Repackaging detection

Repackaging detection is a security feature that detects if the application was modified and resigned with a different signing certificate.

Malwarelytics for Apple is able to detect that the app has been repackaged and can be configured to terminate the app in that case.

Configuration

let raspConfig = AppProtectionRaspConfig(
    repackage: RepackageConfig
    // configuration of other RASP features
)

Available values of RepackageConfig:

Value Description
.noAction(
trustedCerts: [TrustedCertificate])
indicates that repackaging will not be automatically detected. A manual check is still possible.
.notify(
trustedCerts: [TrustedCertificate])
indicates that repackaging will be automatically detected and the delegates will be notified via the repackageDetected() method.
.exit(
trustedCerts: [TrustedCertificate],
exitUrl: String?)
indicates that the repackaging will be automatically detected and the app will be terminated when the repackaging is automatically detected.

Repackaging detection defaults to .noAction([]).

List of available parameters for some config values:

Parameter Description
trustedCerts: [TrustedCertificate] defines trusted certificates for ad-hoc or enterprise distribution. AppStore signing certificates are trusted by default.
exitUrl: String? defines the URL to be opened when the app is terminated because of the automatic detection. Defaults to nil.

Certificate Configuration Details

To properly configure the repackaging detection, you need to get the Base64 encoded string of your signing certificate:

  1. Open the Keychain Access application.
  2. Find a certificate that will be used to sign your application, for example, “Apple Development: Jan Tester (c)”.
  3. Right-click on the item and click “Export…”.
  4. Export the certificate in the .cer format.
  5. Open up the terminal and cd into the folder with your exported certificate.
  6. Encode the certificate in Base64 with cat your_exported.cer | base64.
  7. Copy the output of the command and use it as a parameter for the repackage detection configuration:
// Prepare the RASP feature configuration
let raspConfig = AppProtectionRaspConfig(
    // ...
    repackage: .exit([AppProtectionTrustedCert(withBase64EncodedString: "BASE_64_ENCODED_CERT")!], "https://myurl.com/repackage-explained")
    // ...
)

Tip: To hide the string in your binary, use the init constructor for AppProtectionTrustedCert with Data or [UInt8] arguments.

Usage

After service creation, the repackaging detection feature can be accessed via AppProtectionRasp. This can be used to add a delegate or to trigger a manual repackaging detection check.

Observing Detection

Repackaging detection can trigger a certain action. To achieve that, a delegate needs to be added.

Delegate configuration:

class RaspDelegate: AppProtectionRaspDelegate {

    // other delegate code

    func repackageDetected() {
        // handle repackaging detection
    }
}

The delegate can be added in AppProtectionRasp. When it is no longer needed, it can be removed again.

let raspDelegate = RaspDelegate()
appProtection.rasp.addDelegate(raspDelegate)
appProtection.rasp.removeDelegate(raspDelegate)

Triggering a Manual Check

The repackaging detection check can be triggered manually in AppProtectionRasp by getting the isRepackaged property value. A simple Bool answer is given.

let isRepackaged = appProtection.rasp.isRepackaged

More information on general RASP feature configuration and usage can be found in this overview.

Last updated on Apr 11, 2024 (08:13) View product
Search

develop

Malwarelytics for Apple