Port MASTG-TEST-0088 (by @appknox) (#3073)

* port mastg test 0088 * deprecation note * updated id * added Demo * fix * fix space * fix spell * refactor jailbreak detection to return detailed status and proof * Apply suggestions from code review Co-authored-by: Jeroen Beckers <[email protected]> * fix: correct filename in jailbreak detection script * refactor: update title and instructions for jailbreak detection demo * refactor: update jailbreak detection test descriptions and add new dynamic analysis test * fix: correct evaluation criteria for jailbreak detection test * Update tests/ios/MASVS-RESILIENCE/MASTG-TEST-0088.md * feat: mark jailbreak detection tests as prone to false negatives * Update tests-beta/ios/MASVS-RESILIENCE/MASTG-TEST-0x88.md Co-authored-by: Jeroen Beckers <[email protected]> * Update tests-beta/ios/MASVS-RESILIENCE/MASTG-TEST-0x89.md Co-authored-by: Jeroen Beckers <[email protected]> * Update tests-beta/ios/MASVS-RESILIENCE/MASTG-TEST-0x89.md * Update tests-beta/ios/MASVS-RESILIENCE/MASTG-TEST-0x88.md Co-authored-by: Jeroen Beckers <[email protected]> * Update tests-beta/ios/MASVS-RESILIENCE/MASTG-TEST-0x89.md Co-authored-by: Jeroen Beckers <[email protected]> * Update tests-beta/ios/MASVS-RESILIENCE/MASTG-TEST-0x89.md Co-authored-by: Jeroen Beckers <[email protected]> * updated changes * updated demo app, output.asm & r2 script * update test IDs * update demo ID --------- Co-authored-by: Carlos Holguera <[email protected]> Co-authored-by: Jeroen Beckers <[email protected]>
OWASP · Jan 10, 2025 · 08157d5 · 08157d5
1 parent b906f01
commit 08157d5
Show file tree

