Detection of function hooking in iOS










1















So far as I know, in iOS there are three techniques of function hooking:



  1. preload library using DYLD_INSERT_LIBRARIES

  2. imported symbol table redirection using fishhook

  3. patch the functions when they are already loaded - i.e. already in memory using substrate MSHookFunction

These expose security issues so I wanna be able to detect when such things happen. For point number 1, I can apply function pointer verification to detect. However for 2 and 3, I haven't had any idea. I am very thankful for ideas that can be done to address the issue.






ios security hook cydia-substrate







share|improve this question
























  • Are you developing an app? If so, is it granted root permissions (jailbroken)? For #3 I'd recommend you to take a look at the Cydia Substrate documentation and learn what methods it uses and how they work. Use a jailbroken device to discover exploits your app might be vulnerable to.

    – osvein
    Jan 7 '14 at 0:57











  • Yes, there is no reason not allowing my app to run on jailbroken devices.

    – Krypton
    Jan 9 '14 at 1:59











  • For 3, all I can think of is to compare .text section of binary to .text section in memory. However, iOS binary is encrypted, so this approach is not feasible.

    – Krypton
    Jan 9 '14 at 5:45











  • Have you ever solved this question? I'm trying to defeat xCon iOS tweak for jailbroken devices which seems to hook NSFileManager's methods. Any luck on defeating it?

    – Sergey Grischyov
    Jan 27 '15 at 23:31











  • I still have not found any acceptable solution for this. Please answer if you guys got any clue.

    – Krypton
    Sep 28 '15 at 3:31















1















So far as I know, in iOS there are three techniques of function hooking:



  1. preload library using DYLD_INSERT_LIBRARIES

  2. imported symbol table redirection using fishhook

  3. patch the functions when they are already loaded - i.e. already in memory using substrate MSHookFunction

These expose security issues so I wanna be able to detect when such things happen. For point number 1, I can apply function pointer verification to detect. However for 2 and 3, I haven't had any idea. I am very thankful for ideas that can be done to address the issue.






ios security hook cydia-substrate







share|improve this question
























  • Are you developing an app? If so, is it granted root permissions (jailbroken)? For #3 I'd recommend you to take a look at the Cydia Substrate documentation and learn what methods it uses and how they work. Use a jailbroken device to discover exploits your app might be vulnerable to.

    – osvein
    Jan 7 '14 at 0:57











  • Yes, there is no reason not allowing my app to run on jailbroken devices.

    – Krypton
    Jan 9 '14 at 1:59











  • For 3, all I can think of is to compare .text section of binary to .text section in memory. However, iOS binary is encrypted, so this approach is not feasible.

    – Krypton
    Jan 9 '14 at 5:45











  • Have you ever solved this question? I'm trying to defeat xCon iOS tweak for jailbroken devices which seems to hook NSFileManager's methods. Any luck on defeating it?

    – Sergey Grischyov
    Jan 27 '15 at 23:31











  • I still have not found any acceptable solution for this. Please answer if you guys got any clue.

    – Krypton
    Sep 28 '15 at 3:31













1












1








1


1






So far as I know, in iOS there are three techniques of function hooking:



  1. preload library using DYLD_INSERT_LIBRARIES

  2. imported symbol table redirection using fishhook

  3. patch the functions when they are already loaded - i.e. already in memory using substrate MSHookFunction

These expose security issues so I wanna be able to detect when such things happen. For point number 1, I can apply function pointer verification to detect. However for 2 and 3, I haven't had any idea. I am very thankful for ideas that can be done to address the issue.






ios security hook cydia-substrate







share|improve this question
















So far as I know, in iOS there are three techniques of function hooking:



  1. preload library using DYLD_INSERT_LIBRARIES

  2. imported symbol table redirection using fishhook

  3. patch the functions when they are already loaded - i.e. already in memory using substrate MSHookFunction

These expose security issues so I wanna be able to detect when such things happen. For point number 1, I can apply function pointer verification to detect. However for 2 and 3, I haven't had any idea. I am very thankful for ideas that can be done to address the issue.






ios security hook cydia-substrate




ios security hook cydia-substrate






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Jan 2 '14 at 2:59







Krypton

















asked Jan 2 '14 at 2:21









KryptonKrypton

2,94052442




2,94052442












  • Are you developing an app? If so, is it granted root permissions (jailbroken)? For #3 I'd recommend you to take a look at the Cydia Substrate documentation and learn what methods it uses and how they work. Use a jailbroken device to discover exploits your app might be vulnerable to.

