Talk about iOS identification virtual positioning research

[[415572]]

This article is reprinted from the WeChat public account "Swift Community", the author is Jingfeng Lingyu. Please contact the Swift Community public account to reprint this article.

Preface

In recent business development, we have encountered the situation where the location of our project app was tampered, which was particularly obvious on the Android side. In order to prevent this kind of black industry from using virtual positioning to make money, iOS also has to circumvent virtual positioning.

After doing technical research, we found that it is difficult to achieve virtual positioning on an Apple phone with just a phone, but it is still possible. The bugly record of one of the company's project app reported that a user was using a jailbroken Apple phone, which really makes this behavior suspicious.

With the joint efforts of myself and my company partners, we have roughly investigated the following situations of using virtual positioning (the method of using Xcode virtual positioning is ignored in this article):

The first method: using a jailbroken phone

Generally, app users use jailbroken Apple phones. It can be inferred that the users are trying to take advantage of the system (there is also the possibility that their apps are reverse engineered by competing companies). This is because it is more difficult to buy a jailbroken phone than a normal one, and it is not as good as a normal phone in terms of system upgrades and use of the App Store. I have had some superficial knowledge of app reverse engineering by jailbreaking an iPhone 5s.

Identification method

It is recommended to use a one-size-fits-all approach, which is to identify whether the phone has Cydia.app installed. If it has, it will be directly judged as a jailbroken phone and report the "device abnormality" information to the backend. If you do not use this method, please continue reading, there will be other solutions later.

Professional reverse engineers can definitely avoid app developers from detecting Cydia installations. Of course, this is because the app is very popular in the market and is used by competitors for reverse analysis. In this case, virtual identification is basically meaningless. My personal suggestion is to directly lock and stop the interface service of this mobile app. Here is an article on how developers can identify whether an Apple phone has been jailbroken [1].

Code Implementation

 /// Determine whether it is a jailbroken device
 /// - Returns : true indicates the device is jailbroken
 func isBrokenDevice() -> Bool { 
     
 var isBroken = false   
     
    let cydiaPath = "/Applications/Cydia.app"   
     
    let aptPath = "/private/var/lib/apt"   
     
    if FileManager. default .fileExists(atPath: cydiaPath) {
 isBroken = true  
 } 
     
    if FileManager. default .fileExists(atPath: aptPath) {
 isBroken = true  
 } 
     
 return isBroken
 }

The second method: Use Aisi Assistant

For scenarios where virtual positioning is used, it should mostly be drivers or docking personnel clocking in. In this scenario, a group of black industries that specialize in using virtual positioning to clock in and out may have emerged. For Apple phones, at present, the virtual positioning function of Aisi Assistant can be very well implemented.

Usage steps: Download the Aisi Assistant Mac client, connect the iPhone, click Virtual Positioning in the toolbox, select the location on the map, and then click Modify Virtual Positioning to modify the location information of the map.

Principle: On a non-jailbroken device, connect the computer and the phone via USB. The computer sends simulated coordinate data to the DTSimulateLocation service on the phone through a special protocol to achieve false positioning. Currently, the built-in location simulation in Xcode is achieved with the help of this technology. (Article source [2])

Identification method

1. By repeatedly recording the virtual positioning data of Aisi Assistant, it is found that the altitude of the longitude and latitude of its virtual positioning information is 0 and the number of longitude and latitude data bits is also worth studying. The real positioning and virtual positioning data are as follows:

True positioning

Virtual Positioning

By carefully observing the data, it is not difficult to find that if we compare the altitude of the positioning information and verify the double digits of the longitude and latitude, the black hat of virtual positioning can be easily cracked.

If we compare the virtual positioning height to 0, we will identify it as virtual positioning, and then a question will arise: the real altitude is the zero point. How to solve it? Here is a brief introduction to China's zero altitude position. China's zero point is located in the "People's Republic of China Zero Point" in Yinhai World on Donghai Middle Road, Qingdao. It is the only zero point in China. The only zero point.

At the same time, by comparing the double digits of longitude and latitude, it was found that the digits of virtual positioning were obviously wrong. By checking the digit precision of Swift's float and double, it was found that the longitude and latitude data of virtual positioning only perfunctorily met the double precision digits. The number of significant digits of Swift's float is 7, and the number of significant digits of double is 15.

