feat: debugger detection added

ha-ja · theDeniZ · commit 2cccc5ce7488 · 2025-03-19T08:51:30.000+01:00
* add DebuggerDetection.swift * add DebuggerDetection to ThreatDetectionCenter * add debugger detection view to SecurityToolkitExample * add documentation for isDebuggerAttached * fix typo: isDebuggerAttached -> isDebuggerDetected * Comment made even more clear * hasTracerFlagSet() additionally made private * No explicit Darwin import needed and therefore rmd no explicit Darwin import needed and therefore removed * Use of optional bool for isDebuggerDetected return Use of optional bool for public function isDebuggerDetected. This decision is the result of a joint discussion that took place in the associated PR #10 : #10 Motivation: No exception should be thrown. It should be communicated that something went wrong in the decision-making process and that no clear statement can be made. Decision: We now return nil in an unclear case. nil: The detection process did not produce a definitive result. This could happen due to system limitations, lack of required permissions, or other undefined conditions.
diff --git a/SecurityToolkitExample/SecurityToolkitExample/Resources/en.lproj/Localizable.strings b/SecurityToolkitExample/SecurityToolkitExample/Resources/en.lproj/Localizable.strings
@@ -5,6 +5,8 @@
 "threat.hooks.description" = "Intercept system or application calls and then modify them (modify the return value of a function call for example)";
 "threat.simulator.title" = "Simulator";
 "threat.simulator.description" = "Running the application in a simulator";
+"threat.debugger.title" = "Debugger";
+"threat.debugger.description" = "A tool that allows developers to inspect and modify the execution of a program in real-time, potentially exposing sensitive data or allowing unauthorized control.";
 
 // MARK: Threat List
 "threat.list.title" = "Protection";
diff --git a/SecurityToolkitExample/SecurityToolkitExample/Sources/ThreatStatus.swift b/SecurityToolkitExample/SecurityToolkitExample/Sources/ThreatStatus.swift
@@ -22,6 +22,11 @@ struct ThreatStatus: Hashable {
             description: R.string.localizable.threatSimulatorDescription(),
             isDetected: ThreatDetectionCenter.isSimulatorDetected
         ),
+        ThreatStatus(
+            title: R.string.localizable.threatDebuggerTitle(),
+            description: R.string.localizable.threatDebuggerDescription(),
+            isDetected: ThreatDetectionCenter.isDebuggerDetected
+        ),
     ]
 }
 
diff --git a/Sources/DebuggerDetection.swift b/Sources/DebuggerDetection.swift
@@ -0,0 +1,25 @@
+import Foundation
+
+// MARK: - Internal
+internal final class DebuggerDetection {
+    
+    static func threatDetected() -> Bool? {
+        hasTracerFlagSet()
+    }
+}
+
+// MARK: - Private
+fileprivate extension DebuggerDetection {
+    
+    /// Check P_TRACED flag from Darwin Kernel
+    /// if the process is traced
+    private static func hasTracerFlagSet() -> Bool? {
+        var info = kinfo_proc()
+        var mib: [Int32] = [CTL_KERN, KERN_PROC, KERN_PROC_PID, getpid()] // Kernel info, process info, specific process by PID, get current process ID
+        var size = MemoryLayout.stride(ofValue: info)
+        
+        let unixStatusCode = sysctl(&mib, u_int(mib.count), &info, &size, nil, 0)
+        
+        return unixStatusCode == 0 ? (info.kp_proc.p_flag & P_TRACED) != 0 : nil
+    }
+}
diff --git a/Sources/ThreatDetectionCenter.swift b/Sources/ThreatDetectionCenter.swift
@@ -14,6 +14,21 @@ public final class ThreatDetectionCenter {
         SimulatorDetection.threatDetected()
     }
     
+    /// Will check if your application is being traced by a debugger.
+    ///
+    /// - Returns:
+    ///   `true`: If a debugger is detected.
+    ///   `false`: If no debugger is detected.
+    ///   `nil`: The detection process did not produce a definitive result. This could happen due to system limitations, lack of required permissions, or other undefined conditions.
+    ///
+    /// A debugger is a tool that allows developers to inspect and modify the execution of a program in real-time, potentially exposing sensitive data or allowing unauthorized control.
+    ///
+    /// ## Notes
+    /// Please note that Apple itself may require a debugger for the app review process.
+    public static var isDebuggerDetected: Bool? {
+        DebuggerDetection.threatDetected()
+    }
+    
 	
 	// MARK: - Async Threat Detection
 	
@@ -22,6 +37,7 @@ public final class ThreatDetectionCenter {
         case rootPrivileges
         case hooks
         case simulator
+        case debugger
     }
 	
 	/// Stream that contains possible threats that could be detected
@@ -40,6 +56,10 @@ public final class ThreatDetectionCenter {
                 continuation.yield(.simulator)
             }
             
+            if DebuggerDetection.threatDetected() ?? false {
+                continuation.yield(.debugger)
+            }
+            
             continuation.finish()
         }
     }

Original file line number	Diff line number	Diff line change
`@@ -22,6 +22,11 @@ struct ThreatStatus: Hashable {`
`22`	`22`	`description: R.string.localizable.threatSimulatorDescription(),`
`23`	`23`	`isDetected: ThreatDetectionCenter.isSimulatorDetected`
`24`	`24`	`),`
	`25`	`+ ThreatStatus(`
	`26`	`+ title: R.string.localizable.threatDebuggerTitle(),`
	`27`	`+ description: R.string.localizable.threatDebuggerDescription(),`
	`28`	`+ isDetected: ThreatDetectionCenter.isDebuggerDetected`
	`29`	`+ ),`
`25`	`30`	`]`
`26`	`31`	`}`
`27`	`32`