### Install with Swift Package Manager Source: https://github.com/securing/iossecuritysuite/blob/master/README.md Add the library dependency to your Swift Package Manager configuration. ```swift .package(url: "https://github.com/securing/IOSSecuritySuite.git", from: "1.5.0") ``` -------------------------------- ### Find Loaded Dylibs (arm64) Source: https://context7.com/securing/iossecuritysuite/llms.txt Use IOSSecuritySuite.findLoadedDylibs to get a list of all dynamically loaded libraries for the main executable or a specified framework. This is useful for detecting injected libraries. Ensure the arm64 architecture is targeted. ```swift #if arch(arm64) import IOSSecuritySuite // Get all dylibs loaded by the main executable if let loadedDylibs = IOSSecuritySuite.findLoadedDylibs(.default) { print("Loaded dylibs (\(loadedDylibs.count)):") for dylib in loadedDylibs { print(" - \(dylib)") } // Check for suspicious injected libraries let suspiciousLibs = ["FridaGadget", "cycript", "SSLKillSwitch"] for suspicious in suspiciousLibs { if loadedDylibs.contains(where: { $0.contains(suspicious) }) { print("WARNING: Suspicious library detected: \(suspicious)") } } } // Get dylibs loaded by a specific framework if let frameworkDylibs = IOSSecuritySuite.findLoadedDylibs(.custom("MyFramework")) { print("MyFramework dependencies: \(frameworkDylibs)") } #endif ``` -------------------------------- ### Reverse Engineering Tools Detection with Swift Source: https://context7.com/securing/iossecuritysuite/llms.txt Detects common reverse engineering tools like Frida and Cycript. Use the detailed check to get specific reasons for detection. ```swift import IOSSecuritySuite // Simple check for reverse engineering tools let isReverseEngineered = IOSSecuritySuite.amIReverseEngineered() if isReverseEngineered { print("Reverse engineering tools detected!") } ``` ```swift // Detailed check with specific failures let reStatus = IOSSecuritySuite.amIReverseEngineeredWithFailedChecks() if reStatus.reverseEngineered { print("Reverse engineering evidence found:") for check in reStatus.failedChecks { print(" \(check.check): \(check.failMessage)") // Example outputs: // existenceOfSuspiciousFiles: Suspicious file found: /usr/sbin/frida-server // dyld: Suspicious library loaded: FridaGadget // openedPorts: Port 27042 is open (default Frida port) } } ``` -------------------------------- ### Configure Info.plist for Jailbreak Detection Source: https://github.com/securing/iossecuritysuite/blob/master/README.md Update the Info.plist file to include URL schemes required for jailbreak detection. ```xml LSApplicationQueriesSchemes undecimus sileo zbra filza ``` -------------------------------- ### Detect Reverse Engineering Tools Source: https://github.com/securing/iossecuritysuite/blob/master/README.md Identify if common reverse engineering tools are present on the device. ```swift if IOSSecuritySuite.amIReverseEngineered() { print("This device has evidence of reverse engineering") } else { print("This device hasn't evidence of reverse engineering") } ``` ```swift let reverseStatus = IOSSecuritySuite.amIReverseEngineeredWithFailedChecks() if reverseStatus.reverseEngineered { // check for reverseStatus.failedChecks for more details } ``` -------------------------------- ### Emulator Detection with Swift Source: https://context7.com/securing/iossecuritysuite/llms.txt Determine if the application is running in an iOS Simulator or emulator environment. This check can be combined with other security checks. ```swift import IOSSecuritySuite // Check if running in emulator/simulator let isEmulator = IOSSecuritySuite.amIRunInEmulator() if isEmulator { print("Running in simulator - some features may be disabled") // Disable sensitive operations or show warning } ``` ```swift // Combine with other checks for comprehensive security func performSecurityCheck() -> Bool { if