AI Root Shield

Created by Ahmet KAHRAMAN - Mobile Developer & Cyber Security Expert
"Security first, innovation always" 🛡️

An enterprise-grade AI-powered Ruby library that performs comprehensive cross-platform mobile security analysis. Features advanced platform-specific detection, hardware security validation, CI/CD integration, and enterprise SIEM connectivity - all without requiring a backend.

• Root & Jailbreak Detection: Comprehensive detection of rooted Android devices and jailbroken iOS devices
• Emulator/Simulator Detection: Identifies virtual devices, emulators, and simulators
• Hooking Framework Detection: Detects Frida, Xposed, Substrate, and other instrumentation tools
• Application Integrity Checks: Validates app signatures and detects repackaging/tampering
• Network Security Analysis: Identifies TLS issues, custom CAs, and MITM tools

• Android SafetyNet & Play Integrity API: Native Google security API integration
• iOS Advanced Jailbreak Detection: DYLD injection, sandbox escape, code signing validation
• Hardware Security Analysis: TEE/SE validation, biometric consistency checks
• Cross-Platform Unified Reporting: Standardized security reports across platforms

• CI/CD Security Testing Module: Automated security tests for GitHub Actions, GitLab CI, Jenkins
• Web Dashboard: Optional GUI for log analysis and risk visualization
• Risk Score Visualization: Interactive charts, timelines, and heatmaps
• SIEM/SOC Integrations: Splunk, Elastic Stack, QRadar, Sentinel, Sumo Logic, Datadog

• Certificate Pinning Helper: TLS public key pinning with common CA support
• Advanced Proxy Detection: VPN, Tor, custom DNS, and MITM appliance detection
• Enterprise Policy Management: JSON-based customizable security rules and compliance
• RASP Protection: Runtime Application Self-Protection with real-time threat blocking
• AI Behavioral Analysis: ONNX-powered behavioral pattern analysis with anomaly detection
• Hardware Attestation: Android Key Attestation and iOS Device Check integration

• Compliance Frameworks: OWASP MASVS, NIST, ISO 27001, PCI DSS, GDPR support
• Risk Scoring System: Comprehensive risk assessment with weighted factors (0-100 scale)
• Threat Intelligence: IoC extraction and attack vector identification
• CLI Tool: Command-line interface with multiple output formats
• Privacy-First: Completely offline, no data collection or external dependencies

Add this line to your application's Gemfile:

gem 'ai_root_shield'

And then execute:

$ bundle install

Or install it yourself as:

$ gem install ai_root_shield

require "ai_root_shield"

# Scan device using device logs
result = AiRootShield.scan_device("device_logs/sample.json")

puts result[:risk_score]  # => 87
puts result[:factors]     # => ["ROOT_SU_FOUND", "FRIDA_GADGET", "TLS_UNPINNED"]

require "ai_root_shield"

# Load device logs
device_logs = JSON.parse(File.read("device_logs/android_device.json"))

# Android-specific security analysis
android_results = AiRootShield.analyze_android_security(device_logs, {
  api_key: "your_safetynet_api_key",
  package_name: "com.yourapp.package"
})

puts "SafetyNet Basic Integrity: #{android_results[:safetynet][:basic_integrity]}"
puts "Play Integrity Verdict: #{android_results[:play_integrity][:device_verdict]}"
puts "Hardware TEE Available: #{android_results[:hardware_security][:tee_available]}"

# iOS-specific security analysis
ios_logs = JSON.parse(File.read("device_logs/ios_device.json"))
ios_results = AiRootShield.analyze_ios_security(ios_logs)

puts "Jailbreak Detected: #{ios_results[:jailbreak_detection][:file_system_check][:detected]}"
puts "Code Signing Valid: #{ios_results[:code_signing][:main_bundle_signed]}"
puts "Secure Enclave Available: #{ios_results[:hardware_security][:secure_enclave_available]}"

# Hardware security analysis
hardware_analysis = AiRootShield.analyze_hardware_security(device_logs, 'android')
puts "Hardware Security Score: #{hardware_analysis[:security_score]}"

# Generate unified cross-platform report
unified_report = AiRootShield.generate_unified_report(
  android_results: android_results,
  ios_results: ios_results,
  metadata: {
    app_name: "MySecureApp",
    app_version: "1.0.0",
    organization: "MyCompany"
  }
)

puts "Overall Risk Level: #{unified_report[:unified_risk_assessment][:risk_level]}"

# Custom configuration
config = {
  enable_root_detection: true,
  enable_emulator_detection: true,
  enable_hooking_detection: true,
  enable_integrity_checks: true,
  enable_network_analysis: true,
  enable_ai_behavioral_analysis: true,  # v0.2.0
  risk_threshold: 70,
  ai_confidence_threshold: 0.7  # v0.2.0
}

result = AiRootShield.scan_device_with_config("device_logs/sample.json", config)

