CAPEC-661: Root/Jailbreak Detection Evasion via Debugging
An adversary inserts a debugger into the program entry point of a mobile application to modify the application binary, with the goal of evading Root/Jailbreak detection. Mobile device users often Root/Jailbreak their devices in order to gain administrative control over the mobile operating system and/or to install third-party mobile applications that are not provided by authorized application stores (e.g. Google Play Store and Apple App Store). Rooting/Jailbreaking a mobile device also provides users with access to system debuggers and disassemblers, which can be leveraged to exploit applications by dumping the application's memory at runtime in order to remove or bypass signature verification methods. This further allows the adversary to evade Root/Jailbreak detection mechanisms, which can result in execution of administrative commands, obtaining confidential data, impersonating legitimate users of the application, and more.
Last updated
Overview
CAPEC-661 (Root/Jailbreak Detection Evasion via Debugging) is a detailed-level attack pattern catalogued by MITRE in the Common Attack Pattern Enumeration and Classification (CAPEC). It describes a recurring method attackers use to exploit software weaknesses.
How the attack works
The phases an attacker typically follows to carry out this attack.
- Step 1Explore
[Identify application with attack potential] The adversary searches for and identifies a mobile application that could be exploited for malicious purposes (e.g. banking, voting, or medical applications).
- Search application stores for mobile applications worth exploiting
- Step 2Experiment
[Debug the target application] The adversary inserts the debugger into the program entry point of the mobile application, after the application's signature has been identified, to dump its memory contents.
- Insert the debugger at the mobile application's program entry point, after the application's signature has been identified.
- Dump the memory region containing the now decrypted code from the address space of the binary.
- Step 3Experiment
[Remove application signature verification methods] Remove signature verification methods from the decrypted code and resign the application with a self-signed certificate.
- Step 4Exploit
[Execute the application and evade Root/Jailbreak detection methods] The application executes with the self-signed certificate, while believing it contains a trusted certificate. This now allows the adversary to evade Root/Jailbreak detection via code hooking or other methods.
- Optional: Hook code into the target application.
What the attacker needs
Prerequisites
- A debugger must be able to be inserted into the targeted application.
Skills required
- High skill: Knowledge about Root/Jailbreak detection and evasion techniques.
- Medium skill: Knowledge about runtime debugging.
Resources required
- The adversary must have a Rooted/Jailbroken mobile device with debugging capabilities.
Consequences
What a successful CAPEC-661 attack can achieve.
Execute Unauthorized Commands
Affects: Integrity, Authorization
Through Root/Jailbreak Detection Evasion via Debugging, the adversary compromises the integrity of the application.
Gain Privileges
Affects: Confidentiality, Access Control, Authorization
Read Data
Affects: Confidentiality, Access Control
An adversary may leverage Root/Jailbreak Detection Evasion via Debugging in order to obtain sensitive information.
How to mitigate it
Defenses that reduce the risk of CAPEC-661.
- Instantiate checks within the application code that ensures debuggers are not attached.
Examples
An adversary targets an iOS banking application in an attempt to compromise sensitive user data. The adversary launches the application with the iOS debugger and sets a breakpoint at the program entry point, after the application's signature has been verified. Next, the adversary dumps the memory region that contains the decrypted code from the address space of the binary. The 'Restrict' flag is then stripped from the application and the adversary resigns the application with a self-signed certificate. The application is now executed without the 'Restrict' flag, while trusting the self-signed certificate to be legitimate. However, the adversary is now able to evaded Jailbreak detection via code hooking or other methods and can glean user credentials and/or transaction details.
Frequently asked questions
Common questions about CAPEC-661.
- What is CAPEC-661?
- An adversary inserts a debugger into the program entry point of a mobile application to modify the application binary, with the goal of evading Root/Jailbreak detection. Mobile device users often Root/Jailbreak their devices in order to gain administrative control over the mobile operating system and/or to install third-party mobile applications that are not provided by authorized application stores (e.g. Google Play Store and Apple App Store). Rooting/Jailbreaking a mobile device also provides users with access to system debuggers and disassemblers, which can be leveraged to exploit applications by dumping the application's memory at runtime in order to remove or bypass signature verification methods. This further allows the adversary to evade Root/Jailbreak detection mechanisms, which can result in execution of administrative commands, obtaining confidential data, impersonating legitimate users of the application, and more.
- How does a Root/Jailbreak Detection Evasion via Debugging attack work?
- It typically unfolds over 4 phases. It begins with: [Identify application with attack potential] The adversary searches for and identifies a mobile application that could be exploited for malicious purposes (e.g. banking, voting, or medical applications).
- How do you prevent CAPEC-661?
- Instantiate checks within the application code that ensures debuggers are not attached.
- What weaknesses does CAPEC-661 target?
- CAPEC-661 exploits 1 CWE weakness, including CWE-489 (Active Debug Code).
- How severe is CAPEC-661?
- MITRE rates CAPEC-661 as Very High severity with medium likelihood of attack.
References
Attack-pattern data is sourced from the MITRE CAPEC catalog (v3.9). Weakness associations link to the corresponding CWE entries on RadicalNotion.AI.
Defend against CAPEC-661
Track the CVEs and weaknesses attackers exploit with this technique, with AI-written analysis and remediation guidance.