
Engineering Threat Hunting for iOS and Android

Jun 10, 2024 | Kris Jones

Gone are the days when we can trust mobile devices to be secure out of the box. iVerify products help companies and consumers secure their data and protect the integrity of corporate systems without compromising privacy. iVerify doesn’t use invasive admin access to collect personal data stored on devices because products that promise to protect you shouldn’t be spying on you instead. 

One of our company values is transparency, specifically that we don’t build black box security. Our tools work in full view of the device user and with their explicit consent. We’ve also publicly committed to being transparent about the data we do (and do not) access from mobile devices. iVerify can’t covertly collect or analyze device data without participation from the device owner.

This blog post and the diagram below provide a high-level technical overview of how iVerify’s data flow process works.



Data Collection 

iVerify only collects device telemetry data, extracting historical and recent telemetry for forensic analysis. To begin the process, iVerify products guide users through the steps to generate a set of diagnostic logs on iOS or Android, then submit it to iVerify for analysis. All of this is done from the mobile application. 

iOS users can create the logs by simultaneously pressing Volume Up, Volume Down, and Power. Hold for 1-1.5 seconds. The file is usually ready in about 5 minutes. The sysdiagnose files generated by this button combination are normally awkward to trigger and share; because of our team’s deep working knowledge of iOS, the iVerify app makes it easy for users.

The sysdiagnose files generated by Apple devices contain logs, crash data, and system configuration details, which makes them a valuable artifact for diagnosing and troubleshooting iOS issues. They give our analysts an extensive snapshot of the device's behavior leading up to the creation of the log files, along with information about system usage.

On Android, iVerify helps users create a bug report using the developer options in the Android settings app and submit it to iVerify for analysis.

When these iOS and Android files are uploaded to iVerify’s cloud service, we immediately remove data stores containing personal information such as IP addresses, email addresses, and identifiable device data. We don’t want or need this information. 


Data Enrichment 

Our data pipeline is built with a serverless architecture so we can concurrently extract many large data sets from log files in seconds. We can store, process, enrich, and detect indicators of compromise (IOCs) in thousands of files every minute. This equates to roughly 450GB of diagnostic data being processed every minute! 

The data enrichment pipeline combines iVerify’s knowledge of mobile operating systems with the voluminous telemetry data stored within the diagnostic log files. It extracts pertinent signals from various locations including SQLite databases, crash logs, system logs, and a variety of JSON telemetry files. Because the data within these files is often in dozens of different formats, we built custom parsers that produce a unified format for every data type we extract. This lets us combine and cross-reference data from multiple sources within a sysdiagnose file or an Android bug report.
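To make the "unified format" idea concrete, here is an added example (illustrative code written for this post, not iVerify's parsers) that normalizes three constructed record types, a syslog-style text line, a crash record in JSON, and a row from an in-memory SQLite table, into one `Event` shape keyed on a UTC timestamp, then cross-references them by process. The input layouts, field names and sample values are constructed stand-ins and do not reproduce the real sysdiagnose or Android bug report formats; a line the parser does not recognise is skipped rather than guessed at.

```python
"""Added example: three constructed record formats normalised into one Event shape.

This is illustrative code written for this post, not iVerify's parsers. The
syslog lines, crash JSON and SQLite table below are constructed stand-ins and
do not reproduce the real sysdiagnose or Android bug report layouts.
"""
import json
import re
import sqlite3
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Event:
    ts: datetime    # timezone-aware UTC timestamp, the join key across sources
    source: str     # which parser produced the record
    process: str    # process or bundle the record is about
    kind: str       # short event type
    detail: str     # free text carried from the original record


# --- constructed sample inputs --------------------------------------------
SYSLOG_LINES = [
    "2024-06-10 12:00:01.123 +0000 launchd[1]: Spawned process com.example.app",
    "2024-06-10 12:00:05.987 +0000 kernel[0]: memorystatus: killing com.example.app",
    "this line has no recognisable layout and must be skipped",
]

CRASH_JSON = json.dumps({
    "timestamp": "2024-06-10 12:00:05.900 +0000",
    "procName": "com.example.app",
    "exception": {"type": "EXC_BAD_ACCESS"},
})


def build_sqlite_sample() -> sqlite3.Connection:
    """In-memory table standing in for an on-device SQLite store (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE proc_stats(proc TEXT, ts INTEGER, cpu_ms INTEGER)")
    # 1718020803 is 2024-06-10 12:00:03 UTC
    conn.execute("INSERT INTO proc_stats VALUES ('com.example.app', 1718020803, 4200)")
    conn.commit()
    return conn


# --- one parser per format, all emitting Event ------------------------------
_SYSLOG_RE = re.compile(
    r"^(?P<date>\S+ \S+) (?P<tz>[+-]\d{4}) (?P<proc>[^\[]+)\[\d+\]: (?P<msg>.*)$"
)


def _to_utc(date: str, tz: str) -> datetime:
    """Turn '2024-06-10 12:00:01.123' + '+0000' into an aware UTC datetime."""
    return datetime.strptime(f"{date} {tz}", "%Y-%m-%d %H:%M:%S.%f %z").astimezone(timezone.utc)


def parse_syslog(lines):
    for line in lines:
        m = _SYSLOG_RE.match(line)
        if not m:
            continue  # unknown layout: skip rather than guess at fields
        msg = m["msg"]
        # in these constructed lines the affected process is the last token
        yield Event(_to_utc(m["date"], m["tz"]), "syslog", msg.split()[-1], "log", msg)


def parse_crash(blob: str):
    rec = json.loads(blob)
    date, tz = rec["timestamp"].rsplit(" ", 1)
    yield Event(_to_utc(date, tz), "crash", rec["procName"], "crash", rec["exception"]["type"])


def parse_sqlite(conn: sqlite3.Connection):
    for proc, ts, cpu in conn.execute("SELECT proc, ts, cpu_ms FROM proc_stats"):
        yield Event(datetime.fromtimestamp(ts, tz=timezone.utc), "sqlite", proc, "cpu", f"cpu_ms={cpu}")


def unify():
    """All sources merged into one list, ordered by time."""
    events = [*parse_syslog(SYSLOG_LINES), *parse_crash(CRASH_JSON), *parse_sqlite(build_sqlite_sample())]
    return sorted(events, key=lambda e: e.ts)


def by_process(events):
    """Cross-reference: every event for a process, regardless of which file it came from."""
    grouped = {}
    for e in events:
        grouped.setdefault(e.process, []).append(e)
    return grouped


if __name__ == "__main__":
    for e in unify():
        print(e.ts.isoformat(), e.source, e.process, e.kind, e.detail)
```

The design point is that every parser converts its own timestamp convention (string with offset, epoch seconds) into the same aware UTC `datetime` before anything is merged; once that holds, grouping by process gives the cross-source view (spawn, CPU sample, crash, kill) that no single file shows on its own.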


Knowledge Generation 

With a central data store combining all telemetry data in one unified format, we’re also able to keep track of what a healthy device looks like, taking into account specific OS versions and device models. This helps us identify and flag potential 0-days, supported by a database of 20+ million records that tell us what ‘normal’ telemetry looks like for each device model and version.

iVerify’s data collection and enrichment technology was built to scale, turning terabytes of unstructured diagnostic files into laser-focused datasets that can pinpoint the deep workings of an iOS or Android device. This diverse dataset, enriched and validated by our internal research team, is truly unique – the industry’s premier knowledge dataset in the fight against malicious actors targeting our most personal mobile devices.


Detections

In minutes any iVerify user can submit their telemetry for analysis. Consumers using iVerify Basic can use this functionality once every 90 days. Enterprise customers using iVerify EDR or iVerify Elite (including journalists with access from iVerify.org) have unlimited on-demand access to our forensics analysis capabilities. 

This flow of valuable telemetry data allows us to detect IOCs by looking at device-level activity in addition to the malware signatures used by traditional solutions. This is critical for catching 0-days, whose signatures are still unknown. We also flag applications with elevated privileges and analyze stack traces and process statistics.
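The two ideas above, a per-model/OS-version baseline of what ‘normal’ telemetry looks like (from the Knowledge Generation section) and device-level rules such as flagging applications with elevated privileges, can be shown together in one small example. The code below is illustrative and written for this post, not iVerify's detection engine or its 20+ million record database; the baseline records, the submission, the field names (`model`, `os_version`, `processes`, `apps`, `privileges`) and the privilege labels are all constructed. It builds a baseline keyed on (model, OS version), flags processes that healthy peers rarely or never show, and refuses to report "nothing unusual" when no baseline exists for that model/OS pair.

```python
"""Added example: a per-model/OS baseline of 'normal' telemetry plus one privilege rule.

Illustrative code written for this post, not iVerify's detection engine. The
baseline records, the submission, the field names (model, os_version,
processes, apps, privileges) and the privilege strings are all constructed.
"""
from collections import Counter, defaultdict

# Constructed "healthy device" submissions: one record per prior scan.
BASELINE_RECORDS = [
    {"model": "iPhone14,2", "os_version": "17.5",
     "processes": ["launchd", "SpringBoard", "backboardd", "com.example.mail"]},
    {"model": "iPhone14,2", "os_version": "17.5",
     "processes": ["launchd", "SpringBoard", "backboardd", "com.example.mail"]},
    {"model": "iPhone14,2", "os_version": "17.5",
     "processes": ["launchd", "SpringBoard", "backboardd", "com.example.maps"]},
    {"model": "iPhone14,2", "os_version": "17.5",
     "processes": ["launchd", "SpringBoard", "backboardd"]},
    {"model": "Pixel 7", "os_version": "14",
     "processes": ["init", "zygote64", "system_server"]},
]

# Constructed privilege labels; real platforms express this differently.
SENSITIVE_PRIVILEGES = {"example.debug-attach", "example.root-helper"}


def build_baseline(records):
    """(model, os_version) -> Counter of how many healthy scans saw each process."""
    seen = defaultdict(Counter)
    totals = Counter()
    for r in records:
        key = (r["model"], r["os_version"])
        totals[key] += 1
        seen[key].update(set(r["processes"]))   # count each process once per scan
    return seen, totals


def find_unknown_processes(submission, seen, totals, min_fraction=0.5):
    """Processes present on fewer than min_fraction of healthy peers for this model/OS.

    A missing baseline raises instead of returning [] so that 'no data' is never
    mistaken for 'nothing unusual'.
    """
    key = (submission["model"], submission["os_version"])
    if key not in totals:
        raise KeyError(f"no baseline for model/OS {key}")
    n = totals[key]
    return sorted(p for p in set(submission["processes"]) if seen[key][p] / n < min_fraction)


def flag_privileged_apps(submission):
    """Apps whose declared privileges intersect the sensitive set."""
    hits = []
    for app in submission.get("apps", []):
        matched = SENSITIVE_PRIVILEGES & set(app.get("privileges", []))
        if matched:
            hits.append((app["bundle"], sorted(matched)))
    return hits


def analyze(submission, records=BASELINE_RECORDS):
    """Run both rules and return findings in a uniform shape."""
    seen, totals = build_baseline(records)
    findings = [{"rule": "process-not-in-baseline", "subject": p, "detail": ""}
                for p in find_unknown_processes(submission, seen, totals)]
    findings += [{"rule": "elevated-privilege-app", "subject": b, "detail": ",".join(m)}
                 for b, m in flag_privileged_apps(submission)]
    return findings


# Constructed submission: one process never seen on healthy peers, one app
# carrying a sensitive privilege label.
SAMPLE_SUBMISSION = {
    "model": "iPhone14,2", "os_version": "17.5",
    "processes": ["launchd", "SpringBoard", "backboardd", "com.example.mail", "unknown_daemon"],
    "apps": [
        {"bundle": "com.example.mail", "privileges": []},
        {"bundle": "com.example.tool", "privileges": ["example.debug-attach"]},
    ],
}

if __name__ == "__main__":
    for f in analyze(SAMPLE_SUBMISSION):
        print(f)
```

The threshold is deliberately a fraction of peers rather than a hard "never seen" check, so a legitimate but uncommon app on one device does not drown the analyst in noise while a process with zero healthy sightings is always surfaced; tuning `min_fraction` per model/OS pair is the kind of decision a large baseline makes possible.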

When malicious activity is detected, our threat hunting team uses internal tooling and our knowledge bank to create a forensic timeline for the device including what happened and when. Combined with our other forensic capabilities, this approach provides unique and detailed insight to determine if a device has been compromised and for how long. 

For enterprise customers, iVerify detection alerts are enriched with additional metrics from continuous scans to support immediate and thorough incident response. 



Contact our sales team for more information on iVerify EDR or iVerify Elite: info@iverify.io

Journalists and civil society organizations can apply for complimentary access at iVerify.org.