Post on 18-May-2018
The global reference in mobile application protection
Mobile application threats
irasara.senarathne@guardsquare.com, Pre-sales & services engineer
Janus vulnerability: allows hackers to modify apps without affecting their signatures
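As an added illustration of the Janus issue described above (example code written for this page, not from the deck or from GuardSquare): a small Python check that flags an APK whose bytes also begin with a DEX header, and reports whether the file carries an APK Signing Block (signature scheme v2 and later), which covers the whole file rather than only the individual ZIP entries that the v1 JAR signature protects. The sample APK is a constructed in-memory ZIP, not a real application.

```python
import io
import struct
import zipfile

DEX_MAGIC = b"dex\n"                       # every DEX file starts with "dex\n" + version + NUL
EOCD_SIG = b"PK\x05\x06"                   # ZIP end-of-central-directory signature
APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"  # trailing magic of the APK Signing Block (v2/v3)


def find_eocd(data: bytes) -> int:
    """Return the offset of the ZIP end-of-central-directory record, or -1 if absent."""
    # The EOCD is 22 bytes plus an optional comment of up to 65535 bytes, so search the tail.
    tail = data[-(22 + 0xFFFF):]
    idx = tail.rfind(EOCD_SIG)
    return -1 if idx < 0 else len(data) - len(tail) + idx


def has_v2_signing_block(data: bytes) -> bool:
    """True if an APK Signing Block sits directly before the central directory."""
    eocd = find_eocd(data)
    if eocd < 0 or eocd + 22 > len(data):
        return False
    # Central directory offset is the little-endian u32 at byte 16 of the EOCD record.
    cd_offset = struct.unpack_from("<I", data, eocd + 16)[0]
    return cd_offset >= 16 and data[cd_offset - 16:cd_offset] == APK_SIG_BLOCK_MAGIC


def check_apk(data: bytes) -> dict:
    """Classify raw APK bytes: valid ZIP, DEX header present, Janus hybrid, v2+ signed."""
    is_zip = find_eocd(data) >= 0
    dex_header = data.startswith(DEX_MAGIC)
    return {
        "is_zip": is_zip,
        "dex_header": dex_header,
        "janus_hybrid": is_zip and dex_header,  # a DEX header on a ZIP: reject the file
        "v2_signed": has_v2_signing_block(data),
    }


def _constructed_apk(prefix: bytes = b"") -> bytes:
    """Constructed sample: a tiny ZIP standing in for an APK, optionally with bytes prepended."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
    return prefix + buf.getvalue()


if __name__ == "__main__":
    print(check_apk(_constructed_apk()))                         # clean sample
    print(check_apk(_constructed_apk(prefix=b"dex\n035\x00")))   # hybrid sample is flagged
```

A file that fails the hybrid check should be rejected before any signature verification; requiring a v2+ signature on the install path closes the gap for the general case.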
Mobile threats

Mobile apps are ubiquitous
• Easily, freely available
• Easily accessible
• Relied upon for everyday tasks: banking, commuting, entertainment etc.

However, this also means:
• Wealth of sensitive info exchanged over the app
• Lures hackers
• Just as easily accessible to hackers
• Vulnerability for apps
Offline: static attacks
Hackers transform the code into human-readable format to find and exploit vulnerabilities

Offline: static analysis
• Analyze the application source code
• Disassemblers: dexdump, baksmali
• Decompilers: dex2jar + jad, JD-GUI, JEB, Procyon, CFR etc.
• Resources: aapt, apktool, etc.
On-device: dynamic attacks
Hackers gather knowledge of the application’s behaviour and modify it at runtime

On-device: dynamic analysis
• Perform dynamic binary instrumentation to learn about the application’s runtime behavior
• Using debuggers such as adb, IDA Pro etc.
• Subverted runtime: Xposed, Substrate, Frida
• Cracking tools: Lucky Patcher
Mobile threats
• Piracy
• API key extraction
• Financial fraud
• Cloning & IP theft
• Malware insertion
• Credential harvesting
Consequences of a hacked application
• Revenue loss
• Reputational damage
• Fines & retributions
• Incident handling cost
Mobile application attacks
• DDoS attacks
• Intellectual property theft
• Reputational damage
• Stealing API keys
Mobile application protection

Secure coding practices
• Secure design and architecture
• Proper use of the platform
• Secure data storage
• Secure communication
• Cryptography
• Authentication and session management
• Code quality
• Pentesting
• Secure code guiding tools
• Logging code removal
• ...

Good reference! OWASP Mobile Security Testing Guide: https://www.owasp.org/index.php/OWASP_Mobile_Security_Testing_Guide#tab=Main
Protecting against code reverse engineering
• Name obfuscation
• String encryption
• Class encryption
• Asset encryption
• Native library encryption
• Control flow obfuscation
• Arithmetic obfuscation
• etc.

Protecting against dynamic analysis attacks
• Tamper detection
• Hook detection
• Root detection
• Debugger detection
• Emulator detection
• SSL pinning
GuardSquare, advanced mobile app protection
• ProGuard: open source, Java and Android, part of the Android SDK; static protection
• DexGuard: commercial, specialized for Android; static & dynamic protection
• iXGuard: commercial, specialized for iOS; static & dynamic protection
DexGuard: obfuscation example
[Slide images not included in this text: original code, decompiled unprotected code, and decompiled obfuscated code]
Thank you