# What Else Does Device Fingerprint Do?

There are a group of people on the Internet who will use technical means to break rules and make device fingerprints ineffective. The result is that the invested capital will be burned. Some small and medium-sized start-ups with weak anti-risk abilities may even lead to bankruptcy.

The device's fingerprint also needs to constantly strengthen its shield to fight against the increasingly sharp spear produced by malicious organizations.

# Introduction

In addition to describing the identity information of the device, the device fingerprint can also identify the status of the device at a certain moment, which is very important for Internet services. However, under the sun, there must be darkness. There are a group of people on the Internet who will use technical means to break rules and make device fingerprints ineffective. The result is that the invested capital will be burned. Some small and medium-sized start-ups with weak anti-risk abilities may even lead to bankruptcy.What other security capabilities can device fingerprints provide in addition to their identity recognition capabilities?

# Means of attack

As the saying goes, knowing oneself and the enemy is sure to win a hundred wars. Before answering this question, we need to know some attack methods of malicious organizations or individuals. As mentioned earlier, the generation of device fingerprints mainly depends on some attribute information of the client, including but not limited to as follows: ‍ ● Basic information on equipment ● Positioning information ● Network information, such as local cellular IP, WIFI IP, source IP, etcNext, let's take a look at some mainstream attack methods of malicious organizations or individuals.

Next, let's take a look at some mainstream attack methods of malicious organizations or individuals.

# The device info tampering software

It is a kind of malware that can destroy the uniqueness of the device fingerprint by tampering with the device information, thus making the device become a new device at some level.

As we all know, general devices have no authority to modify and affect other applications. To achieve the goal, a malicious organization or individual often needs to get higher system authority. This operation is often called jailbreak (iOS) or ROOT (Android).

After the device is authorized by higher system authority, the software can tamper with the device information at will through HOOK to turn it into a new device. This operation is usually completed by clicking the button on the device info tampering software, so the cost of manufacturing a new user to attackers is almost zero.

# Virtual environment

In recent years, with the improvement of technology and hardware, client vulnerabilities have been gradually fixed.

In the high version of the system, jailbreak and ROOT have become very difficult. Therefore, many malicious organizations or individuals also focus on the virtual environment. Virtual Environment, in short, is an environment that uses the local operating system to simulate an operating system compatible with the local machine and run software on it.

The most common virtual environment on the client is the simulator, which usually exists on the PC. It is designed to facilitate developers to obtain the same real environment as client devices as much as possible without real devices. For this reason, simulator developers also provide some convenient configurations, including but not limited to the functions of modifying device information and locating information mentioned above. This feature is often used for device tampering. Therefore, software applications running in this environment have high risks.

# Custom ROM

The full name of ROM is Read Only Memory, also known as a read-only memory image. Resetting the system is the process of writing the ROM image to the ROM.

As we all know, the Android system is open source. Google allows users to modify the memory image and customize many cool functions. However, everything has two sides. Excessive freedom also brings great harm. Because users can customize and compile the source code of the Android system at will, the API provided by the original system is no longer reliable.

Therefore, running software applications in this environment is also extremely dangerous.

# Application cracking

Before the application goes online, developers need to sign the binary file of the application and upload it to the store. Application cracking is to decompile and crack the original signed application, and restore the encrypted binary segment to what it was before encryption.

After restoration, attackers can attack the following two levels: ● Secondary packaging ● Debugging attacks

The following describes the specific attack methods.

# Secondary packaging

img

The steps of secondary packaging are unpacking, inserting/tampering code, generating a new package, re-signing and running. Tampering with the code makes the original software application code extremely unreliable, which also affects the accuracy of device fingerprints.

# Debug attacks

Debugging is originally a behavior of application developers to modify code during development. Normally, this should only happen in the development phase.

However, the signature of the binary file was destroyed after the application of cracking. Attackers also have the same permissions as developers to modify code. This is the same as secondary packaging, which also risks the business.

# Proxy attack

Among the elements that describe the uniqueness of the device, besides the device ID, there are also IP location information and network information, which can be used to accurately depict the user.

In addition to the device id, there is also IP location information and network information that can be used to accurately describe the user's location. Proxy software (such as Shadowrocket) on the market can easily forge the above information, and you can even easily obtain these tools from search engines. By watching the tutorial, even if you are a little white, you can quickly learn and use them.

In addition, the interface data of software applications may be stolen and modified through HTTP proxy.

# Virtual location

Virtual location refers to users using technical means to forge the current location information to achieve some purposes. Common business scenarios include clock-in, regional coupon collection, etc.