Of course, the weight of this comparison is relatively low. I just updated the Aisi Assistant version and found that the new version has more detailed latitude and longitude, but it still does not reach the level of double significant digits. Compared with the current Aisi Assistant's height comparison recognition as virtual positioning, it is completely possible.

Code Implementation

 if location.altitude == 0.0 {
 print( "Virtual Positioning" )
 } 
 
 //The number of digits is used as the weight ratio for judgment. If the number of digits is less than 12 (the assumed value, the number of digits of this data of the virtual positioning of Aisi Assistant is 9 at present), it is judged as virtual positioning.
 // Dangerous, use with caution, but it is still OK as a record of small-weight abnormal data
 let longitude = location.coordinate.longitude
 let longitudeStr = "\(longitude)" .components(separatedBy: "." ). last ?? ""   
 
 print( "Number of significant digits of longitude: \(longitudeStr.count)" )
 if longitudeStr.count < 12 { 
 
 print( "Virtual Positioning" )
 }

Second, upload the latitude and longitude of the positioned data to the backend, which then obtains detailed latitude and longitude information based on the received latitude and longitude, and makes an in-depth comparison of the driver's geographic information other than the latitude and longitude, giving priority to comparing the altitude, horizontalAccuracy, and verticalAccuracy values, and makes a decision after weighing whether the values ​​are equal.

three,

(1) By obtaining the public IP address, the approximate location can be obtained based on the IP address through the interface, but the error range is a bit large.

 //Get the public IP address
 var ipAddress: String? { 
 
    let ipUrl = URL(string: "https://ipof.in/txt" )!
    let ip = try? String.init(contentsOf: ipUrl, encoding: .utf8) 
 
 return ip
 }

(ii) Reading the app location via Wi-Fi hotspot[3]

(III) Use CLCircularRegion to set the specified longitude and latitude of the center of the region and the configurable radius for monitoring.

Simple code implementation:

 manager = CLLocationManager()
 //Set the location service manager proxy
 manager?.delegate = self
 //Set the positioning mode
 manager?.desiredAccuracy = kCLLocationAccuracyBest
 //Update distance
 manager?.distanceFilter = 100
 //Send authorization request
 manager?.requestWhenInUseAuthorization() 
 
 let latitude = 115.47560123242931
 let longitude = 29.9757535600194
 let centerCoordinate = CLLocationCoordinate2D(latitude: latitude, longitude: longitude)
 let locationIDStr = ""  
 let clRegion = CLCircularRegion(center: centerCoordinate, radius: 100, identifier: locationIDStr)
 manager?.startMonitoring( for : clRegion) 
 
 Proxy Methods 
 
 func locationManager(_ manager: CLLocationManager, didEnterRegion region: CLRegion) { 
 
 } 
 
 func locationManager(_ manager: CLLocationManager, didExitRegion region: CLRegion) { 
 
 }

(IV) Through IBeacon technology, use CBPeripheralManager under the CoreBluetooth framework to establish a Bluetooth base station. This positioning is end-to-end direct positioning, eliminating the need for GPS satellite and cellular data base station communication.

Simple code implementation:

 func locationManager(_ manager: CLLocationManager, didRangeBeacons beacons: [CLBeacon], in region: CLBeaconRegion) { 
 
 for beacon in beacons {
        var proximityStr: String = ""  
        switch beacon.proximity {
 case .far:
            proximityStr = "Unknown"  
 case .immediate:
            proximityStr = "Immediate"  
 case .near:
            proximityStr = "Near"  
 case .unknown:
            proximityStr = "Unknown"  
 } 
 
 var beaconStr = "Signal:" + beacon.proximityUUID.uuidString + "major:" + beacon.major.stringValue + "minor:" + beacon.minor.stringValue + "Distance:" + beacon.accuracy + "Signal:" + "\(Int64(beacon.rssi))" + "Proximity:" + proximityStr 
 
 print( "beacon information: \(beaconStr)" )
 } 
 
 } 
 
 func locationManager(_ manager: CLLocationManager, rangingBeaconsDidFailFor region: CLBeaconRegion, withError error: Error) { 
 
 } 
     
 -----------------------------------------------------------------------------------------------   
 
 //You cannot create a class that complies with the CBPeripheralManagerDelegate protocol alone. You need to comply with the NSObjectProtocol protocol first. Here, you can directly inherit NSObject
 class CoreBluetoothManager:NSObject, CBPeripheralManagerDelegate { 
     
