ai_root_shield 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 3f124192172da4bb34ee0ec2c385049a4c25de229d2e14fc1df4a5459f2dab1a
+  data.tar.gz: e2bf7708d0ea5c292b04ba932d9537a3982554493959161ae09f6deb8997ef78
+SHA512:
+  metadata.gz: 0c3d53358069b9c79ca803256d41972e9390662d300033377127f7bf8e5ec6500147e0cdd4d742310a439943a00b2e1c78c58e2484d3f1cb98b21be6703c8d00
+  data.tar.gz: a2997cb19587cb3a49270252407b4f3c002c6af9de81801fba5697494d6cd232b268dd35814fd455106c8dbe65c37d1840197eb71d7d345ceba7ffb804988622

data/.rspec

@@ -0,0 +1,3 @@
+--format documentation
+--color
+--require spec_helper

data/CHANGELOG.md

@@ -0,0 +1,56 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [Unreleased]
+
+### Added
+- AI behavioral analysis integration (ONNX model support)
+- Enhanced hooking detection for iOS method swizzling
+- Real-time threat monitoring capabilities
+- Custom rule engine for security policies
+
+## [0.1.0] - 2024-09-09
+
+### Added
+- Initial release of AI Root Shield
+- Root/jailbreak detection for Android and iOS
+- Emulator and simulator detection
+- Hooking framework detection (Frida, Xposed, Substrate, Magisk)
+- Application integrity and repackaging checks
+- Network security analysis and MITM detection
+- TLS configuration validation
+- Comprehensive risk scoring system (0-100)
+- CLI tool with multiple output formats
+- Offline-first architecture with no data collection
+- Cross-platform support (Android/iOS)
+- Modular analyzer system for extensibility
+
+### Security Checks
+- **Root Detection**: Su binaries, root management apps, SELinux status, bootloader unlock
+- **Jailbreak Detection**: Cydia, MobileSubstrate, jailbreak files and packages
+- **Emulator Detection**: QEMU indicators, missing hardware, generic device models
+- **Hooking Detection**: Frida gadgets, Xposed framework, debugging tools
+- **Integrity Checks**: Code signatures, certificate validation, DEX/bundle tampering
+- **Network Analysis**: Proxy detection, custom CAs, MITM tools, VPN analysis
+
+### Risk Factors
+- 50+ security indicators with weighted risk scoring
+- Risk amplification for multiple high-risk factors
+- Contextual recommendations based on detected threats
+- Four-tier risk classification (LOW/MEDIUM/HIGH/CRITICAL)
+
+### Documentation
+- Comprehensive README with usage examples
+- API documentation with risk factor explanations
+- Device log format specification
+- CLI usage guide and configuration options
+
+### Testing
+- Unit tests for all analyzer modules
+- Integration tests for end-to-end scanning
+- Example device logs for testing and demonstration
+- RSpec test suite with comprehensive coverage

data/Gemfile

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+source "https://rubygems.org"
+
+# Specify your gem's dependencies in ai_root_shield.gemspec
+gemspec
+
+gem "rake", "~> 13.0"
+gem "rspec", "~> 3.0"
+gem "rubocop", "~> 1.21"
+gem "yard", "~> 0.9"
+
+group :development, :test do
+  gem "pry", "~> 0.14"
+  gem "simplecov", "~> 0.21"
+end

