MASTG-TEST-0354: Runtime Use of Hook Detection Techniques
Overview
This test verifies whether the app detects and responds to instrumentation and hooking attempts at runtime. If the app does not detect the hook and respond (for example, by terminating immediately) when the following APIs or functions are hooked, an attacker can:
- Extract Keychain items, session tokens, credentials, and other secrets by hooking `SecItemCopyMatching`, `SecItemAdd`, or `SecItemUpdate`.
- Extract cryptographic keys, signatures, plaintext, or decrypted data by hooking `SecKeyCreateSignature`, `SecKeyCreateDecryptedData`, or `CCCrypt`.
- Bypass authentication by hooking `LAContext.evaluatePolicy` or `LAContext.evaluateAccessControl`.
- Extract or modify sensitive network data by hooking `URLSession.dataTask(with:completionHandler:)`, `URLSession.uploadTask(with:from:completionHandler:)`, `URLSession.downloadTask(with:completionHandler:)`, or `URLSessionTask.resume`.
- Intercept any other function that processes or returns sensitive data.
Warning
This list is indicative only; each app may have its own defensive response mechanisms.
Out of Scope
This test does not assess the robustness or bypass-resistance of the hook detection mechanisms. Detection methods and bypass techniques evolve continuously, and determined attackers with sufficient time and resources can circumvent these protections, for example, by using advanced instrumentation mechanisms. These techniques should be part of a defense-in-depth strategy, not a standalone solution. See Hardening Against Reverse Engineering Tools for best practices on implementing effective runtime hook detection.
Steps
1. Use Installing Apps to install the app.
2. Use Method Hooking to hook the relevant API calls.
3. Exercise the app extensively to trigger as many flows as possible and enter sensitive data wherever you can.
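The following Frida script is an added example for steps 2 and 3 and for the `CCCrypt` entry in the Overview; it is not code from the MASTG page or from any of its demos. It hooks `CCCrypt` (assumed to be resolvable as a global export, as on iOS) and records the operation, algorithm, key, IV, input and output of every call, which is exactly the "expected hook callback data" the Observation section refers to. The `verdict` helper encodes the Evaluation rule: any captured record means the test fails. The constants come from `CommonCryptor.h`; the 64-byte dump limit and the record field names are the example's own choices. Frida-only globals (`Interceptor`, `Module`, `send`) are used only when the script runs under Frida, so the pure helpers can also be loaded in Node.

```javascript
// Added example (not from the MASTG page): Frida hook on CCCrypt that logs every call.
// Run with the frida CLI, e.g. `frida -U -f <bundle-id> -l cccrypt-hook.js`.

// Constants from <CommonCrypto/CommonCryptor.h>.
const CC_OP = { 0: 'encrypt', 1: 'decrypt' };
const CC_ALG = { 0: 'AES', 1: 'DES', 2: '3DES', 3: 'CAST', 4: 'RC4', 5: 'RC2', 6: 'Blowfish' };
const kCCOptionPKCS7Padding = 0x0001;
const kCCOptionECBMode = 0x0002;
const kCCSuccess = 0;
const MAX_DUMP = 64; // example's own limit: bytes of input/output copied per call

function toHex(bytes) {
  return Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
}

// Decode the scalar CCCrypt arguments into a readable record.
function describeCCCrypt(op, alg, options, keyLength) {
  return {
    op: CC_OP[op] || `op(${op})`,
    alg: CC_ALG[alg] || `alg(${alg})`,
    keyBits: keyLength * 8,
    padding: (options & kCCOptionPKCS7Padding) ? 'PKCS7' : 'none',
    mode: (options & kCCOptionECBMode) ? 'ECB' : 'CBC',
  };
}

// Evaluation rule of this test: a captured record means the hook ran and returned
// data, so the app did not detect or respond to it (FAIL). An empty log is not a pass
// by itself; the tester must confirm the app terminated or the hook errored instead.
function verdict(records) {
  if (records.length > 0) {
    return { result: 'FAIL', reason: `${records.length} CCCrypt call(s) captured with key and data material` };
  }
  return { result: 'NO_HOOK_DATA', reason: 'no callback fired; confirm termination or script error before passing' };
}

const records = [];

if (typeof Interceptor !== 'undefined') {
  // Module.findGlobalExportByName exists in newer Frida releases; fall back to the older API.
  const cccrypt = (typeof Module.findGlobalExportByName === 'function')
    ? Module.findGlobalExportByName('CCCrypt')
    : Module.findExportByName(null, 'CCCrypt');

  Interceptor.attach(cccrypt, {
    // CCCrypt(op, alg, options, key, keyLength, iv, dataIn, dataInLength,
    //         dataOut, dataOutAvailable, dataOutMoved)
    // args[8..10] are stack arguments on arm64; Frida resolves them by index.
    onEnter(args) {
      const alg = args[1].toInt32();
      const keyLength = args[4].toInt32();
      const dataInLength = args[7].toInt32();
      this.rec = describeCCCrypt(args[0].toInt32(), alg, args[2].toInt32(), keyLength);
      this.rec.key = toHex(new Uint8Array(args[3].readByteArray(keyLength)));
      // Block size: 16 for AES, 8 for the other block ciphers; RC4 passes a NULL IV.
      const ivLength = alg === 0 ? 16 : 8;
      this.rec.iv = args[5].isNull() ? null : toHex(new Uint8Array(args[5].readByteArray(ivLength)));
      this.rec.dataIn = toHex(new Uint8Array(args[6].readByteArray(Math.min(dataInLength, MAX_DUMP))));
      this.dataOut = args[8];
      this.dataOutMoved = args[10];
    },
    onLeave(retval) {
      this.rec.status = retval.toInt32();
      if (this.rec.status === kCCSuccess && !this.dataOutMoved.isNull()) {
        const moved = this.dataOutMoved.readU64().toNumber();
        this.rec.dataOut = toHex(new Uint8Array(this.dataOut.readByteArray(Math.min(moved, MAX_DUMP))));
      }
      records.push(this.rec);
      send(this.rec); // delivered to the frida CLI / Python host as a message
    },
  });
}
```

While exercising the app (step 3), each `send` message is the first Observation outcome: the hook fired and returned key and data material, so the test fails. If instead the frida CLI reports that the process terminated, the script throws, or no messages arrive for flows that must encrypt or decrypt, that is the second outcome, and it still needs to be confirmed manually rather than recorded as a pass. The same pattern (resolve the symbol, attach, decode arguments, send a record) applies to the other APIs listed in the Overview; Objective-C methods such as `LAContext.evaluatePolicy` are resolved through `ObjC.classes` instead of an exported C symbol.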
Observation
The output should contain one of the following:
- The expected hook callback data (e.g., function arguments, return values, or backtraces).
- Session termination, script errors, empty responses, or absence of expected hook data.
Evaluation
The test case fails if the hook executes successfully and returns the expected data, indicating that the app lacks effective runtime hook detection.
Expected False Negatives:
This test may produce false negatives if the selected hooks or traces do not cover the app's security-sensitive code paths, if the exercised flows do not trigger operations that process sensitive data, or if the app's runtime hook detection logic is implemented in a way that evades the instrumentation used in this test (for example, through obfuscation, dynamic loading, native code, anti-instrumentation techniques, or checks that run before the hooks are installed). In such cases, the absence of findings does not guarantee that the app has effective runtime hook detection. Additional manual reverse engineering or custom instrumentation may be required to identify and analyze the app's hook detection mechanisms.
Best Practices
MASTG-BEST-0048: Hardening Against Reverse Engineering Tools
Demos
- MASTG-DEMO-0118: Detecting Frida Hooks Before Sensitive Cryptographic Operations
- MASTG-DEMO-0119: Bypassing Frida D-Bus Port Detection to Extract Sensitive Data
- MASTG-DEMO-0117: Extracting Sensitive Data from CCCrypt via Frida Hooking