Enhanced jailbreak-detection using app server
Necessity of Enhanced Jailbreak Detection Method
One of the main functions of the AppSealing SDK is to detect a jailbroken device environment and forcibly close the app. However, these detection functions may be bypassed by more sophisticated attack methods. This is because, due to the characteristics of the iOS operating system, the code of a loaded dynamic library (dylib) is executed first when the app is launched. An attacker may distribute, in such a dynamic library, code that patches a specific area of the executable file.
If this code patch occurs before AppSealing’s detection logic is executed, the code that terminates the app has already been removed, so even if a jailbreak is detected, the app keeps running.
Of course, not everyone can perform this type of attack easily, but since this type of attack has been confirmed by a group of hackers with specialized hacking knowledge, AppSealing provides an additional jailbreak detection method to overcome such an attack situation.
Since the characteristic of this attack method is that the code of the running app is changed in advance, no matter how strong the detection logic added to the AppSealing library itself is, the situation in which the code is patched by the dynamic library is unavoidable. Therefore, the newly provided jailbreak detection function does not perform detection inside the app; instead, the server linked to the app rejects all services and actions, such as logging in or accepting API calls, for a device suspected of being jailbroken.
The basic method is to obtain server credentials from the app through the AppSealing interface, add them to the existing authentication parameters, and send them to the server.
This method cannot be applied to a client-only app that does not work with a server.
The following sections describe, with example code, how to obtain and validate server credentials.
iOS App Code
The additional step your app needs in order to have the server verify the credential is to call a function in the AppSealing SDK that returns the server credential string, and to send that string to the server along with the existing authentication parameters.
Most apps that work with the server will go through a user authentication or login process, and in this process, the account information entered by the user will be transmitted to the server. You can add the server credential string to the parameters you send to the server.
Sample credential acquisition code for a Cordova/Ionic project:
```swift
// Instantiate the AppSealing interface and request the encrypted credential.
let inst: AppSealingInterface = AppSealingInterface()
// The SDK returns a C string; convert it into a Swift String.
let credential = String(cString: inst._GetEncryptedCredential())
print("AppSealing Credential: \(credential)")
// Send the credential to the server together with the login parameters, e.g.:
// LoginToServer(userID, password, credential)
```
For Objective-C based projects:
```objectivec
// Buffer that receives the credential hex string from the SDK.
char credential[290];
int result = ObjC_GetEncryptedCredential(credential);
if (result == 0) {
    // A result of 0 means the credential was obtained; convert it to an NSString
    // and pass it on with the login parameters.
    NSString *strCredential = [NSString stringWithUTF8String:credential];
    NSLog(@"AppSealing Credential: %@", strCredential);
    // [self loginToServer:userID password:password credential:strCredential];
}
```
After you get the credential string, send it as an additional parameter when your app communicates with the server for the login or authentication process, and let the server validate it.
If your server fails to validate the credential, you should also force the login to fail so that the app does not proceed further. However, since client code such as checking the login result and closing the app is likely to be tampered with by an attacker, the best practice is to configure your server to deny service or any response to requests from that client once credential validation has failed.
Verification at app server
The credential data (hex string) returned from the interface call to the AppSealing module is only valid when the security logic inside AppSealing has run normally and no dangerous situation has been detected on the device.
If a code-patch attack is made through a dynamic library, or the security logic is bypassed by other methods, valid credential data will not be generated, so the server should verify this value and block the compromised device.
The app server must check whether the credential value sent by the client (app) is correct, and if it is not correct, it must deny authentication (login) and then deny any services (API call) requested by that client.
[Preparation]
To verify credential data on the server, you need the AES key and IV to decrypt the data sent from the client, and the original credential data to compare against.
All of these values can be obtained via the “Check Credential” button of the project in the ADC. Copy the hex string shown there and paste it into the example code.
For server-side implementation examples in various languages (Node.js, Java, C#, Python, Ruby, C++), please refer to the complete server validation code provided in the AppSealing SDK documentation.