IOSSecuritySuite.amIRunInEmulator() { print("Emulator detected") return false } if IOSSecuritySuite.amIJailbroken() { print("Jailbreak detected") return false } if IOSSecuritySuite.amIDebugged() { print("Debugger detected") return false } return true } ``` -------------------------------- ### Verify file integrity Source: https://github.com/securing/iossecuritysuite/blob/master/README.md Check for application tampering by verifying bundle IDs, mobile provisions, or Mach-O file hashes. ```Swift // Determine if application has been tampered with if IOSSecuritySuite.amITampered([.bundleID("biz.securing.FrameworkClientApp"), .mobileProvision("2976c70b56e9ae1e2c8e8b231bf6b0cff12bbbd0a593f21846d9a004dd181be3"), .machO("IOSSecuritySuite", "6d8d460b9a4ee6c0f378e30f137cebaf2ce12bf31a2eef3729c36889158aa7fc")]).result { print("I have been Tampered.") } else { print("I have not been Tampered.") } // Manually verify SHA256 hash value of a loaded dylib if let hashValue = IOSSecuritySuite.getMachOFileHashValue(.custom("IOSSecuritySuite")), hashValue == "6d8d460b9a4ee6c0f378e30f137cebaf2ce12bf31a2eef3729c36889158aa7fc" { print("I have not been Tampered.") } else { print("I have been Tampered.") } // Check SHA256 hash value of the main executable // Tip: Your application may retrieve this value from the server if let hashValue = IOSSecuritySuite.getMachOFileHashValue(.default), hashValue == "your-application-executable-hash-value" { print("I have not been Tampered.") } else { print("I have been Tampered.") } ``` -------------------------------- ### Jailbreak Detection with Swift Source: https://context7.com/securing/iossecuritysuite/llms.txt Use these methods to detect if a device is jailbroken. The simple boolean check is quick, while detailed checks provide specific failure reasons. ```swift import IOSSecuritySuite // Simple boolean check let isJailbroken = IOSSecuritySuite.amIJailbroken() if isJailbroken { print("Device is jailbroken - taking security measures") } ``` ```swift // Check with failure message let jailbreakStatus = IOSSecuritySuite.amIJailbrokenWithFailMessage() if jailbreakStatus.jailbroken { print("Jailbreak detected: \(jailbreakStatus.failMessage)") // Example output: "Jailbreak detected: Suspicious library loaded: /Library/MobileSubstrate/MobileSubstrate.dylib" } ``` ```swift // Detailed check with list of failed checks let detailedStatus = IOSSecuritySuite.amIJailbrokenWithFailedChecks() if detailedStatus.jailbroken { print("Jailbreak detected!") for failedCheck in detailedStatus.failedChecks { print("Failed check: \(failedCheck.check) - \(failedCheck.failMessage)") // Example output: // Failed check: existenceOfSuspiciousFiles - Suspicious file exists: /Applications/Cydia.app // Failed check: dyld - Suspicious library loaded: TweakInject.dylib } } ``` -------------------------------- ### Detect System Proxy and VPN Source: https://github.com/securing/iossecuritysuite/blob/master/README.md Check if the application traffic is routed through a proxy or VPN. ```swift let amIProxied: Bool = IOSSecuritySuite.amIProxied(considerVPNConnectionAsProxy: true) ``` -------------------------------- ### Check Application Integrity with IOSSecuritySuite Source: https://context7.com/securing/iossecuritysuite/llms.txt Verifies application integrity by checking bundle ID, mobile provisioning profile hash, and Mach-O executable hash. Use this to detect tampering or repackaging. ```swift import IOSSecuritySuite // Check for application tampering with multiple integrity checks let integrityResult = IOSSecuritySuite.amITampered([ .bundleID("com.example.myapp"), .mobileProvision("a]31b3y86c7d31e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7") ]) if integrityResult.result { print("Application has been tampered!") for check in integrityResult.hitChecks { print("Integrity check failed: \(check.description)") // Example: "The expected bundle identify was com.example.myapp" } } else { print("Application integrity verified") } // For dylibs (arm64 only): verify Mach-O __TEXT.