July 5, 2020

    How Application Hardening Prevents Common Mobile App Security Issues

    Mobile application security threats, unfortunately, are becoming more and more prevalent. According to Verizon’s 2020 Mobile Security Index, 43 percent of organizations admitted they sacrificed mobile security in the past year, and those that did were twice as likely to experience a compromise. Hackers actively seek out vulnerable applications—especially mobile apps—for reverse-engineering and other types of tampering or fraud. 

    However, application hardening is one way to protect mobile applications, making them much more difficult targets for attackers to penetrate. By layering multiple types of security defenses, you can protect your applications against some of the most common types of attacks hackers use today.

    In this blog post, we’ll look at the three categories of mobile threats, how hackers execute common attacks, and how code hardening layered with other app security protections can defend against attackers.

    Two categories of mobile threats

    Typically, there are two main categories of mobile threats that originate from tools commonly used by hackers: 

    • Static analysis:  In these types of attacks, malicious users attempt to decompile or disassemble applications offline, on a local machine. During a static attack, a hacker may look at your organization’s source code, and attempt to reverse engineer it to understand how the app functions. From there, they may look for further security vulnerabilities within the application or sensitive information to extract.
    • Dynamic analysis and runtime attacks: These are attempts at understanding the way in which an application works or at modifying its intended behavior at runtime. Usually, the hacker will run an app on a test device, where they may try to modify the way in which the application functions using hooking frameworks, or try to gain insight into his inner workings using a debugger. For example, a hacker may try to hook a function of the application to make a license check always run true in order to gain unauthorized access to an app.

    These attacks are serious, as they can target an organization's intellectual property, sensitive information contained by the code, or revenue-generating parts of the application, such as advertising and premium features. If apps remain unprotected, organizations can lose money, suffer reputational damage, or compromise valuable customer data.

    How hackers execute mobile attacks

    For static analysis attacks, hackers typically use disassemblers or decompilers to determine if any sensitive information is exposed within the application. Dynamic attacks, on the other hand, require  a test device to run applications. A malicious user, for instance, may attach a debugger tool to an application to get a memory dump, or hook the application to change the implementation of certain methods (e.g. making premium features free).

    Here are a few examples of mobile security attacks hackers commonly execute: 

    • API key extraction: Hackers can access the application’s source code and search for API keys. By extracting these keys, the hacker can use them in their own application to use  a paid service for free. Or, attackers can distribute API keys publicly, which can result in a loss of money for the targeted company.
    • Cloning, malware insertion, and IP theft: In these attacks, hackers download an app and modify it to inject malware, distribute clones, steal IP, disable license checks, and more. They often distribute cloned apps in an app marketplace, fooling legitimate users into thinking the copy is the actual application.
    • Piracy and credential harvesting: If an attacker downloads an app, modifies, and distributes it, they can send a user’s credentials to their own backend server to steal data or gain access to services for free. In some cases, hackers redistribute these credentials for profit.

    There are many examples of these types of attacks in the wild. On Android devices, the Pokemon Go app was targeted by cheaters who spoofed the GPS coordinates on rooted devices to create a joystick within the app to alter its functionality. Even though the app developers created and implemented a simple root checker, the hackers found out how to bypass these controls. On iOS, the Photo Vault and Keepsake apps were targeted by reverse-engineering, where hackers found that access codes were stored in plain text. Using a jailbroken device, hackers navigated directories to gain access to these plain text passwords. They also implemented a hooking attack to bypass a lock screen altogether. In this case, the app developers did not implement hooking detection or static analysis prevention tools, leaving them open to these attacks.

    How application hardening defends against attacks

    When defending against these types of attacks, many organizations attempt to take a DIY approach to protecting their apps (for example by implementing simple jailbreak (Android), root (iOS) detection mechanisms, or debugger detection). However, hackers can easily see when these types of approaches are implemented and bypass them.

    A better approach is to layer application security by using a combination of code hardening techniques and protections at runtime. Code hardening is an effective way of protecting your APKs and SDKs for Android and iOS from reverse engineering and hacking. It consists of hardening the code at various levels through the application of multiple layers of obfuscation and encryption. Hardened code is resistant to both automated and manual analysis, meaning that most of the tools of the trade for hackers are useless.  

    Obfuscation renders code illegible without affecting its functionality. The techniques used to obscure code in this manner vary considerably. They include: 

    • Name obfuscation: The replacement of readable identifiers in the code by difficult to decipher alternatives
    • Control flow obfuscation: The modification of the logical structure of the code to make it less predictable and traceable 
    • Arithmetic obfuscation: The conversion of simple arithmetic and logical expressions into complex equivalents.

    Encryption ensures the code of the application and the data it contains cannot be accessed while the application is at rest. The encrypted code is decrypted on-the-fly when the application is executed, which guarantees that it functions as intended. To be effective, the encryption must be applied in various layers. Essential encryption techniques include string encryption, class encryption, asset encryption and resource encryption.

    Application hardening is an essential part of protection that can be layered with a complementary defense against dynamic attacks called runtime application self-protection (RASP). RASP can detect runtime threats such as an application running on a rooted or jailbroken device, an attempt at modifying app behavior through hooking, etc. – and trigger the application to react in a pre-programmed manner (such as terminating a user session). What’s more, real-time threat monitoring can detect attacks on downloaded applications as they happen, so you can stop them and shore up your security defenses for future releases.

     

    Guardsquare

    Discover how Guardsquare provides industry-leading protection for mobile apps.

    Request Pricing

    Other posts you might be interested in