ai_root_shield 0.1.0

data/lib/ai_root_shield/analyzers/integrity_checker.rb

@@ -0,0 +1,407 @@
+# frozen_string_literal: true
+
+require "digest"
+require "openssl"
+
+module AiRootShield
+  module Analyzers
+    # Checks application integrity and detects repackaging/tampering
+    class IntegrityChecker
+      # Known repackaging indicators
+      REPACKAGING_INDICATORS = %w[
+        test-keys
+        platform.pk8
+        shared.pk8
+        media.pk8
+        debug.keystore
+        androiddebugkey
+        unsigned
+        CERT.RSA
+        CERT.DSA
+      ].freeze
+
+      # Suspicious certificate authorities
+      SUSPICIOUS_CAS = %w[
+        CN=Android Debug
+        CN=Test
+        CN=Debug
+        O=Android
+        OU=Android
+      ].freeze
+
+      def analyze(device_data)
+        factors = []
+        risk_score = 0
+
+        # Check application signatures
+        signature_result = check_app_signatures(device_data)
+        factors.concat(signature_result[:factors])
+        risk_score += signature_result[:risk_score]
+
+        # Check for repackaging indicators
+        repackaging_result = check_repackaging_indicators(device_data)
+        factors.concat(repackaging_result[:factors])
+        risk_score += repackaging_result[:risk_score]
+
+        # Check file integrity
+        integrity_result = check_file_integrity(device_data)
+        factors.concat(integrity_result[:factors])
+        risk_score += integrity_result[:risk_score]
+
+        # Check for code injection
+        injection_result = check_code_injection(device_data)
+        factors.concat(injection_result[:factors])
+        risk_score += injection_result[:risk_score]
+
+        {
+          factors: factors,
+          risk_score: [risk_score, 100].min
+        }
+      end
+
+      private
+
+      def check_app_signatures(device_data)
+        factors = []
+        risk_score = 0
+
+        certificates = device_data[:certificates] || []
+
+        certificates.each do |cert|
+          next unless cert.is_a?(Hash)
+
+          # Check for debug certificates
+          if debug_certificate?(cert)
+            factors << "DEBUG_CERTIFICATE_DETECTED"
+            risk_score += 15
+          end
+
+          # Check for suspicious issuers
+          if suspicious_issuer?(cert)
+            factors << "SUSPICIOUS_CERTIFICATE_ISSUER"
+            risk_score += 12
+          end
+
+          # Check certificate validity
+          if expired_certificate?(cert)
+            factors << "EXPIRED_CERTIFICATE"
+            risk_score += 8
+          end
+
+          # Check for self-signed certificates
+          if self_signed_certificate?(cert)
+            factors << "SELF_SIGNED_CERTIFICATE"
+            risk_score += 10
+          end
+        end
+
+        # Check for missing signatures
+        if certificates.empty?
+          factors << "MISSING_SIGNATURES"
+          risk_score += 20
+        end
+
+        {
+          factors: factors,
+          risk_score: risk_score
+        }
+      end
+
+      def check_repackaging_indicators(device_data)
+        factors = []
+        risk_score = 0
+
+        # Check system info for repackaging signs
+        system_info = device_data[:system_info] || {}
+        
+        # Check build fingerprint
+        fingerprint = system_info[:build_fingerprint].to_s
+        REPACKAGING_INDICATORS.each do |indicator|
+          if fingerprint.downcase.include?(indicator.downcase)
+            factors << "REPACKAGED_APP"
+            risk_score += 18
+            break
+          end
+        end
+
+        # Check installed packages for suspicious signatures
+        packages = device_data[:installed_packages] || []
+        
+        packages.each do |package|
+          next unless package.is_a?(Hash)
+          
+          signature = package["signature"] || package["cert"]
+          next unless signature
+
+          REPACKAGING_INDICATORS.each do |indicator|
+            if signature.to_s.downcase.include?(indicator.downcase)
+              factors << "PACKAGE_REPACKAGED"
+              risk_score += 15
+              break
+            end
+          end
+        end
+
+        # Check for multiple signatures on same package
+        signature_counts = {}
+        packages.each do |package|
+          next unless package.is_a?(Hash)
+          
+          pkg_name = package["name"]
+          signature = package["signature"]
+          
+          next unless pkg_name && signature
+          
+          signature_counts[pkg_name] ||= []
+          signature_counts[pkg_name] << signature
+        end
+
+        signature_counts.each do |pkg_name, signatures|
+          if signatures.uniq.length > 1
+            factors << "MULTIPLE_SIGNATURES_DETECTED"
+            risk_score += 12
+            break
+          end
+        end
+
+        {
+          factors: factors,
+          risk_score: risk_score
+        }
+      end
+
+      def check_file_integrity(device_data)
+        factors = []
+        risk_score = 0
+
+        file_system = device_data[:file_system] || {}
+        
+        # Check for modified system files
+        system_binaries = file_system[:system_binaries] || []
+        
+        # Look for unexpected modifications in system directories
+        writable_system_dirs = file_system[:writable_system_dirs] || []
+        
+        if writable_system_dirs.any?