__text section hash #if arch(arm64) let machoResult = IOSSecuritySuite.amITampered([ .machO("MyFramework", "6d8d460b9a4ee6c0f378e30f137cebaf2ce12bf31a2eef3729c36889158aa7fc") ]) if machoResult.result { print("Framework binary has been modified!") } #endif ``` -------------------------------- ### Verify Mach-O Hash (arm64) Source: https://context7.com/securing/iossecuritysuite/llms.txt Retrieves the SHA256 hash of a Mach-O file's __TEXT.__text section for integrity verification. Use this to ensure loaded dylibs or the main executable have not been modified. ```swift #if arch(arm64) import IOSSecuritySuite // Get hash of the main executable's text section if let mainHash = IOSSecuritySuite.getMachOFileHashValue(.default) { print("Main executable hash: \(mainHash)") // Compare against known good hash let expectedHash = "abc123..." if mainHash != expectedHash { print("Executable has been modified!") } } // Get hash of a specific loaded dylib if let frameworkHash = IOSSecuritySuite.getMachOFileHashValue(.custom("IOSSecuritySuite")) { print("IOSSecuritySuite hash: \(frameworkHash)") // Verify against expected hash (pre-computed during build) let expectedFrameworkHash = "6d8d460b9a4ee6c0f378e30f137cebaf2ce12bf31a2eef3729c36889158aa7fc" if frameworkHash == expectedFrameworkHash { print("Framework integrity verified") } else { print("Framework has been tampered!") } } #endif ``` -------------------------------- ### Detect Hardware Watchpoints (arm64) Source: https://context7.com/securing/iossecuritysuite/llms.txt Detects hardware watchpoints that monitor memory access, commonly used during debugging. This function checks for watchpoints before processing sensitive data and can be used in a broader analysis detection routine. ```swift #if arch(arm64) import IOSSecuritySuite func protectedOperation() -> Bool { // Sensitive data that might be watched var secretKey = "sensitive-api-key" var transactionAmount = 99.99 // Check for watchpoints before processing sensitive data if IOSSecuritySuite.hasWatchpoint() { print("Watchpoint detected - memory is being monitored!") // Clear sensitive data and abort operation secretKey = "" transactionAmount = 0 return false } // Proceed with secure operation print("No watchpoints detected - proceeding safely") return true } // Usage in debugging detection routine func isUnderAnalysis() -> Bool { return IOSSecuritySuite.amIDebugged() || IOSSecuritySuite.hasWatchpoint() || IOSSecuritySuite.isParentPidUnexpected() } #endif ``` -------------------------------- ### Detect Emulator Usage Source: https://github.com/securing/iossecuritysuite/blob/master/README.md Check if the application is running within an emulator. ```swift let runInEmulator: Bool = IOSSecuritySuite.amIRunInEmulator() ``` -------------------------------- ### Detect Runtime Method Hooking with IOSSecuritySuite Source: https://context7.com/securing/iossecuritysuite/llms.txt Detects if Objective-C methods have been hooked at runtime by checking if the method implementation resides in an unexpected dylib. Ensure to provide a list of allowed dylibs. ```swift import IOSSecuritySuite // Define a class with a method you want to protect class SecureViewController: UIViewController { @objc dynamic func validatePurchase() -> Bool { // Critical purchase validation logic return true } } // List of allowed dylibs that may contain your method implementations let allowedDylibs = [ "IOSSecuritySuite", "MyApp" ] // Check if the method has been hooked let isHooked = IOSSecuritySuite.amIRuntimeHooked( dyldAllowList: allowedDylibs, detectionClass: SecureViewController.self, selector: #selector(SecureViewController.validatePurchase), isClassMethod: false ) if isHooked { print("Method has been hooked by an external framework!") // Take