ai_root_shield 0.3.0 → 0.4.0

data/lib/ai_root_shield/enterprise_policy_manager.rb

@@ -0,0 +1,431 @@
+# frozen_string_literal: true
+
+require "json"
+
+module AiRootShield
+  # Enterprise policy management for customizable security rules and compliance
+  class EnterprisePolicyManager
+    # Default enterprise policy template
+    DEFAULT_POLICY = {
+      "version" => "1.0",
+      "name" => "Default Enterprise Policy",
+      "description" => "Standard enterprise security policy",
+      "minimum_security_level" => 70,
+      "compliance_rules" => {
+        "device_requirements" => {
+          "allow_rooted_devices" => false,
+          "allow_jailbroken_devices" => false,
+          "allow_emulators" => false,
+          "require_screen_lock" => true,
+          "minimum_os_version" => {
+            "android" => "8.0",
+            "ios" => "12.0"
+          }
+        },
+        "network_security" => {
+          "allow_vpn" => true,
+          "allow_proxy" => false,
+          "allow_tor" => false,
+          "require_certificate_pinning" => true,
+          "allowed_dns_servers" => [],
+          "blocked_dns_servers" => []
+        },
+        "application_integrity" => {
+          "allow_debug_builds" => false,
+          "allow_repackaged_apps" => false,
+          "require_code_signing" => true,
+          "allowed_certificate_issuers" => []
+        },
+        "runtime_protection" => {
+          "enable_rasp" => true,
+          "allow_debugging" => false,
+          "allow_hooking_frameworks" => false,
+          "enable_tamper_detection" => true
+        }
+      },
+      "risk_thresholds" => {
+        "low" => 20,
+        "medium" => 50,
+        "high" => 70,
+        "critical" => 90
+      },
+      "actions" => {
+        "on_policy_violation" => "block",
+        "on_high_risk" => "alert",
+        "on_critical_risk" => "block",
+        "custom_actions" => {}
+      },
+      "reporting" => {
+        "enable_audit_logs" => true,
+        "log_level" => "info",
+        "retention_days" => 90
+      }
+    }.freeze
+
+    # Policy violation severity levels
+    VIOLATION_LEVELS = %w[info warning critical].freeze
+
+    def initialize(policy_config = nil)
+      @policy = load_policy(policy_config)
+      @violations = []
+      @compliance_cache = {}
+      @audit_logs = []
+    end
+
+    # Load policy from file or use provided configuration
+    # @param policy_source [String, Hash, nil] Policy file path, hash, or nil for default
+    # @return [Hash] Loaded policy
+    def load_policy(policy_source = nil)
+      case policy_source
+      when String
+        load_policy_from_file(policy_source)
+      when Hash
+        merge_with_default_policy(policy_source)
+      when nil
+        DEFAULT_POLICY.dup
+      else
+        raise ArgumentError, "Invalid policy source type: #{policy_source.class}"
+      end
+    end
+
+    # Validate device compliance against enterprise policy
+    # @param scan_result [Hash] Device scan result from AI Root Shield
+    # @return [Hash] Compliance validation result
+    def validate_compliance(scan_result)
+      compliance_result = {
+        compliant: true,
+        violations: [],
+        risk_assessment: {},
+        recommended_actions: [],
+        policy_version: @policy["version"],
+        validation_timestamp: Time.now.to_f
+      }
+
+      # Check device requirements
+      compliance_result = validate_device_requirements(scan_result, compliance_result)
+      
+      # Check network security
+      compliance_result = validate_network_security(scan_result, compliance_result)
+      
+      # Check application integrity
+      compliance_result = validate_application_integrity(scan_result, compliance_result)
+      