    – osvein
    Jan 7 '14 at 0:57











  • Yes, there is no reason not allowing my app to run on jailbroken devices.

    – Krypton
    Jan 9 '14 at 1:59











  • For 3, all I can think of is to compare .text section of binary to .text section in memory. However, iOS binary is encrypted, so this approach is not feasible.

    – Krypton
    Jan 9 '14 at 5:45











  • Have you ever solved this question? I'm trying to defeat xCon iOS tweak for jailbroken devices which seems to hook NSFileManager's methods. Any luck on defeating it?

    – Sergey Grischyov
    Jan 27 '15 at 23:31











  • I still have not found any acceptable solution for this. Please answer if you guys got any clue.

    – Krypton
    Sep 28 '15 at 3:31

















  • Are you developing an app? If so, is it granted root permissions (jailbroken)? For #3 I'd recommend you to take a look at the Cydia Substrate documentation and learn what methods it uses and how they work. Use a jailbroken device to discover exploits your app might be vulnerable to.

    – osvein
    Jan 7 '14 at 0:57











  • Yes, there is no reason not allowing my app to run on jailbroken devices.

    – Krypton
    Jan 9 '14 at 1:59











  • For 3, all I can think of is to compare .text section of binary to .text section in memory. However, iOS binary is encrypted, so this approach is not feasible.

    – Krypton
    Jan 9 '14 at 5:45











  • Have you ever solved this question? I'm trying to defeat xCon iOS tweak for jailbroken devices which seems to hook NSFileManager's methods. Any luck on defeating it?

    – Sergey Grischyov
    Jan 27 '15 at 23:31











  • I still have not found any acceptable solution for this. Please answer if you guys got any clue.

    – Krypton
    Sep 28 '15 at 3:31
















Are you developing an app? If so, is it granted root permissions (jailbroken)? For #3 I'd recommend you to take a look at the Cydia Substrate documentation and learn what methods it uses and how they work. Use a jailbroken device to discover exploits your app might be vulnerable to.

– osvein
Jan 7 '14 at 0:57





Are you developing an app? If so, is it granted root permissions (jailbroken)? For #3 I'd recommend you to take a look at the Cydia Substrate documentation and learn what methods it uses and how they work. Use a jailbroken device to discover exploits your app might be vulnerable to.

– osvein
Jan 7 '14 at 0:57













Yes, there is no reason not allowing my app to run on jailbroken devices.

– Krypton
Jan 9 '14 at 1:59





Yes, there is no reason not allowing my app to run on jailbroken devices.

– Krypton
Jan 9 '14 at 1:59













For 3, all I can think of is to compare .text section of binary to .text section in memory. However, iOS binary is encrypted, so this approach is not feasible.

– Krypton
Jan 9 '14 at 5:45





For 3, all I can think of is to compare .text section of binary to .text section in memory. However, iOS binary is encrypted, so this approach is not feasible.

– Krypton
Jan 9 '14 at 5:45













Have you ever solved this question? I'm trying to defeat xCon iOS tweak for jailbroken devices which seems to hook NSFileManager's methods. Any luck on defeating it?

– Sergey Grischyov
Jan 27 '15 at 23:31





Have you ever solved this question? I'm trying to defeat xCon iOS tweak for jailbroken devices which seems to hook NSFileManager's methods. Any luck on defeating it?

– Sergey Grischyov
Jan 27 '15 at 23:31













I still have not found any acceptable solution for this. Please answer if you guys got any clue.

– Krypton
Sep 28 '15 at 3:31





I still have not found any acceptable solution for this. Please answer if you guys got any clue.

– Krypton
Sep 28 '15 at 3:31












1 Answer
1






active

oldest

votes


















0














I had the same issue - trying to avoid any potential function hooking within my app.