 //Build a Bluetooth base station.
    lazy var peripheralManager: CBPeripheralManager = CBPeripheralManager(delegate: self, queue: DispatchQueue.main, options: nil) 
             
    lazy var region: CLBeaconRegion = { 
         
        guard let uuid = UUID(uuidString: "xxx" ) else {
 return CLBeaconRegion()
 }
        let major: CLBeaconMajorValue = 1
        let minor: CLBeaconMajorValue = 1
 let id = "the name of the created Bluetooth base station"  
        let region = CLBeaconRegion(proximityUUID: uuid, major: major, minor: minor, identifier: id)
 return region
 }() 
     
    func peripheralManagerDidUpdateState(_ peripheral: CBPeripheralManager) { 
         
        switch peripheral.state {
 case CBManagerState.poweredOn: 
             
            if let data = self.region.peripheralData(withMeasuredPower: nil) as ? [String : Any ] { 
                 
                self.peripheralManager.startAdvertising(data)
 } 
             
 case CBManagerState.poweredOff,
             CBManagerState.resetting,
             CBManagerState.unauthorized,
             CBManagerState.unsupported,
             CBManagerState.unknown: 
             
 break
 }
 } 
    
    func peripheralManagerDidStartAdvertising(_ peripheral: CBPeripheralManager, error: Error?) { 
         
 } 
         
 }

4. (To be improved) I have tried the solution at the end of the article on iOS anti-black industry false location detection technology. I read the fLocation of CLLocation's _internal through kvc layer by layer, but I can only read this far. If I read it through kvc again, the following error will be reported:

 Expression can't be run, because there is   no JIT compiled function  

After further research, I found this explanation in Apple's official development documents [4]. It also said to set the debug+ optimization strategy, but the default bug environment of iOS is -Onone level. In fact, the main reason seems to be that the JIT setting can only be found in the Hardened Runtime of Signing & Capabilities when developing the Mac client. About the setting of Allow Execution of JIT-compiled Code (official article [5]). In the end, I can only get here. If there is a great god who can read the real location of CLLocation through other methods (this is an extremely perfect solution), please feel free to enlighten me.

Attachment:

The official definition of the CLLocation object private variable _internal instance object [6]:

 @interface CLLocationInternal : NSObject {
 struct {
 int suitability;
 struct {
 double latitude;
 double longitude;
 } coordinate;
 double horizontalAccuracy;
 double altitude;
 double verticalAccuracy;
 double speed;
 double speedAccuracy;
 double course;
 double courseAccuracy;
 double   timestamp ;
 int confidence;
 double lifespan;
 int type;
 struct {
 double latitude;
 double longitude;
 } rawCoordinate;
 double rawCourse;
 int floor;
        unsigned int integrity;
 int referenceFrame;
 int rawReferenceFrame;
 } fLocation;
    CLLocationMatchInfo * fMatchInfo;
 double fTrustedTimestamp;
 }

 @class NSData; 
 
 @interface CLLocationMatchInfo : NSObject <NSCopying, NSSecureCoding> { 
 
 id _internal;
 }
 @property (nonatomic,readonly) long long matchQuality;
 @property (nonatomic,readonly) CLLocationCoordinate2D matchCoordinate;
 @property (nonatomic,readonly) double matchCourse;
 @property (nonatomic,readonly) int matchFormOfWay;
 @property (nonatomic,readonly) int matchRoadClass;
 @property (getter=isMatchShifted,nonatomic,readonly) BOOL matchShifted;
 @property (nonatomic,copy,readonly) NSData * matchDataArray;

References

[1]

How to use code to determine whether the iOS system is jailbroken: https://www.huaweicloud.com/articles/7c6b8027253c4a97196d359840f638d9.html

[2]

iOS anti-black industry false location detection technology: https://cloud.tencent.com/developer/article/1800531

[3]

Wifi positioning principle and iOS Wifi list acquisition: http://www.caojiarun.com/2017/01/iOS_Wifilist/

[4]

Allow Execution of JIT-compiled Code Entitlement: https://developer.apple.com/documentation/bundleresources/entitlements/com_apple_security_cs_allow-jit

[5]

Hardened Runtime: https://developer.apple.com/documentation/security/hardened_runtime

[6]

Official definition of _internal instance object: https://github.com/nst/iOS-Runtime-Headers/blob/master/Frameworks/CoreLocation.framework/CLLocationInternal.h