data/Gemfile.lock

@@ -0,0 +1,88 @@
+PATH
+  remote: .
+  specs:
+    ai_root_shield (0.1.0)
+      digest (~> 3.1)
+      json (~> 2.6)
+      openssl (~> 3.0)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    ast (2.4.3)
+    coderay (1.1.3)
+    diff-lcs (1.6.2)
+    digest (3.2.0)
+    docile (1.4.1)
+    json (2.13.2)
+    language_server-protocol (3.17.0.5)
+    lint_roller (1.1.0)
+    method_source (1.1.0)
+    openssl (3.3.0)
+    parallel (1.27.0)
+    parser (3.3.9.0)
+      ast (~> 2.4.1)
+      racc
+    prism (1.4.0)
+    pry (0.15.2)
+      coderay (~> 1.1)
+      method_source (~> 1.0)
+    racc (1.8.1)
+    rainbow (3.1.1)
+    rake (13.3.0)
+    regexp_parser (2.11.2)
+    rspec (3.13.1)
+      rspec-core (~> 3.13.0)
+      rspec-expectations (~> 3.13.0)
+      rspec-mocks (~> 3.13.0)
+    rspec-core (3.13.5)
+      rspec-support (~> 3.13.0)
+    rspec-expectations (3.13.5)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.13.0)
+    rspec-mocks (3.13.5)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.13.0)
+    rspec-support (3.13.5)
+    rubocop (1.80.2)
+      json (~> 2.3)
+      language_server-protocol (~> 3.17.0.2)
+      lint_roller (~> 1.1.0)
+      parallel (~> 1.10)
+      parser (>= 3.3.0.2)
+      rainbow (>= 2.2.2, < 4.0)
+      regexp_parser (>= 2.9.3, < 3.0)
+      rubocop-ast (>= 1.46.0, < 2.0)
+      ruby-progressbar (~> 1.7)
+      unicode-display_width (>= 2.4.0, < 4.0)
+    rubocop-ast (1.46.0)
+      parser (>= 3.3.7.2)
+      prism (~> 1.4)
+    ruby-progressbar (1.13.0)
+    simplecov (0.22.0)
+      docile (~> 1.1)
+      simplecov-html (~> 0.11)
+      simplecov_json_formatter (~> 0.1)
+    simplecov-html (0.13.2)
+    simplecov_json_formatter (0.1.4)
+    unicode-display_width (3.2.0)
+      unicode-emoji (~> 4.1)
+    unicode-emoji (4.1.0)
+    yard (0.9.37)
+
+PLATFORMS
+  arm64-darwin-24
+  ruby
+
+DEPENDENCIES
+  ai_root_shield!
+  bundler (~> 2.0)
+  pry (~> 0.14)
+  rake (~> 13.0)
+  rspec (~> 3.0)
+  rubocop (~> 1.21)
+  simplecov (~> 0.21)
+  yard (~> 0.9)
+
+BUNDLED WITH
+   2.6.9

data/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2024 AI Root Shield
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

