Runtime Protection Frameworks
Runtime Protection Frameworks
RASP frameworks protect applications during runtime against various attacks.
// iOS - Runtime protection implementation
class RuntimeProtectionFramework {
// Anti-tampering protection
class TamperProtection {
private static var originalMethods: [String: IMP] = [:]
static func enableProtection() {
// Hook critical methods
hookMethod(
class: NSFileManager.self,
selector: #selector(NSFileManager.removeItem(at:)),
newImplementation: secureRemoveItem
)
// Monitor method swizzling
startSwizzleDetection()
// Enable anti-debugging
enableAntiDebugging()
}
private static func hookMethod(class: AnyClass, selector: Selector, newImplementation: @escaping @convention(c) (AnyObject, Selector, Any) -> Any) {
guard let method = class_getInstanceMethod(class, selector) else { return }
let originalImplementation = method_getImplementation(method)
originalMethods[NSStringFromSelector(selector)] = originalImplementation
method_setImplementation(method, imp_implementationWithBlock(newImplementation))
}
private static let secureRemoveItem: @convention(c) (AnyObject, Selector, URL) -> Void = { (self, _cmd, url) in
// Security check before file deletion
if isProtectedFile(url) {
logSecurityEvent("Attempted deletion of protected file: \(url)")
return
}
// Call original implementation
if let originalIMP = originalMethods[NSStringFromSelector(_cmd)] {
typealias OriginalType = @convention(c) (AnyObject, Selector, URL) -> Void
let original = unsafeBitCast(originalIMP, to: OriginalType.self)
original(self, _cmd, url)
}
}
}
// Jailbreak detection framework
class JailbreakDetection {
private static let jailbreakIndicators = [
"/Applications/Cydia.app",
"/Library/MobileSubstrate/MobileSubstrate.dylib",
"/bin/bash",
"/usr/sbin/sshd",
"/etc/apt",
"/private/var/lib/apt/",
"/private/var/lib/cydia",
"/private/var/stash",
"/usr/libexec/sftp-server",
"/usr/bin/cycript",
"/usr/local/bin/cycript",
"/usr/lib/libcycript.dylib"
]
static func isJailbroken() -> Bool {
// Multiple detection methods for reliability
return checkFileSystem() ||
checkURLSchemes() ||
checkDynamicLibraries() ||
checkSystemCalls() ||
checkSandboxIntegrity()
}
private static func checkFileSystem() -> Bool {
for path in jailbreakIndicators {
if FileManager.default.fileExists(atPath: path) {
return true
}
// Also check if we can read the path
if let _ = try? FileManager.default.contentsOfDirectory(atPath: path) {
return true
}
}
// Check write access outside sandbox
let testPath = "/private/test_\(UUID().uuidString).txt"
do {
try "test".write(toFile: testPath, atomically: true, encoding: .utf8)
try FileManager.default.removeItem(atPath: testPath)
return true // Successfully wrote outside sandbox
} catch {
// Expected behavior - cannot write
}
return false
}
private static func checkDynamicLibraries() -> Bool {
for i in 0..<_dyld_image_count() {
if let imageName = _dyld_get_image_name(i) {
let name = String(cString: imageName)
let suspiciousLibraries = [
"MobileSubstrate",
"SubstrateLoader",
"TweakInject",
"cycript",
"libsparkapplist",
"FridaGadget"
]
for lib in suspiciousLibraries {
if name.contains(lib) {
return true
}
}
}
}
return false
}
}
}