ai_root_shield 0.1.0

data/lib/ai_root_shield/analyzers/network_analyzer.rb

@@ -0,0 +1,352 @@
+# frozen_string_literal: true
+
+require "openssl"
+
+module AiRootShield
+  module Analyzers
+    # Analyzes network security configurations and detects MITM threats
+    class NetworkAnalyzer
+      # Known proxy and MITM tools
+      MITM_INDICATORS = %w[
+        burpsuite
+        charles
+        fiddler
+        owasp zap
+        mitmproxy
+        proxyman
+        wireshark
+        tcpdump
+        packet capture
+        http toolkit
+        proxydroid
+        drony
+      ].freeze
+
+      # Suspicious certificate authorities
+      SUSPICIOUS_CA_PATTERNS = %w[
+        burp
+        portswigger
+        charles
+        fiddler
+        zap
+        mitmproxy
+        proxy
+        intercept
+        debug
+        test
+      ].freeze
+
+      # VPN indicators that might be used for malicious purposes
+      SUSPICIOUS_VPN_PATTERNS = %w[
+        tor
+        onion
+        proxy
+        tunnel
+        bypass
+        unblock
+        hide
+        anonymous
+      ].freeze
+
+      def analyze(device_data)
+        factors = []
+        risk_score = 0
+
+        # Check TLS/SSL configuration
+        tls_result = check_tls_configuration(device_data)
+        factors.concat(tls_result[:factors])
+        risk_score += tls_result[:risk_score]
+
+        # Check for custom CA certificates
+        ca_result = check_custom_certificates(device_data)
+        factors.concat(ca_result[:factors])
+        risk_score += ca_result[:risk_score]
+
+        # Check proxy configuration
+        proxy_result = check_proxy_configuration(device_data)
+        factors.concat(proxy_result[:factors])
+        risk_score += proxy_result[:risk_score]
+
+        # Check VPN configuration
+        vpn_result = check_vpn_configuration(device_data)
+        factors.concat(vpn_result[:factors])
+        risk_score += vpn_result[:risk_score]
+
+        # Check for MITM tools
+        mitm_result = check_mitm_tools(device_data)
+        factors.concat(mitm_result[:factors])
+        risk_score += mitm_result[:risk_score]
+
+        {
+          factors: factors,
+          risk_score: [risk_score, 100].min
+        }
+      end
+
+      private
+
+      def check_tls_configuration(device_data)
+        factors = []
+        risk_score = 0
+
+        network_config = device_data[:network_config] || {}
+        tls_config = network_config[:tls_config] || {}
+
+        # Check if certificate pinning is disabled
+        if tls_config["pinning_disabled"] == true
+          factors << "TLS_UNPINNED"
+          risk_score += 12
+        end
+
+        # Check for weak TLS versions
+        tls_version = tls_config["version"]
+        if tls_version && (tls_version.include?("1.0") || tls_version.include?("1.1"))
+          factors << "WEAK_TLS_VERSION"
+          risk_score += 8
+        end
+
+        # Check for weak cipher suites
+        cipher_suites = tls_config["cipher_suites"] || []
+        weak_ciphers = %w[RC4 DES 3DES MD5 SHA1]
+        
+        weak_ciphers.each do |weak_cipher|
+          if cipher_suites.any? { |cipher| cipher.to_s.upcase.include?(weak_cipher) }
+            factors << "WEAK_CIPHER_SUITE"
+            risk_score += 6
+            break
+          end
+        end
+
+        # Check for disabled certificate validation
+        if tls_config["cert_validation_disabled"] == true
+          factors << "CERTIFICATE_VALIDATION_DISABLED"
+          risk_score += 15
+        end
+
+        {
+          factors: factors,
+          risk_score: risk_score
+        }
+      end
+
+      def check_custom_certificates(device_data)
+        factors = []
+        risk_score = 0
+
+        certificates = device_data[:certificates] || []
+        network_config = device_data[:network_config] || {}
+        network_certificates = network_config[:certificates] || []
+
+        all_certificates = certificates + network_certificates
+
+        all_certificates.each do |cert|
+          next unless cert.is_a?(Hash)
+
+          # Check for suspicious CA names