+          factors << "SYSTEM_PARTITION_WRITABLE"
+          risk_score += 15
+        end
+
+        # Check for suspicious file permissions
+        suspicious_files = file_system[:suspicious_files] || []
+        
+        suspicious_files.each do |file_info|
+          next unless file_info.is_a?(Hash)
+          
+          permissions = file_info["permissions"]
+          path = file_info["path"]
+          
+          # Check for world-writable system files
+          if permissions && permissions.include?("777") && path&.start_with?("/system")
+            factors << "SUSPICIOUS_FILE_PERMISSIONS"
+            risk_score += 10
+            break
+          end
+        end
+
+        # Check for DEX file modifications (Android)
+        if device_data[:platform] == "android"
+          dex_result = check_dex_integrity(device_data)
+          factors.concat(dex_result[:factors])
+          risk_score += dex_result[:risk_score]
+        end
+
+        # Check for bundle modifications (iOS)
+        if device_data[:platform] == "ios"
+          bundle_result = check_bundle_integrity(device_data)
+          factors.concat(bundle_result[:factors])
+          risk_score += bundle_result[:risk_score]
+        end
+
+        {
+          factors: factors,
+          risk_score: risk_score
+        }
+      end
+
+      def check_code_injection(device_data)
+        factors = []
+        risk_score = 0
+
+        processes = device_data[:processes] || []
+        
+        processes.each do |process|
+          next unless process.is_a?(Hash)
+          
+          # Check for unexpected loaded libraries
+          libraries = process["loaded_libraries"] || []
+          memory_maps = process["memory_maps"] || []
+          
+          # Look for libraries loaded from suspicious locations
+          suspicious_locations = %w[/data/local/tmp /sdcard /cache /data/data]
+          
+          libraries.each do |lib|
+            suspicious_locations.each do |location|
+              if lib.to_s.start_with?(location)
+                factors << "SUSPICIOUS_LIBRARY_INJECTION"
+                risk_score += 15
+                break
+              end
+            end
+          end
+
+          # Check for executable memory in data segments
+          memory_maps.each do |map|
+            next unless map.is_a?(Hash)
+            
+            permissions = map["permissions"]
+            path = map["path"]
+            
+            if permissions&.include?("x") && path&.start_with?("/data")
+              factors << "EXECUTABLE_DATA_SEGMENT"
+              risk_score += 12
+              break
+            end
+          end
+        end
+
+        # Check system logs for injection indicators
+        logs = device_data[:logs] || []
+        
+        injection_keywords = %w[
+          "code injection"
+          "library injection"
+          "process injection"
+          "dll injection"
+          "dylib injection"
+        ]
+        
+        injection_keywords.each do |keyword|
+          if logs.any? { |log| log.to_s.downcase.include?(keyword) }
+            factors << "CODE_INJECTION_DETECTED"
+            risk_score += 18
+            break
+          end
+        end
+
+        {
+          factors: factors,
+          risk_score: risk_score
+        }
+      end
+
+      def check_dex_integrity(device_data)
+        factors = []
+        risk_score = 0
+
+        packages = device_data[:installed_packages] || []
+        
+        packages.each do |package|
+          next unless package.is_a?(Hash)
+          
+          dex_hash = package["dex_hash"]
+          original_hash = package["original_dex_hash"]
+          
+          if dex_hash && original_hash && dex_hash != original_hash
+            factors << "DEX_TAMPERED"
+            risk_score += 12
+            break
+          end
+        end
+
+        # Check for multiple DEX files (could indicate repackaging)
+        file_system = device_data[:file_system] || {}
+        suspicious_files = file_system[:suspicious_files] || []
+        
+        dex_files = suspicious_files.select { |file| file.to_s.end_with?(".dex") }
+        
+        if dex_files.length > 2  # Most apps have 1-2 DEX files normally
+          factors << "MULTIPLE_DEX_FILES"
+          risk_score += 8
+        end
+
+        {
+          factors: factors,
+          risk_score: risk_score
+        }
+      end
+
+      def check_bundle_integrity(device_data)
+        factors = []
+        risk_score = 0
+
+        packages = device_data[:installed_packages] || []
+        
+        packages.each do |package|
+          next unless package.is_a?(Hash)
+          
+          bundle_hash = package["bundle_hash"]
+          original_hash = package["original_bundle_hash"]
+          
+          if bundle_hash && original_hash && bundle_hash != original_hash
+            factors << "BUNDLE_MODIFIED"
+            risk_score += 10
+            break
+          end
+        end
+
+        # Check for suspicious Info.plist modifications
+        file_system = device_data[:file_system] || {}
+        suspicious_files = file_system[:suspicious_files] || []
+        
+        info_plist_files = suspicious_files.select { |file| file.to_s.include?("Info.plist") }
+        
+        info_plist_files.each do |plist_file|
+          # This would typically check for modifications to critical plist values
+          # For now, we'll flag if there are multiple Info.plist files
+          if info_plist_files.length > 1
+            factors << "MULTIPLE_INFO_PLIST"
+            risk_score += 6
+            break
+          end
+        end
+
+        {
+          factors: factors,
+          risk_score: risk_score
+        }
+      end
+
+      def debug_certificate?(cert)
+        subject = cert["subject"].to_s
+        issuer = cert["issuer"].to_s
+        
+        debug_indicators = ["debug", "test", "android debug", "development"]
+        
+        debug_indicators.any? do |indicator|
+          subject.downcase.include?(indicator) || issuer.downcase.include?(indicator)
+        end
+      end
+
+      def suspicious_issuer?(cert)
+        issuer = cert["issuer"].to_s
+        
+        SUSPICIOUS_CAS.any? { |ca| issuer.include?(ca) }
+      end
+
+      def expired_certificate?(cert)
+        not_after = cert["not_after"]
+        return false unless not_after
+        
+        begin
+          expiry_date = Time.parse(not_after)
+          expiry_date < Time.now
+        rescue
+          false
+        end
+      end
+
+      def self_signed_certificate?(cert)
+        subject = cert["subject"].to_s
+        issuer = cert["issuer"].to_s
+        
+        subject == issuer
+      end
+    end
+  end
+end