# Get risk level description
risk_level = AiRootShield::RiskCalculator.risk_level_description(result[:risk_score])
puts risk_level  # => "HIGH" or "CRITICAL"

# Get recommended actions
actions = AiRootShield::RiskCalculator.recommended_actions(result[:factors])
actions.each { |action| puts "→ #{action}" }

# Run security tests in CI/CD pipeline
test_results = AiRootShield.run_ci_cd_tests("device_logs/sample.json", {
  fail_on_high_risk: true,
  risk_threshold: 70,
  report_format: 'json',
  artifacts_path: './security_artifacts'
})

puts "Pipeline Result: #{test_results[:pipeline_result][:result]}"

# Generate CI/CD configuration
github_config = AiRootShield.generate_ci_config('github_actions')
File.write('.github/workflows/security.yml', github_config)

gitlab_config = AiRootShield.generate_ci_config('gitlab_ci')
File.write('.gitlab-ci.yml', gitlab_config)

# Configure SIEM connector
AiRootShield.configure_siem(:splunk, {
  api_endpoint: 'https://your-splunk-instance.com:8088',
  api_key: 'your-hec-token',
  index: 'mobile_security'
})

# Send security events to SIEM
analysis_results = AiRootShield.analyze_android_security(device_logs)
AiRootShield.send_to_siem(analysis_results, {
  device_id: 'device-123',
  user_id: 'user-456',
  app_version: '1.0.0'
})

# Configure multiple SIEM platforms
elastic_connector = AiRootShield.configure_siem(:elastic, {
  api_endpoint: 'https://your-elastic-cluster.com',
  api_key: 'your-api-key',
  index: 'ai-root-shield-events'
})

datadog_connector = AiRootShield.configure_siem(:datadog, {
  api_endpoint: 'https://api.datadoghq.com',
  api_key: 'your-datadog-api-key'
})

# Start the web dashboard
AiRootShield.start_dashboard({
  port: 4567,
  bind: '0.0.0.0'
})

# Dashboard will be available at http://localhost:4567
# Features:
# - Real-time security analysis
# - Risk score visualization
# - Interactive charts and heatmaps
# - Historical trend analysis
# - Compliance reporting

The gem includes a command-line interface:

# Basic scan
$ ai_root_shield device_logs/sample.json

# Platform-specific analysis
$ ai_root_shield --platform android --safetynet-api-key YOUR_KEY device_logs/android.json
$ ai_root_shield --platform ios --enable-jailbreak-detection device_logs/ios.json

# CI/CD mode with artifacts
$ ai_root_shield --ci-mode --format json --artifacts-path ./reports device_logs/sample.json

# SIEM integration
$ ai_root_shield --siem splunk --siem-endpoint https://splunk.com:8088 --siem-token TOKEN device_logs/sample.json

# Web dashboard
$ ai_root_shield --start-dashboard --port 8080

# Generate CI/CD configs
$ ai_root_shield --generate-ci-config github-actions > .github/workflows/security.yml
$ ai_root_shield --generate-ci-config gitlab-ci > .gitlab-ci.yml

# With options
$ ai_root_shield --format text --threshold 60 device_logs/sample.json

# Disable specific checks
$ ai_root_shield --no-emulator --no-network device_logs/sample.json

# Get help
$ ai_root_shield --help

AI Root Shield now includes advanced behavioral analysis powered by ONNX machine learning models:

• File Access Pattern Analysis: Detects unusual file system access patterns
• Sensor Data Consistency: Validates sensor data against real device behavior
• Hardware Fingerprinting: Advanced hardware characteristic analysis
• Process Behavior Analysis: Monitors process execution patterns
• Network Pattern Analysis: Analyzes network behavior for anomalies
• Timing Analysis: Detects timing-based attack indicators
• System Call Entropy: Analyzes system call distribution patterns
• Memory Access Patterns: Monitors memory usage behavior

Place your trained ONNX model at models/behavioral_model.onnx for AI-powered analysis. The system falls back to rule-based analysis if no model is available.