In principle, there are two main attacks to achieve virtual location.

# Software tampering

This method often depends on jailbreak/ROOT and the simulator environment, and the target of their attacks is mainly the API related to system positioning. ‍ Therefore, risks can be identified only by detecting the runtime environment and the location API.

# GPS signal tampering

GPX file is a series of standard files that describe the device location information. System allows developers to use GPX files to simulate GPS signals and modify the GPS information received by the GPS module of the device, to achieve the purpose of virtual location. This comes from the back door that the system opens to developers. It is designed to enable developers to better simulate and run current positioning-related functions on the device. ‍ However, this convenient function has been modified by some intentional people to make some PC software or peripheral plug-ins for location cheating.

# What can we do?

After introducing several mainstream attack methods, we will talk about how to counter the attack of malicious organizations by device fingerprint.

# Detect the operating environment

The device info tampering software and virtual environment scenarios just mentioned require that the application run in virtual environments such as jailbreak/ROOT devices or simulators. Therefore, we can collect the above environmental characteristics and report them to the server, and make decisions in the business according to the environment during the business.

# Detect the malware installation

Not all malicious organizations are all masterful geeks. They often purchase some well-known device info tampering software from some individual developers or sales organizations for batch tampering.

Therefore, we can establish an application blacklist mechanism. Once it is found that this kind of blacklist application is installed on the device, it can throw risks to the business.

# Detect ROM

Details determine success or failure. Although the freedom of customized ROM is very high, the developers of malicious ROM often can not do everything without leakage. In the limited information collected by the device, we can still find some clues to prove that this ROM is non-native. Since the scheme is relatively open, the detection method will not be discussed here.

# Check signature correctness and binary integrity

To prevent the client code from being cracked, application developers will reinforce and protect the application at the code level. To achieve the goal of attack, attackers must first reinforce the application and crack the code, modify the core logic, and then repackage the application. The device fingerprint does not provide code reinforcement capabilities, which is the service scope of the reinforcement manufacturer. However, device fingerprints provide the ability to check the integrity of binary files. Based on this, device fingerprints can mark unpublished applications. Because the software application running on the device has been signed and encrypted, only attackers can crack the file. If the signature file is not leaked, it can be considered that applications that do not meet the binary file integrity verification are reconstructed after being modified or cracked by attackers, which is highly risky.

# Detect the debugging behavior

The principle of debugging is to attach the debugged process to the running target application and control the application by sending instructions.

Therefore, the behavior of detecting attaching an application is very valid. There are many detection methods, but we will not talk about them here.

# Detect the agent behavior

When using the proxy, the system creates different network interfaces and ports. At present, the system also provides relevant API interfaces to obtain proxy information.

Therefore, it is very effective to directly obtain agent information to identify agent behavior.

On the other hand, the proxy also forwards data to the proxy server, which is generally not in the local region.

Therefore, the multi-dimensional verification of the base station information, IP information, and location information can also determine whether the user is cheating by using a proxy.

# Detect the virtual location

As we mentioned earlier, virtual location has two attack modes, and we have given different protection suggestions for different modes.

# Software tampering

This method needs to rely on the jailbreak/ROOT or simulator environment and needs to use HOOK to locate related APIs to achieve the purpose of locating tampering.

Therefore, we can identify risks by detecting the operating environment and locating whether relevant APIs are HOOK.

# GPS signal tampering

The method of GPS signal tampering is relatively complex, and it can act on normal devices. As a low-authority software application, it is difficult to defuse.

As a low-privilege software application, confrontation is difficult.

Fortunately, there are more ways than difficulties. We give some suggestions as follows: ‍ ● GPS information verification. Through big data analysis, we find that in order to simplify the implementation of some virtual location software, the simulated positioning data is very rough. They may have just modified the longitude and latitude to achieve the purpose of tampering with the location. But they overlooked some details. Maintaining the same longitude and latitude for a long time and abnormal altitude and speed will greatly increase the suspicion of user virtual location.

● The geographic location information is analyzed by collecting IP address and base station information, and compared with the currently collected positioning information. If the difference is very large, it can be basically confirmed that the user uses virtual location.

# Epilogue

The road is high one-foot evil spirit is high one a unit of length. Offensive and defensive confrontation is an eternal topic. ‍ The device's fingerprint also needs to constantly strengthen its shield to fight against the increasingly sharp spear produced by malicious organizations.

: 2023/06/25 16:20:00