appropriate action - the method may return manipulated results } // For class methods, set isClassMethod to true class Analytics { @objc dynamic class func trackEvent(_ name: String) { // Analytics tracking } } let isClassMethodHooked = IOSSecuritySuite.amIRuntimeHooked( dyldAllowList: allowedDylibs, detectionClass: Analytics.self, selector: #selector(Analytics.trackEvent(_:)), isClassMethod: true ) ``` -------------------------------- ### Detect Runtime Hooks Source: https://github.com/securing/iossecuritysuite/blob/master/README.md Identify if specific methods or classes have been hooked at runtime. ```swift let amIRuntimeHooked: Bool = amIRuntimeHook(dyldWhiteList: dylds, detectionClass: SomeClass.self, selector: #selector(SomeClass.someFunction), isClassMethod: false) ``` -------------------------------- ### Detect and Deny Debuggers Source: https://github.com/securing/iossecuritysuite/blob/master/README.md Check for attached debuggers or actively deny them. ```swift let amIDebugged: Bool = IOSSecuritySuite.amIDebugged() ``` ```swift IOSSecuritySuite.denyDebugger() ``` -------------------------------- ### Detect Software Breakpoints (arm64) Source: https://context7.com/securing/iossecuritysuite/llms.txt Detects software breakpoints set at specific function addresses, indicating active debugging or analysis. Use this to identify if a critical function is being analyzed. ```swift #if arch(arm64) import IOSSecuritySuite // Function to protect from breakpoint analysis func criticalSecurityCheck() -> Bool { // Sensitive security logic return true } // Get function address typealias CheckType = @convention(thin) () -> Bool let checkFunc: CheckType = criticalSecurityCheck let funcAddr = unsafeBitCast(checkFunc, to: UnsafeRawPointer.self) // Check for breakpoints at function let hasBreakpoint = IOSSecuritySuite.hasBreakpointAt(funcAddr, functionSize: nil) if hasBreakpoint { print("Breakpoint detected at critical function!") // Function is being analyzed - take defensive action } // With known function size for more accurate detection let hasBreakpointWithSize = IOSSecuritySuite.hasBreakpointAt(funcAddr, functionSize: 256) #endif ``` -------------------------------- ### Detect MSHook Function with IOSSecuritySuite (arm64) Source: https://context7.com/securing/iossecuritysuite/llms.txt Detects if a function has been hooked using MSHookFunction (Mobile Substrate/Substitute) by analyzing the function prologue for hook trampolines. This is applicable for arm64 architecture. ```swift #if arch(arm64) import IOSSecuritySuite // Define a critical function to protect func performSecureOperation(value: Int) -> Int { return value * 2 } // Get function address using type casting typealias SecureOperationType = @convention(thin) (Int) -> Int let secureFunc: SecureOperationType = performSecureOperation let funcAddress = unsafeBitCast(secureFunc, to: UnsafeMutableRawPointer.self) // Check if function has been hooked let isMSHooked = IOSSecuritySuite.amIMSHooked(funcAddress) if isMSHooked { print("Function has been hooked via MSHookFunction!") // Attempt to get original function and call it instead if let originalFunc = IOSSecuritySuite.denyMSHook(funcAddress) { let original = unsafeBitCast(originalFunc, to: SecureOperationType.self) let result = original(42) // Call original, bypassing hook print("Original function result: \(result)") } } #endif ``` -------------------------------- ### Detect MSHook usage Source: https://github.com/securing/iossecuritysuite/blob/master/README.md Verify if a specific Swift function has been hooked using amIMSHooked. ```Swift // Function declaration func someFunction(takes: Int) -> Bool { return false } // Defining FunctionType : @convention(thin) indicates a “thin” function reference, which uses the Swift calling convention with no special “self” or “context” parameters. typealias FunctionType = @convention(thin) (Int) -> (Bool) // Getting pointer address of function we want to verify func getSwiftFunctionAddr(_ function: @escaping FunctionType) -> UnsafeMutableRawPointer { return unsafeBitCast(function, to: UnsafeMutableRawPointer.self) } let funcAddr = getSwiftFunctionAddr(someFunction) let amIMSHooked = IOSSecuritySuite.amIMSHooked(funcAddr) ``` -------------------------------- ### Detect Jailbreak Status Source: https://github.com/securing/iossecuritysuite/blob/master/README.md Methods to check if a device is jailbroken, including simple boolean checks and verbose reporting. ```swift if IOSSecuritySuite.amIJailbroken() { print("This device is jailbroken") } else { print("This device is not jailbroken") } ``` ```swift let jailbreakStatus = IOSSecuritySuite.amIJailbrokenWithFailMessage() if jailbreakStatus.jailbroken { print("This device is jailbroken") print("Because: \(jailbreakStatus.failMessage)") } else { print("This device is not jailbroken") } ``` ```swift let jailbreakStatus = IOSSecuritySuite.amIJailbrokenWithFailedChecks() if jailbreakStatus.jailbroken { if (jailbreakStatus.failedChecks.contains { $0.check == .existenceOfSuspiciousFiles }) && (jailbreakStatus.failedChecks.contains { $0.check == .suspiciousFilesCanBeOpened }) { print("This is real jailbroken device") } } ``` -------------------------------- ### Detect watchpoints Source: https://github.com/securing/iossecuritysuite/blob/master/README.md Use hasWatchpoint to detect if a watchpoint is active in the current process. ```Swift // Set a breakpoint at the testWatchpoint function func testWatchpoint() -> Bool{ // lldb: watchpoint set expression ptr var ptr = malloc(9) // lldb: watchpoint set variable count var count = 3 return IOSSecuritySuite.hasWatchpoint() } ``` -------------------------------- ### Detect HTTP/HTTPS Proxy Configuration with IOSSecuritySuite Source: https://context7.com/securing/iossecuritysuite/llms.txt Detects if an HTTP/HTTPS proxy is configured in iOS Settings, which may indicate traffic interception attempts. This check is useful for network security. ```swift import IOSSecuritySuite // Check if device has proxy configured let isProxied = IOSSecuritySuite.amIProxied() if isProxied { print("HTTP proxy detected - traffic may be intercepted") // Consider: // - Showing warning to user // - Disabling sensitive network operations // - Implementing certificate pinning } // Use in combination with other security checks func isNetworkSecure() -> Bool { if IOSSecuritySuite.amIProxied() { return false } // Add additional network security checks return true } ``` -------------------------------- ### Debugger Detection with Swift Source: https://context7.com/securing/iossecuritysuite/llms.txt Detect if a debugger is attached or proactively deny attachment. Call `denyDebugger()` early in your app's lifecycle. ```swift import IOSSecuritySuite // Check if currently being debugged let isDebugged = IOSSecuritySuite.amIDebugged() if isDebugged { print("Debugger detected - app may be under analysis") exit(1) } ``` ```swift // Proactively deny debugger attachment (call early in app lifecycle) // This uses ptrace with PT_DENY_ATTACH to prevent future debugger connections IOSSecuritySuite.denyDebugger() ``` ```swift // Check if app was launched by something other than LaunchD // LaunchD has pid 1; any other parent indicates potential debugger launch let unexpectedParent = IOSSecuritySuite.isParentPidUnexpected() if unexpectedParent { print("App was not launched by LaunchD - possible debugger") } ``` -------------------------------- ### Deny Symbol Hooking (arm64) Source: https://context7.com/securing/iossecuritysuite/llms.txt Rebinds symbols hooked by fishhook to restore original function implementations. Call early in app startup to prevent interception of security-sensitive functions like NSLog, abort, and dlsym. ```swift #if arch(arm64) import IOSSecuritySuite import MachO // Deny fishhook on common security-sensitive symbols // This should be called early in app startup // Rebind NSLog to prevent logging interception IOSSecuritySuite.denySymbolHook("$s10Foundation5NSLogyySS_s7CVarArg_pdtF") // Rebind abort to prevent bypass IOSSecuritySuite.denySymbolHook("abort") // Rebind dlsym to prevent dynamic symbol resolution hooks IOSSecuritySuite.denySymbolHook("dlsym") // For more targeted protection, rebind symbol at specific image for i in 0..