In Part One of this article we discussed the first category of potential binary risks associated with hack proof mobile apps.
A hack exposes a company to significant economic, legal and reputational risks. The impact of not having a hack proof app can be devastating and all-encompassing. I know it’s difficult as an app developer to get everything right. Time-to-market is critical in your attempt to stay competitive. You race against the clock to create a resilient app that is as defect-free as possible. But getting hacked can ruin everything for an app developer.
Here we continue to discuss the potential issues associated with mobile app security.
Reverse Engineering or Code Analysis
This is the second category of exploitable binary vulnerabilities, whereby mobile app binaries can be analyzed statically and dynamically. Using intelligence gathered from code analysis tools and activities, hackers can reverse-engineer the binaries. Then they can lift out valuable code, sensitive data, or proprietary IP from the application and re-use or re-package it. Reverse engineering or code analysis tactics include:
Android APK Reverse Engineering
In the case of Android apps, hackers can easily take an app’s binary code, downloaded from Google Play, and recreate its original source code. The process entails converting the Android app into its Java bytecode equivalent, using a free tool. The tool produces a set of Java class files which can be used to reverse engineer the app’s code. This results in a remarkably accurate recreation of the original code. Hackers like this strategy since all they need to do is to download your app.
Algorithm Decompilation and Analysis
Here, hackers often use freely accessible tools to provide quick analysis of an unprotected app. A hacker is then able to easily counterfeit an app or steal sensitive information embedded in the app about its producer. Attackers often use this strategy as a springboard for other attacks since it’s readily available. These include binary patching, code injection or method swizzling to conduct fraud or steal a user’s identity. App developers pay millions of dollars a year to solve problems with identity theft.
Understanding application internal structures and methods via Class Dumps
Hackers get a detailed understanding of the app’s symbols, class interfaces, and associated method prototypes by using the class dump tool. This type of attack is very useful on its own as a form of reverse engineering. Hackers also use it as a stepping stone to more sophisticated attacks involving method swizzling. These attacks lead to method interception by API hooking and other unauthorized app behavior modifications. The hacker will then typically conduct fraud or identity theft against the victim.
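The Android APK and class dump sections above both rest on the fact that class names ship inside the binary, which a developer can measure before release. The following Python script is an added example, not code from the original article: it does a heuristic string scan of each classes*.dex in an APK and fails the build when too many of the app's own classes keep descriptive names. The package prefix, the 4-character and 20% thresholds, and the sample APKs are assumptions constructed for illustration.

```python
import io
import re
import zipfile


def exposed_classes(apk_bytes, package_prefix):
    """Sorted class names under package_prefix found as descriptor strings in the DEX files."""
    # Type descriptors are stored as plain strings, e.g. b"Lcom/example/bank/Foo;"
    pattern = re.compile(rb"L(" + re.escape(package_prefix.encode()) + rb"[\w$/]+);")
    names = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for entry in apk.namelist():
            if re.fullmatch(r"classes\d*\.dex", entry):
                for match in pattern.finditer(apk.read(entry)):
                    names.add(match.group(1).decode("ascii"))
    return sorted(names)


def descriptive(names, min_len=4):
    """Names whose simple class name is long enough to reveal intent (assumed threshold)."""
    return [n for n in names if len(n.rsplit("/", 1)[-1].split("$")[0]) >= min_len]


def release_gate(apk_bytes, package_prefix, max_ratio=0.2):
    """True when at most max_ratio of the app's own classes keep descriptive names."""
    names = exposed_classes(apk_bytes, package_prefix)
    if not names:
        return True
    return len(descriptive(names)) / len(names) <= max_ratio


def make_sample_apk(descriptors):
    """Constructed sample: a ZIP whose classes.dex holds only a magic and descriptor strings."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr("classes.dex", b"dex\n035\x00" + b"\x00".join(descriptors) + b"\x00")
    return buf.getvalue()


if __name__ == "__main__":
    prefix = "com/example/bank/"  # hypothetical app package
    plain = make_sample_apk([b"Lcom/example/bank/LoginManager;",
                             b"Lcom/example/bank/PinValidator;",
                             b"Landroid/app/Activity;"])
    for name in exposed_classes(plain, prefix):
        print("readable in shipped binary:", name)
    print("release gate passed:", release_gate(plain, prefix))
```

To check a real build, pass the bytes of the release APK and the app's own package path in slash form.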
Making Your Apps Hack Proof
With so many avenues available, and given the ease with which hackers can exploit an app via its binary code, developers need to rewire their thinking. Developers must implement self-protection security controls within the app. Many developers use traditional techniques to confirm that code is secure, via vulnerability tests on their code and remediation of areas with conventional risk. However, unless developers harden the binary code via an automated insertion of “guards,” the application is still vulnerable to prevailing risks. And with all the emulation, dynamic loading/linking, virtualization and container technologies, your applications are completely transparent at runtime for hackers to inspect.
Today, developers can harden digital code with no impact to its source code. When implemented properly, the result is a secure binary code, protecting the application from infiltration by hackers. Security remains a key area for developers to consider because of the risks that a vulnerable app creates. After all, what good is a high-quality app if it is vulnerable to hackers?
To read the first part of this article about hack proof mobile apps, click here.
Thanks to App Developer for help in writing this article.