Nativescript - 在 iOS 上检测越狱和动态检测
Posted
技术标签:
【中文标题】Nativescript - 在 iOS 上检测越狱和动态检测【英文标题】:Nativescript - Detect Jailbreak and Dynamic Instrumentation on iOS 【发布时间】:2021-11-15 15:22:21 【问题描述】:鉴于 Nativescript 社区中提供的插件,您的 Nativescript 应用可能不足以通过安全渗透测试。
下面列出了两个插件。
https://www.npmjs.com/package/@nstudio/root-detection https://www.npmjs.com/package/nativescript-jailbreak-detector在某些情况下,您可以通过手动编写自己的越狱检查和动态检测(例如 Frida)来获得更好的结果,因为现在有很多工具可以绕过越狱检测(例如 HideJB)。
有哪些方法可以检测越狱并防止 ios Nativescript 上的动态检测?
【问题讨论】:
【参考方案1】:可以多层次进行检测:
检查 URL 是否可以通过非法 URL 方案打开 检查文件是否可以在非法目录中打开 检查是否存在非法文件(包括 Cydia、Sileo、HideJB 等) 检查文件是否可在受限目录中写入代码
public amIJailbroken(): boolean
let urlSchemes: Array<string> = ['undecimus://', 'cydia://', 'sileo://', 'zbra://', 'filza://', 'activator://'];
// List of suspicious files associated with jailbreak
let paths: Array<string> = [
'/.bootstrapped_electra',
'/.cydia_no_stash',
'/.installed_unc0ver',
'/Applications/blackra1n.app',
'/Applications/Cydia.app',
'/Applications/FakeCarrier.app',
'/Applications/HideJB.app',
'/Applications/Icy.app',
'/Applications/IntelliScreen.app',
'/Applications/MxTube.app',
'/Applications/RockApp.app',
'/Applications/SBSettings.app',
'/Applications/SBSetttings.app',
'/Applications/Sileo.app',
'/Applications/Snoop-itConfig.app',
'/Applications/WinterBoard.app',
'/bin.sh',
'/bin/bash',
'/bin/sh',
'/etc/apt',
'/etc/apt/sources.list.d/electra.list',
'/etc/apt/sources.list.d/sileo.sources',
'/etc/apt/undecimus/undecimus.list',
'/etc/ssh/sshd_config',
'/jb/amfid_payload.dylib',
'/jb/jailbreakd.plist',
'/jb/libjailbreak.dylib',
'/jb/lzma',
'/jb/offsets.plist',
'/Library/dpkg/info/re.frida.server.list',
'/Library/LaunchDaemons/re.frida.server.plist',
'/Library/MobileSubstrate/CydiaSubstrate.dylib',
'/Library/MobileSubstrate/DynamicLibraries/LiveClock.plist',
'/Library/MobileSubstrate/DynamicLibraries/Veency.plist',
'/Library/MobileSubstrate/HideJB.dylib',
'/Library/MobileSubstrate/MobileSubstrate.dylib',
'/Library/PreferenceBundles/ABypassPrefs.bundle',
'/Library/PreferenceBundles/FlyJBPrefs.bundle',
'/Library/PreferenceBundles/HideJBPrefs.bundle',
'/Library/PreferenceBundles/LibertyPref.bundle',
'/Library/PreferenceBundles/ShadowPreferences.bundle',
'/private/etc/apt',
'/private/etc/dpkg/origins/debian',
'/private/etc/ssh/sshd_config',
'/private/var/cache/apt/',
'/private/var/lib/apt',
'/private/var/lib/apt/',
'/private/var/lib/cydia',
'/private/var/log/syslog',
'/private/var/mobile/Library/SBSettings/Themes',
'/private/var/mobileLibrary/SBSettingsThemes/',
'/private/var/stash',
'/private/var/tmp/cydia.log',
'/private/var/Users/',
'/System/Library/LaunchDaemons/com.ikey.bbot.plist',
'/System/Library/LaunchDaemons/com.saurik.Cydia.Startup.plist',
'/usr/bin/cycript',
'/usr/bin/ssh',
'/usr/bin/sshd',
'/usr/lib/libcycript.dylib',
'/usr/lib/libhooker.dylib',
'/usr/lib/libjailbreak.dylib',
'/usr/lib/libsubstitute.dylib',
'/usr/lib/substrate',
'/usr/lib/TweakInject',