data/README.md

@@ -0,0 +1,310 @@
+# AI Root Shield
+
+[![Gem Version](https://badge.fury.io/rb/ai_root_shield.svg)](https://badge.fury.io/rb/ai_root_shield)
+[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
+[![Ruby](https://img.shields.io/badge/ruby-%23CC342D.svg?style=flat&logo=ruby&logoColor=white)](https://www.ruby-lang.org/)
+[![Security](https://img.shields.io/badge/security-first-green.svg)](https://github.com/ahmetxhero/ai-root-shield)
+
+> **Created by [Ahmet KAHRAMAN](https://ahmetxhero.web.app)** - Mobile Developer & Cyber Security Expert  
+> *"Security first, innovation always"* 🛡️
+
+An AI-powered Ruby library that performs comprehensive on-device compromise detection for mobile applications without requiring a backend. Protects against root/jailbreak, emulators, hooking frameworks, and provides behavioral risk analysis.
+
+## 🚀 Features
+
+- **Root & Jailbreak Detection**: Detects binaries, file system anomalies, SELinux states (Android), DYLD injections (iOS), and system property manipulation
+- **Emulator/Simulator Detection**: Identifies QEMU drivers, missing baseband, sensor entropy anomalies, and virtualized environments
+- **Hooking & Instrumentation Detection**: Flags Frida gadgets, Magisk modules, Xposed frameworks, method swizzling, and debugger attachments
+- **Repackaging & Integrity Checks**: Validates code signatures, DEX hashes, app bundle integrity, and tamper indicators
+- **Network Security Analysis**: Provides TLS pinning helpers and detects custom CA injections or MITM proxies
+- **AI Behavioral Analysis**: Ready for lightweight ONNX model integration for behavioral risk scoring
+- **Offline & Privacy-Preserving**: Works fully offline, requires no cloud connectivity, and collects no PII
+
+## 📦 Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'ai_root_shield'
+```
+
+And then execute:
+
+```bash
+$ bundle install
+```
+
+Or install it yourself as:
+
+```bash
+$ gem install ai_root_shield
+```
+
+## 🔧 Usage
+
+### Basic Usage
+
+```ruby
+require "ai_root_shield"
+
+# Scan device using device logs
+result = AiRootShield.scan_device("device_logs/sample.json")
+
+puts result[:risk_score]  # => 87
+puts result[:factors]     # => ["ROOT_SU_FOUND", "FRIDA_GADGET", "TLS_UNPINNED"]
+```
+
+### Advanced Configuration
+
+```ruby
+# Custom configuration
+config = {
+  enable_root_detection: true,
+  enable_emulator_detection: true,
+  enable_hooking_detection: true,
+  enable_integrity_checks: true,
+  enable_network_analysis: true,
+  risk_threshold: 70
+}
+
+result = AiRootShield.scan_device_with_config("device_logs/sample.json", config)
+
+# Get risk level description
+risk_level = AiRootShield::RiskCalculator.risk_level_description(result[:risk_score])
+puts risk_level  # => "HIGH" or "CRITICAL"
+
+# Get recommended actions
+actions = AiRootShield::RiskCalculator.recommended_actions(result[:factors])
+actions.each { |action| puts "→ #{action}" }
+```
+
+### CLI Usage
+
+The gem includes a command-line interface:
+
+```bash
+# Basic scan
+$ ai_root_shield device_logs/sample.json
+
+# With options
+$ ai_root_shield --format text --threshold 60 device_logs/sample.json
+
+# Disable specific checks
+$ ai_root_shield --no-emulator --no-network device_logs/sample.json
+
+# Get help
+$ ai_root_shield --help
+```
+
+## 📊 Risk Scoring
+
+The library provides a comprehensive risk score (0-100) based on detected security factors:
+
+- **0-20**: LOW - Minimal security concerns
+- **21-40**: MEDIUM - Some security issues detected
+- **41-70**: HIGH - Significant security threats present
+- **71-100**: CRITICAL - Severe compromise indicators
+
+### Risk Factors
+
+| Category | Examples | Risk Weight |
+|----------|----------|-------------|
+| Root/Jailbreak | `ROOT_SU_FOUND`, `JAILBREAK_CYDIA` | High (15-25) |
+| Emulator | `EMULATOR_QEMU`, `MISSING_BASEBAND` | Medium-High (10-20) |
+| Hooking | `FRIDA_GADGET`, `XPOSED_FRAMEWORK` | High (18-25) |
+| Integrity | `REPACKAGED_APP`, `DEX_TAMPERED` | Medium (10-18) |
+| Network | `TLS_UNPINNED`, `MITM_PROXY_DETECTED` | Medium (8-18) |
+
+## 📋 Device Log Format
+
+The library expects device logs in JSON format with the following structure:
+
+```json
+{
+  "platform": "android",
+  "system_info": {
+    "os_version": "Android 11",
+    "kernel_version": "4.19.95-g0123456789ab",
+    "build_fingerprint": "google/flame/flame:11/RQ3A.210905.001/7511028:user/release-keys",
+    "bootloader_status": "unlocked",
+    "selinux_status": "enforcing"
+  },
+  "installed_packages": [
+    {
+      "name": "com.example.app",
+      "signature": "release-keys"
+    }
+  ],
+  "file_system": {
+    "suspicious_files": ["/system/bin/su"],
+    "system_binaries": ["/system/bin/sh"],
+    "writable_system_dirs": []
+  },
+  "running_processes": [
+    {
+      "name": "system_server",
+      "pid": 123
+    }
+  ],
+  "network": {
+    "proxy_settings": {"enabled": false},
+    "vpn_active": false,
+    "certificates": []
+  },
+  "hardware": {
+    "device_model": "Pixel 4",
+    "manufacturer": "Google",
+    "sensors": ["accelerometer", "gyroscope"]
+  }
+}
+```
+
