safetorun / safe_to_run

A library to help verify the security of your android application

Home Page: https://safetorun.com

License: Apache License 2.0

Kotlin 99.93% Shell 0.07%
security kotlin android androidsecurity devsecops mobile mobilesecurity securityascode

safe_to_run's Issues

Backend storage & synch

Create the ability for data to be stored locally and sent in bulk to the backend server for analytics events.

Improve debug detection

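// Requires: import android.os.Debug;
static boolean detect_threadCpuTimeNanos() {
    long start = Debug.threadCpuTimeNanos();

    // Busy loop; the thread CPU time spent in it is compared below.
    for (int i = 0; i < 1000000; ++i)
        continue;

    long stop = Debug.threadCpuTimeNanos();

    // Threshold is 10,000,000 ns (10 ms): returns true when the loop took at least that long.
    return stop - start >= 10000000;
}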

Add feature for device binding

Prevent an app + its data from being copied and working correctly from one device to another.

Can do this by using the Android Keystore to generate a signature and then verifying it on launch.
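One way the keystore-backed check described in this issue could look, as an added sketch that is not safe_to_run's own code. The alias and function names are hypothetical, and it assumes API level 23 or later, where `KeyGenParameterSpec` is available.

```kotlin
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
import java.security.KeyFactory
import java.security.KeyPairGenerator
import java.security.KeyStore
import java.security.PrivateKey
import java.security.SecureRandom
import java.security.Signature
import java.security.spec.X509EncodedKeySpec

private const val ALIAS = "device_binding_key" // hypothetical alias

/** First launch: create a non-exportable key pair; returns the public key to persist in app data. */
fun enrolDevice(): ByteArray {
    val generator = KeyPairGenerator.getInstance(KeyProperties.KEY_ALGORITHM_EC, "AndroidKeyStore")
    generator.initialize(
        KeyGenParameterSpec.Builder(ALIAS, KeyProperties.PURPOSE_SIGN)
            .setDigests(KeyProperties.DIGEST_SHA256)
            .build()
    )
    return generator.generateKeyPair().public.encoded
}

/** Every launch: prove the private key matching the stored public key is in this device's keystore. */
fun isBoundToThisDevice(storedPublicKey: ByteArray): Boolean {
    val keyStore = KeyStore.getInstance("AndroidKeyStore").apply { load(null) }
    // Copied app data arrives without the keystore entry, so the lookup fails on another device.
    val privateKey = keyStore.getKey(ALIAS, null) as? PrivateKey ?: return false

    val challenge = ByteArray(32).also { SecureRandom().nextBytes(it) }
    val signature = Signature.getInstance("SHA256withECDSA").run {
        initSign(privateKey)
        update(challenge)
        sign()
    }
    // Verify with the public key saved at enrolment, not the one currently in the keystore.
    val publicKey = KeyFactory.getInstance("EC").generatePublic(X509EncodedKeySpec(storedPublicKey))
    return Signature.getInstance("SHA256withECDSA").run {
        initVerify(publicKey)
        update(challenge)
        verify(signature)
    }
}
```

The bytes returned by `enrolDevice()` go into app-private storage; a key pair regenerated on a different device will not verify against them.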

Need to be able to store device IDs on device

We should ideally keep track of device IDs by creating a unique device ID for each user and storing it on device.

We should also look to allow someone to access the device ID from the public facing SDK.

Logging & Dry run

  • We should be able to allow logging of check failures so that we are able to either log to console for debugging purposes when a check fails (note: must make sure to disable for production deployments)
  • And/or allow for remote logging to a server, particularly for failed intent / URL / file checks so that developers can adjust their configurations to make sure they aren't too restrictive.
  • It also makes sense to allow for a 'dry-run' mode so that if developers are integrating safe to run they can safely deploy without suddenly breaking app functionality

Re-configure the blacklistedAppCheck

Allow for having a builder and configuration that looks like this:

safeToRun(
    blacklistedAppCheck {
        "com.test.app".add()
        rootApps.addAll()
    }
)

Create app metadata

Capture device metadata to form part of the API call. Should include:

  • Version code
  • Package name
  • Version string

Intent verifier - shouldn't have a .addConfiguration() function

Currently to add a URL Configuration, you have to do this:

val extraIntent = intent.getParcelableExtra<Intent>("extra_intent")
extraIntent?.verify(this) {

    urlConfiguration {
        "insecureapp.com".allowHost()
    }.addConfiguration()

    actionOnSuccess = {
        startActivity(extraIntent)
        finish()
    }

    actionOnFailure = {
        throw RuntimeException("Please don't hack my app")
    }
}

Instead, it should just be added automatically by adding a URL configuration function to the builder. e.g. it should look like this:

extraIntent?.verify(this) {

    urlConfiguration {
        "insecureapp.com".allowHost()
    }
}

Add ability to generate code from config

Allow generation of input verification code from a configuration file. This will allow input verification configuration to be validated at build time, but also allow us to change configuration remotely

Rotate backend secret key

Provide a mechanism for rotating the backend secret (ideally using a certificate) and also provide a way of exposing the public certificate to 3rd parties for verification on their own server

Verify file

Check for sensitive files that you might be accidentally egressing and also check for directory traversal that you might be downloading

Add a logging function which can be attached to safe to run - resilience

Add the ability for a function or interface to be attached to safe to run resilience which will allow us to log failures and successes - also add a default logger which logs to logcat.

  • Need to be attachable in some way to this: package com.safetorun.inline/safetorun.kt

Most likely the best way would be adding a function as a parameter - e.g.:

// Current 

inline fun safeToRun(
    safeToRunChecks: List<SafeToRunCheck>
)

// Add this:
inline fun safeToRun(
    logFunction : (Boolean) -> Unit,
    safeToRunChecks: List<SafeToRunCheck>
)

Need to do this in such a way that we actually have two functions so as not to break for existing users

False emulator trigger on Xiaomi

Some (or maybe all) Xiaomi devices have set Build.BOOTLOADER = "unknown".

Because of that, every emulator check triggers falsely.

These methods are affected:
banAvdEmulatorCheck()
banBluestacksEmulatorCheck()
banGenymotionEmulatorCheck()
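An added sketch (not safe_to_run's code) of why a single `Build.BOOTLOADER == "unknown"` test misfires on the devices reported above, and how requiring several agreeing signals avoids it. `BuildSnapshot`, the weights, the threshold and the listed AVD values are assumptions chosen for illustration.

```kotlin
/** Snapshot of android.os.Build fields, passed in so the scoring can be unit-tested off-device. */
data class BuildSnapshot(
    val bootloader: String,
    val fingerprint: String,
    val model: String,
    val manufacturer: String,
    val hardware: String,
)

// Weights and threshold are illustrative assumptions, not values from safe_to_run.
private const val EMULATOR_THRESHOLD = 3

fun emulatorScore(b: BuildSnapshot): Int {
    var score = 0
    // Weak signal: also true on real hardware (the Xiaomi devices in this issue).
    if (b.bootloader.equals("unknown", ignoreCase = true)) score += 1
    // Stronger signals commonly reported by stock AVD images (assumed list).
    if (b.fingerprint.startsWith("generic")) score += 2
    if (b.hardware == "goldfish" || b.hardware == "ranchu") score += 2
    if (b.model.contains("Emulator") || b.model.contains("Android SDK built for")) score += 2
    if (b.manufacturer.contains("Genymotion")) score += 3
    return score
}

/** A weak signal alone never reaches the threshold; it only counts alongside stronger ones. */
fun looksLikeEmulator(b: BuildSnapshot): Boolean = emulatorScore(b) >= EMULATOR_THRESHOLD

fun main() {
    // Constructed sample values, not captured from real devices.
    val xiaomiPhone = BuildSnapshot(
        bootloader = "unknown",
        fingerprint = "Xiaomi/sample/sample:11/SAMPLE/1:user/release-keys",
        model = "SamplePhone",
        manufacturer = "Xiaomi",
        hardware = "qcom",
    )
    val avd = BuildSnapshot(
        bootloader = "unknown",
        fingerprint = "generic_x86/sdk_gphone_x86/generic_x86:11/SAMPLE/1:userdebug/dev-keys",
        model = "Android SDK built for x86",
        manufacturer = "Google",
        hardware = "ranchu",
    )
    println("Xiaomi phone flagged: ${looksLikeEmulator(xiaomiPhone)}")
    println("AVD flagged: ${looksLikeEmulator(avd)}")
}
```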

Review intent verification

  • Intent verification could (and probably should) be reviewed to make it so that you can model what an intent should look like. For example:

intentVerificationBuilder {
    allowUnknownFields = false
    addDataVerification(...)
    actionVerification(..)
    addBundleVerification(parameterName = "") {
    }

    addIntentVerification(parameterName = "") {
        intentVerification = intentVerificationBuilder { ... }
    }

    addStringVerification(parameterName = "file") {
        fileVerification =  //...
    }

    addStringVerification(parameterName = "url") {
        urlVerification = urlVerification {}
    }
}

Need to verify loads of different types, e.g. Int, Byte, IntArray, ByteArray etc

Add PIN input screen

Requires

  • A global object that can be called to ask 'is the user logged in'
  • A global object to log a user out
  • A way of creating a PIN for the first time
  • A way of storing said pin securely
  • A way of verifying the PIN for future
  • A callback that can be used to register for pin changes (i.e. has the user logged out)

Allow calling from react native

In order to allow safe to run functionality to run from React Native we can package & create a package that can be installed in a React Native app and called from JavaScript.

Need to consider:

  • No-op for non-android apps (e.g. iOS)
  • Deployment to package manager
  • Automated testing

Create a function to capture device metadata & failures

Create a comprehensive function for capturing device metadata and potential failures.

Specifically, this should be the object for capturing data:

data class DeviceMetadata(val buildInfo: Map<String, String>, val rooted: Boolean, val emulator: Boolean, val signature: String, val installOrigin: String, val extraData: Map<String, String>)

Build information would be populated by the Build class.

Extra data would be left empty by default, but allow people to populate with extra checks they make

Improve authentication

We'll need to be able to differentiate between simple API key auth as would be provided from the app (e.g. a public API key) and users who need to perform extra queries - e.g. because they want to be able to query for a list of device information(s) etc

Clunky os check syntax

The OS check syntax is slightly clunky; it might make more sense for the conditional builder to be rewritten.

Kotlin Compiler plugin

Allow Annotation to provide check before a function is executed.

This means

  • creating an annotation, most likely one per check type, e.g. Intent check, URL check, file check
  • the annotation takes a name, e.g. the checker to use
  • write a Kotlin compiler plugin to parse those annotations
  • replace with a call to a function that checks against the configuration for that name