+          issuer = cert["issuer"].to_s.downcase
+          subject = cert["subject"].to_s.downcase
+
+          SUSPICIOUS_CA_PATTERNS.each do |pattern|
+            if issuer.include?(pattern) || subject.include?(pattern)
+              factors << "CUSTOM_CA_INSTALLED"
+              risk_score += 15
+              break
+            end
+          end
+
+          # Check for user-installed certificates
+          if cert["user_installed"] == true
+            factors << "USER_CA_CERTIFICATE"
+            risk_score += 10
+          end
+
+          # Check for certificates with suspicious purposes
+          key_usage = cert["key_usage"].to_s.downcase
+          if key_usage.include?("digital signature") && key_usage.include?("key encipherment")
+            # This is normal, but combined with other factors might be suspicious
+          end
+
+          # Check for wildcard certificates from suspicious issuers
+          if subject.start_with?("*.") && SUSPICIOUS_CA_PATTERNS.any? { |pattern| issuer.include?(pattern) }
+            factors << "SUSPICIOUS_WILDCARD_CERT"
+            risk_score += 12
+          end
+        end
+
+        {
+          factors: factors,
+          risk_score: risk_score
+        }
+      end
+
+      def check_proxy_configuration(device_data)
+        factors = []
+        risk_score = 0
+
+        network_config = device_data[:network_config] || {}
+        proxy_settings = network_config[:proxy_settings] || {}
+
+        # Check if proxy is configured
+        if proxy_settings["enabled"] == true
+          proxy_host = proxy_settings["host"].to_s.downcase
+          proxy_port = proxy_settings["port"]
+
+          # Check for common MITM proxy ports
+          mitm_ports = [8080, 8888, 3128, 8081, 8082, 9090, 9999]
+          if mitm_ports.include?(proxy_port.to_i)
+            factors << "MITM_PROXY_PORT"
+            risk_score += 12
+          end
+
+          # Check for localhost/loopback proxy (common with MITM tools)
+          if proxy_host.include?("localhost") || proxy_host.include?("127.0.0.1") || proxy_host.include?("::1")
+            factors << "LOCALHOST_PROXY"
+            risk_score += 10
+          end
+
+          # Check for suspicious proxy hostnames
+          MITM_INDICATORS.each do |indicator|
+            if proxy_host.include?(indicator.downcase.gsub(" ", ""))
+              factors << "MITM_PROXY_DETECTED"
+              risk_score += 18
+              break
+            end
+          end
+
+          # Any proxy configuration is somewhat suspicious for mobile apps
+          factors << "PROXY_CONFIGURED"
+          risk_score += 6
+        end
+
+        {
+          factors: factors,
+          risk_score: risk_score
+        }
+      end
+
+      def check_vpn_configuration(device_data)
+        factors = []
+        risk_score = 0
+
+        network_config = device_data[:network_config] || {}
+        
+        # Check if VPN is active
+        if network_config[:vpn_active] == true
+          factors << "VPN_ACTIVE"
+          risk_score += 5  # VPN itself is not necessarily malicious
+
+          # Check installed packages for VPN apps
+          packages = device_data[:installed_packages] || []
+          package_names = packages.map { |pkg| pkg.is_a?(Hash) ? pkg["name"] : pkg.to_s }
+
+          SUSPICIOUS_VPN_PATTERNS.each do |pattern|
+            if package_names.any? { |pkg| pkg.downcase.include?(pattern) }
+              factors << "VPN_SUSPICIOUS"
+              risk_score += 8
+              break
+            end
+          end
+        end
+
+        # Check for VPN-related processes
+        processes = device_data[:processes] || []
+        process_names = processes.map { |proc| proc.is_a?(Hash) ? proc["name"] : proc.to_s }
+
+        vpn_processes = %w[openvpn strongswan racoon vpnc]
+        vpn_processes.each do |vpn_proc|
+          if process_names.any? { |proc| proc.downcase.include?(vpn_proc) }
+            factors << "VPN_PROCESS_DETECTED"
+            risk_score += 4
+            break
+          end
+        end
+
+        {