Hide file tree

Showing 9 changed files with 488 additions and 0 deletions.
diff --git a/demos/ios/MASVS-RESILIENCE/MASTG-DEMO-0021/MASTG-DEMO-0021.md b/demos/ios/MASVS-RESILIENCE/MASTG-DEMO-0021/MASTG-DEMO-0021.md
@@ -0,0 +1,32 @@
+---
+platform: ios
+title: Uses of Jailbreak Detection Techniques with r2
+code: [swift]
+id: MASTG-DEMO-0021
+test: MASTG-TEST-0240
+---
+
+### Sample
+
+The code snippet below shows sample code that performs jailbreak detection checks on the device.
+
+{{ MastgTest.swift }}
+
+### Steps
+
+1. Unzip the app package and locate the main binary file (@MASTG-TECH-0058), which in this case is `./Payload/MASTestApp.app/MASTestApp`.
+2. Open the app binary with @MASTG-TOOL-0073 with the `-i` option to run this script.
+
+{{ jailbreak_detection.r2 }}
+
+{{ run.sh }}
+
+### Observation
+
+The output reveals the use of file permissions, protocol handlers and file directories in the app.
+
+{{ output.txt }}
+
+### Evaluation
+
+The test passes because jailbreak detection checks are implemented in the app.
diff --git a/demos/ios/MASVS-RESILIENCE/MASTG-DEMO-0021/MASTestApp b/demos/ios/MASVS-RESILIENCE/MASTG-DEMO-0021/MASTestApp
diff --git a/demos/ios/MASVS-RESILIENCE/MASTG-DEMO-0021/MastgTest.swift b/demos/ios/MASVS-RESILIENCE/MASTG-DEMO-0021/MastgTest.swift
@@ -0,0 +1,110 @@
+import SwiftUI
+
+class MastgTest {
+    static func mastgTest(completion: @escaping (String) -> Void) {
+        let jailbreakDetails = JailbreakDetector.isDeviceJailbroken()
+        completion(jailbreakDetails)
+    }
+}
+
+class JailbreakDetector {
+    static func isDeviceJailbroken() -> String {
+        // Check if running on a simulator
+        if DeviceUtils.isSimulator() {
+            let simulatorName = ProcessInfo.processInfo.environment["SIMULATOR_DEVICE_NAME"] ?? "Unknown Simulator"
+            return "Warning: Running on a simulator (\(simulatorName)).\n\nProof:\n\n" + collectJailbreakProof()
+        }
+
+        // Collect jailbreak proofs
+        let proof = collectJailbreakProof()
+        if proof.isEmpty {
+            return "Jailbreak: False\n\nNo signs of a jailbreak detected."
+        } else {
+            return "Jailbreak: True\n\nProof:\n\n" + proof
+        }
+    }
+
+    private static func collectJailbreakProof() -> String {
+        var reasons = [String]()
+
+        // Check 1: Common jailbreak files and directories
+        let jailbreakPaths = [
+            "/Applications/Cydia.app",
+            "/Applications/Sileo.app",
+            "/Applications/Zebra.app",
+            "/Applications/Installer.app",
+            "/Library/MobileSubstrate/MobileSubstrate.dylib",
+            "/usr/libexec/cydia",
+            "/usr/libexec/ssh-keysign",
+            "/usr/sbin/sshd",
+            "/usr/bin/ssh",
+            "/var/cache/apt",
+            "/var/lib/apt",
+            "/var/lib/cydia",
+            "/var/log/syslog",
+            "/bin/bash",
+            "/bin/sh",
+            "/etc/apt",
+            "/private/var/lib/undecimus",
+            "/private/var/root/Library/PreferenceLoader/Preferences",
+            "/private/etc/apt"
+        ]
+
+        for path in jailbreakPaths {
+            if FileManager.default.fileExists(atPath: path) {
+                reasons.append("Detected jailbreak file or directory at \(path)")
+            }
+        }
+
+        // Check 2: Custom URL schemes
+        let urlSchemes = [
+            "cydia://",
+            "sileo://",
+            "zebra://",
+            "filza://"
+        ]
+
+        for scheme in urlSchemes {
+            if let url = URL(string: scheme), UIApplication.shared.canOpenURL(url) {
+                reasons.append("Able to open suspicious URL scheme: \(scheme)")
+            }
+        }
+
+        // Check 3: Suspicious environment variables
+        let suspiciousEnvVars = [
+            "DYLD_INSERT_LIBRARIES",
+            "DYLD_FRAMEWORK_PATH",
+            "DYLD_LIBRARY_PATH"
+        ]
+
+        for envVar in suspiciousEnvVars {
+            if ProcessInfo.processInfo.environment[envVar] != nil {
+                reasons.append("Suspicious environment variable detected: \(envVar)")
+            }
+        }
+
+        // Check 4: Write access to system paths
+        let paths = [
+            "/private/jailbreak.txt",
+            "/private/var/mobile/Library/jailbreak.txt"
+        ]
+
+        for path in paths {
+            do {
+                try "test".write(toFile: path, atomically: true, encoding: .utf8)
+                try FileManager.default.removeItem(atPath: path)
+                reasons.append("Write access detected at \(path)")
+            } catch {
+                continue
+            }
+        }
+
+        return reasons.joined(separator: "\n")
+    }
+}
+
+class DeviceUtils {
+    static func isSimulator() -> Bool {
+        return ProcessInfo.processInfo.environment["SIMULATOR_DEVICE_NAME"] != nil
+    }
+}
diff --git a/demos/ios/MASVS-RESILIENCE/MASTG-DEMO-0021/jailbreak_detection.r2 b/demos/ios/MASVS-RESILIENCE/MASTG-DEMO-0021/jailbreak_detection.r2
@@ -0,0 +1,57 @@
+e asm.bytes=false
+e scr.color=false
+e asm.var=false
+
+?e
+
+?e search for jailbreak path:
+
+/ /Applications/Cydia.app
+/ /Applications/Sileo.app
+/ /Applications/Zebra.app
+/ /usr/sbin/sshd
+/ /usr/bin/ssh
+/ /var/cache/apt
+/ /var/lib/apt
+/ /var/lib/cydia
+/ /var/log/syslog
+/ /bin/bash
+/ /bin/sh
+/ /etc/apt
+/ /private/jailbreak.txt
+/ /private/var/mobile/Library/jailbreak.txt
+
+?e
+
+?e search for urlSchemes:
+
+/ cydia://
+/ sileo://
+/ zebra://
+/ filza://
+
+?e
+
+?e search for suspiciousEnvVars:
+
+/ DYLD_INSERT_LIBRARIES
+/ DYLD_FRAMEWORK_PATH
+/ DYLD_LIBRARY_PATH
+
+?e
+
+?e Searching for Jailbreak output:
+
+iz~+jail
+
+
+?e
+
+?e xrefs to Jailbreak strings:
+axt 0x10011db00
+
+?e
+
+?e Disassembled Jailbreak function:
+
+pdf @ 0x100008c14