+      # Check runtime protection
+      compliance_result = validate_runtime_protection(scan_result, compliance_result)
+      
+      # Assess overall risk against thresholds
+      compliance_result = assess_risk_thresholds(scan_result, compliance_result)
+      
+      # Determine final compliance status
+      compliance_result[:compliant] = compliance_result[:violations].empty?
+      
+      # Log compliance check
+      log_compliance_check(scan_result, compliance_result)
+      
+      compliance_result
+    end
+
+    # Check if minimum security level is met
+    # @param risk_score [Integer] Current risk score
+    # @return [Boolean] True if minimum security level is met
+    def meets_minimum_security_level?(risk_score)
+      minimum_level = @policy["minimum_security_level"]
+      (100 - risk_score) >= minimum_level
+    end
+
+    # Get policy configuration
+    # @return [Hash] Current policy configuration
+    def policy_configuration
+      @policy.dup
+    end
+
+    # Update policy configuration
+    # @param new_policy [Hash] New policy configuration
+    def update_policy(new_policy)
+      @policy = merge_with_default_policy(new_policy)
+      clear_compliance_cache
+      log_audit_event("policy_updated", "Enterprise policy configuration updated")
+    end
+
+    # Get compliance violations
+    # @return [Array<Hash>] List of compliance violations
+    def compliance_violations
+      @violations.dup
+    end
+
+    # Get audit logs
+    # @return [Array<Hash>] Audit log entries
+    def audit_logs
+      @audit_logs.dup
+    end
+
+    # Clear compliance cache
+    def clear_compliance_cache
+      @compliance_cache.clear
+    end
+
+    # Export policy to JSON
+    # @return [String] Policy as JSON string
+    def export_policy
+      JSON.pretty_generate(@policy)
+    end
+
+    # Import policy from JSON
+    # @param json_policy [String] Policy as JSON string
+    def import_policy(json_policy)
+      policy_hash = JSON.parse(json_policy)
+      update_policy(policy_hash)
+    end
+
+    # Get policy statistics
+    # @return [Hash] Policy usage statistics
+    def policy_statistics
+      {
+        policy_version: @policy["version"],
+        total_violations: @violations.size,
+        violation_types: @violations.group_by { |v| v[:type] }.transform_values(&:size),
+        compliance_checks: @compliance_cache.size,
+        audit_log_entries: @audit_logs.size,
+        last_policy_update: @audit_logs.reverse.find { |log| log[:event] == "policy_updated" }&.dig(:timestamp)
+      }
+    end
+
+    private
+
+    def load_policy_from_file(file_path)
+      unless File.exist?(file_path)
+        raise ArgumentError, "Policy file not found: #{file_path}"
+      end
+      
+      policy_content = File.read(file_path)
+      policy_hash = JSON.parse(policy_content)
+      merge_with_default_policy(policy_hash)
+    rescue JSON::ParserError => e
+      raise ArgumentError, "Invalid JSON in policy file: #{e.message}"
+    end
+
+    def merge_with_default_policy(custom_policy)
+      # Deep merge custom policy with default policy
+      deep_merge(DEFAULT_POLICY.dup, custom_policy)
+    end
+
+    def deep_merge(hash1, hash2)
+      hash1.merge(hash2) do |key, old_val, new_val|
+        if old_val.is_a?(Hash) && new_val.is_a?(Hash)
+          deep_merge(old_val, new_val)
+        else
+          new_val
+        end
+      end
+    end
+
+    def validate_device_requirements(scan_result, compliance_result)
+      device_rules = @policy.dig("compliance_rules", "device_requirements") || {}
+      
+      # Check rooted/jailbroken devices
+      if !device_rules["allow_rooted_devices"] && has_root_indicators?(scan_result)
+        add_violation(compliance_result, "device_rooted", "critical", "Rooted device detected")