+See the `examples/device_logs/` directory for complete examples.
+
+## 🛡️ Security Checks
+
+### Root/Jailbreak Detection
+- Su binary presence (`/system/bin/su`, `/system/xbin/su`)
+- Root management apps (SuperSU, Magisk, Superuser)
+- Jailbreak files (`/Applications/Cydia.app`, MobileSubstrate)
+- SELinux status (permissive/disabled)
+- Bootloader unlock status
+- Custom ROM indicators
+
+### Emulator/Simulator Detection
+- QEMU indicators (`/dev/qemu_pipe`, goldfish kernel)
+- Emulator packages (Genymotion, BlueStacks, Nox)
+- Missing hardware components (baseband, sensors)
+- Generic device identifiers
+- Virtualization processes
+
+### Hooking/Instrumentation Detection
+- Frida framework (`frida-server`, `libfrida-gadget.so`)
+- Xposed framework (`XposedBridge.jar`, Xposed installer)
+- Cydia Substrate (`MobileSubstrate`, `libsubstrate.dylib`)
+- Magisk modules and hiding mechanisms
+- Debugging tools (gdb, lldb, strace)
+
+### Integrity Checks
+- Application signature validation
+- Debug certificate detection
+- Repackaging indicators (test-keys, unsigned)
+- DEX file tampering (Android)
+- Bundle modification (iOS)
+- Code injection detection
+
+### Network Security Analysis
+- TLS configuration and certificate pinning
+- Custom CA certificate installation
+- Proxy configuration detection
+- MITM tool presence (Burp Suite, Charles Proxy)
+- VPN analysis for suspicious patterns
+
+## 🗺️ Roadmap
+
+- **v0.1** ✅ Static root/jailbreak checks
+- **v0.2** ✅ Emulator/simulator detection + TLS pinning helper
+- **v0.3** 🔄 AI behavioral model (ONNX inference)
+- **v0.4** 📋 Enhanced hooking/instrumentation detection
+- **v1.0** 🎯 Full compromise detection with comprehensive risk scoring
+
+## 🤝 Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/ai-root-shield/ai-root-shield.
+
+1. Fork the repository
+2. Create your feature branch (`git checkout -b feature/amazing-feature`)
+3. Commit your changes (`git commit -am 'Add some amazing feature'`)
+4. Push to the branch (`git push origin feature/amazing-feature`)
+5. Open a Pull Request
+
+## 📄 License
+
+The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).
+
+## 🎯 Use Cases
+
+### Financial Services
+- Mobile banking applications
+- Payment processing apps
+- Cryptocurrency wallets
+- Trading platforms
+
+### Healthcare
+- Electronic health records
+- Telemedicine applications
+- Medical device interfaces
+- Patient data management
+
+### Government & Defense
+- Secure communication apps
+- Identity verification systems
+- Classified information access
+- Military applications
+
+### Enterprise Security
+- Corporate mobile applications
+- VPN clients
+- Secure document viewers
+- Enterprise resource planning
+
+## 🔬 Technical Details
+
+### Architecture
+- Modular analyzer system for extensibility
+- Risk calculation engine with weighted factors
+- Offline-first design for privacy and performance
+- Cross-platform support (Android/iOS)
+
+### Performance
+- Lightweight footprint (~2MB)
+- Fast scanning (typically <100ms)
+- No network dependencies
+- Minimal memory usage
+
+### Privacy
+- No data collection or transmission
+- All processing happens locally
+- No user identification or tracking
+- Transparent open-source implementation
+
+## 📞 Support
+
+For questions, issues, or feature requests:
+- GitHub Issues: [Report a bug or request a feature](https://github.com/ahmetxhero/ai-root-shield/issues)
+- Documentation: [Wiki](https://github.com/ahmetxhero/ai-root-shield/wiki)
+- Security Issues: Please email ahmetxhero@gmail.com
+
+## 👨‍💻 About the Author
+
+**Ahmet KAHRAMAN** is a Mobile Developer & Cyber Security Expert with 10+ years of experience in Public Sector IT.
+
+- 🌐 **Website**: [ahmetxhero.web.app](https://ahmetxhero.web.app)
+- 🎥 **YouTube**: [@ahmetxhero](https://youtube.com/@ahmetxhero)
+- 💼 **LinkedIn**: [linkedin.com/in/ahmetxhero](https://linkedin.com/in/ahmetxhero)
+- 🐤 **Twitter**: [@ahmetxhero](https://x.com/ahmetxhero)
+- 📧 **Email**: ahmetxhero@gmail.com
+- 🏠 **Location**: Ankara, Turkey 🇹🇷
+
+**Education & Expertise:**
+- Master's Degree in Forensic Informatics (Gazi University)
+- Certified Ethical Hacker (CEH)
+- Digital Forensics Expert
+- Mobile Development (iOS, Android, Flutter)
+- Cybersecurity & Penetration Testing
+
+---
+
+**AI Root Shield** - Protecting mobile applications from compromise, one device at a time. 🛡️
+
+---
+
+<div align="center">
+  <strong>Built with ❤️ by <a href="https://ahmetxhero.web.app">Ahmet KAHRAMAN</a></strong><br>
+  <em>Mobile Developer & Cyber Security Expert</em><br><br>
+  
+  [![YouTube](https://img.shields.io/badge/YouTube-FF0000?style=for-the-badge&logo=youtube&logoColor=white)](https://youtube.com/@ahmetxhero)
+  [![LinkedIn](https://img.shields.io/badge/LinkedIn-0077B5?style=for-the-badge&logo=linkedin&logoColor=white)](https://linkedin.com/in/ahmetxhero)
+  [![Twitter](https://img.shields.io/badge/Twitter-1DA1F2?style=for-the-badge&logo=twitter&logoColor=white)](https://x.com/ahmetxhero)
+  [![Website](https://img.shields.io/badge/Website-4285F4?style=for-the-badge&logo=google-chrome&logoColor=white)](https://ahmetxhero.web.app)
+</div>

