Port MASTG-TEST-0088 (by @appknox) #3073

Merged
merged 27 commits into from
Jan 10, 2025
44f02e0 port mastg test 0088 (sk3l10x1ng, Nov 21, 2024)
5231d0d deprecation note (sk3l10x1ng, Nov 21, 2024)
db2e50f updated id (sk3l10x1ng, Nov 21, 2024)
09ca02b added Demo (sk3l10x1ng, Dec 16, 2024)
825becf fix (sk3l10x1ng, Dec 16, 2024)
d62e8f1 fix space (sk3l10x1ng, Dec 16, 2024)
e1c5f62 fix spell (sk3l10x1ng, Dec 17, 2024)
e5585cc refactor jailbreak detection to return detailed status and proof (cpholguera, Dec 22, 2024)
b0cea4e Merge branch 'master' of https://github.com/OWASP/owasp-mastg into pr… (cpholguera, Jan 3, 2025)
18ee1cf Apply suggestions from code review (cpholguera, Jan 3, 2025)
e83090f fix: correct filename in jailbreak detection script (cpholguera, Jan 3, 2025)
3b8f772 refactor: update title and instructions for jailbreak detection demo (cpholguera, Jan 3, 2025)
8e6e416 refactor: update jailbreak detection test descriptions and add new dy… (cpholguera, Jan 3, 2025)
728703c fix: correct evaluation criteria for jailbreak detection test (cpholguera, Jan 3, 2025)
cab5174 Update tests/ios/MASVS-RESILIENCE/MASTG-TEST-0088.md (cpholguera, Jan 3, 2025)
fc1d0a0 feat: mark jailbreak detection tests as prone to false negatives (cpholguera, Jan 3, 2025)
d4e364a Merge branch 'port-MASTG-TEST-0088' of https://github.com/sk3l10x1ng/… (cpholguera, Jan 3, 2025)
501bead Update tests-beta/ios/MASVS-RESILIENCE/MASTG-TEST-0x88.md (cpholguera, Jan 3, 2025)
c984a1f Update tests-beta/ios/MASVS-RESILIENCE/MASTG-TEST-0x89.md (cpholguera, Jan 3, 2025)
84df96d Update tests-beta/ios/MASVS-RESILIENCE/MASTG-TEST-0x89.md (cpholguera, Jan 3, 2025)
b668a07 Update tests-beta/ios/MASVS-RESILIENCE/MASTG-TEST-0x88.md (cpholguera, Jan 3, 2025)
45eee2d Update tests-beta/ios/MASVS-RESILIENCE/MASTG-TEST-0x89.md (cpholguera, Jan 3, 2025)
a430755 Update tests-beta/ios/MASVS-RESILIENCE/MASTG-TEST-0x89.md (cpholguera, Jan 3, 2025)
6139d55 updated changes (sk3l10x1ng, Jan 7, 2025)
8645323 updated demo app, output.asm & r2 script (sk3l10x1ng, Jan 9, 2025)
27e5ad5 update test IDs (cpholguera, Jan 10, 2025)
948541b update demo ID (cpholguera, Jan 10, 2025)
32 changes: 32 additions & 0 deletions demos/ios/MASVS-RESILIENCE/MASTG-DEMO-0021/MASTG-DEMO-0021.md
@@ -0,0 +1,32 @@
---
platform: ios
title: Uses of Jailbreak Detection Techniques with r2
code: [swift]
id: MASTG-DEMO-0021
test: MASTG-TEST-0240
---

### Sample

The code snippet below shows sample code that performs jailbreak detection checks on the device.

{{ MastgTest.swift }}

### Steps

1. Unzip the app package and locate the main binary file (@MASTG-TECH-0058), which in this case is `./Payload/MASTestApp.app/MASTestApp`.
2. Open the app binary with @MASTG-TOOL-0073 with the `-i` option to run this script.

{{ jailbreak_detection.r2 }}

{{ run.sh }}

### Observation

The output reveals the use of file permissions, protocol handlers and file directories in the app.

{{ output.txt }}

### Evaluation

The test passes because jailbreak detection checks are implemented in the app.
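Review bot: the Observation sentence does not describe what jailbreak_detection.r2 actually searches for. The script looks for filesystem paths, the custom URL schemes (cydia://, sileo://, zebra://, filza://) and the DYLD_* environment variable names; it never inspects file permissions, and the DYLD variables are not mentioned at all. Suggest: "The output reveals the use of jailbreak file paths, custom URL schemes and DYLD environment variable names in the app." The Evaluation line should also say which part of output.txt supports the pass (the string hits plus the disassembled function), since finding these strings shows the checks are compiled in, not that they execute or cannot be bypassed; with commit fc1d0a0 marking the test as prone to false negatives, one sentence on that limitation belongs here too.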
Binary file not shown.
110 changes: 110 additions & 0 deletions demos/ios/MASVS-RESILIENCE/MASTG-DEMO-0021/MastgTest.swift
@@ -0,0 +1,110 @@
import SwiftUI

class MastgTest {
static func mastgTest(completion: @escaping (String) -> Void) {
let jailbreakDetails = JailbreakDetector.isDeviceJailbroken()
completion(jailbreakDetails)
}
}

class JailbreakDetector {
static func isDeviceJailbroken() -> String {
// Check if running on a simulator
if DeviceUtils.isSimulator() {
let simulatorName = ProcessInfo.processInfo.environment["SIMULATOR_DEVICE_NAME"] ?? "Unknown Simulator"
return "Warning: Running on a simulator (\(simulatorName)).\n\nProof:\n\n" + collectJailbreakProof()
}

// Collect jailbreak proofs
let proof = collectJailbreakProof()
if proof.isEmpty {
return "Jailbreak: False\n\nNo signs of a jailbreak detected."
} else {
return "Jailbreak: True\n\nProof:\n\n" + proof
}
}

private static func collectJailbreakProof() -> String {
var reasons = [String]()

// Check 1: Common jailbreak files and directories
let jailbreakPaths = [
"/Applications/Cydia.app",
"/Applications/Sileo.app",
"/Applications/Zebra.app",
"/Applications/Installer.app",
"/Library/MobileSubstrate/MobileSubstrate.dylib",
"/usr/libexec/cydia",
"/usr/libexec/ssh-keysign",
"/usr/sbin/sshd",
"/usr/bin/ssh",
"/var/cache/apt",
"/var/lib/apt",
"/var/lib/cydia",
"/var/log/syslog",
"/bin/bash",
"/bin/sh",
"/etc/apt",
"/private/var/lib/undecimus",
"/private/var/root/Library/PreferenceLoader/Preferences",
"/private/etc/apt"
]

for path in jailbreakPaths {
if FileManager.default.fileExists(atPath: path) {
reasons.append("Detected jailbreak file or directory at \(path)")
}
}

// Check 2: Custom URL schemes
let urlSchemes = [
"cydia://",
"sileo://",
"zebra://",
"filza://"
]

for scheme in urlSchemes {
if let url = URL(string: scheme), UIApplication.shared.canOpenURL(url) {
reasons.append("Able to open suspicious URL scheme: \(scheme)")
}
}

// Check 3: Suspicious environment variables
let suspiciousEnvVars = [
"DYLD_INSERT_LIBRARIES",
"DYLD_FRAMEWORK_PATH",
"DYLD_LIBRARY_PATH"
]

for envVar in suspiciousEnvVars {
if ProcessInfo.processInfo.environment[envVar] != nil {
reasons.append("Suspicious environment variable detected: \(envVar)")
}
}

// Check 4: Write access to system paths
let paths = [
"/private/jailbreak.txt",
"/private/var/mobile/Library/jailbreak.txt"
]

for path in paths {
do {
try "test".write(toFile: path, atomically: true, encoding: .utf8)
try FileManager.default.removeItem(atPath: path)
reasons.append("Write access detected at \(path)")
} catch {
continue
}
}

return reasons.joined(separator: "\n")
}
}

class DeviceUtils {
static func isSimulator() -> Bool {
return ProcessInfo.processInfo.environment["SIMULATOR_DEVICE_NAME"] != nil
}
}
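Review bot: in Check 4 the reason is appended only after both the write and the `removeItem` succeed, so when the write succeeds but the cleanup throws, the `catch` swallows the result: the check reports nothing and leaves jailbreak.txt behind on the device. Move `reasons.append("Write access detected at \(path)")` directly after the `write(toFile:)` call and handle the removal in its own do/catch (or with `try?`). Second, `UIApplication.shared.canOpenURL` returns false for any scheme not declared under LSApplicationQueriesSchemes in the app's Info.plist, so Check 2 yields silent false negatives unless the demo's Info.plist lists cydia, sileo, zebra and filza; that requirement should be stated in MASTG-DEMO-0021.md or the check dropped from the sample. Minor: `#if targetEnvironment(simulator)` is the compile-time idiom for `DeviceUtils.isSimulator` and does not depend on the environment dictionary.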
57 changes: 57 additions & 0 deletions demos/ios/MASVS-RESILIENCE/MASTG-DEMO-0021/jailbreak_detection.r2
@@ -0,0 +1,57 @@
e asm.bytes=false
e scr.color=false
e asm.var=false

?e

?e search for jailbreak path:

/ /Applications/Cydia.app
/ /Applications/Sileo.app
/ /Applications/Zebra.app
/ /usr/sbin/sshd
/ /usr/bin/ssh
/ /var/cache/apt
/ /var/lib/apt
/ /var/lib/cydia
/ /var/log/syslog
/ /bin/bash
/ /bin/sh
/ /etc/apt
/ /private/jailbreak.txt
/ /private/var/mobile/Library/jailbreak.txt

?e

?e search for urlSchemes:

/ cydia://
/ sileo://
/ zebra://
/ filza://

?e

?e search for suspiciousEnvVars:

/ DYLD_INSERT_LIBRARIES
/ DYLD_FRAMEWORK_PATH
/ DYLD_LIBRARY_PATH

?e

?e Searching for Jailbreak output:

iz~+jail


?e

?e xrefs to Jailbreak strings:
axt 0x10011db00

?e

?e Disassembled Jailbreak function:

pdf @ 0x100008c14
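Review bot: the last two commands hardcode addresses (`axt 0x10011db00`, `pdf @ 0x100008c14`) that are valid only for the exact binary shipped with this demo; commit 8645323 already had to update the demo app and the r2 script together. Add a comment in the script, or a sentence under Steps, explaining how these addresses were taken from the `iz~+jail` output so a reader can repeat the lookup against a rebuilt binary. Also, the path list here omits several entries from MastgTest.swift (Installer.app, MobileSubstrate.dylib, /usr/libexec/cydia, /usr/libexec/ssh-keysign, /private/var/lib/undecimus, the PreferenceLoader directory and /private/etc/apt), so output.txt will not show every check the Sample section presents; either sync the two lists or state in the Observation that only a subset is searched. Minor: `/ /etc/apt` also matches the longer `/private/etc/apt` string, which inflates that hit count.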