OWASP / owasp-mastg

The Mobile Application Security Testing Guide (MASTG) is a comprehensive manual for mobile app security testing and reverse engineering. It describes the technical processes for verifying the controls listed in the OWASP Mobile Application Security Verification Standard (MASVS).
https://mas.owasp.org/
Creative Commons Attribution Share Alike 4.0 International

-- TODO -- Add a generic Frida script that catches many JB detection methods #901

Closed sushi2k closed 5 years ago

sushi2k commented 6 years ago

In 0x06j chapter, #### Bypassing Jailbreak Detection

rubaljain commented 5 years ago

Step by step process & scripts to be used to bypass the Jailbreak detection mechanism in the iOS application using Frida.

https://github.com/rubaljain/frida-jb-bypass

commjoen commented 5 years ago

Thanks @rubaljain! Can we reference this in the MSTG?

rubaljain commented 5 years ago

Hi Jeroen,

Sure, you can create a reference to it. I would also love to contribute to the MSTG.

Let me know in case you have any further requirements.

Thanks, Rubal


TheDauntless commented 5 years ago

The script referenced above only works for the DamnVulnerable iOS app so I don't think we need to reference it.

I suggest we reference objection and its jailbreak bypass script, as it makes more sense to have people contribute to it there than to have to update a very long script in a testing guide:

https://github.com/sensepost/objection/blob/master/agent/src/ios/jailbreak.ts

If that's ok with you, I can just add this reference and leave the rest as is (there's already some info in the guide)

rubaljain commented 5 years ago

Yes, we can do that. However, in case objection fails to bypass the Jailbreak detection then my script can be used wherein the user has to manually provide the class and method name.


-- Regards Rubal Jain

sushi2k commented 5 years ago

https://github.com/OWASP/owasp-mstg/pull/1276

commjoen commented 5 years ago

Fixed in #1276