+          factors: factors,
+          risk_score: risk_score
+        }
+      end
+
+      def check_mitm_tools(device_data)
+        factors = []
+        risk_score = 0
+
+        # Check installed packages for MITM tools
+        packages = device_data[:installed_packages] || []
+        package_names = packages.map { |pkg| pkg.is_a?(Hash) ? pkg["name"] : pkg.to_s }
+
+        MITM_INDICATORS.each do |indicator|
+          clean_indicator = indicator.downcase.gsub(" ", "")
+          if package_names.any? { |pkg| pkg.downcase.include?(clean_indicator) }
+            factors << "MITM_TOOL_INSTALLED"
+            risk_score += 20
+            break
+          end
+        end
+
+        # Check running processes for MITM tools
+        processes = device_data[:processes] || []
+        process_names = processes.map { |proc| proc.is_a?(Hash) ? proc["name"] : proc.to_s }
+
+        MITM_INDICATORS.each do |indicator|
+          clean_indicator = indicator.downcase.gsub(" ", "")
+          if process_names.any? { |proc| proc.downcase.include?(clean_indicator) }
+            factors << "MITM_TOOL_RUNNING"
+            risk_score += 22
+            break
+          end
+        end
+
+        # Check for packet capture capabilities
+        file_system = device_data[:file_system] || {}
+        system_binaries = file_system[:system_binaries] || []
+
+        packet_capture_tools = %w[tcpdump wireshark tshark dumpcap]
+        packet_capture_tools.each do |tool|
+          if system_binaries.any? { |binary| binary.to_s.downcase.include?(tool) }
+            factors << "PACKET_CAPTURE_TOOL"
+            risk_score += 15
+            break
+          end
+        end
+
+        # Check system logs for MITM activity
+        logs = device_data[:logs] || []
+        mitm_log_patterns = [
+          "certificate pinning",
+          "ssl kill switch",
+          "trust user certs",
+          "certificate transparency",
+          "proxy intercept"
+        ]
+
+        mitm_log_patterns.each do |pattern|
+          if logs.any? { |log| log.to_s.downcase.include?(pattern) }
+            factors << "MITM_LOG_ACTIVITY"
+            risk_score += 12
+            break
+          end
+        end
+
+        {
+          factors: factors,
+          risk_score: risk_score
+        }
+      end
+
+      # Helper methods for TLS pinning (future feature)
+      def self.create_pin_for_certificate(cert_data)
+        # This would create a certificate pin for use in certificate pinning
+        # Implementation would depend on the certificate format and pinning strategy
+        digest = OpenSSL::Digest::SHA256.new
+        digest.digest(cert_data)
+      end
+
+      def self.validate_certificate_chain(cert_chain, trusted_roots)
+        # This would validate a certificate chain against trusted roots
+        # Implementation would use OpenSSL certificate verification
+        true  # Placeholder
+      end
+    end
+  end
+end

data/lib/ai_root_shield/analyzers/root_detector.rb

@@ -0,0 +1,292 @@
+# frozen_string_literal: true
+
+module AiRootShield
+  module Analyzers
+    # Detects root/jailbreak indicators on Android and iOS devices
+    class RootDetector
+      # Known root/jailbreak binaries and files
+      ROOT_BINARIES = %w[
+        /system/bin/su
+        /system/xbin/su
+        /sbin/su
+        /vendor/bin/su
+        /system/app/Superuser.apk
+        /system/app/SuperSU.apk
+        /system/etc/init.d/99SuperSUDaemon
+        /dev/com.koushikdutta.superuser.daemon/
+        /system/xbin/daemonsu
+        /system/xbin/sugote
+        /system/xbin/sugote-mksh
+        /system/xbin/supolicy
+        /system/bin/.ext/.su
+        /cache/su
+        /data/local/su
+        /data/local/bin/su
+        /data/local/xbin/su
+        /system/sd/xbin/su
+        /system/bin/failsafe/su
+        /data/local/tmp/su
+      ].freeze
+
+      JAILBREAK_FILES = %w[
+        /Applications/Cydia.app
+        /Library/MobileSubstrate/MobileSubstrate.dylib
+        /bin/bash
+        /usr/sbin/sshd
+        /etc/apt
+        /private/var/lib/apt/
+        /private/var/lib/cydia