data/Rakefile

@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+require "rubocop/rake_task"
+
+RSpec::Core::RakeTask.new(:spec)
+RuboCop::RakeTask.new
+
+desc "Run all tests and linting"
+task :test => [:spec, :rubocop]
+
+desc "Generate documentation"
+task :doc do
+  sh "yard doc"
+end
+
+desc "Clean generated files"
+task :clean do
+  sh "rm -rf coverage/"
+  sh "rm -rf doc/"
+  sh "rm -rf pkg/"
+end
+
+desc "Run example scans"
+task :examples do
+  puts "Running example scans..."
+  
+  puts "\n=== Clean Device Scan ==="
+  sh "ruby exe/ai_root_shield --format text examples/device_logs/clean_device.json"
+  
+  puts "\n=== Rooted Device Scan ==="
+  sh "ruby exe/ai_root_shield --format text examples/device_logs/rooted_android.json"
+end
+
+task :default => :test

data/examples/device_logs/clean_device.json

@@ -0,0 +1,74 @@
+{
+  "platform": "android",
+  "system_info": {
+    "os_version": "Android 12",
+    "kernel_version": "5.4.147-android12-9-00009-g277909d0bff5",
+    "build_fingerprint": "google/redfin/redfin:12/SQ3A.220705.003.A1/8672226:user/release-keys",
+    "bootloader_status": "locked",
+    "selinux_status": "enforcing",
+    "developer_options": false
+  },
+  "installed_packages": [
+    {
+      "name": "com.android.chrome",
+      "signature": "release-keys"
+    },
+    {
+      "name": "com.google.android.gms",
+      "signature": "platform"
+    },
+    {
+      "name": "com.whatsapp",
+      "signature": "valid"
+    }
+  ],
+  "file_system": {
+    "suspicious_files": [],
+    "system_binaries": [
+      "/system/bin/sh",
+      "/system/bin/ls"
+    ],
+    "writable_system_dirs": []
+  },
+  "running_processes": [
+    {
+      "name": "zygote",
+      "pid": 123
+    },
+    {
+      "name": "system_server",
+      "pid": 456
+    }
+  ],
+  "network": {
+    "proxy_settings": {
+      "enabled": false
+    },
+    "vpn_active": false,
+    "certificates": []
+  },
+  "security": {
+    "screen_lock_enabled": true,
+    "encryption_enabled": true,
+    "unknown_sources": false,
+    "usb_debugging": false
+  },
+  "hardware": {
+    "device_model": "Pixel 5",
+    "manufacturer": "Google",
+    "sensors": ["accelerometer", "gyroscope", "magnetometer", "proximity", "light"],
+    "baseband_version": "g7250-00168-210528-B-7167256",
+    "serial_number": "1A2B3C4D5E6F"
+  },
+  "certificates": [
+    {
+      "subject": "CN=Google Inc, O=Google Inc, C=US",
+      "issuer": "CN=GeoTrust Global CA, O=GeoTrust Inc., C=US",
+      "not_after": "2025-12-31T23:59:59Z"
+    }
+  ],
+  "system_logs": [
+    "system_server: System ready",
+    "zygote: Process started"
+  ]
+}