# AI analysis is automatically enabled
result = AiRootShield.scan_device('device_logs.json')
puts "AI Confidence: #{result[:ai_confidence]}"
puts "ML Emulator Score: #{result[:ml_emulator_score]}"

Enterprise-grade network security and policy management capabilities:

• Certificate Pinning Helper: Easy TLS public key pinning integration with common CA support
• Advanced Proxy Detection: Comprehensive detection of VPN, Tor, custom DNS, and MITM appliances
• Enterprise Policy Management: JSON-based customizable security rules and compliance validation
• Policy Templates: Pre-built policies for banking, enterprise, and development environments
• Compliance Reporting: Detailed violation tracking and audit logging
• Network Analysis Integration: Real-time network threat detection and assessment

# Configure enterprise policy
AiRootShield.configure_policy('examples/policies/banking_policy.json')

# Set up certificate pinning
pinning = AiRootShield.configure_certificate_pinning
pinning.add_pin('api.mybank.com', ['sha256/YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg='])

# Configure proxy detection
AiRootShield.configure_proxy_detection

# Scan with network analysis
result = AiRootShield.scan_device_with_config('device_logs.json', {
  enable_network_analysis: true,
  target_ip: '192.168.1.100',
  target_url: 'https://api.mybank.com'
})

puts "Compliance Status: #{result[:compliance][:compliant] ? 'COMPLIANT' : 'NON-COMPLIANT'}"
puts "Network Analysis: #{result[:network_analysis]}"

# Scan with enterprise policy and network security
$ ai_root_shield --policy examples/policies/banking_policy.json \
                 --enable-cert-pinning \
                 --enable-proxy-detection \
                 --target-url https://api.mybank.com \
                 --verbose device_logs.json

Runtime Application Self-Protection provides real-time threat detection and blocking:

• Anti-Debug Protection: Detects and blocks ptrace, GDB, LLDB, and other debuggers
• Anti-Tamper Protection: Monitors code integrity and detects memory patches
• Dynamic Memory Protection: Prevents Frida injection and hook attempts
• Runtime Integrity Monitor: Validates critical function hashes in real-time
• Real-Time Event Reporting: Instant alerts for security violations

# Start RASP protection
rasp = AiRootShield.start_rasp_protection(
  enable_anti_debug: true,
  enable_anti_tamper: true,
  enable_memory_protection: true,
  enable_integrity_monitor: true,
  enable_real_time_alerts: true,
  protection_interval: 1.0
)

# Register event callback
rasp.on_rasp_event do |event|
  puts "[RASP] #{event[:type]}: #{event[:message]}"
  # Take action based on threat type
end

# Check protection status
status = rasp.protection_status
puts "RASP Active: #{status[:active]}"
puts "Events Detected: #{status[:events_detected]}"

# Stop protection when done
AiRootShield.stop_rasp_protection

# Enable RASP protection during scan
$ ai_root_shield --enable-rasp --rasp-time 10 --verbose device_logs.json

# Monitor for 30 seconds with RASP
$ ai_root_shield --enable-rasp --rasp-time 30 device_logs.json

The library provides a comprehensive risk score (0-100) based on detected security factors:

• 0-20: LOW - Minimal security concerns
• 21-40: MEDIUM - Some security issues detected
• 41-70: HIGH - Significant security threats present
• 71-100: CRITICAL - Severe compromise indicators

The library expects device logs in JSON format with the following structure:

{
  "risk_score": 85,
  "factors": [
    "ROOT_BINARY_DETECTED",
    "SUPERUSER_APP_INSTALLED",
    "SELINUX_DISABLED",
    "EMULATOR_DETECTED",
    "FRIDA_SERVER_RUNNING",
    "BEHAVIORAL_ANOMALY_DETECTED",
    "ML_EMULATOR_CONFIDENCE_HIGH"
  ],
  "ai_confidence": 0.92,
  "ml_emulator_score": 0.87,
  "anomaly_indicators": [
    "SUSPICIOUS_FILE_ACCESS_PATTERN",
    "SENSOR_DATA_INCONSISTENCY",
    "ABNORMAL_TIMING_PATTERNS"
  ],
  "timestamp": 1640995200,
  "version": "0.3.0"
}

The library expects device logs in JSON format with the following structure:

{
  "platform": "android",
  "system_info": {
    "os_version": "11",
    "api_level": 30,
    "build_tags": "release-keys"
  },
  "hardware_info": {
    "model": "Pixel 5",
    "manufacturer": "Google"
  },
  "file_system": {
    "files": [
      {"path": "/system/bin/su", "permissions": "755", "owner": "root"}
    ]
  },
  "running_processes": [
    {
      "name": "system_server",
      "pid": 123
    }
  ],
  "network": {
    "proxy_settings": {"enabled": false},
    "vpn_active": false,
    "certificates": []
  },
  "hardware": {
    "device_model": "Pixel 4",
    "manufacturer": "Google",
    "sensors": ["accelerometer", "gyroscope"]
  }
}

See the examples/device_logs/ directory for complete examples.

