Root/Jailbreak Detection Evasion Study on iOS and Android (PowerPoint PPT Presentation)



  1. Root/Jailbreak Detection Evasion Study on iOS and Android
     Dana Geist & Marat Nigmatullin
     Research Project 1

  2. Motivation
     - Compromised (rooted/jailbroken) devices are a major issue in the mobile security field.
     - Security and business applications often attempt to identify rooted/jailbroken devices.
     - Cloaking techniques are being developed as the detection counterpart.
     Research Project 1: Root/Jailbreak detection evasion study on iOS and Android

  3. Research questions
     - RQ1: Which techniques are used for root/jailbreak detection and evasion on Android and iOS?
     - RQ2: Are there any differences between the techniques used for each of the platforms? Are the controls they present effective?
     - RQ3: What are the latest trends used for detection?
     - RQ4: Could those latest trends be circumvented? If so, is it possible to create new evasion methods and implement them?

  4. Related work
     - Bulk of the research is focused on Android.
     - Detection methods are not effective against evasion techniques.
     - Focused on high level (Java) and native languages (C/C++).
     iOS:
     - Lack of formal research that addresses iOS detection and evasion methods.
     - NESO Security Labs developed AppMinder, a free prototype for jailbreak detection based on ARM assembly code.

  5. Detection and Evasion Methods: Methodology
     - Study detection/evasion methods (RQ1, RQ2):
       - Primary literature
       - Existing tools and frameworks
       - Popular forums
     - Analyze collected information to detect latest trends (RQ3)

  6. Detection and Evasion Methods: Taxonomy of Android Root Detection Methods
     - Presence of packages, applications, files.
     - Build settings: test keys, build version.
     - File permissions.
     - Shell command execution (su, which su).
     - Runtime characteristics: mount status of the /system partition.
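Three of the Android checks in the taxonomy above (build tags, su presence, and how /system is mounted), carried out against text in the format of /proc/mounts and build.prop, as an added example in C that is not part of the slides or of any tool they mention. The mount table and property strings are constructed, the su directory list is an assumption, and the code is written for a POSIX/Linux host rather than a real Android device, so the file-system probe only demonstrates the lookup, not a real verdict.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

/* Constructed sample inputs in /proc/mounts and build.prop format (not captured from a device). */
static const char *const kMountsRw =
    "/dev/block/bootdevice/by-name/system /system ext4 rw,seclabel,relatime,data=ordered 0 0\n"
    "/dev/block/bootdevice/by-name/userdata /data ext4 rw,seclabel,nosuid,nodev,noatime 0 0\n";
static const char *const kMountsRo =
    "/dev/block/bootdevice/by-name/system /system ext4 ro,seclabel,relatime,data=ordered 0 0\n";
static const char *const kPropsTestKeys    = "ro.build.type=userdebug\nro.build.tags=test-keys\n";
static const char *const kPropsReleaseKeys = "ro.build.type=user\nro.build.tags=release-keys\n";

/* Runtime characteristic: returns 1 if `mountpoint` is listed with the "rw" option
   in a /proc/mounts-style table, 0 if it is read-only or not listed. */
int mount_is_rw(const char *mounts, const char *mountpoint) {
    const char *line = mounts;
    while (*line) {
        const char *end = strchr(line, '\n');
        size_t len = end ? (size_t)(end - line) : strlen(line);
        char buf[512];
        if (len < sizeof buf) {
            memcpy(buf, line, len);
            buf[len] = '\0';
            char dev[256], mp[256], fstype[64], opts[256];
            if (sscanf(buf, "%255s %255s %63s %255s", dev, mp, fstype, opts) == 4 &&
                strcmp(mp, mountpoint) == 0) {
                /* options are comma separated, e.g. "rw,seclabel,relatime" */
                const char *o = opts;
                while (*o) {
                    size_t olen = strcspn(o, ",");
                    if (olen == 2 && strncmp(o, "rw", 2) == 0) return 1;
                    o += olen;
                    if (*o == ',') o++;
                }
                return 0;
            }
        }
        if (!end) break;
        line = end + 1;
    }
    return 0;
}

/* Build setting: returns 1 if a build.prop-style text sets ro.build.tags to test-keys. */
int build_has_test_keys(const char *props) {
    const char *key = "ro.build.tags=";
    const char *p = props;
    while ((p = strstr(p, key)) != NULL) {
        if (p == props || p[-1] == '\n') {            /* key must start a line */
            const char *v = p + strlen(key);
            size_t vlen = strcspn(v, "\r\n");
            return (vlen == 9 && strncmp(v, "test-keys", 9) == 0) ? 1 : 0;
        }
        p += strlen(key);
    }
    return 0;
}

/* Presence of files: returns 1 if an owner-executable file `name` exists in any of `dirs`.
   This is the lookup behind "which su", done without spawning a shell. */
int binary_present(const char *const *dirs, size_t n, const char *name) {
    char path[512];
    struct stat st;
    for (size_t i = 0; i < n; i++) {
        snprintf(path, sizeof path, "%s/%s", dirs[i], name);
        if (stat(path, &st) == 0 && (st.st_mode & S_IXUSR)) return 1;
    }
    return 0;
}

int main(void) {
    /* Assumed directory list; real detectors maintain longer, vendor-specific lists. */
    static const char *const su_dirs[] = {"/system/bin", "/system/xbin", "/sbin", "/su/bin"};
    printf("/system mounted rw : %d\n", mount_is_rw(kMountsRw, "/system"));
    printf("/system mounted rw : %d (read-only sample)\n", mount_is_rw(kMountsRo, "/system"));
    printf("test-keys build    : %d\n", build_has_test_keys(kPropsTestKeys));
    printf("su binary present  : %d\n", binary_present(su_dirs, 4, "su"));
    return 0;
}
```

Each function returns an indicator rather than a verdict; a detector combines several of them precisely because, as the later slides show, any single check can be cloaked (RootCloak hides the su path, a patched build.prop reports release-keys).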

  7. Detection and Evasion Methods: Taxonomy of iOS Jailbreak Detection Methods
     - Existence of files.
     - Directory permissions.
     - Process forking.
     - SSH loopback connections.
     - Privilege actions execution.
     - Calling dynamic library functions.
     - AppMinder Solution.
     Example (file existence check):
         if ([[NSFileManager defaultManager] fileExistsAtPath:@"/Applications/Cydia.app"])
         {
             return YES;
         }
         else if ([[NSFileManager defaultManager] fileExistsAtPath:@"/Library/MobileSubstrate/MobileSubstrate.dylib"])
         {
             return YES;
         }
     Source: https://github.com/leecrossley/cordova-plugin-jailbreak-detection
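The behavioural checks from the iOS taxonomy above (process forking, directory permissions, privileged action such as writing outside the sandbox, and an SSH loopback connection), as an added example in C that is not part of the slides, of AppMinder or of the Cordova plugin. It uses the ordinary libc calls instead of the raw svc the AppMinder excerpt shows, is written for a POSIX/Linux host rather than iOS, and the probe path, directory and port are assumptions; on a Linux host most probes fire, which illustrates that each check is only meaningful against the platform's expected baseline.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Privileged action: try to create a file at `path` and remove it again.
   A stock iOS sandbox denies writes outside the app container, so success is an indicator.
   Returns 1 if the write succeeded, 0 otherwise. */
int write_probe(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return 0;
    close(fd);
    unlink(path);
    return 1;
}

/* Process forking: sandboxed iOS apps are refused fork(); the slides describe AppMinder
   doing the same test with svc 0x80. Returns 1 if a child was created, 0 if refused. */
int fork_probe(void) {
    pid_t pid = fork();
    if (pid < 0) return 0;
    if (pid == 0) _exit(0);          /* child: leave immediately */
    int status;
    waitpid(pid, &status, 0);        /* parent: reap the child */
    return 1;
}

/* Directory permissions: returns 1 if `dir` is group- or world-writable
   (jailbreaks commonly loosen permissions on system directories), 0 otherwise or if absent. */
int dir_group_or_world_writable(const char *dir) {
    struct stat st;
    if (stat(dir, &st) != 0 || !S_ISDIR(st.st_mode)) return 0;
    return (st.st_mode & (S_IWGRP | S_IWOTH)) ? 1 : 0;
}

/* SSH loopback: returns 1 if a TCP connect to 127.0.0.1:`port` succeeds, 0 otherwise. */
int loopback_port_open(unsigned short port) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return 0;
    struct sockaddr_in addr;
    memset(&addr, 0, sizeof addr);
    addr.sin_family = AF_INET;
    addr.sin_port = htons(port);
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    int ok = (connect(fd, (struct sockaddr *)&addr, sizeof addr) == 0) ? 1 : 0;
    close(fd);
    return ok;
}

/* Count how many of the four indicators fired; callers compare against a platform baseline. */
int jailbreak_indicator_count(const char *probe_path, const char *probe_dir, unsigned short ssh_port) {
    return write_probe(probe_path) + fork_probe()
         + dir_group_or_world_writable(probe_dir) + loopback_port_open(ssh_port);
}

int main(void) {
    /* Constructed arguments for a host run; an iOS build would probe a path outside the container. */
    printf("indicators fired: %d\n",
           jailbreak_indicator_count("/tmp/jb_probe_constructed", "/tmp", 22));
    return 0;
}
```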

  8. Detection and Evasion Methods: Root/Jailbreak evasion methods
     - Simple methods:
       - Hiding su binary (Android)
       - Runtime checks (Android)
       - Binary patching (Android and iOS)
     - Frameworks:
       - RootCloak (Android)
       - RootCloak Plus (Android)
       - xCon (iOS)

  9. Detection and Evasion Methods: Android vs. iOS: Method Comparison
     - Based on the same idea.
     - Detection/evasion methods implemented at different levels of abstraction:
       - High level: Java/Objective-C
       - Native level: C/C++
       - Low level: ARM assembly (no framework available)
     - Minor differences in implementation (e.g. fork).

  10. Detection and Evasion Methods: Latest trends
     - Most applications implement detection controls in high level and native languages.
     - NESO Security Labs created a jailbreak detection solution implemented in ARM assembly: AppMinder.

  11. AppMinder: What is it?
     - Jailbreak detection tool for Apple iOS.
     - Based on ARM assembly.
     - Fork system call is evaluated for detection.
     - Code consists of 5 functions.
     - Application is terminated on jailbroken devices.
     Code excerpt:
         #if !defined(DISABLE_APPMINDER) && !(TARGET_IPHONE_SIMULATOR) && !(__arm64__)
         __attribute__ ((always_inline)) static void dFRdWsEfEaJi (unsigned int *___lxTgdaUaxSYingsbeypmEtHgmILez,
                                                                   unsigned int *___TukDsLwSvzYctQkYpXKiDfwnLvJJJ,
                                                                   unsigned int *___aurUzzwAHntEjodevWkF)
         {asm volatile ("sub r1, r1, r1;mov r0, r1;b L975215;push {r0-r12};L975215:;mov r12, #32;mov r3, r3;"
                        "asr r12, #4;mov r3, r3;add r0, r0, #40;b L975216;stmdb sp!, {r0-r12};L975216:;mov r4, pc;"
                        "ldr r4, [r4, #0];svc 0x80;ldr r3, %[lxTgdaUaxSYingsbeypmEtHgmILez];str r4, [r3, #0];"
                        "b L975217;push {r0-r12};L975217:;sub r1, r1, r1;mov r0, r0;mov r3, r1;mov r2, r2;"
                        "add r3, r3, #1;mov r1, r1;cmp r0, r3;b L975218;stmdb sp!, {r0-r12};L975218:;beq L975219;"
                        "mov r10, #79;mov pc, r10;L975219:;ldr r3, %[TukDsLwSvzYctQkYpXKiDfwnLvJJJ];str r0, [r3, #0];"
                        "ldr r3, %[aurUzzwAHntEjodevWkF];str r12, [r3, #0];" ...
     Reference: http://appminder.nesolabs.de/

  12. AppMinder: Why is it difficult to bypass?
     - No traditional methods work on it.
     - Polymorphic.
     - Obfuscation.
     - Self integrity checks.
     - Assembly code added "inline".

  13. Experiments on iOS: Methodology (RQ4)
     - Study AppMinder.
     - Understand its inner workings.
     - Create methods for evasion and implement them.

  14. Experiments on iOS: Methodology (RQ4)
     - Create an iOS testing application with AppMinder checks.
     - Static/Dynamic analysis.
     - Identify patterns.
     - Design a strategy to bypass AppMinder's controls.
     - Implement solution.

  15. Experiments on iOS: bypassing AppMinder
     Techniques explored:
     - Hooking tools such as Cycript.
     - Binary patching.
     - Debugging tools: GNU Debugger (a.k.a. gdb).

  16. Experiments on iOS: bypassing AppMinder
     System architecture: [diagram]

  17. Experiments on iOS: bypassing AppMinder
     Code analysis: supervisor calls (SVC)
     - Fork: jailbreak detection
     - Ptrace: anti-debugging measures
     - Exit

  18. Experiments on iOS: bypassing AppMinder
     Bypassing strategy: Fork
     - Normal device: r0 = 1
     - Jailbroken device: r0 != 1 (child's PID)
     - Solution: alter return value, set r0 = 1
     Sample code:
         mov r1, #2;
         b L505572;
         stmdb sp!, {r0-r12};
         L505572:;
         mov r12, r1;
         svc 0x80;           ← Breakpoint
         sub r1, r1, r1;     ← Breakpoint
         mov r3, r1;
         add r3, r3, #1;
         cmp r0, r3;

  19. Experiments on iOS: bypassing AppMinder
     Component interaction: [diagram]

  20. Experiments on iOS: bypassing AppMinder
     Semi-automatic solution: [diagram]

  21. Experiments on iOS: bypassing AppMinder
     Limitations:
     - We studied AppMinder's variant B.
     - We worked with our own testing application.
     - Fifth function call exhibits different behavior.

  22. Experiments on iOS: alternative jailbreak detection methods
     Cordova jailbreak detection plugin:
     - Implemented in Objective-C.
     - Detection methods:
       - Check for existing directories, files or packages.
       - Execute privileged actions like writing outside of the sandbox.

  23. Experiments on iOS: alternative jailbreak detection methods
     Cordova bypassing:
     - Focus on if statements.
     - Target assembly compares.
     - Change register values.
     Objective-C:
         if ([[NSFileManager defaultManager] fileExistsAtPath:@"/Applications/Cydia.app"])
         {return YES;}
         else if ...(next check)
     ARM Assembly (check for file existence):
         cmp r1, #0

  24. Results & Analysis
     - AppMinder controls were evaded.
     - Bypassing mechanisms were successfully implemented.
     - Assembly level techniques can be used to evade methods at different abstraction levels.
     - Attaching a debugger affects performance.

  25. Conclusions
     - Android and iOS use similar detection and evasion methods.
     - Detection trends are moving controls to lower level languages. AppMinder is an example of that.
     - Even low level techniques can be bypassed.
     - With enough time and resources an attacker will be able to evade all detection controls.
