
Detect root, emulation, debug mode and other security concerns in your Xamarin apps


BreachDetector


🔧 Setup

Grab the latest NuGet package and install it in your shared project and in each platform project of your solution:

Install-Package Plugin.BreachDetector

In your iOS app, update the Info.plist and add the following URL schemes. The jailbreak check asks the system whether an app can open each of these schemes (the package managers Cydia, unc0ver, Sileo and Zebra), and since iOS 9 canOpenURL only answers truthfully for schemes declared in LSApplicationQueriesSchemes, so without this entry that part of the check is silently defeated:

<key>LSApplicationQueriesSchemes</key>
<array>
	<string>cydia</string>
	<string>undecimus</string>
	<string>sileo</string>
	<string>zbra</string>
</array>

Additionally, if you want to use the GetDeviceLocalSecurityType() method on iOS, you need to add one more key to the Info.plist. The method goes through the LocalAuthentication framework, which on Face ID devices requires a usage description; the string is shown to the user in the Face ID permission prompt, so make it a real explanation:

<key>NSFaceIDUsageDescription</key>
<string>Use a nice explanation here</string>

📱 Platforms supported

  • iOS 10+
  • Android API 21+
  • UWP build 10240+

🔑 Key features

  • Root/Jailbreak detection
  • Debug mode detection
  • Emulator/simulator detection
  • Store installation detection
  • Device local authentication method detection

💡 Examples

using Plugin.BreachDetector;

var isRootOrJailbreak = CrossBreachDetector.Current.IsRooted();
var isVirtualDevice = CrossBreachDetector.Current.IsRunningOnVirtualDevice();
var inDebug = CrossBreachDetector.Current.InDebugMode();
var fromStore = CrossBreachDetector.Current.InstalledFromStore(); 
var localAuthentication = CrossBreachDetector.Current.GetDeviceLocalSecurityType(); // values: Unknown, None, Pass, Biometric

Note: For a method that returns bool?, expect null when the running platform has no appropriate representation of the check (example: IsRooted will return null on UWP). Null means "no answer", not "safe"; decide explicitly in your code how an unknown result is treated.
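The following is an added example, not code from the BreachDetector package: it folds the plugin calls shown above into one policy decision and makes the handling of a null (no platform representation) answer explicit. The IntegrityPolicy, IntegrityReport and IntegrityVerdict names are this example's own; the enum type returned by GetDeviceLocalSecurityType() is not named on this page, so the example compares its values by name.

```csharp
using System;
using System.Collections.Generic;
using Plugin.BreachDetector;

// Added example, not part of the BreachDetector package.
public enum IntegrityVerdict { Allow, Warn, Block }

public sealed class IntegrityReport
{
    public IntegrityVerdict Verdict { get; set; } = IntegrityVerdict.Allow;
    public List<string> Findings { get; } = new List<string>();
}

public static class IntegrityPolicy
{
    // failClosedOnUnknown: treat a null result as a finding. Reasonable for a
    // production build on iOS/Android; too aggressive on UWP, where IsRooted()
    // is always null.
    public static IntegrityReport Evaluate(bool failClosedOnUnknown)
    {
        var detector = CrossBreachDetector.Current;
        var report = new IntegrityReport();

        Check(report, "rooted or jailbroken", detector.IsRooted(), IntegrityVerdict.Block, failClosedOnUnknown);
        Check(report, "running on an emulator or simulator", detector.IsRunningOnVirtualDevice(), IntegrityVerdict.Block, failClosedOnUnknown);
        Check(report, "debug mode", detector.InDebugMode(), IntegrityVerdict.Block, failClosedOnUnknown);

        // "Not from the store" is not a compromise by itself (sideloading,
        // enterprise distribution), so it only warns.
        bool? fromStore = detector.InstalledFromStore();
        if (fromStore == false)
            Raise(report, "not installed from the platform store", IntegrityVerdict.Warn);
        else if (fromStore == null && failClosedOnUnknown)
            Raise(report, "store installation status unknown on this platform", IntegrityVerdict.Warn);

        // Values documented above: Unknown, None, Pass, Biometric. A device with
        // no screen lock cannot protect anything your app caches locally.
        string localAuth = detector.GetDeviceLocalSecurityType().ToString();
        if (localAuth == "None")
            Raise(report, "no device passcode or biometric configured", IntegrityVerdict.Warn);
        else if (localAuth == "Unknown" && failClosedOnUnknown)
            Raise(report, "device local security could not be determined", IntegrityVerdict.Warn);

        return report;
    }

    private static void Check(IntegrityReport report, string what, bool? result,
                              IntegrityVerdict onTrue, bool failClosedOnUnknown)
    {
        // `if (!result)` does not compile for bool?, and `result ?? false`
        // silently treats "unknown" as "safe": make the choice explicit.
        if (result == true)
            Raise(report, what, onTrue);
        else if (result == null && failClosedOnUnknown)
            Raise(report, what + " (no answer on this platform)", IntegrityVerdict.Warn);
    }

    private static void Raise(IntegrityReport report, string finding, IntegrityVerdict severity)
    {
        report.Findings.Add(finding);
        if (severity > report.Verdict) report.Verdict = severity;
    }
}
```

Call `IntegrityPolicy.Evaluate(failClosedOnUnknown: true)` at startup and again when the app resumes, and branch on `report.Verdict`; `report.Findings` is what you would send to your backend so the server can weigh the signal instead of trusting a single client-side boolean.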

🔒 Security considerations

  • The approach of this library is to rely on well-established native iOS/Android detection libraries (see Acknowledgements) as much as possible, because those communities are much larger than the Xamarin one and their checks are maintained more actively.
  • Security is a cat-and-mouse game. This library does its best, but any client-side check can be defeated by an attacker who patches the binary or hooks the runtime; treat its answers as signals that raise the bar, not as a guarantee.
  • If possible, use AOT for your Xamarin.Android app (Xamarin.iOS always compiles AOT; on Xamarin.Android it is enabled with the AotAssemblies MSBuild property and, at the time of writing, requires an Enterprise license). AOT compiles your IL into native instructions (x86, ARM), which makes the code harder to reverse engineer. Be aware, though, that on Xamarin.Android the managed assemblies still ship in the APK next to the native code, so a decompiler can still read your IL: AOT is not obfuscation.
  • Be aware that in a Xamarin.Android app ProGuard only shrinks, and it only ever sees the Java side (the Android Callable Wrappers and your Java library dependencies). It never touches your .NET assemblies, so any obfuscation you configure applies to Java code, not to your C#.
  • Don't hardcode any of your keys in your mobile apps; they are really easy to spot with simple tools (strings on the assemblies is enough). In most cases you can keep the secret on the server and expose the operation that needs it behind your authenticated API; anything delivered to the device, even at runtime, can be extracted from a compromised device.
  • To learn more about mobile security, I would highly recommend you start with the OWASP Mobile Application Security Verification Standard (MASVS).

Good practices (OWASP)

The sample app in this repository also contains implementations of some good practices that are not part of the BreachDetector library, but that you can copy into your own code:

MSTG-ARCH-9: A mechanism for enforcing updates of the mobile app exists.

Use Xamarin.Essentials VersionTracking to track the versions of your app installed on the user's device. If the current version is deprecated (for example, older than a minimum version your API advertises), take the user to a screen asking them to download the updated version. Here is an example.
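An added example of the gate described above, not the sample app's code. The Xamarin.Essentials VersionTracking calls are real; the minimum supported version is supplied by a caller-provided delegate that stands in for your own API, and the UpdateGate name is this example's own.

```csharp
using System;
using System.Threading.Tasks;
using Xamarin.Essentials;

// Added example, not the sample app's implementation.
public static class UpdateGate
{
    // fetchMinimumSupportedVersionAsync is assumed to call your API and return
    // a string such as "2.4.0"; it is not a Xamarin.Essentials API.
    public static async Task<bool> MustUpdateAsync(Func<Task<string>> fetchMinimumSupportedVersionAsync)
    {
        VersionTracking.Track(); // once per launch; records the current version in the history

        string installed = VersionTracking.CurrentVersion; // e.g. "2.3.1"
        string minimum;
        try
        {
            minimum = await fetchMinimumSupportedVersionAsync();
        }
        catch (Exception)
        {
            // Transient network failure: do not lock the user out because the
            // policy could not be fetched; the next launch will try again.
            return false;
        }
        return IsOlderThan(installed, minimum);
    }

    // Numeric comparison, not string comparison: "2.10.0" must be newer than
    // "2.9.0". Unparseable input fails closed (treated as outdated) so a
    // malformed version string cannot slip past the gate.
    public static bool IsOlderThan(string installed, string minimum)
    {
        if (!Version.TryParse(Normalize(installed), out var have)) return true;
        if (!Version.TryParse(Normalize(minimum), out var need)) return true;
        return have < need;
    }

    // System.Version needs at least "major.minor"; pad "3" to "3.0".
    private static string Normalize(string v) =>
        v != null && v.IndexOf('.') < 0 ? v + ".0" : v;
}
```

System.Version does not understand a leading "v" or pre-release suffixes such as "2.4.0-beta"; strip them before comparing if your build pipeline produces them. VersionTracking.IsFirstLaunchForCurrentVersion is also useful here to show a "what's new" screen once after the forced update.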

MSTG-STORAGE-9: The app removes sensitive data from views when moved to the background.

  • On Android you can set the Secure flag (FLAG_SECURE) on the Window; here is an example. This hides the content of the UI in the recent-apps switcher when the app is in the background and also prevents the user from taking screenshots or recording the screen. Please be aware that the flag applies per Window, so dialogs and other child windows need it set separately.
  • On iOS you can use the AppDelegate lifecycle methods to add / remove a view on top of your UI to hide the content when the app resigns active and before the system takes its app-switcher snapshot (also note that on iOS you can't prevent the user from taking screenshots). Here is an example for this implementation. It is also possible to detect when the user takes a screenshot and trigger an event. Here is an example for this implementation.
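An added example showing both items above in one shared file, not the sample app's code: the Android window flag, the iOS privacy overlay and the iOS screenshot notification. The platform halves are selected with the __ANDROID__ and __IOS__ symbols that Xamarin defines; the class names are this example's own (a Xamarin.Forms app would apply the same code in its FormsAppCompatActivity and FormsApplicationDelegate).

```csharp
// Added example, not the sample app's implementation.
#if __ANDROID__
using Android.App;
using Android.OS;
using Android.Views;

public class MainActivity : Activity
{
    protected override void OnCreate(Bundle savedInstanceState)
    {
        base.OnCreate(savedInstanceState);
        // FLAG_SECURE: this window is excluded from screenshots, screen
        // recording and the recent-apps thumbnail. It is per Window, so any
        // Dialog you show needs the same call on dialog.Window.
        Window.SetFlags(WindowManagerFlags.Secure, WindowManagerFlags.Secure);
    }
}
#elif __IOS__
using Foundation;
using UIKit;

public class AppDelegate : UIApplicationDelegate
{
    UIView privacyShield;
    NSObject screenshotObserver;

    // Exposed so the rest of the app (or your audit log) can react to it.
    public int ScreenshotCount { get; private set; }

    public override bool FinishedLaunching(UIApplication app, NSDictionary options)
    {
        // iOS cannot block screenshots, but it does tell you when one was taken.
        screenshotObserver = NSNotificationCenter.DefaultCenter.AddObserver(
            UIApplication.UserDidTakeScreenshotNotification,
            _ => ScreenshotCount++);
        return true;
    }

    // Runs before the system snapshots the UI for the app switcher, so the
    // opaque overlay is what ends up in that snapshot.
    public override void OnResignActivation(UIApplication application)
    {
        var window = UIApplication.SharedApplication.KeyWindow;
        if (window == null || privacyShield != null) return;
        privacyShield = new UIView(window.Bounds) { BackgroundColor = UIColor.White };
        window.AddSubview(privacyShield);
    }

    public override void OnActivated(UIApplication application)
    {
        privacyShield?.RemoveFromSuperview();
        privacyShield = null;
    }
}
#endif
```

OnResignActivation also fires for transient interruptions (an incoming call, Control Center), which is the behaviour you want: the overlay comes off again in OnActivated. Replace the white view with your logo or a branded splash so the switcher thumbnail still looks like your app.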

Auto-logout due to user inactivity

The sample app in this repository has this mechanism implemented. You can see it here.
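An added example of an inactivity monitor, not the sample app's implementation. It is plain .NET with no platform dependency; the class name and the five-second polling interval are this example's own choices. It measures wall-clock time so that time spent in the background counts against the session, and re-checks on resume because platform timers may not fire while the app is suspended.

```csharp
using System;
using System.Threading;

// Added example, not the sample app's implementation.
public sealed class InactivityMonitor : IDisposable
{
    static readonly TimeSpan PollInterval = TimeSpan.FromSeconds(5);

    readonly TimeSpan timeout;
    readonly Action onTimeout;
    readonly Timer timer;
    readonly object gate = new object();
    DateTimeOffset lastActivity;
    bool fired;

    public InactivityMonitor(TimeSpan timeout, Action onTimeout)
    {
        this.timeout = timeout;
        this.onTimeout = onTimeout;
        lastActivity = DateTimeOffset.UtcNow;
        // Poll on a fixed interval rather than rescheduling on every touch.
        timer = new Timer(_ => CheckExpired(), null, PollInterval, PollInterval);
    }

    // Call from your touch/keyboard handlers (a gesture recognizer on the root
    // view, or a Xamarin.Forms behaviour). Cheap enough to call per event.
    public void RecordActivity()
    {
        lock (gate) lastActivity = DateTimeOffset.UtcNow;
    }

    // Call from Application.OnSleep / OnResume (Xamarin.Forms) or the
    // platform lifecycle equivalents.
    public void OnSleep() => timer.Change(Timeout.Infinite, Timeout.Infinite);

    public void OnResume()
    {
        CheckExpired(); // elapsed background time counts against the budget
        timer.Change(PollInterval, PollInterval);
    }

    // Returns true if the timeout callback was fired by this call. Fires at
    // most once; create a new monitor after the user logs in again.
    public bool CheckExpired()
    {
        Action callback = null;
        lock (gate)
        {
            if (!fired && DateTimeOffset.UtcNow - lastActivity >= timeout)
            {
                fired = true;
                callback = onTimeout;
            }
        }
        callback?.Invoke();
        return callback != null;
    }

    public void Dispose() => timer.Dispose();
}
```

The onTimeout action should clear in-memory tokens and navigate to the login page on the UI thread (the timer callback runs on a thread-pool thread). Because the check relies on the device clock, a user who can change the clock can stretch the session; pair it with a server-side session lifetime so the API, not the client, has the final say.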

👷 Contributions

Yes, please! Issues are open for bugs/ideas and PRs are also welcome.

🙇 Acknowledgements

  • Many iOS features are implemented through a binding library for IOSSecuritySuite (MIT)
  • On Android, root detection is implemented through a binding library for rootbeer (MIT) and emulator detection through a binding library for Anti-Emulator (Apache-2.0)

📜 License

BreachDetector is licensed under MIT.