Detecting Frida
Hi, I am writing in to check if there is a way to detect Frida. We have a Mobile App Penetration Test (MAPT), and the tester uses Frida as the tool for the penetration test. We have implemented this code to detect Frida and Objection:

```objective-c
#import <Foundation/Foundation.h>
#include <mach-o/dyld.h>
#include <string.h>

static BOOL isInjected0(void) {
    NSArray *suspiciousLibraries = [NSArray arrayWithObjects:@"FridaGadget", @"frida", @"cynject", @"libcycript", nil];
    uint32_t count = _dyld_image_count(); // Get the number of loaded images
    for (uint32_t i = 0; i < count; i++) {
        // Traverse all image names and determine whether any come from a suspicious dynamic library
        const char *dyld = _dyld_get_image_name(i);
        if (dyld == NULL) continue;
        if (strstr(dyld, "DynamicLibraries")) {
            return YES;
        }
        for (NSString *suspiciousLibrary in suspiciousLibraries) {
            if ([[NSString stringWithUTF8String:dyld] rangeOfString:suspiciousLibrary].location != NSNotFound) {
                return YES;
            }
        }
    }
    return NO;
}
```

We also added this code to detect the default port that Frida uses:

```objective-c
#import <Foundation/Foundation.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <string.h>

@interface FridaDetector : NSObject
+ (BOOL)detectFridaPort;
+ (BOOL)isPortOpen:(in_port_t)port;
@end

@implementation FridaDetector

+ (BOOL)detectFridaPort {
    in_port_t port = 27042; // frida-server's default listening port
    return [self isPortOpen:port];
}

// Tries to bind a listening socket to 127.0.0.1:port; if that fails, something
// (possibly frida-server) already holds the port.
+ (BOOL)isPortOpen:(in_port_t)port {
    int socketFileDescriptor = socket(AF_INET, SOCK_STREAM, 0);
    if (socketFileDescriptor == -1) {
        NSLog(@"Failed to create socket");
        return NO;
    }
    struct sockaddr_in addr;
    memset(&addr, 0, sizeof(addr));
    addr.sin_len = sizeof(addr);
    addr.sin_family = AF_INET;
    addr.sin_port = htons(port); // Ensuring the port is in network byte order
    addr.sin_addr.s_addr = inet_addr("127.0.0.1");
    BOOL result = NO;
    if (bind(socketFileDescriptor, (struct sockaddr *)&addr, sizeof(addr)) == -1) {
        NSLog(@"Failed to bind socket, port might be open");
        result = YES;
    } else if (listen(socketFileDescriptor, SOMAXCONN) == -1) {
        NSLog(@"Failed to listen on socket, port might be open");
        result = YES;
    }
    close(socketFileDescriptor);
    return result;
}

@end
```

We are able to detect Frida on a normal device, but I believe the tester did some workaround to prevent us from detecting the Frida present on their device. Is there a better way to detect Frida and Objection?
Replies: 0 · Boosts: 0 · Views: 625 · Activity: Jul ’24
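Two checks that complement the post's bind() probe, added here as an example (this is editorial code, not code from the original post or from any library it mentions). The bind() test only tells you that some process holds port 27042; frida-server speaks D-Bus on that port, so connecting and sending a bare "AUTH" line should produce a "REJECT" reply, which is a much more specific signal. The second check walks the process's own threads and looks for the names Frida's GLib-based runtime has used. Assumptions: port 27042 is the default and may have been changed with `frida-server -l`; the thread names are taken from past Frida builds and must be re-verified against the version in use; the 200 ms socket timeout is arbitrary.

```objective-c
#import <Foundation/Foundation.h>
#include <mach/mach.h>
#include <pthread.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <unistd.h>
#include <string.h>

// Connect to 127.0.0.1:port and run the start of a D-Bus client handshake:
// a NUL byte followed by "AUTH\r\n" with no mechanism. frida-server answers
// that with a line starting "REJECT". Port 27042 is Frida's default (assumption).
static BOOL fridaHandshakeOnPort(in_port_t port) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return NO;
    struct timeval tv = { .tv_sec = 0, .tv_usec = 200000 }; // bound the wait on send/recv
    setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof(tv));
    setsockopt(fd, SOL_SOCKET, SO_SNDTIMEO, &tv, sizeof(tv));

    struct sockaddr_in addr;
    memset(&addr, 0, sizeof(addr));
    addr.sin_len = sizeof(addr);
    addr.sin_family = AF_INET;
    addr.sin_port = htons(port);
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);

    BOOL hit = NO;
    if (connect(fd, (struct sockaddr *)&addr, sizeof(addr)) == 0) {
        static const char probe[] = "\0AUTH\r\n";           // sizeof includes the trailing NUL
        if (send(fd, probe, sizeof(probe) - 1, 0) == (ssize_t)(sizeof(probe) - 1)) {
            char buf[64];
            memset(buf, 0, sizeof(buf));
            ssize_t n = recv(fd, buf, sizeof(buf) - 1, 0);
            hit = (n >= 6 && strncmp(buf, "REJECT", 6) == 0);
        }
    }
    close(fd);
    return hit;
}

// Look for threads whose names match those Frida's GLib runtime has used.
// The list is an assumption; confirm it against the Frida version being tested.
static BOOL fridaThreadPresent(void) {
    static const char *const names[] = { "gmain", "gdbus", "gum-js-loop", "pool-frida" };
    thread_act_array_t threads = NULL;
    mach_msg_type_number_t count = 0;
    if (task_threads(mach_task_self(), &threads, &count) != KERN_SUCCESS) return NO;

    BOOL hit = NO;
    for (mach_msg_type_number_t i = 0; i < count; i++) {
        pthread_t pt = pthread_from_mach_thread_np(threads[i]);
        char name[64];
        memset(name, 0, sizeof(name));
        if (!hit && pt && pthread_getname_np(pt, name, sizeof(name)) == 0 && name[0]) {
            for (size_t j = 0; j < sizeof(names) / sizeof(names[0]); j++) {
                if (strcmp(name, names[j]) == 0) { hit = YES; break; }
            }
        }
        mach_port_deallocate(mach_task_self(), threads[i]); // release each thread port
    }
    vm_deallocate(mach_task_self(), (vm_address_t)threads, count * sizeof(thread_t));
    return hit;
}

// Combined verdict; call it from a background queue, never on the main thread.
BOOL fridaRuntimeDetected(void) {
    return fridaHandshakeOnPort(27042) || fridaThreadPresent();
}
```

Two caveats a tester will exploit: the port is configurable (`frida-server -l` or a Gadget config), and anything that runs in the app's own process can be hooked, including `_dyld_get_image_name`, `task_threads`, `connect` and the detection function itself, so a tester with Frida attached can simply force the check to return NO. Treat these checks as raising cost, not as a boundary; if the result must be trusted, report it to a server together with device attestation rather than branching on it locally.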
App flagged with bypassed SSL Pinning during Mobile App Penetration Test
Recently our app went through a series of Mobile App Penetration Tests (MAPT), and was flagged with bypassed SSL Pinning (https://cwe.mitre.org/data/definitions/693.html). The tester is using Frida and is able to attach to SSL_CTX_set_custom_verify() from libboringssl.dylib, as shown in this script (https://codeshare.frida.re/@federicodotta/ios13-pinning-bypass/). As per my research, though I'm not absolutely sure, I see that BoringSSL was added since iOS 11 (https://developer.apple.com/forums/thread/88387) and (https://github.com/firebase/firebase-ios-sdk/issues/314). I would like to check if there is any way around this, as I am using TrustKit (https://cocoapods.org/pods/TrustKit), and I realised many other pods also tag on SSL_CTX_set_custom_verify() for SSL Pinning. As our app requires SSL Pinning and a resolution to this issue, I would like to ask if there is any solution, whether it be a recommended pod/library or a native solution (preferred), to do SSL Certificate Pinning. Thank you.
Replies: 5 · Boosts: 0 · Views: 675 · Activity: Jul ’24
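A native pinning implementation of the kind the post above asks for, added here as an example; it is neither TrustKit's code nor anything from the thread. It pins SHA-256 hashes of the server key's SubjectPublicKeyInfo (SPKI), checked in the NSURLSession delegate only after the system's own chain, hostname and expiry validation has passed. Assumptions: the host name `api.example.com` and the two pin strings are placeholders; `SecKeyCopyExternalRepresentation` returns a raw key (PKCS#1 for RSA, an X9.63 point for EC), so the fixed DER headers below rebuild the SPKI for RSA-2048 and EC P-256 keys only, and any other key type fails closed; `SecTrustCopyCertificateChain` needs iOS 15.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#import <CommonCrypto/CommonDigest.h>

@interface PinnedSessionDelegate : NSObject <NSURLSessionDelegate>
// host -> set of 32-byte SHA-256(SPKI) pins; include a backup key's pin for rotation
@property (nonatomic, copy) NSDictionary<NSString *, NSSet<NSData *> *> *pinsByHost;
@end

// DER SubjectPublicKeyInfo prefixes for the raw key material Security.framework hands out.
static const uint8_t kRSA2048Header[] = {0x30,0x82,0x01,0x22,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,
                                         0xf7,0x0d,0x01,0x01,0x01,0x05,0x00,0x03,0x82,0x01,0x0f,0x00};
static const uint8_t kECP256Header[]  = {0x30,0x59,0x30,0x13,0x06,0x07,0x2a,0x86,0x48,0xce,0x3d,0x02,0x01,
                                         0x06,0x08,0x2a,0x86,0x48,0xce,0x3d,0x03,0x01,0x07,0x03,0x42,0x00};

// SHA-256 over the certificate's SPKI, or nil for key types this example does not support.
static NSData *SPKISHA256(SecCertificateRef cert) {
    SecKeyRef key = SecCertificateCopyKey(cert);
    if (!key) return nil;
    NSDictionary *attrs = CFBridgingRelease(SecKeyCopyAttributes(key));
    NSData *raw = CFBridgingRelease(SecKeyCopyExternalRepresentation(key, NULL));
    CFRelease(key);
    if (!raw) return nil;

    NSString *type = attrs[(__bridge id)kSecAttrKeyType];
    NSNumber *bits = attrs[(__bridge id)kSecAttrKeySizeInBits];
    NSMutableData *spki = [NSMutableData data];
    if ([type isEqual:(__bridge id)kSecAttrKeyTypeRSA] && bits.integerValue == 2048) {
        [spki appendBytes:kRSA2048Header length:sizeof(kRSA2048Header)];
    } else if ([type isEqual:(__bridge id)kSecAttrKeyTypeECSECPrimeRandom] && bits.integerValue == 256) {
        [spki appendBytes:kECP256Header length:sizeof(kECP256Header)];
    } else {
        return nil; // unknown header: fail closed instead of guessing
    }
    [spki appendData:raw];

    uint8_t digest[CC_SHA256_DIGEST_LENGTH];
    CC_SHA256(spki.bytes, (CC_LONG)spki.length, digest);
    return [NSData dataWithBytes:digest length:sizeof(digest)];
}

@implementation PinnedSessionDelegate

- (void)URLSession:(NSURLSession *)session
didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge
 completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition, NSURLCredential *))completionHandler {
    NSURLProtectionSpace *space = challenge.protectionSpace;
    if (![space.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
        return;
    }
    SecTrustRef trust = space.serverTrust;
    NSSet<NSData *> *pins = self.pinsByHost[space.host];

    // 1. Standard validation first: trusted root, hostname, validity period.
    CFErrorRef err = NULL;
    if (pins == nil || !SecTrustEvaluateWithError(trust, &err)) {
        if (err) CFRelease(err);
        completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
        return;
    }

    // 2. Some certificate in the validated chain must carry a pinned SPKI.
    BOOL matched = NO;
    CFArrayRef chain = SecTrustCopyCertificateChain(trust);
    for (CFIndex i = 0; chain && i < CFArrayGetCount(chain) && !matched; i++) {
        SecCertificateRef cert = (SecCertificateRef)CFArrayGetValueAtIndex(chain, i);
        NSData *hash = SPKISHA256(cert);
        matched = (hash != nil && [pins containsObject:hash]);
    }
    if (chain) CFRelease(chain);

    if (matched) {
        completionHandler(NSURLSessionAuthChallengeUseCredential, [NSURLCredential credentialForTrust:trust]);
    } else {
        completionHandler(NSURLSessionAuthChallengeCancelAuthenticationChallenge, nil);
    }
}

@end

// Usage: the pin strings are placeholders for base64(SHA-256(SPKI)) of the live and backup keys.
static NSURLSession *PinnedSession(void) {
    NSMutableSet<NSData *> *pins = [NSMutableSet set];
    for (NSString *b64 in @[@"PRIMARY_PIN_BASE64_SHA256", @"BACKUP_PIN_BASE64_SHA256"]) {
        NSData *pin = [[NSData alloc] initWithBase64EncodedString:b64 options:0];
        if (pin.length == CC_SHA256_DIGEST_LENGTH) [pins addObject:pin];
    }
    PinnedSessionDelegate *delegate = [PinnedSessionDelegate new];
    delegate.pinsByHost = @{ @"api.example.com": pins };
    return [NSURLSession sessionWithConfiguration:[NSURLSessionConfiguration ephemeralSessionConfiguration]
                                         delegate:delegate delegateQueue:nil];
}
```

Moving the check into the delegate does not take the Frida finding off the table: a tester who can hook `SSL_CTX_set_custom_verify` can just as easily hook `SecTrustEvaluateWithError` or this delegate method and hand back `NSURLSessionAuthChallengeUseCredential`. Pinning defends against an attacker on the network path who presents a certificate the device would otherwise trust; it cannot defend against code running inside the app's own process. Whether the bypass is an accepted risk or needs device attestation and integrity checks on top is a threat-model decision to settle with the testers, not something a different pinning library changes.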