• Su binary presence (/system/bin/su, /system/xbin/su)
• Root management apps (SuperSU, Magisk, Superuser)
• Jailbreak files (/Applications/Cydia.app, MobileSubstrate)
• SELinux status (permissive/disabled)
• Bootloader unlock status
• Custom ROM indicators

• QEMU indicators (/dev/qemu_pipe, goldfish kernel)
• Emulator packages (Genymotion, BlueStacks, Nox)
• Missing hardware components (baseband, sensors)
• Generic device identifiers
• Virtualization processes

• Frida framework (frida-server, libfrida-gadget.so)
• Xposed framework (XposedBridge.jar, Xposed installer)
• Cydia Substrate (MobileSubstrate, libsubstrate.dylib)
• Magisk modules and hiding mechanisms
• Debugging tools (gdb, lldb, strace)

• Application signature validation
• Debug certificate detection
• Repackaging indicators (test-keys, unsigned)
• DEX file tampering (Android)
• Bundle modification (iOS)
• Code injection detection

• TLS configuration and certificate pinning
• Custom CA certificate installation
• Proxy configuration detection
• MITM tool presence (Burp Suite, Charles Proxy)
• VPN analysis for suspicious patterns

• v0.1 ✅ Static root/jailbreak checks
• v0.2 ✅ Emulator/simulator detection + TLS pinning helper
• v0.3 ✅ AI behavioral model (ONNX inference) + RASP protection
• v0.4 ✅ Advanced network security + enterprise policy management
• v0.5 ✅ Platform-specific modules + CI/CD integration + SIEM connectivity
• v1.0 ✅ Enterprise Ready - Industry policy profiles + RASP+AI hybrid detection + Multi-language bindings + Advanced alerting + LTS support

Industry-Specific Policy Profiles:

• 🏦 Fintech/Banking - PCI DSS, SOX, FFIEC compliance
• 🏥 Healthcare - HIPAA, HITECH, GDPR compliance
• 🏛️ Government - FISMA, NIST 800-53, FedRAMP compliance
• 🏢 Corporate - ISO 27001, GDPR, CCPA compliance

RASP + AI Hybrid Detection:

• Real-time threat detection (< 100ms response)
• Offline deep analysis with ML models
• AI-enhanced behavioral analysis
• Hybrid confidence scoring

Multi-Language Bindings:

• 💎 Ruby (native)
• 🐍 Python bindings
• 🟢 Node.js bindings
• ☕ Java/Kotlin bindings

Advanced Reporting & Alerts:

• Syslog integration (RFC 3164/5424)
• Webhook notifications
• Slack/Microsoft Teams integration
• Real-time alerting with rate limiting

Production Optimizations:

• Memory usage optimization
• False-positive reduction algorithms
• Performance improvements
• Scalability enhancements

Bug reports and pull requests are welcome on GitHub at https://github.com/ai-root-shield/ai-root-shield.

1. Fork the repository
2. Create your feature branch (git checkout -b feature/amazing-feature)
3. Commit your changes (git commit -am 'Add some amazing feature')
4. Push to the branch (git push origin feature/amazing-feature)
5. Open a Pull Request

The gem is available as open source under the terms of the MIT License.

• Mobile banking applications
• Payment processing apps
• Cryptocurrency wallets
• Trading platforms

• Electronic health records
• Telemedicine applications
• Medical device interfaces
• Patient data management

• Secure communication apps
• Identity verification systems
• Classified information access
• Military applications

• Corporate mobile applications
• VPN clients
• Secure document viewers
• Enterprise resource planning

• Modular analyzer system for extensibility
• Risk calculation engine with weighted factors
• Offline-first design for privacy and performance
• Cross-platform support (Android/iOS)

• Lightweight footprint (~2MB)
• Fast scanning (typically <100ms)
• No network dependencies
• Minimal memory usage

• No data collection or transmission
• All processing happens locally
• No user identification or tracking
• Transparent open-source implementation

For questions, issues, or feature requests:

• GitHub Issues: Report a bug or request a feature
• Documentation: Wiki
• Security Issues: Please email ahmetxhero@gmail.com

Ahmet KAHRAMAN is a Mobile Developer & Cyber Security Expert with 10+ years of experience in Public Sector IT.

• 🌐 Website: ahmetxhero.web.app
• 🎥 YouTube: @ahmetxhero
• 💼 LinkedIn: linkedin.com/in/ahmetxhero
• 🐤 Twitter: @ahmetxhero
• 📧 Email: ahmetxhero@gmail.com
• 🏠 Location: Ankara, Turkey 🇹🇷

Education & Expertise:

• Master's Degree in Forensic Informatics (Gazi University)
• Certified Ethical Hacker (CEH)
• Digital Forensics Expert
• Mobile Development (iOS, Android, Flutter)
• Cybersecurity & Penetration Testing

AI Root Shield - Protecting mobile applications from compromise, one device at a time. 🛡️