+        /private/var/mobile/Library/SBSettings/Themes
+        /Library/MobileSubstrate/DynamicLibraries/Veency.plist
+        /Library/MobileSubstrate/DynamicLibraries/LiveClock.plist
+        /System/Library/LaunchDaemons/com.ikey.bbot.plist
+        /System/Library/LaunchDaemons/com.saurik.Cydia.Startup.plist
+        /etc/ssh/sshd_config
+        /var/tmp/cydia.log
+        /Applications/Icy.app
+        /Applications/MxTube.app
+        /Applications/RockApp.app
+        /Applications/blackra1n.app
+        /Applications/SBSettings.app
+        /Applications/FakeCarrier.app
+        /Applications/WinterBoard.app
+        /Applications/IntelliScreen.app
+      ].freeze
+
+      ROOT_PACKAGES = %w[
+        com.noshufou.android.su
+        com.noshufou.android.su.elite
+        eu.chainfire.supersu
+        com.koushikdutta.superuser
+        com.thirdparty.superuser
+        com.yellowes.su
+        com.koushikdutta.rommanager
+        com.koushikdutta.rommanager.license
+        com.dimonvideo.luckypatcher
+        com.chelpus.lackypatch
+        com.ramdroid.appquarantine
+        com.ramdroid.appquarantinepro
+        com.topjohnwu.magisk
+        de.robv.android.xposed.installer
+        com.saurik.substrate
+      ].freeze
+
+      JAILBREAK_PACKAGES = %w[
+        cydia
+        apt7
+        com.saurik.substrate.safemode
+        com.bigboss.categories.sbsettings
+        com.exile90.icleanerpro
+        winterboard
+        com.saurik.cydia.startup
+        com.saurik.mobilesubstrate
+        com.rpetrich.rocketbootstrap
+        preferenceloader
+        applist
+        com.saurik.substrate
+      ].freeze
+
+      def analyze(device_data)
+        factors = []
+        risk_score = 0
+
+        # Check for root/jailbreak based on platform
+        case device_data[:platform]
+        when "android"
+          android_result = check_android_root(device_data)
+          factors.concat(android_result[:factors])
+          risk_score += android_result[:risk_score]
+        when "ios"
+          ios_result = check_ios_jailbreak(device_data)
+          factors.concat(ios_result[:factors])
+          risk_score += ios_result[:risk_score]
+        end
+
+        {
+          factors: factors,
+          risk_score: [risk_score, 100].min
+        }
+      end
+
+      private
+
+      def check_android_root(device_data)
+        factors = []
+        risk_score = 0
+
+        # Check for root binaries in file system
+        root_binaries_found = check_root_binaries(device_data[:file_system])
+        factors.concat(root_binaries_found)
+        risk_score += root_binaries_found.length * 15
+
+        # Check for root packages
+        root_packages_found = check_root_packages(device_data[:installed_packages])
+        factors.concat(root_packages_found)
+        risk_score += root_packages_found.length * 12
+
+        # Check SELinux status
+        selinux_factor = check_selinux_status(device_data[:system_info])
+        factors << selinux_factor if selinux_factor
+        risk_score += 20 if selinux_factor
+
+        # Check bootloader status
+        bootloader_factor = check_bootloader_status(device_data[:system_info])
+        factors << bootloader_factor if bootloader_factor
+        risk_score += 15 if bootloader_factor
+
+        # Check for suspicious system properties
+        prop_factors = check_system_properties(device_data[:system_info])
+        factors.concat(prop_factors)
+        risk_score += prop_factors.length * 8
+
+        {
+          factors: factors,
+          risk_score: risk_score
+        }
+      end
+
+      def check_ios_jailbreak(device_data)
+        factors = []
+        risk_score = 0
+
+        # Check for jailbreak files
+        jailbreak_files_found = check_jailbreak_files(device_data[:file_system])
+        factors.concat(jailbreak_files_found)
+        risk_score += jailbreak_files_found.length * 18
+
+        # Check for jailbreak packages/apps
+        jailbreak_packages_found = check_jailbreak_packages(device_data[:installed_packages])
+        factors.concat(jailbreak_packages_found)