+      end
+      
+      if !device_rules["allow_jailbroken_devices"] && has_jailbreak_indicators?(scan_result)
+        add_violation(compliance_result, "device_jailbroken", "critical", "Jailbroken device detected")
+      end
+      
+      # Check emulators
+      if !device_rules["allow_emulators"] && has_emulator_indicators?(scan_result)
+        add_violation(compliance_result, "emulator_detected", "warning", "Emulator/simulator detected")
+      end
+      
+      compliance_result
+    end
+
+    def validate_network_security(scan_result, compliance_result)
+      network_rules = @policy.dig("compliance_rules", "network_security") || {}
+      
+      # Check VPN usage
+      if !network_rules["allow_vpn"] && has_vpn_indicators?(scan_result)
+        add_violation(compliance_result, "vpn_detected", "warning", "VPN usage detected")
+      end
+      
+      # Check proxy usage
+      if !network_rules["allow_proxy"] && has_proxy_indicators?(scan_result)
+        add_violation(compliance_result, "proxy_detected", "warning", "Proxy usage detected")
+      end
+      
+      # Check Tor usage
+      if !network_rules["allow_tor"] && has_tor_indicators?(scan_result)
+        add_violation(compliance_result, "tor_detected", "critical", "Tor usage detected")
+      end
+      
+      compliance_result
+    end
+
+    def validate_application_integrity(scan_result, compliance_result)
+      app_rules = @policy.dig("compliance_rules", "application_integrity") || {}
+      
+      # Check debug builds
+      if !app_rules["allow_debug_builds"] && has_debug_indicators?(scan_result)
+        add_violation(compliance_result, "debug_build", "warning", "Debug build detected")
+      end
+      
+      # Check repackaged apps
+      if !app_rules["allow_repackaged_apps"] && has_repackaging_indicators?(scan_result)
+        add_violation(compliance_result, "app_repackaged", "critical", "Repackaged application detected")
+      end
+      
+      compliance_result
+    end
+
+    def validate_runtime_protection(scan_result, compliance_result)
+      runtime_rules = @policy.dig("compliance_rules", "runtime_protection") || {}
+      
+      # Check debugging
+      if !runtime_rules["allow_debugging"] && has_debugging_indicators?(scan_result)
+        add_violation(compliance_result, "debugging_detected", "critical", "Runtime debugging detected")
+      end
+      
+      # Check hooking frameworks
+      if !runtime_rules["allow_hooking_frameworks"] && has_hooking_indicators?(scan_result)
+        add_violation(compliance_result, "hooking_detected", "critical", "Hooking framework detected")
+      end
+      
+      compliance_result
+    end
+
+    def assess_risk_thresholds(scan_result, compliance_result)
+      risk_score = scan_result[:risk_score] || 0
+      thresholds = @policy["risk_thresholds"] || {}
+      
+      risk_level = case risk_score
+                   when 0..thresholds["low"]
+                     "low"
+                   when thresholds["low"]..thresholds["medium"]
+                     "medium"
+                   when thresholds["medium"]..thresholds["high"]
+                     "high"
+                   else
+                     "critical"
+                   end
+      
+      compliance_result[:risk_assessment] = {
+        score: risk_score,
+        level: risk_level,
+        threshold_exceeded: risk_score > thresholds["high"]
+      }
+      
+      # Add violation if risk threshold exceeded
+      if risk_score > thresholds["critical"]
+        add_violation(compliance_result, "critical_risk", "critical", 
+                     "Risk score #{risk_score} exceeds critical threshold #{thresholds['critical']}")
+      elsif risk_score > thresholds["high"]