<_dyld_image_count() { if let imageName = _dyld_get_image_name(i) { let name = String(cString: imageName) if name.contains("IOSSecuritySuite"), let image = _dyld_get_image_header(i) { IOSSecuritySuite.denySymbolHook( "dlsym", at: image, imageSlide: _dyld_get_image_vmaddr_slide(i) ) break } } } #endif ``` -------------------------------- ### Detect Lockdown Mode Source: https://github.com/securing/iossecuritysuite/blob/master/README.md Check if the device is currently in Lockdown Mode. ```swift let amIInLockdownMode: Bool = IOSSecuritySuite.amIInLockdownMode() ``` -------------------------------- ### Deny symbol hooks in Swift Source: https://github.com/securing/iossecuritysuite/blob/master/README.md Use denySymbolHook to prevent hooking of specific functions by passing their mangled names. ```Swift // If we want to deny symbol hook of Swift function, we have to pass mangled name of that function denySymbolHook("$s10Foundation5NSLogyySS_s7CVarArg_pdtF") // denying hooking for the NSLog function NSLog("Hello Symbol Hook") denySymbolHook("abort") abort() ``` -------------------------------- ### Deny MSHook for functions Source: https://github.com/securing/iossecuritysuite/blob/master/README.md Use denyMSHook to prevent MSHook from intercepting a function and optionally call the original implementation. ```Swift // Function declaration func denyDebugger(value: Int) { } // Defining FunctionType : @convention(thin) indicates a “thin” function reference, which uses the Swift calling convention with no special “self” or “context” parameters. typealias FunctionType = @convention(thin) (Int)->() // Getting original function address let funcDenyDebugger: FunctionType = denyDebugger let funcAddr = unsafeBitCast(funcDenyDebugger, to: UnsafeMutableRawPointer.self) if let originalDenyDebugger = denyMSHook(funcAddr) { // Call the original function with 1337 as Int argument unsafeBitCast(originalDenyDebugger, to: FunctionType.self)(1337) } else { denyDebugger() } ``` -------------------------------- ### Detect breakpoints Source: https://github.com/securing/iossecuritysuite/blob/master/README.md Check if a breakpoint is set at a specific function address using hasBreakpointAt. ```Swift func denyDebugger() { // Set breakpoint here } typealias FunctionType = @convention(thin) ()->() let func_denyDebugger: FunctionType = denyDebugger // `: FunctionType` is a must let func_addr = unsafeBitCast(func_denyDebugger, to: UnsafeMutableRawPointer.self) let hasBreakpoint = IOSSecuritySuite.hasBreakpointAt(func_addr, functionSize: nil) if hasBreakpoint { print("Breakpoint found in the specified function") } else { print("Breakpoint not found in the specified function") } ``` -------------------------------- ### Detect Lockdown Mode on iOS 16+ Source: https://context7.com/securing/iossecuritysuite/llms.txt Detects if the device has Lockdown Mode enabled, which is Apple's extreme protection feature for high-risk users. This check is available on iOS 16 and later. ```swift import IOSSecuritySuite // Check if Lockdown Mode is enabled (iOS 16+) if #available(iOS 16, *) { let isLockdownMode = IOSSecuritySuite.amIInLockdownMode() if isLockdownMode { print("Device is in Lockdown Mode - enhanced security active") // Adjust app behavior for restricted environment // Some features may be limited in Lockdown Mode } } ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.