My app was recently PEN tested and was found to have a vulnerability around function hooking. The security report referenced Frida as one of the main culprits for executing such an act. I'm sure most of you peeps would be familiar with this tool.



OWASP suggests a few remedial solutions for securing your app, but in this context, the section titled Anti-Debugging Checks would be the main focus.



As suggested by OWASP, I used ptrace with PT_DENY_ATTACH - denying a GDB/LLDB process to attach to the application.



From OWASP:




In other words, using ptrace with PT_DENY_ATTACH ensures that no other debugger can attach to the calling process; if a debugger attempts to attach, the process will terminate




Here is the solution I used (for Swift). I also had help from this Raywenderlich.com article (Objective-C). I can confirm that using the linked solution works - the app launches but the debugger cuts out, stopping all logs to the console. This could potentially deter hackers, but there will always be a way to get around this. As stated the Raywenderlich article linked:




Don’t get too comfortable. Hackers often use Cycript, a JavaScript-styled program that can manipulate Objective-C apps at runtime. The scariest thing is that the previous logic to check for debugging activity fails when Cycript is attached. Remember, nothing is truly secure…




However, according to Joseph Lord, writing apps using Swift can hopefully help you here. But then again, the reverse engineer always wins.



I hope this helps, in some way or form ...






share|improve this answer






















    Your Answer






    StackExchange.ifUsing("editor", function ()
    StackExchange.using("externalEditor", function ()
    StackExchange.using("snippets", function ()
    StackExchange.snippets.init();
    );
    );
    , "code-snippets");

    StackExchange.ready(function()
    var channelOptions =
    tags: "".split(" "),
    id: "1"
    ;
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function()
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled)
    StackExchange.using("snippets", function()
    createEditor();
    );

    else
    createEditor();

    );

    function createEditor()
    StackExchange.prepareEditor(
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: true,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: 10,
    bindNavPrevention: true,
    postfix: "",
    imageUploader:
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    ,
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    );



    );













    draft saved

    draft discarded


















    StackExchange.ready(
    function ()
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f20875415%2fdetection-of-function-hooking-in-ios%23new-answer', 'question_page');

    );

    Post as a guest















    Required, but never shown

























    1 Answer
    1






    active

    oldest

    votes








    1 Answer
    1






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    0














    I had the same issue - trying to avoid any potential function hooking within my app.



    My app was recently PEN tested and was found to have a vulnerability around function hooking. The security report referenced Frida as one of the main culprits for executing such an act. I'm sure most of you peeps would be familiar with this tool.



    OWASP suggests a few remedial solutions for securing your app, but in this context, the section titled Anti-Debugging Checks would be the main focus.



    As suggested by OWASP, I used ptrace with PT_DENY_ATTACH - denying a GDB/LLDB process to attach to the application.



    From OWASP:




    In other words, using ptrace with PT_DENY_ATTACH ensures that no other debugger can attach to the calling process; if a debugger attempts to attach, the process will terminate




    Here is the solution I used (for Swift). I also had help from this Raywenderlich.com article (Objective-C). I can confirm that using the linked solution works - the app launches but the debugger cuts out, stopping all logs to the console. This could potentially deter hackers, but there will always be a way to get around this. As stated the Raywenderlich article linked:




    Don’t get too comfortable. Hackers often use Cycript, a JavaScript-styled program that can manipulate Objective-C apps at runtime. The scariest thing is that the previous logic to check for debugging activity fails when Cycript is attached. Remember, nothing is truly secure…




    However, according to Joseph Lord, writing apps using Swift can hopefully help you here. But then again, the reverse engineer always wins.



    I hope this helps, in some way or form ...






    share|improve this answer



























      0














      I had the same issue - trying to avoid any potential function hooking within my app.



      My app was recently PEN tested and was found to have a vulnerability around function hooking. The security report referenced Frida as one of the main culprits for executing such an act. I'm sure most of you peeps would be familiar with this tool.



      OWASP suggests a few remedial solutions for securing your app, but in this context, the section titled Anti-Debugging Checks would be the main focus.