+        add_violation(compliance_result, "high_risk", "warning", 
+                     "Risk score #{risk_score} exceeds high threshold #{thresholds['high']}")
+      end
+      
+      compliance_result
+    end
+
+    def add_violation(compliance_result, type, severity, message)
+      violation = {
+        type: type,
+        severity: severity,
+        message: message,
+        timestamp: Time.now.to_f
+      }
+      
+      compliance_result[:violations] << violation
+      @violations << violation
+    end
+
+    def has_root_indicators?(scan_result)
+      factors = scan_result[:factors] || []
+      factors.any? { |factor| factor.to_s.upcase.include?("ROOT") }
+    end
+
+    def has_jailbreak_indicators?(scan_result)
+      factors = scan_result[:factors] || []
+      factors.any? { |factor| factor.to_s.upcase.include?("JAILBREAK") || factor.to_s.upcase.include?("CYDIA") }
+    end
+
+    def has_emulator_indicators?(scan_result)
+      factors = scan_result[:factors] || []
+      factors.any? { |factor| factor.to_s.upcase.include?("EMULATOR") || factor.to_s.upcase.include?("SIMULATOR") }
+    end
+
+    def has_vpn_indicators?(scan_result)
+      factors = scan_result[:factors] || []
+      factors.any? { |factor| 
+        factor_str = factor.to_s.upcase
+        factor_str.include?("VPN") || factor_str.include?("NETWORK_VPN_SERVICE_DETECTED")
+      }
+    end
+
+    def has_proxy_indicators?(scan_result)
+      factors = scan_result[:factors] || []
+      factors.any? { |factor| factor.to_s.upcase.include?("PROXY") }
+    end
+
+    def has_tor_indicators?(scan_result)
+      factors = scan_result[:factors] || []
+      factors.any? { |factor| factor.to_s.upcase.include?("TOR") }
+    end
+
+    def has_debug_indicators?(scan_result)
+      factors = scan_result[:factors] || []
+      factors.any? { |factor| factor.to_s.upcase.include?("DEBUG") }
+    end
+
+    def has_repackaging_indicators?(scan_result)
+      factors = scan_result[:factors] || []
+      factors.any? { |factor| factor.to_s.upcase.include?("REPACKAG") }
+    end
+
+    def has_debugging_indicators?(scan_result)
+      rasp_status = scan_result[:rasp_status] || {}
+      rasp_status.dig(:events_detected).to_i > 0
+    end
+
+    def has_hooking_indicators?(scan_result)
+      factors = scan_result[:factors] || []
+      factors.any? { |factor| factor.to_s.upcase.include?("FRIDA") || factor.to_s.upcase.include?("XPOSED") }
+    end
+
+    def log_compliance_check(scan_result, compliance_result)
+      return unless @policy.dig("reporting", "enable_audit_logs")
+      
+      log_audit_event("compliance_check", "Device compliance validation performed", {
+        device_id: scan_result[:device_id],
+        risk_score: scan_result[:risk_score],
+        compliant: compliance_result[:compliant],
+        violations_count: compliance_result[:violations].size
+      })
+      
+      # Update compliance cache for statistics
+      @compliance_cache[scan_result[:device_id]] = compliance_result
+    end
+
+    def log_audit_event(event_type, message, details = {})
+      return unless @policy.dig("reporting", "enable_audit_logs")
+      
+      audit_entry = {
+        event: event_type,
+        message: message,
+        details: details,
+        timestamp: Time.now.to_f,
+        policy_version: @policy["version"]
+      }
+      
+      @audit_logs << audit_entry
+      
+      # Clean up old logs based on retention policy
+      cleanup_old_logs
+    end
+
+    def cleanup_old_logs
+      retention_days = @policy.dig("reporting", "retention_days") || 90
+      cutoff_time = Time.now.to_f - (retention_days * 24 * 60 * 60)
+      
+      @audit_logs.reject! { |log| log[:timestamp] < cutoff_time }
+    end
+  end
+end

