CAPEC-661

Root/Jailbreak Detection Evasion via Debugging
Medium
Stable
2020-12-17

CAPEC Description

An adversary inserts a debugger into the program entry point of a mobile application to modify the application binary, with the goal of evading Root/Jailbreak detection. Mobile device users often Root/Jailbreak their devices in order to gain administrative control over the mobile operating system and/or to install third-party mobile applications that are not provided by authorized application stores (e.g. Google Play Store and Apple App Store). Rooting/Jailbreaking a mobile device also provides users with access to system debuggers and disassemblers, which can be leveraged to exploit applications by dumping the application's memory at runtime in order to remove or bypass signature verification methods. This further allows the adversary to evade Root/Jailbreak detection mechanisms, which can result in execution of administrative commands, obtaining confidential data, impersonating legitimate users of the application, and more.

CAPEC Information

Execution Flow

1) Explore

[Identify application with attack potential] The adversary searches for and identifies a mobile application that could be exploited for malicious purposes (e.g. banking, voting, or medical applications).

Technique
  • Search application stores for mobile applications worth exploiting
2) Experiment

[Debug the target application] The adversary inserts the debugger into the program entry point of the mobile application, after the application's signature has been identified, to dump its memory contents.

Technique
  • Insert the debugger at the mobile application's program entry point, after the application's signature has been identified.
  • Dump the memory region containing the now decrypted code from the address space of the binary.
3) Experiment

[Remove application signature verification methods] Remove signature verification methods from the decrypted code and resign the application with a self-signed certificate.

4) Exploit

[Execute the application and evade Root/Jailbreak detection methods] The application executes with the self-signed certificate, while believing it contains a trusted certificate. This now allows the adversary to evade Root/Jailbreak detection via code hooking or other methods.

Technique
  • Optional: Hook code into the target application.

Prerequisites

A debugger must be able to be inserted into the targeted application.

Skills Required

Knowledge about Root/Jailbreak detection and evasion techniques.
Knowledge about runtime debugging.

Resources Required

The adversary must have a Rooted/Jailbroken mobile device with debugging capabilities.

Mitigations

Instantiate checks within the application code that ensure no debugger is attached.
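One concrete form of that mitigation on Linux-based platforms such as Android is to read the TracerPid field of /proc/self/status: a non-zero value means another process is ptrace-attached (a debugger, strace, or a similar tool). The following is an added example written for this page, not code from CAPEC or MITRE; the function names and the two sample status excerpts are constructed, and the live check assumes the Linux /proc layout.

```c
/* Added example (not part of CAPEC-661): detect an attached debugger on
 * Linux/Android by parsing the TracerPid field of /proc/self/status.
 * Helper names and the sample status text are constructed for this example. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

/* Parse the TracerPid value out of the text of a /proc/<pid>/status file.
 * Returns the tracer's PID, 0 if the process is untraced, or -1 if the
 * field is absent or malformed. */
long tracer_pid_from_status(const char *status_text)
{
    const char *line = status_text;
    while (line && *line) {
        if (strncmp(line, "TracerPid:", 10) == 0) {
            const char *p = line + 10;
            while (*p == ' ' || *p == '\t') p++;
            char *end;
            errno = 0;
            long v = strtol(p, &end, 10);
            if (end == p || errno != 0 || v < 0) return -1;
            return v;
        }
        const char *nl = strchr(line, '\n');
        line = nl ? nl + 1 : NULL;   /* advance to the next line start */
    }
    return -1;
}

/* Convenience wrapper: 1 if the status text shows an attached tracer, else 0. */
int debugger_attached_from_status(const char *status_text)
{
    return tracer_pid_from_status(status_text) > 0;
}

/* Read this process's own /proc/self/status and check it.
 * Returns 1 if traced, 0 if not, -1 if the file cannot be read (non-Linux host). */
int debugger_attached(void)
{
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    long t = tracer_pid_from_status(buf);
    if (t < 0) return -1;
    return t > 0;
}

/* Constructed sample excerpts of /proc/<pid>/status used for demonstration. */
static const char SAMPLE_UNTRACED[] =
    "Name:\tapp_process64\nState:\tS (sleeping)\nTgid:\t4242\nPid:\t4242\n"
    "PPid:\t1\nTracerPid:\t0\nUid:\t10123\t10123\t10123\t10123\n";
static const char SAMPLE_TRACED[] =
    "Name:\tapp_process64\nState:\tt (tracing stop)\nTgid:\t4242\nPid:\t4242\n"
    "PPid:\t1\nTracerPid:\t31337\nUid:\t10123\t10123\t10123\t10123\n";

int main(void)
{
    printf("sample untraced -> attached=%d\n", debugger_attached_from_status(SAMPLE_UNTRACED));
    printf("sample traced   -> attached=%d\n", debugger_attached_from_status(SAMPLE_TRACED));
    int live = debugger_attached();
    if (live < 0) puts("live check: /proc/self/status not available on this host");
    else printf("live check: debugger attached = %d\n", live);
    return 0;
}
```

A check like this is only one layer: on a rooted or jailbroken device the adversary can patch the check out of the binary or hook the file read, so it should be combined with other integrity measures (signature verification, repeated checks at several points rather than only at the entry point) and treated as a detection signal rather than a guarantee.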

Related Weaknesses

CWE-489: Active Debug Code
The product is deployed to unauthorized actors with debugging code still enabled or active, which can create unintended entry points or expose sensitive information.

References

REF-625

Android Rooting: Methods, Detection, and Evasion
San-Tsai Sun, Andrea Cuadros, Konstantin Beznosov.
http://lersse-dl.ece.ubc.ca/record/310/files/p3.pdf?subformat=pdfa

REF-626

Who owns your runtime?
Jose Lopes.
https://labs.nettitude.com/blog/ios-and-android-runtime-and-anti-debugging-protections/#hooking

REF-627

Android Root Detection Bypass by Reverse Engineering APK
Suresh Khutale.
https://resources.infosecinstitute.com/topic/android-root-detection-bypass-reverse-engineering-apk/

REF-628

PiOS: Detecting Privacy Leaks in iOS Applications
Manuel Egele, Christopher Kruegel, Engin Kirda, Giovanni Vigna.
https://www.ndss-symposium.org/wp-content/uploads/2017/09/egel.pdf

Submission

Name: CAPEC Content Team
Organization: The MITRE Corporation
Date: 2020-12-17 +00:00