'/usr/libexec/cydia/',
'/usr/libexec/cydia/firmware.sh',
'/usr/libexec/sftp-server',
'/usr/libexec/ssh-keysign',
'/usr/local/bin/cycript',
'/usr/sbin/frida-server',
'/usr/sbin/sshd',
'/usr/share/jailbreak/injectme.plist',
'/var/binpack',
'/var/cache/apt',
'/var/checkra1n.dmg',
'/var/lib/apt',
'/var/lib/cydia',
'/var/lib/dpkg/info/mobilesubstrate.md5sums',
'/var/log/apt',
'/var/log/syslog',
'/var/tmp/cydia.log',
];
// Check if target is not an iOS simulator
if (!isIOS || !this.isTarget()) return false;
else
// Check URL schemes
for (const url of urlSchemes)
if (this.canOpenIllegalURL(url)) return true;
// Check files and directories associated with jailbreaks
for (const path of paths)
if (this.canOpenIllegalFile(path)) return true;
// Check file permissions outside device sandbox, if writtable = jailbroken
if (this.canWriteToRestrictedDirectories()) return true;
return false;
/*
********** Helper Methods **********
*/
/* Check if environment is being run as a RELEASE build */
private isTarget()
return process.env.RELEASE_ENV;
/* Check if we can open illegal URL schemes */
private canOpenIllegalURL(url): boolean
return UIApplication.sharedApplication.canOpenURL(NSURL.URLWithString(url + 'package/com.example.app'));
/* Check if file is openable */
private canOpenIllegalFile(path): boolean
const file = fopen(path, 'r');
if (!file)
fclose(file);
return this.fileExists(path) || this.directoryExists(path);
fclose(file);
return true;
/* Check if file exists at path */
private fileExists(path): boolean
return NSFileManager.defaultManager.fileExistsAtPath(path);
/* Check if directory exists at path */
private directoryExists(path): boolean
return NSFileManager.defaultManager.fileExistsAtPathIsDirectory(path, new interop.Reference());
/* Check if file is writtable to illegal directory */
private canWriteToRestrictedDirectories(): boolean
let error;
try
const stringToBeWritten = NSString.stringWithString('I am evil.');
stringToBeWritten.writeToFileAtomicallyEncodingError('/private/jailbreak.txt', true, NSUTF8StringEncoding);
stringToBeWritten.writeToFileAtomicallyEncodingError('/root/jailbreak.txt', true, NSUTF8StringEncoding);
NSFileManager.defaultManager.removeItemAtPathError('/private/jailbreak.txt');
NSFileManager.defaultManager.removeItemAtPathError('/root/jailbreak.txt');
catch (e)
error = e;
return !error ? true : false;
参考文献
这项研究来自以下思想的整合:
https://***.com/a/26712383/2192332 https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06j-testing-resiliency-against-reverse-engineering https://github.com/securing/IOSSecuritySuite/blob/master/IOSSecuritySuite/JailbreakChecker.swift https://github.com/avltree9798/isJailbroken/blob/master/isJailbroken/JB.m改进
请随时提出建议!
例如使用_dyld_get_image_name检查内存中的非法动态库@
【讨论】:
以上是关于Nativescript - 在 iOS 上检测越狱和动态检测的主要内容,如果未能解决你的问题,请参考以下文章
Nativescript 在设备 IOS 上运行 - dyld 库未加载 @rpath/Nativescript.framework
Nativescript translateY 在 Android 和 iOS 上不同