data/lib/ai_root_shield/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module AiRootShield
-  VERSION = "0.3.0"
+  VERSION = "0.4.0"
 end

data/lib/ai_root_shield.rb

@@ -11,12 +11,18 @@ require_relative "ai_root_shield/ai_behavioral_analyzer"
 require_relative "ai_root_shield/rasp_protection"
 require_relative "ai_root_shield/risk_calculator"
 require_relative "ai_root_shield/device_log_parser"
+require_relative "ai_root_shield/certificate_pinning_helper"
+require_relative "ai_root_shield/advanced_proxy_detector"
+require_relative "ai_root_shield/enterprise_policy_manager"
 
 module AiRootShield
   class Error < StandardError; end
 
-  # Global RASP protection instance
+  # Global instances
   @rasp_protection = nil
+  @policy_manager = nil
+  @certificate_pinning = nil
+  @proxy_detector = nil
 
   # Main entry point for device scanning
   # @param device_logs_path [String] Path to device logs JSON file
@@ -25,13 +31,26 @@ module AiRootShield
     scan_device_with_config(device_logs_path)
   end
 
-  # Scan device with custom configuration
+  # Scan device with custom configuration and policy validation
   # @param device_logs_path [String] Path to device logs JSON file
   # @param config [Hash] Configuration options
-  # @return [Hash] Risk assessment result with score and factors
+  # @return [Hash] Risk assessment result with score, factors, and compliance
   def self.scan_device_with_config(device_logs_path, config = {})
     detector = Detector.new(config)
-    detector.scan(device_logs_path)
+    scan_result = detector.scan(device_logs_path)
+    
+    # Add network security analysis if enabled
+    if config[:enable_network_analysis]
+      scan_result = enhance_with_network_analysis(scan_result, config)
+    end
+    
+    # Add policy compliance validation if policy manager is configured
+    if @policy_manager
+      compliance_result = @policy_manager.validate_compliance(scan_result)
+      scan_result[:compliance] = compliance_result
+    end
+    
+    scan_result
   end
 
   # Start RASP protection
@@ -49,21 +68,137 @@ module AiRootShield
     @rasp_protection = nil
   end
 
+  # Configure enterprise policy
+  # @param policy_config [String, Hash] Policy file path or configuration hash
+  # @return [EnterprisePolicyManager] Policy manager instance
+  def self.configure_policy(policy_config)
+    @policy_manager = EnterprisePolicyManager.new(policy_config)
+  end
+
+  # Configure certificate pinning
+  # @param config [Hash] Certificate pinning configuration
+  # @return [CertificatePinningHelper] Certificate pinning helper instance
+  def self.configure_certificate_pinning(config = {})
+    @certificate_pinning = CertificatePinningHelper.new(config)
+  end
+
+  # Configure proxy detection
+  # @param config [Hash] Proxy detection configuration
+  # @return [AdvancedProxyDetector] Proxy detector instance
+  def self.configure_proxy_detection(config = {})
+    @proxy_detector = AdvancedProxyDetector.new(config)
+  end
+
+  # Validate certificate pinning for a URL
+  # @param url [String] URL to validate
+  # @return [Hash] Validation result
+  def self.validate_certificate_pinning(url)
+    return { error: "Certificate pinning not configured" } unless @certificate_pinning
+    
+    cert_chain = @certificate_pinning.get_certificate_chain(url)
+    @certificate_pinning.validate_pin(url, cert_chain)
+  end
+
+  # Detect proxy usage for an IP address
+  # @param ip_address [String] IP address to analyze
+  # @param additional_data [Hash] Additional network data
+  # @return [Hash] Proxy detection result
+  def self.detect_proxy(ip_address, additional_data = {})
+    return { error: "Proxy detection not configured" } unless @proxy_detector
+    
+    @proxy_detector.detect_proxy(ip_address, additional_data)
+  end
+
   # Get current RASP protection instance
   # @return [RaspProtection, nil] Current RASP protection instance
   def self.rasp_protection
     @rasp_protection
   end
 
+  # Get current policy manager instance
+  # @return [EnterprisePolicyManager, nil] Current policy manager instance
+  def self.policy_manager
+    @policy_manager
+  end
+
+  # Get current certificate pinning helper instance
+  # @return [CertificatePinningHelper, nil] Current certificate pinning helper instance
+  def self.certificate_pinning
+    @certificate_pinning
+  end
+
+  # Get current proxy detector instance
+  # @return [AdvancedProxyDetector, nil] Current proxy detector instance
+  def self.proxy_detector
+    @proxy_detector
+  end
+
   # Check if RASP protection is active
   # @return [Boolean] True if RASP protection is active
   def self.rasp_active?
     @rasp_protection&.protection_status&.dig(:active) || false
   end
 