      As suggested by OWASP, I used ptrace with PT_DENY_ATTACH - denying a GDB/LLDB process to attach to the application.



      From OWASP:




      In other words, using ptrace with PT_DENY_ATTACH ensures that no other debugger can attach to the calling process; if a debugger attempts to attach, the process will terminate




      Here is the solution I used (for Swift). I also had help from this Raywenderlich.com article (Objective-C). I can confirm that using the linked solution works - the app launches but the debugger cuts out, stopping all logs to the console. This could potentially deter hackers, but there will always be a way to get around this. As stated the Raywenderlich article linked:




      Don’t get too comfortable. Hackers often use Cycript, a JavaScript-styled program that can manipulate Objective-C apps at runtime. The scariest thing is that the previous logic to check for debugging activity fails when Cycript is attached. Remember, nothing is truly secure…




      However, according to Joseph Lord, writing apps using Swift can hopefully help you here. But then again, the reverse engineer always wins.



      I hope this helps, in some way or form ...






      share|improve this answer

























        0












        0








        0







        I had the same issue - trying to avoid any potential function hooking within my app.



        My app was recently PEN tested and was found to have a vulnerability around function hooking. The security report referenced Frida as one of the main culprits for executing such an act. I'm sure most of you peeps would be familiar with this tool.



        OWASP suggests a few remedial solutions for securing your app, but in this context, the section titled Anti-Debugging Checks would be the main focus.



        As suggested by OWASP, I used ptrace with PT_DENY_ATTACH - denying a GDB/LLDB process to attach to the application.



        From OWASP:




        In other words, using ptrace with PT_DENY_ATTACH ensures that no other debugger can attach to the calling process; if a debugger attempts to attach, the process will terminate




        Here is the solution I used (for Swift). I also had help from this Raywenderlich.com article (Objective-C). I can confirm that using the linked solution works - the app launches but the debugger cuts out, stopping all logs to the console. This could potentially deter hackers, but there will always be a way to get around this. As stated the Raywenderlich article linked:




        Don’t get too comfortable. Hackers often use Cycript, a JavaScript-styled program that can manipulate Objective-C apps at runtime. The scariest thing is that the previous logic to check for debugging activity fails when Cycript is attached. Remember, nothing is truly secure…




        However, according to Joseph Lord, writing apps using Swift can hopefully help you here. But then again, the reverse engineer always wins.



        I hope this helps, in some way or form ...






        share|improve this answer













        I had the same issue - trying to avoid any potential function hooking within my app.



        My app was recently PEN tested and was found to have a vulnerability around function hooking. The security report referenced Frida as one of the main culprits for executing such an act. I'm sure most of you peeps would be familiar with this tool.



        OWASP suggests a few remedial solutions for securing your app, but in this context, the section titled Anti-Debugging Checks would be the main focus.



        As suggested by OWASP, I used ptrace with PT_DENY_ATTACH - denying a GDB/LLDB process to attach to the application.



        From OWASP:




        In other words, using ptrace with PT_DENY_ATTACH ensures that no other debugger can attach to the calling process; if a debugger attempts to attach, the process will terminate




        Here is the solution I used (for Swift). I also had help from this Raywenderlich.com article (Objective-C). I can confirm that using the linked solution works - the app launches but the debugger cuts out, stopping all logs to the console. This could potentially deter hackers, but there will always be a way to get around this. As stated the Raywenderlich article linked:




        Don’t get too comfortable. Hackers often use Cycript, a JavaScript-styled program that can manipulate Objective-C apps at runtime. The scariest thing is that the previous logic to check for debugging activity fails when Cycript is attached. Remember, nothing is truly secure…




        However, according to Joseph Lord, writing apps using Swift can hopefully help you here. But then again, the reverse engineer always wins.



        I hope this helps, in some way or form ...







        share|improve this answer












        share|improve this answer



        share|improve this answer










        answered Nov 15 '18 at 15:47









        PlazPlaz

        11




        11





























            draft saved

            draft discarded
















































            Thanks for contributing an answer to Stack Overflow!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid


            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.