+        risk_score += jailbreak_packages_found.length * 15
+
+        # Check for suspicious URL schemes
+        url_scheme_factors = check_url_schemes(device_data)
+        factors.concat(url_scheme_factors)
+        risk_score += url_scheme_factors.length * 10
+
+        {
+          factors: factors,
+          risk_score: risk_score
+        }
+      end
+
+      def check_root_binaries(file_system)
+        factors = []
+        suspicious_files = file_system[:suspicious_files] || []
+        system_binaries = file_system[:system_binaries] || []
+        
+        all_files = suspicious_files + system_binaries
+
+        ROOT_BINARIES.each do |binary_path|
+          if all_files.any? { |file| file.to_s.include?(binary_path) }
+            factors << "ROOT_SU_FOUND"
+            break
+          end
+        end
+
+        # Check for Superuser APK
+        if all_files.any? { |file| file.to_s.include?("Superuser.apk") }
+          factors << "ROOT_SUPERUSER_APK"
+        end
+
+        factors
+      end
+
+      def check_root_packages(packages)
+        factors = []
+        package_names = packages.map { |pkg| pkg.is_a?(Hash) ? pkg["name"] : pkg.to_s }
+
+        ROOT_PACKAGES.each do |root_pkg|
+          if package_names.any? { |pkg| pkg&.include?(root_pkg) }
+            case root_pkg
+            when /magisk/i
+              factors << "ROOT_MAGISK_DETECTED"
+            when /xposed/i
+              factors << "ROOT_XPOSED_DETECTED"
+            when /supersu|superuser/i
+              factors << "ROOT_SUPERUSER_DETECTED"
+            else
+              factors << "ROOT_PACKAGE_DETECTED"
+            end
+          end
+        end
+
+        factors
+      end
+
+      def check_jailbreak_files(file_system)
+        factors = []
+        suspicious_files = file_system[:suspicious_files] || []
+        
+        JAILBREAK_FILES.each do |jb_file|
+          if suspicious_files.any? { |file| file.to_s.include?(jb_file) }
+            if jb_file.include?("Cydia")
+              factors << "JAILBREAK_CYDIA"
+            elsif jb_file.include?("MobileSubstrate")
+              factors << "JAILBREAK_SUBSTRATE"
+            else
+              factors << "JAILBREAK_FILE_DETECTED"
+            end
+          end
+        end
+
+        factors
+      end
+
+      def check_jailbreak_packages(packages)
+        factors = []
+        package_names = packages.map { |pkg| pkg.is_a?(Hash) ? pkg["name"] : pkg.to_s }
+
+        JAILBREAK_PACKAGES.each do |jb_pkg|
+          if package_names.any? { |pkg| pkg&.include?(jb_pkg) }
+            factors << "JAILBREAK_PACKAGE_DETECTED"
+          end
+        end
+
+        factors
+      end
+
+      def check_selinux_status(system_info)
+        selinux_status = system_info[:selinux_status]
+        return "SELINUX_PERMISSIVE" if selinux_status&.downcase&.include?("permissive")
+        return "SELINUX_DISABLED" if selinux_status&.downcase&.include?("disabled")
+        
+        nil
+      end
+
+      def check_bootloader_status(system_info)
+        bootloader_status = system_info[:bootloader_status]
+        return "BOOTLOADER_UNLOCKED" if bootloader_status&.downcase&.include?("unlocked")
+        
+        nil
+      end
+
+      def check_system_properties(system_info)
+        factors = []
+        
+        # Check developer options
+        if system_info[:developer_options] == true
+          factors << "DEVELOPER_OPTIONS_ENABLED"
+        end
+
+        # Check build fingerprint for custom ROMs
+        fingerprint = system_info[:build_fingerprint]
+        if fingerprint&.include?("test-keys") || fingerprint&.include?("unofficial")
+          factors << "CUSTOM_ROM_DETECTED"
+        end
+
+        factors
+      end
+
+      def check_url_schemes(device_data)
+        factors = []
+        
+        # This would typically check if the device can open jailbreak-specific URL schemes
+        # For now, we'll check if there are any suspicious network configurations
+        # that might indicate jailbreak tweaks
+        
+        factors
+      end
+    end
+  end
+end