+  # Get comprehensive security status
+  # @return [Hash] Security status across all components
+  def self.security_status
+    {
+      version: VERSION,
+      rasp_active: rasp_active?,
+      policy_configured: !@policy_manager.nil?,
+      certificate_pinning_configured: !@certificate_pinning.nil?,
+      proxy_detection_configured: !@proxy_detector.nil?,
+      components: {
+        rasp: @rasp_protection&.protection_status,
+        policy: @policy_manager&.policy_statistics,
+        certificate_pinning: @certificate_pinning&.pinning_status,
+        proxy_detection: @proxy_detector&.detection_statistics
+      }
+    }
+  end
+
   # Get version information
   # @return [String] Current version
   def self.version
     VERSION
   end
+
+  private
+
+  # Enhance scan result with network security analysis
+  # @param scan_result [Hash] Original scan result
+  # @param config [Hash] Configuration options
+  # @return [Hash] Enhanced scan result
+  def self.enhance_with_network_analysis(scan_result, config)
+    network_analysis = {}
+    
+    # Add proxy detection if configured
+    if @proxy_detector && config[:target_ip]
+      proxy_result = @proxy_detector.detect_proxy(config[:target_ip], config[:network_data] || {})
+      network_analysis[:proxy_detection] = proxy_result
+      
+      # Add proxy indicators to risk factors if detected
+      if proxy_result[:proxy_detected]
+        scan_result[:factors] ||= []
+        proxy_result[:proxy_types].each do |type|
+          scan_result[:factors] << "NETWORK_#{type.upcase}_DETECTED"
+        end
+      end
+    end
+    
+    # Add certificate pinning validation if configured
+    if @certificate_pinning && config[:target_url]
+      pinning_result = validate_certificate_pinning(config[:target_url])
+      network_analysis[:certificate_pinning] = pinning_result
+      
+      # Add certificate pinning failure to risk factors if invalid
+      unless pinning_result[:valid]
+        scan_result[:factors] ||= []
+        scan_result[:factors] << "CERTIFICATE_PINNING_FAILED"
+      end
+    end
+    
+    scan_result[:network_analysis] = network_analysis unless network_analysis.empty?
+    scan_result
+  end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: ai_root_shield
 version: !ruby/object:Gem::Version
-  version: 0.3.0
+  version: 0.4.0
 platform: ruby
 authors:
 - Ahmet KAHRAMAN
@@ -149,9 +149,12 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '0.9'
-description: An AI-powered Ruby library that performs on-device compromise detection
-  for mobile applications without requiring a backend. Detects root/jailbreak, emulators,
-  hooking frameworks, and provides behavioral risk analysis.
+description: An AI-powered Ruby library that performs comprehensive on-device compromise
+  detection for mobile applications. Features include root/jailbreak detection, emulator
+  detection, hooking framework detection, application integrity checks, advanced network
+  security analysis with certificate pinning and proxy detection, enterprise policy
+  management, AI behavioral analysis, and RASP protection - all without requiring
+  a backend.
 email:
 - ahmetxhero@gmail.com
 executables:
@@ -168,16 +171,22 @@ files:
 - Rakefile
 - examples/device_logs/clean_device.json
 - examples/device_logs/rooted_android.json
+- examples/policies/banking_policy.json
+- examples/policies/development_policy.json
+- examples/policies/enterprise_policy.json
 - exe/ai_root_shield
 - lib/ai_root_shield.rb
+- lib/ai_root_shield/advanced_proxy_detector.rb
 - lib/ai_root_shield/ai_behavioral_analyzer.rb
 - lib/ai_root_shield/analyzers/emulator_detector.rb
 - lib/ai_root_shield/analyzers/hooking_detector.rb
 - lib/ai_root_shield/analyzers/integrity_checker.rb
 - lib/ai_root_shield/analyzers/network_analyzer.rb
 - lib/ai_root_shield/analyzers/root_detector.rb
+- lib/ai_root_shield/certificate_pinning_helper.rb
 - lib/ai_root_shield/detector.rb
 - lib/ai_root_shield/device_log_parser.rb
+- lib/ai_root_shield/enterprise_policy_manager.rb
 - lib/ai_root_shield/rasp_protection.rb
 - lib/ai_root_shield/risk_calculator.rb
 - lib/ai_root_shield/version.rb
@@ -206,5 +215,6 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 requirements: []
 rubygems_version: 3.6.9
 specification_version: 4
-summary: AI-powered mobile device compromise detection library
+summary: AI-powered mobile security library with advanced network security and enterprise
+  policy management
 test_files: []