            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f20875415%2fdetection-of-function-hooking-in-ios%23new-answer', 'question_page');

            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            -

            Popular posts from this blog

            Top Tejano songwriter Luis Silva dead of heart attack at 64

            Image
            Ramiro Burr's New Blog - to go back: www.ramiroburr.com From Latin rock to reggaeton, boleros to blues,Tex-Mex to Tejano, conjunto to corridos and beyond, Ramiro Burr has it covered. If you have a new CD release, a trivia question or are looking for tour info, post a message here or e-mail Ramiro directly at: musicreporter@gmail.com Top Tejano songwriter Luis Silva dead of heart attack at 64 By Ramiro Burr on October 23, 2008 8:40 AM | Permalink | Comments (12) | TrackBacks (0) UPDATE: Luis Silva Funeral Service details released Visitation 4-9 p.m. Saturday, Rosary service 6 p.m. Saturday at Porter Loring, 1101 McCullough Ave Funeral Service 10:30 a.m. Monday St. Anthony De Padua Catholic Church, Burial Service at Chapel Hills, 7735 Gibbs Sprawl Road. Porter Loring (210) 227-8221 Related New Flash: Irma Laura Lopez: long time record promoter killed in accident NewsFlash: 9:02 a.m. (New comments below) Luis Silva , one of the most well-known and prolif
            Read more

            ReactJS Fetched API data displays live - need Data displayed static

            Image
            .everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty height:90px;width:728px;box-sizing:border-box; 0 I'm fetching data from API with axios which is live (counters, date and time etc.). When I display it, browser gets not responding because it gets a lot of requests. What I need just get a first snapshot of live data. Same goes for: var date = new Date; return (<p>date.toLacaleString()</p>) It gets live time (ticking every second) :D I just need date and time at that moment when it gets requested (snapshot). reactjs date time static axios share | improve this question edited Nov 16 '18 at 16:18 Sung M. Kim 17.9k 33 112 165 asked Nov 16 '18 at 13:39 Laurynas Žilinskas Laurynas Žilinskas 8 4 add a comment  |  0 I'm fetching data from API with axios which is live (counters, date and time etc.). When I display it, brow
            Read more

            政党

            Image
            政治主題的一部分 政党政治 政治光譜 左派 極左 中間偏左 中间派 中間偏左 激進中間 ( 英语 : Radical centrism ) 中間偏右 右派 中間偏右 極右 政綱 極端 激进 ( 英语 : Political radicalism ) 温和 ( 英语 : Moderate ) 改良 混合 ( 英语 : Syncretic politics ) 第三位置 保守 原教旨 反动 政党制度 无党制 ( 英语 : Non-partisan democracy ) 一党制 一党优势制 兩黨制 多黨制 联盟 ( 英语 : Coalition ) 懸峙國會 信任與支持 ( 英语 : Confidence and supply ) 少數派政府 聯合政府 大聯合政府 聯合政府 National unity government ( 英语 : National unity government ) Majority government ( 英语 : Majority government ) 列表 各國執政黨 政治意識形態 政治主題頁 查 论 编 系列条目 政治 基本主题 各国政治 政治经济学 政治史 ( 英语 : Political history ) 世界政治史 ( 英语 : Political history of the world ) 政治哲学 政治体系 无政府主义 城邦 民主制 联盟制 ( 英语 : Federacy ) 封建制 独裁制 委员会制 精英政治 君主制 议会制 总统制 半总统制 神权政治 学术门类 政治学 (政治学家) 国际关系学 (理论) 比较政治学 公共行政 官僚制 (基层) 灵活组织机构 ( 英语 : Adhocracy ) 政策 公共政策 ( 原则 ( 英语 : Public policy doctrine ) ) 公共利益 外交政策 政府机构 权力分立 立法机构 行政机构 司法机构 选举机构 相关主题 主权 政治行为理论 ( 英语 : Theories of political behavior ) 政治心理学 生理与政治导向 ( 英语 : Biology and political orientation ) 政治组织 ( 英语 : Political organisation ) 下属系列 选举制度 选举(投票) 联邦主义 政府 意识
            Read more