 = 1 */
                 "cmp r0, r3;b L975218;stmdb sp!, {r0-r12};L975218:;" /* r0 == 1 (EPERM): fork refused, not jailbroken */
                 "beq L975219;mov r10, #79;mov pc, r10;"              /* otherwise jump to address 79: the app terminates */
                 "L975219:;ldr r3, %[TukDsLwSvzYctQkYpXKiDfwnLvJJJ];str r0, [r3, #0];"
                 "ldr r3, %[aurUzzwAHntEjodevWkF];str r12, [r3, #0];"
                 ...

     Reference: http://appminder.nesolabs.de/

  12. AppMinder
     Why is it difficult to bypass?
     - No traditional methods work on it.
     - Polymorphic.
     - Obfuscation.
     - Self integrity checks.
     - Assembly code added "inline".

  13. Experiments on iOS
     Methodology (RQ4)
     - Study AppMinder.
     - Understand its inner workings.
     - Create methods for evasion and implement them.

  14. Experiments on iOS
     Methodology (RQ4)
     - Create an iOS testing application with AppMinder checks.
     - Static/dynamic analysis.
     - Identify patterns.
     - Design a strategy to bypass AppMinder's controls.
     - Implement solution.

  15. Experiments on iOS: bypassing AppMinder
     Techniques explored:
     - Hooking tools such as Cycript.
     - Binary patching.
     - Debugging tools: GNU Debugger (a.k.a. gdb).

  16. Experiments on iOS: bypassing AppMinder
     System architecture: [diagram]

  17. Experiments on iOS: bypassing AppMinder
     Code analysis: supervisor calls (SVC)
     - Fork: jailbreak detection
     - Ptrace: anti-debugging measures
     - Exit

  18. Experiments on iOS: bypassing AppMinder
     Bypassing strategy: Fork
     - Normal device: r0=1
     - Jailbroken device: r0!=1 (child's PID)
     - Solution: alter return value, set r0=1

     Sample code:

         mov r1, #2;
         b L505572;
         stmdb sp!, {r0-r12};
         L505572:;
         mov r12, r1;
         svc 0x80;           <- Breakpoint
         sub r1, r1, r1;     <- Breakpoint
         mov r3, r1;
         add r3, r3, #1;
         cmp r0, r3;

  19. Experiments on iOS: bypassing AppMinder
     Component interaction: [diagram]

  20. Experiments on iOS: bypassing AppMinder
     Semi-automatic solution

  21. Experiments on iOS: bypassing AppMinder
     Limitations:
     - We studied AppMinder's variant B.
     - We worked with our own testing application.
     - The fifth function call exhibits different behavior.

  22. Experiments on iOS: alternative jailbreak detection methods
     Cordova jailbreak detection plugin:
     - Implemented in Objective-C.
     - Detection methods:
       - Check for existing directories, files or packages.
       - Execute privileged actions like writing outside of the sandbox.

  23. Experiments on iOS: alternative jailbreak detection methods
     Cordova bypassing:
     - Focus on if statements.
     - Target assembly compares.
     - Change register values.

     Objective-C:

         if ([[NSFileManager defaultManager] fileExistsAtPath:@"/Applications/Cydia.app"]) {return YES;}
         else if ...(next check)

     ARM assembly (check for file existence):

         cmp r1, #0

  24. Results & Analysis
     - AppMinder controls were evaded.
     - Bypassing mechanisms were successfully implemented.
     - Assembly-level techniques can be used to evade methods at different abstraction levels.
     - Attaching a debugger affects performance.

  25. Conclusions
     - Android and iOS use similar detection and evasion methods.
     - Detection trends are moving controls to lower-level languages. AppMinder is an example of that.
     - Even low-level techniques can be bypassed.
     - With enough time and resources an attacker will be able to evade all detection controls.
