© 2013 IBM Corporation
Arxan & IBM Present:
THINK LIKE A HACKER: COMMON TECHNIQUES TO HACK
MOBILE APPS AND HOW TO MITIGATE THOSE RISKS
© 2014 IBM Corporation
IBM Security Systems
Agenda
Are Mobile Apps Really At Risk?
Dissecting A Mobile App “Break In”
Mobile App Protection Techniques
Are Mobile Apps Really At Risk?
Typical Software Security Lifecycle
Phases: Plan; Design, Build, Test; Test, Deploy
Activities across the lifecycle:
• High-Level Risk Assessments
• Security Policy Review
• Define Security Requirements
• Security Architecture Review
• Threat Modeling
• Secure Coding Training
• Secure Code Review
• Static Analysis
• Dynamic Testing
• Penetration Testing
• Final Functional & Security Testing
• Application Monitoring
Produces a “Secure” application with few, known and acceptable vulnerabilities.
BUT …
Even Secure Mobile Apps can be Hacked
Application Environment vs. Application Security Model
Centralized, trusted environment
• Web apps
• Data center custom apps
Attackers do not have easy access to the application binary.
Security model: Vulnerability Analysis and Flaw Remediation (“Build It Secure”)
Distributed or untrusted environment, “Apps in the Wild”
• Mobile Apps
• Internet of Things / Embedded
• Packaged Software
Attackers can easily access and compromise the application binary.
Security model: Vulnerability Analysis and Flaw Remediation, plus Application Hardening and Run-Time Protection (“Keep It Secure”)
The Problem Is Real
• “78 percent of top 100 paid Android and iOS Apps are available as hacked versions on third-party sites” (“State of Security in the App Economy”, Arxan, 2013)
• “Chinese App Store Offers Pirated iOS Apps Without the Need to Jailbreak” (Extreme Tech, 2013)
What’s Happening with Hacked Apps?
The Payoff for Hackers…
• Piracy and unauthorized distribution
• IP theft (e.g. proprietary algorithms) via reverse engineering
• Sensitive information (e.g. usernames, passwords, keys, certificates)
• Bypass security controls (e.g. authentication, encryption, licensing, DRM, root/jailbreak detection, ads)
• Insertion of malware or exploits in the application and repackaging
[Chart: Ratio of Malicious to Non-Malicious Fake Apps*]
*Trend Micro Research: Fake Apps Feigning Legitimacy (2014)
The Problem Is Real: Mobile Malware Growth Is Logarithmic
Source: McAfee Labs Threats Report August 2014
[Chart: Total Count of Mobile Malware]
The Risk is Growing
• Increasing number of apps
• Faster release cycles
• Use of third party components / frameworks
• Increasing functionality on client-side
  – Competition
  – User Demand
  – e.g. NFC, Host Card Emulation
• On-prem server-side software
• Improved hacking tools
  – Jailbreak detection avoidance
  – Cydia Mobile Substrate on Android
The Industry is Taking Notice
Analysts: “Make application self-protection a new investment priority, ahead of perimeter and infrastructure protection.” “It should be a CISO top priority.” – Gartner
“It (‘application hardening and run-time protection’) is a critical component in the strategy to secure enterprise software, embedded systems, mobile apps and the much-bandied ‘Internet of Things’.” – 451
Consultants: “Implement resistance against runtime manipulation and leverage code obfuscation to complicate reverse engineering, and use anti-tamper mechanisms” – viaForensics Best Practices Guide
Dissecting A Mobile App “Break In”
Anatomy of Attacks on Mobile Apps
Reverse-engineering app contents:
1. Decrypt the mobile app (iOS apps)
2. Open up and examine the app
3. Create a hacked version
  – Extract and steal confidential data
  – Create a tampered, cracked or patched version of the app
4. Distribute App
  – Release / use the hacked app
  – Use malware to infect/patch the app on other devices
But isn’t My App Encrypted?
Well, yes, but …
iTunes Code Encryption Bypass
• It is easy for hackers to bypass iOS
encryption to progress a mobile app
attack.
Dissecting A Mobile App “Break In”
What’s In Your App
Bank of Arxan Demo App
Login to App
Connect to Server
What’s in Your App?
It’s easy to find out …
• On iOS: class-dump (class and method names), strings (embedded string constants)
© 2014 IBM Corporation18
IBM Security Systems
Dissecting A Mobile App “Break In”
Circumventing If-Then-Else Protections
Hex Hacks
Would you Post your Source Online?
It’s close …
• Disassemblers / Decompilers
  – IDA Pro
  – Hopper
  – baksmali
  – … and more!
[Screenshots: Assembly Code, Pseudo Code]
A Couple of Bytes Later …
Hex’d!
• NOP out the jailbreak detection
[Screenshot: Pseudo Code]
Testing the Hack
Hacked App
Original App
Jailbreak Detection Defeated!
Dissecting A Mobile App “Break In”
Swizzling
The Danger of Jailbreak
Method Swizzling is an Objective-C Feature
Method swizzling is the process of changing the implementation of an existing selector. It’s a technique made possible by the fact that method invocations in Objective-C can be changed at runtime, by changing how selectors are mapped to underlying functions in a class’s dispatch table.
But on jailbroken devices, method swizzling can be used by hackers to change your application’s behavior!
The Method Swizzling Hack
A Drive-By Hacking!
Swizzle with Code Substitution
• Hackers leverage infected code to attack critical class methods of an application to intercept API calls and execute unauthorized code, leaving no trace, with the code reverting back to its original form.
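The dispatch-table mechanism described above, and the “Method Swizzling Detection” guard listed later under Preventing Tampering, as an added example that is not part of the original presentation or of Arxan’s product: a small C model of a selector-to-implementation table, a trusted snapshot of it recorded at startup, and a guard that reports which selector has been remapped. The selector names, the three implementations and the injected replacement are all constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of an Objective-C class dispatch table: each selector
 * name maps to an IMP (implementation function pointer). */
typedef int (*imp_t)(void);

typedef struct {
    const char *selector;
    imp_t       imp;
} method_entry_t;

enum { METHOD_COUNT = 3 };

/* Genuine implementations of three security-relevant methods (constructed). */
static int genuine_is_jailbroken(void) { return 1; } /* pretend the device IS jailbroken */
static int genuine_cert_pin_ok(void)   { return 1; }
static int genuine_license_valid(void) { return 1; }

static method_entry_t dispatch_table[METHOD_COUNT] = {
    { "isJailbroken", genuine_is_jailbroken },
    { "certPinOK",    genuine_cert_pin_ok   },
    { "licenseValid", genuine_license_valid },
};

/* Trusted snapshot of the IMPs, recorded at startup before any injected
 * code (a Substrate tweak, a dylib loaded through DYLD) gets to run. */
static imp_t trusted_imps[METHOD_COUNT];

void record_trusted_imps(void) {
    for (size_t i = 0; i < METHOD_COUNT; i++)
        trusted_imps[i] = dispatch_table[i].imp;
}

/* Resolve a selector through the table and call it, the way a message send
 * does. Returns -1 for an unknown selector. */
int send_message(const char *selector) {
    for (size_t i = 0; i < METHOD_COUNT; i++)
        if (strcmp(dispatch_table[i].selector, selector) == 0)
            return dispatch_table[i].imp();
    return -1;
}

/* Swizzle guard: index of the first selector whose IMP no longer matches the
 * trusted snapshot, or -1 when the table is intact. */
int find_swizzled_method(void) {
    for (size_t i = 0; i < METHOD_COUNT; i++)
        if (dispatch_table[i].imp != trusted_imps[i])
            return (int)i;
    return -1;
}

/* Models a runtime swizzle: the selector now resolves to another function.
 * Present only so the guard has something to catch. Returns 0 on success. */
int remap_selector(const char *selector, imp_t replacement) {
    for (size_t i = 0; i < METHOD_COUNT; i++)
        if (strcmp(dispatch_table[i].selector, selector) == 0) {
            dispatch_table[i].imp = replacement;
            return 0;
        }
    return -1;
}

/* Constructed stand-in for an injected IMP that hides the jailbreak. */
static int injected_always_clean(void) { return 0; }

/* Runs the scenario end to end: intact table, remap, guard fires.
 * Returns 1 when the guard flagged the remapped entry, 0 otherwise. */
int demo_guard_catches_swizzle(void) {
    record_trusted_imps();
    if (find_swizzled_method() != -1) return 0;      /* must start intact */
    if (send_message("isJailbroken") != 1) return 0; /* genuine answer */
    remap_selector("isJailbroken", injected_always_clean);
    if (send_message("isJailbroken") != 0) return 0; /* the app is now lied to */
    return find_swizzled_method() == 0;              /* entry 0 is flagged */
}

int main(void) {
    printf("guard caught swizzle: %s\n", demo_guard_catches_swizzle() ? "yes" : "no");
    return 0;
}
```

On a real iOS app the same check records `method_getImplementation(class_getInstanceMethod(cls, sel))` from the Objective-C runtime at launch and compares it again later. The caveat the deck’s best-practices slide makes applies here too: an attacker who can remap a selector can also remap the guard, so the check is only worth deploying alongside obfuscation and other guards.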
Last Step: Distribute App
There are a number of ways to distribute hacked apps
• Put on app stores other than the official iOS / Android stores; many have no/limited review process
  – Hundreds of app stores globally – BlackBerry, cross-platform, manufacturer-specific app stores (Samsung, Cisco, etc.), operator/carrier app stores (China Mobile, T-Mobile, etc.)
• Apple App Store has a review process, but there are ways to get through it
  – In the review process, an automated tool evaluates the legitimacy of apps
  – But the owner of the app can hide what the app is doing
  – … or can distribute via an enterprise deployment model (B2E)
• Three options for Android app distribution – none have a formal review process
  – Offer via Google Play
  – Release via your website
  – Release via email
  – Note: Android users are warned that they are downloading from an unofficial store – unless they enable automatic downloads
[Figure: Sample App Stores]
The Hacker’s Toolbox
Category: Example Tools
App decryption / unpacking / conversion
• Clutch
• APKTool
• dex2jar
Static binary analysis, disassembly, decompilation
• IDA Pro & Hex-Rays (disassembler/decompiler)
• Hopper (disassembler/decompiler)
• JD-GUI (decompiler)
• Baksmali (disassembler)
• Info dumping: class-dump-z (classes), nm (symbols), strings
Runtime binary analysis
• GDB (debugger)
• ADB (debugger)
• Introspy (tracer/analyzer)
• Snoop-It (debugging/tracing, manipulation)
• Sogeti tools (dump key chain or filesystem, custom ramdisk boot, PIN brute force)
Runtime manipulation, code injection, method swizzling, patching
• Cydia Substrate (code modification platform) (MobileHooker, MobileLoader)
• Cycript / Cynject
• DYLD
• Theos suite
• Hex editors
Jailbreak detection evasion
• xCon, BreakThrough, tsProtector
Integrated pen-test toolsets
• AppUse (custom “hostile” Android ROM loaded with hooks, ReFrameworker runtime manipulator, reversing tools)
• Snoop-It (iOS monitoring, dynamic binary analysis, manipulation)
• iAnalyzer (iOS app decrypting, static/dynamic binary analysis, tampering)
Mobile App Protection Techniques
Can you say: Ob-fu-sca-tion!
Confuse the Hacker
• Dummy Code Insertion
• Instruction Merging
• Block Shuffling
• Function Inlining
• … and More!
[Figure: code before and after obfuscation – “Turns this into this …”]
Preventing Reverse Engineering
Other Techniques
• Method Renaming
• String Encryption
• … and More!
[Figure: “String not found” – “Where did it go?”]
Preventing Tampering
Common Techniques
• Jailbreak Detection – Am I on a jailbroken device?
• Checksum – Has the binary changed? If so, let me know so I can do something about it!
• Method Swizzling Detection – Is someone hijacking my code?
• Debug Detection – Is a debugger running?
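The checksum guard above, as an added example that is not part of the original presentation or of Arxan’s product: a hash over a protected code region, a baseline recorded for comparison, a guard that answers “has the binary changed?”, and one way to act on the result by limiting functionality rather than crashing. The code bytes, the feature levels and the function names are constructed for the example; a shipped guard would hash the binary’s mapped text segment and carry the expected value from build time.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* FNV-1a (32-bit): cheap and dependency-free, enough to notice a one-byte
 * patch. It is not a MAC: whoever locates the guard can recompute the value,
 * which is why the deck pairs checksums with obfuscation and other guards. */
uint32_t fnv1a32(const uint8_t *data, size_t len) {
    uint32_t h = 0x811c9dc5u;
    for (size_t i = 0; i < len; i++) {
        h ^= data[i];
        h *= 0x01000193u;
    }
    return h;
}

enum { CODE_LEN = 16 };

/* Constructed stand-in for a protected code region. The bytes are an x86-64
 * "return 1 if rax is non-zero, else 0" routine, playing the role of a
 * jailbreak check whose conditional branch a hex editor would target:
 *   48 85 c0         test rax, rax
 *   74 05            je   +5
 *   b8 01 00 00 00   mov  eax, 1
 *   c3               ret
 *   31 c0            xor  eax, eax
 *   c3               ret
 *   90 90            padding */
static uint8_t code_region[CODE_LEN] = {
    0x48, 0x85, 0xc0, 0x74, 0x05, 0xb8, 0x01, 0x00,
    0x00, 0x00, 0xc3, 0x31, 0xc0, 0xc3, 0x90, 0x90
};

/* Expected value. In a shipped app it is computed at build time and stored
 * (itself obfuscated) in the binary; recording it at runtime is for the demo. */
static uint32_t expected_checksum;

void record_baseline_checksum(void) {
    expected_checksum = fnv1a32(code_region, CODE_LEN);
}

typedef enum { GUARD_OK = 0, GUARD_TAMPERED = 1 } guard_status_t;

/* The checksum guard: has the protected region changed since the baseline? */
guard_status_t checksum_guard(void) {
    return fnv1a32(code_region, CODE_LEN) == expected_checksum ? GUARD_OK : GUARD_TAMPERED;
}

/* "Take action upon detection": degrade instead of crashing at the check, so
 * the failing path is harder to spot with a debugger. Feature levels are
 * constructed: 0 = browse, 1 = view balance, 2 = transfer funds. */
int feature_allowed(int feature_level) {
    if (checksum_guard() == GUARD_TAMPERED)
        return feature_level == 0;   /* only read-only browsing survives */
    return feature_level >= 0 && feature_level <= 2;
}

/* Simulates the "NOP out the jailbreak detection" edit shown in the deck:
 * the two-byte je becomes two NOPs. Present only so the guard has something
 * to detect. */
void simulate_hex_patch(void) {
    const uint8_t nops[2] = { 0x90, 0x90 };
    memcpy(&code_region[3], nops, sizeof nops);
}

int main(void) {
    record_baseline_checksum();
    printf("before patch: guard=%d transfer allowed=%d\n", checksum_guard(), feature_allowed(2));
    simulate_hex_patch();
    printf("after patch:  guard=%d transfer allowed=%d\n", checksum_guard(), feature_allowed(2));
    return 0;
}
```

The test vectors in the checks below (empty input and the single byte “a”) are the published FNV-1a 32-bit values; everything else is asserted relative to the recorded baseline, so the example does not depend on the exact constructed bytes.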
Some Best Practices
… and Other Considerations
• It’s more than just obfuscation – use multiple techniques
• Take action upon detection (e.g. phone home, fail, limit functionality)
• Add some variability (e.g. frequency of use, techniques used)
• Update internal policies related to SDLC ensuring binary risks are
covered
• Don’t show your cards to the hacker
Steps to Protect an Application with Arxan
1. Original App (to be released): identify risks and define what requires protection.
2. Arxan GuardSpec: defines which Guards to place in the mobile app to protect the app, and where to place them.
3. Arxan Protection Engine (Guard Injection Engine), using Arxan Guards: the engine automates insertion of the Guard Network in the app during the normal build process, without a need to modify source code. Many different Guard types; thousands of Guard instances.
4. Protected App (now ready for release): protected version of the app with Guards dissolved into the binary, so they cannot be identified or isolated.
Arxan Application Protection
World’s Strongest App Protection, Now Sold & Supported by IBM
Benefit of your existing trusted relationship with IBM
• Arxan’s technology now available from IBM: Sales, Solution, Services, Support from IBM, with close collaboration between IBM and Arxan to ensure your success
• Leverage your existing procurement frameworks and contract vehicles (IBM Passport Advantage, ELAs, Perpetual License, Elite Support, etc.) for purchasing Arxan products and take advantage of your relationship pricing and special discounts from IBM
Leverage Arxan as part of comprehensive solution portfolio from
IBM to holistically secure mobile apps, with value-adding validated
integrations
• Enables unique ‘Scan + Protect’ application security strategy and best practice for
building it secure during development (AppScan) and keeping it secure deployed
“in the wild” (Arxan)
• Value-adding Arxan integrations, validations, and interoperability testing with other
IBM products (e.g., IBM AppScan, IBM Trusteer, IBM Worklight)
NEXT STEP: Contact your IBM representative or email [email protected] for more information
Now offered as part of IBM’s Security Portfolio
Special Offers to Webinar Participants
• Webinar participants eligible for Free Evaluation of “Arxan Application Protection for IBM Solutions”
• Curious how your app binary is exposed to hacking? Get a Free Assessment of your app’s binary exposures in 9 categories
Additional Resources
Arxan/IBM White Paper: Securing Mobile Apps in the Wild
http://www.arxan.com/securing-mobile-apps-in-the-wild-with-app-hardening-and-run-time-protection/
How to Hack An App
https://www.youtube.com/watch?v=VAccZnsJH00