nmilcoff / BreachDetector

Detect root, emulation, debug mode and other security concerns in your Xamarin apps
MIT License

BreachDetector


:wrench: Setup

Grab the latest NuGet package and install in your solution:

Install-Package Plugin.BreachDetector

In your iOS app, update the Info.plist and add the following URL schemes (they are queried as part of jailbreak detection, so without them the iOS check cannot see the package managers installed by common jailbreaks):

<key>LSApplicationQueriesSchemes</key>
<array>
    <string>cydia</string>
    <string>undecimus</string>
    <string>sileo</string>
    <string>zbra</string>
</array>

Additionally, if you want to use the GetDeviceLocalSecurityType() method on iOS, you need to add an additional key to the Info.plist, because the check touches the biometric API:

<key>NSFaceIDUsageDescription</key>
<string>Use a nice explanation here</string>

:iphone: Platforms supported

:key: Key features

:bulb: Examples

using Plugin.BreachDetector;

var isRootOrJailbreak = CrossBreachDetector.Current.IsRooted();
var isVirtualDevice = CrossBreachDetector.Current.IsRunningOnVirtualDevice();
var inDebug = CrossBreachDetector.Current.InDebugMode();
var fromStore = CrossBreachDetector.Current.InstalledFromStore(); 
var localAuthentication = CrossBreachDetector.Current.GetDeviceLocalSecurityType(); // values: Unknown, None, Pass, Biometric

Note: For a method that returns bool?, expect the result to be null when the running platform has no appropriate representation of the check (example: IsRooted() returns null on UWP). Treat null as "not assessed" rather than as a pass or a fail.
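The snippet above reads each check in isolation. The following is an added example (not code from the BreachDetector library or its sample app) that evaluates all of the checks once at startup, keeps the three-valued result of every bool? method, and reduces the findings to a single trust level. The DeviceTrust enum, the report type and the isReleaseBuild parameter are assumptions of this example; the enum type returned by GetDeviceLocalSecurityType() is not named on this page, so the example compares its textual value.

```csharp
using System;
using System.Collections.Generic;
using Plugin.BreachDetector;

// Added example: combine the plugin's checks into one startup decision.
public enum DeviceTrust { Trusted, Degraded, Untrusted }

public sealed class DeviceTrustReport
{
    public DeviceTrust Level { get; set; }
    public List<string> Findings { get; } = new List<string>();
    public List<string> NotAssessed { get; } = new List<string>();
}

public static class DeviceTrustEvaluator
{
    // isReleaseBuild is assumed to come from the caller's build configuration,
    // so that a debugger attached during development does not block the app.
    public static DeviceTrustReport Evaluate(bool isReleaseBuild)
    {
        var detector = CrossBreachDetector.Current;
        var report = new DeviceTrustReport { Level = DeviceTrust.Trusted };

        // null means the platform has no representation of the check (e.g. IsRooted on UWP):
        // it is recorded separately instead of being counted as a pass or a fail.
        Record(report, "root/jailbreak", detector.IsRooted(), DeviceTrust.Untrusted);
        Record(report, "emulator/virtual device", detector.IsRunningOnVirtualDevice(), DeviceTrust.Degraded);
        Record(report, "not installed from store", Negate(detector.InstalledFromStore()), DeviceTrust.Degraded);

        if (isReleaseBuild)
        {
            // A debugger on a release build is a much stronger signal than one during development.
            Record(report, "debugger attached", detector.InDebugMode(), DeviceTrust.Untrusted);
        }

        // Documented values: Unknown, None, Pass, Biometric. The enum type name is not
        // documented here, so the textual value is compared (assumption of this example).
        var localAuth = detector.GetDeviceLocalSecurityType().ToString();
        if (localAuth == "None")
        {
            report.Findings.Add("no device passcode or biometric configured");
            Raise(report, DeviceTrust.Degraded);
        }
        else if (localAuth == "Unknown")
        {
            report.NotAssessed.Add("local authentication type");
        }

        return report;
    }

    private static void Record(DeviceTrustReport report, string name, bool? flagged, DeviceTrust levelIfFlagged)
    {
        if (flagged == null)
        {
            report.NotAssessed.Add(name);
        }
        else if (flagged.Value)
        {
            report.Findings.Add(name);
            Raise(report, levelIfFlagged);
        }
    }

    // InstalledFromStore() is true when things are fine; invert it while preserving null.
    private static bool? Negate(bool? value) => value.HasValue ? !value.Value : (bool?)null;

    // The level only ever moves towards Untrusted; earlier findings are kept.
    private static void Raise(DeviceTrustReport report, DeviceTrust level)
    {
        if (level > report.Level) report.Level = level;
    }
}
```

Call DeviceTrustEvaluator.Evaluate(...) from your App.OnStart and decide per finding what to do (refuse high-risk operations, reduce session lifetime, report to your backend). Keep in mind that all of these checks run on a device the attacker may fully control: hooking frameworks or a repackaged binary can make every method return the expected value, so use the result to degrade functionality and to feed server-side risk decisions, not as the only gate in front of sensitive features.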

:lock: Security considerations

Good practices (OWASP)

The sample app in this repository also contains implementations of some good practices that are not part of the BreachDetector library, but that you can copy into your own code:

MSTG-ARCH-9: A mechanism for enforcing updates of the mobile app exists.

Use Xamarin.Essentials VersionTracking to track the versions of your app installed on the user's device. If the current version is deprecated, take the user to a screen where they are asked to download the updated version. Here is an example.
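The following is an added example of such a forced-update check (it is not the sample app's implementation). It uses the Xamarin.Essentials VersionTracking, Preferences, AppInfo and Launcher APIs; the fetchPolicy delegate, the update page, the preference key and the version strings used for the comparison are assumptions of this example, as is the fallback to the last cached minimum version when the backend cannot be reached.

```csharp
using System;
using System.Threading.Tasks;
using Xamarin.Essentials;
using Xamarin.Forms;

// Added example for MSTG-ARCH-9: decide at startup whether the installed
// version is still allowed to run, and block the app if it is not.
public enum UpdateDecision { UpToDate, UpdateRecommended, UpdateRequired }

public static class ForcedUpdateCheck
{
    // Assumed preference key for caching the last minimum version seen from the backend.
    const string MinimumVersionKey = "min_supported_version";

    // Pure comparison, so it can be unit-tested without a device.
    // An unparsable installed version is treated as too old (fail closed).
    public static UpdateDecision Decide(string installedVersion, string minimumVersion, string latestVersion)
    {
        if (!Version.TryParse(installedVersion, out var installed))
            return UpdateDecision.UpdateRequired;
        if (Version.TryParse(minimumVersion, out var minimum) && installed < minimum)
            return UpdateDecision.UpdateRequired;
        if (Version.TryParse(latestVersion, out var latest) && installed < latest)
            return UpdateDecision.UpdateRecommended;
        return UpdateDecision.UpToDate;
    }

    // Call from App.OnStart. fetchPolicy is assumed to ask your backend for the
    // (minimum, latest) version pair for this platform; updateRequiredPage is your
    // own page that only offers the store link.
    public static async Task<UpdateDecision> EnforceAsync(
        Func<Task<(string Minimum, string Latest)>> fetchPolicy, Page updateRequiredPage)
    {
        // VersionTracking must be primed once per launch before its properties are read.
        VersionTracking.Track();

        string minimum, latest;
        try
        {
            (minimum, latest) = await fetchPolicy();
            Preferences.Set(MinimumVersionKey, minimum);
        }
        catch (Exception)
        {
            // Backend unreachable: enforce the last minimum we saw rather than nothing.
            minimum = Preferences.Get(MinimumVersionKey, string.Empty);
            latest = minimum;
        }

        var decision = Decide(VersionTracking.CurrentVersion, minimum, latest);
        if (decision == UpdateDecision.UpdateRequired)
        {
            // Replace the whole page stack so nothing behind the screen stays reachable.
            Application.Current.MainPage = updateRequiredPage;
        }
        return decision;
    }

    // Android can open its own listing from the package name; the iOS App Store id
    // is not derivable at runtime, so it is passed in (assumption of this example).
    public static Task OpenStoreListingAsync(string iosAppStoreId)
    {
        var url = Device.RuntimePlatform == Device.Android
            ? $"market://details?id={AppInfo.PackageName}"
            : $"https://apps.apple.com/app/id{iosAppStoreId}";
        return Launcher.OpenAsync(url);
    }
}
```

Decide(...) is deliberately separated from the platform calls: the pairs ("2.2.0", "2.3.0", "2.5.0") yielding UpdateRequired and ("2.5.0", "2.3.0", "2.5.0") yielding UpToDate are the kind of cases a unit test can cover without running on a device. The minimum version should be served from an endpoint you control and, ideally, included in a signed response, since an attacker who can tamper with that value can keep users on a vulnerable build.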

MSTG-STORAGE-9: The app removes sensitive data from views when moved to the background.

Auto-logout due to user inactivity

The sample app in this repository has this mechanism implemented, so that a session left open on an unattended device expires on its own. You can see it here.
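The following is an added example covering both practices above (it is not the sample app's implementation): a Xamarin.Forms Application that hides the current page behind a neutral cover page when the app moves to the background (MSTG-STORAGE-9) and that logs the user out after a period of inactivity, including inactivity accumulated while backgrounded. SessionManager, LoginPage, PrivacyCoverPage and the five-minute limit are assumptions of this example.

```csharp
using System;
using Xamarin.Forms;

// Added example: background cover page plus inactivity auto-logout.
// Minimal stand-ins for the app's own session state and pages (assumptions).
public static class SessionManager
{
    public static bool IsLoggedIn { get; private set; }
    public static void Start() => IsLoggedIn = true;
    // Drop tokens and any in-memory sensitive state here.
    public static void Clear() => IsLoggedIn = false;
}

public class LoginPage : ContentPage
{
    public LoginPage() { Content = new Label { Text = "Please sign in" }; }
}

// Shown while backgrounded so the task-switcher snapshot contains nothing sensitive.
public class PrivacyCoverPage : ContentPage
{
    public PrivacyCoverPage() { BackgroundColor = Color.White; }
}

public class App : Application
{
    static readonly TimeSpan InactivityLimit = TimeSpan.FromMinutes(5);
    DateTime _lastActivityUtc = DateTime.UtcNow;
    Page _pageBeforeSleep;

    public App()
    {
        MainPage = new NavigationPage(new LoginPage());

        // Poll for inactivity; Device.StartTimer keeps firing while the callback returns true.
        Device.StartTimer(TimeSpan.FromSeconds(15), () =>
        {
            if (SessionManager.IsLoggedIn && DateTime.UtcNow - _lastActivityUtc > InactivityLimit)
                Logout();
            return true;
        });
    }

    // Call this from your pages or behaviors on every user interaction
    // (taps, key presses, navigation) so the inactivity clock restarts.
    public void NoteUserActivity() => _lastActivityUtc = DateTime.UtcNow;

    protected override void OnSleep()
    {
        // The OS captures the visible screen for the app switcher at this point.
        // Swap the real page out before that happens. On Android you may additionally
        // set FLAG_SECURE on the activity window to block snapshots and screenshots.
        _pageBeforeSleep = MainPage;
        MainPage = new PrivacyCoverPage();
    }

    protected override void OnResume()
    {
        // Time spent in the background counts as inactivity: the user may have
        // handed the device over or left it unattended.
        if (SessionManager.IsLoggedIn && DateTime.UtcNow - _lastActivityUtc > InactivityLimit)
        {
            Logout();
            return;
        }

        if (_pageBeforeSleep != null)
        {
            MainPage = _pageBeforeSleep;
            _pageBeforeSleep = null;
        }
    }

    void Logout()
    {
        SessionManager.Clear();
        _pageBeforeSleep = null;                 // never restore a page from a dead session
        MainPage = new NavigationPage(new LoginPage());
    }
}
```

Clearing the session on logout must include whatever your app holds in memory (tokens, decrypted records, view models), not just the navigation stack; otherwise the data survives until the process is killed, which defeats the purpose of the timeout.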

:construction_worker: Contributions

Yes, please! Issues are open for bugs/ideas and PRs are also welcome.

:bow: Acknowledgements

:scroll: License

BreachDetector is licensed under MIT.