think like a hacker! common techniques used to exploit mobile apps


Uploaded by ibm-security, posted 04-Jul-2015


DESCRIPTION

How much emphasis are you placing on application protection? In a recent report, Gartner recommended that CISOs (Chief Information Security Officers) “make application self-protection a new investment priority, ahead of perimeter and infrastructure protection” and recommended that “every app needs to be self-aware and self-protecting”. The first step in learning how to protect and defend your applications from hackers is to think like one. During this session, you’ll learn just how easy it is for hackers to leverage widely available third-party tools to completely disable and compromise iOS and Android mobile apps. This can lead to unauthorized access to source code, tampering of apps to enable advanced malware attacks, theft of sensitive data, and more. You will:

- Learn about the evolution of the mobile threat landscape
- View a live demonstration of various reverse-engineering and tampering attacks and how hackers use third-party tools to compromise app integrity (e.g. Clutch, IDA, Hex-Rays, otool, class-dump, Theos, gdb/nm/strings, debuggers, etc.)
- Learn how to mitigate application binary risk and implement new approaches to mobile app security that protect applications at run-time

View the full on-demand webcast: https://www2.gotomeeting.com/register/631385058

TRANSCRIPT

Page 1: Think Like a Hacker! Common Techniques Used to Exploit Mobile Apps

Arxan & IBM Present: THINK LIKE A HACKER: COMMON TECHNIQUES TO HACK MOBILE APPS AND HOW TO MITIGATE THOSE RISKS

© 2014 IBM Corporation

Page 2: Agenda

IBM Security Systems

Are Mobile Apps Really At Risk?
Dissecting A Mobile App “Break In”
Mobile App Protection Techniques

Page 3: Are Mobile Apps Really At Risk?

Page 4: Typical Software Security Lifecycle

Phases: Plan; Design, Build, Test; Test, Deploy.

Activities: High-Level Risk Assessments; Security Policy Review; Define Security Requirements; Security Architecture Review; Threat Modeling; Static Analysis; Dynamic Testing; Penetration Testing; Application Monitoring; Secure Code Review; Secure Coding Training; Final Functional & Security Testing.

Produces a “Secure” Application with few, known and acceptable vulnerabilities. BUT …

Page 5: Even Secure Mobile Apps can be Hacked

Application Environment vs. Application Security Model:

Centralized, trusted environment (Web apps; Data center custom apps). Attackers do not have easy access to the application binary. Security model: Vulnerability Analysis and Flaw Remediation (“Build It Secure”).

Distributed or untrusted environment, “Apps in the Wild” (Mobile Apps; Internet of Things / Embedded; Packaged Software). Attackers can easily access and compromise the application binary. Security model: Vulnerability Analysis and Flaw Remediation (“Build It Secure”) plus Application Hardening and Run-Time Protection (“Keep It Secure”).

Page 6: The Problem Is Real

• “78 percent of top 100 paid Android and iOS Apps are available as hacked versions on third-party sites” (“State of Security in the App Economy”, Arxan, 2013)

• “Chinese App Store Offers Pirated iOS Apps Without the Need to Jailbreak” (Extreme Tech, 2013)

Page 7: What’s Happening with Hacked Apps?

The Payoff for Hackers…

• Piracy and unauthorized distribution
• IP theft (e.g. proprietary algorithms) via reverse engineering
• Sensitive information (e.g. usernames, passwords, keys, certificates)
• Bypass security controls (e.g. authentication, encryption, licensing, DRM, root/jailbreak detection, ads)
• Insertion of malware or exploits in the application and repackaging

Chart: Ratio of Malicious to Non-Malicious Fake Apps* (*Trend Micro Research: Fake Apps Feigning Legitimacy, 2014)

Page 8: The Problem Is Real: Mobile Malware Growth Is Logarithmic

Chart: Total Count of Mobile Malware. Source: McAfee Labs Threats Report August 2014

Page 9: The Risk is Growing

• Increasing number of apps
• Faster release cycles
• Use of third party components / frameworks
• Increasing functionality on client-side (e.g. NFC, Host Card Emulation)
• On-prem server-side software
• Improved hacking tools (jailbreak detection avoidance; Cydia Mobile Substrate on Android)

Driven by: Competition; User Demand

Page 10: The Industry is Taking Notice

Analysts: “Make application self-protection a new investment priority, ahead of perimeter and infrastructure protection.” “It should be a CISO top priority.” - Gartner

“It (‘application hardening and run-time protection’) is a critical component in the strategy to secure enterprise software, embedded systems, mobile apps and the much-bandied ‘Internet of Things’.” - 451

Consultants: “Implement resistance against runtime manipulation and leverage code obfuscation to complicate reverse engineering, and use anti-tamper mechanisms” - viaForensics Best Practices Guide

Page 11: Dissecting A Mobile App “Break In”

Page 12: Anatomy of Attacks on Mobile Apps

Reverse-engineering app contents:

1. Decrypt the mobile app (iOS apps)
2. Open up and examine the app
3. Create a hacked version
4. Distribute App

Outcomes: extract and steal confidential data; create a tampered, cracked or patched version of the app; release / use the hacked app; use malware to infect/patch the app on other devices.

Page 13: But isn’t My App Encrypted?

Well, yes, but …

iTunes Code Encryption Bypass

• It is easy for hackers to bypass iOS encryption to progress a mobile app attack.

Page 14: Dissecting A Mobile App “Break In”: What’s In Your App

Page 15: Bank of Arxan Demo App

Login to App

Connect to Server

Page 16: What’s in Your App?

It’s easy to find out …

• On iOS: class-dump

Page 17: What’s in Your App?

It’s easy to find out …

• On iOS: strings

Page 18: Dissecting A Mobile App “Break In”: Circumventing If-Then-Else Protections (Hex Hacks)

Page 19: Would you Post your Source Online?

It’s close …

• Disassemblers / Decompilers: IDA Pro, Hopper, baksmali … and more!

Assembly Code

Pseudo Code

Page 20: A Couple of Bytes Later …

Hex’d!

• NOP out the jailbreak detection

Pseudo Code

Page 21: Testing the Hack

Hacked App vs. Original App: Jailbreak Detection Defeated!

Page 22: Dissecting A Mobile App “Break In”: Swizzling

Page 23: The Danger of Jailbreak

Method Swizzling is an Objective-C Feature

Method swizzling is the process of changing the implementation of an existing selector. It’s a technique made possible by the fact that method invocations in Objective-C can be changed at runtime, by changing how selectors are mapped to underlying functions in a class’s dispatch table.

But on jailbroken devices, method swizzling can be used by hackers to change your application’s behavior!

Page 24: The Method Swizzling Hack

A Drive-By Hacking!

Swizzle with Code Substitution

• Hackers leverage infected code to attack critical class methods of an application, intercept API calls and execute unauthorized code, leaving no trace because the code reverts to its original form afterwards.
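The dispatch-table mechanism described on these two slides, together with the swizzling detection the deck lists later under tamper prevention, modelled in plain C as an added example (not code from the deck, Arxan or IBM): a selector-to-IMP table, the swap an injected tweak performs, and a launch-time IMP snapshot the app re-verifies before sensitive calls. The table types and function names are illustrative stand-ins for the Objective-C runtime; only the IMP concept is borrowed from it.

```c
#include <stddef.h>
#include <string.h>
/* Added illustration (not code from the deck, Arxan or IBM): a plain-C model of an
 * Objective-C dispatch table mapping selector names to IMPs. Swizzling rewrites that
 * mapping; the defence snapshots critical IMPs at launch and re-checks them before use.
 * Every name except the IMP concept is an illustrative stand-in, not the ObjC runtime API. */
typedef int (*IMP)(void);                                    /* implementation pointer */
typedef struct { const char *selector; IMP imp; } MethodEntry;
typedef struct { MethodEntry methods[8]; size_t count; } DispatchTable;

int real_is_jailbroken(void) { return 1; }   /* genuine check; the demo device IS jailbroken */
int real_login(void)         { return 0; }   /* genuine login path; 0 = refused */
int fake_is_jailbroken(void) { return 0; }   /* substitute an injected tweak installs: "all clear" */

void init_dispatch(DispatchTable *t) {
    t->count = 0;
    t->methods[t->count++] = (MethodEntry){ "isJailbroken", real_is_jailbroken };
    t->methods[t->count++] = (MethodEntry){ "login", real_login };
}

/* Selector lookup: what the runtime does on every message send. */
IMP lookup(const DispatchTable *t, const char *sel) {
    for (size_t i = 0; i < t->count; i++)
        if (strcmp(t->methods[i].selector, sel) == 0) return t->methods[i].imp;
    return NULL;
}

/* Swizzle: repoint the selector at a new IMP and return the old one. */
IMP swizzle(DispatchTable *t, const char *sel, IMP replacement) {
    for (size_t i = 0; i < t->count; i++)
        if (strcmp(t->methods[i].selector, sel) == 0) {
            IMP old = t->methods[i].imp; t->methods[i].imp = replacement; return old;
        }
    return NULL;
}

/* Defence step 1 (at launch): record the IMP behind each critical selector. */
size_t snapshot_imps(const DispatchTable *t, MethodEntry *out) {
    for (size_t i = 0; i < t->count; i++) out[i] = t->methods[i];
    return t->count;
}

/* Defence step 2 (before a sensitive call): 1 if every recorded IMP is unchanged,
 * 0 if some selector now resolves elsewhere, e.g. after a Substrate hook. */
int verify_imps(const DispatchTable *t, const MethodEntry *snap, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (lookup(t, snap[i].selector) != snap[i].imp) return 0;
    return 1;
}
```

In a real app the snapshot would hold addresses taken from the Objective-C runtime at startup, and a mismatch would feed the "take action upon detection" step from the best-practices slide.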

Page 25: Last Step: Distribute App

There are a number of ways to distribute hacked apps.

• Put on non-iOS / Android app stores; many with no/limited review process
  – Hundreds of app stores globally: Blackberry, cross-platform, manufacturer-specific app stores (Samsung, Cisco, etc.), operator/carrier app stores (China Mobile, T-Mobile, etc.)
• Apple App Store has a review process, but there are ways to get through it
  – In the review process, an automated tool evaluates the legitimacy of apps
  – But the owner of the app can hide what the app is doing
  – … or can distribute via an enterprise deployment model (B2E)
• Three options for Android app distribution; none have a formal review process
  – Offer via Google Play
  – Release via your website
  – Release via email
  – Note: Android users are warned that they are downloading from an unofficial store, unless they enable automatic downloads

Sample App Stores

Page 26: The Hacker’s Toolbox

Category / Example Tools

App decryption / unpacking / conversion:
• Clutch
• APKTool
• dex2jar

Static binary analysis, disassembly, decompilation:
• IDA Pro & Hex-Rays (disassembler/decompiler)
• Hopper (disassembler/decompiler)
• JD-GUI (decompiler)
• Baksmali (disassembler)
• Info dumping: class-dump-z (classes), nm (symbols), strings

Runtime binary analysis:
• GDB (debugger)
• ADB (debugger)
• Introspy (tracer/analyzer)
• Snoop-It (debugging/tracing, manipulation)
• Sogeti tools (dump keychain or filesystem, custom ramdisk boot, PIN brute force)

Runtime manipulation, code injection, method swizzling, patching:
• Cydia Substrate (code modification platform: MobileHooker, MobileLoader)
• Cycript / Cynject
• DYLD
• Theos suite
• Hex editors

Jailbreak detection evasion:
• xCon, BreakThrough, tsProtector

Integrated pen-test toolsets:
• AppUse (custom "hostile" Android ROM loaded with hooks, ReFrameworker runtime manipulator, reversing tools)
• Snoop-It (iOS monitoring, dynamic binary analysis, manipulation)
• iAnalyzer (iOS app decrypting, static/dynamic binary analysis, tampering)

Page 27: Mobile App Protection Techniques

Page 28: Can you say: Ob-fu-sca-tion!

Confuse the Hacker

• Dummy Code Insertion
• Instruction Merging
• Block Shuffling
• Function Inlining
• … and More!

Turns this into this …

Page 29: Preventing Reverse Engineering

Other Techniques

• Method Renaming
• String Encryption
• … and More!

String not found. Where did it go?

Page 30: Preventing Tampering

Common Techniques

Jailbreak Detection: Am I on a jailbroken device?

Checksum: Has the binary changed? If so, let me know so I can do something about it!

Method Swizzling Detection: Is someone hijacking my code?

Debug Detection: Is a debugger running?
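Two of these checks as an added example (not code from the deck or from any Arxan product): a checksum guard that catches the hex-editor NOP patch demonstrated earlier, and a debugger check for Linux/Android that reads TracerPid from /proc/self/status (on iOS the equivalent is a sysctl query for the process's P_TRACED flag). The five-byte code image and the status-file text used in the assertions are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not from the deck. FNV-1a over a memory range. In a shipped app the
 * range is the app's own code segment and the expected value is computed at build time
 * and stored (ideally itself obfuscated, per the "don't show your cards" advice). */
uint32_t fnv1a(const uint8_t *p, size_t n) {
    uint32_t h = 0x811c9dc5u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x01000193u; }
    return h;
}

/* Checksum guard: 1 if the protected range still hashes to the recorded value. */
int image_intact(const uint8_t *image, size_t n, uint32_t expected) {
    return fnv1a(image, n) == expected;
}

/* Constructed stand-in for a protected code range: "test rax,rax ; jne +5", the kind of
 * if-then-else check a hex editor turns into NOPs (0x90). Returns 1 if the patch is caught. */
int demo_detects_nop_patch(void) {
    uint8_t code[] = { 0x48, 0x85, 0xc0, 0x75, 0x05 };
    uint32_t golden = fnv1a(code, sizeof code);      /* value recorded "at build time" */
    code[3] = 0x90; code[4] = 0x90;                  /* the branch is NOPed out */
    return image_intact(code, sizeof code, golden) ? 0 : 1;
}

/* Debug detection (Linux/Android): parse TracerPid from /proc/<pid>/status text.
 * A non-zero value means a native debugger or tracer (gdb, strace, ...) is attached.
 * Returns -1 if the field is missing. */
long tracer_pid_from_status(const char *status_text) {
    const char *p = strstr(status_text, "TracerPid:");
    if (!p) return -1;
    return strtol(p + strlen("TracerPid:"), NULL, 10);   /* strtol skips the tab */
}

/* Read our own status file; -1 if it cannot be read (e.g. not on Linux). */
long tracer_pid_of_self(void) {
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    buf[n] = '\0';
    fclose(f);
    return tracer_pid_from_status(buf);
}
```

Both checks are only useful if the app also acts on a failure and varies when it runs them, as the next slide's best practices spell out.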

Page 31: Some Best Practices

… and Other Considerations

• It’s more than just obfuscation: use multiple techniques
• Take action upon detection (e.g. phone home, fail, limit functionality)
• Add some variability (e.g. frequency of use, techniques used)
• Update internal policies related to the SDLC to ensure binary risks are covered
• Don’t show your cards to the hacker

Page 32: Steps to Protect an Application with Arxan

Arxan GuardSpec: Identify risks and define what requires protection. Defines which Guards to place in the mobile app to protect it, and where to place them.

Original App (to be released).

Arxan Guards: Many different Guard types; thousands of Guard instances.

Arxan Protection Engine (Guard Injection Engine): The engine automates insertion of the Guard Network into the app during the normal build process, without a need to modify source code.

Protected App (now ready for release): Protected version of the app with Guards dissolved into the binary, so they cannot be identified or isolated.

Arxan Application Protection

Page 33: World’s Strongest App Protection, Now Sold & Supported by IBM

Benefit of your existing trusted relationship with IBM

• Arxan’s technology is now available from IBM: Sales, Solution, Services and Support from IBM, with close collaboration between IBM and Arxan to ensure your success
• Leverage your existing procurement frameworks and contract vehicles (IBM Passport Advantage, ELAs, Perpetual License, Elite Support, etc.) for purchasing Arxan products, and take advantage of your relationship pricing and special discounts from IBM

Leverage Arxan as part of a comprehensive solution portfolio from IBM to holistically secure mobile apps, with value-adding validated integrations

• Enables a unique ‘Scan + Protect’ application security strategy and best practice for building it secure during development (AppScan) and keeping it secure when deployed “in the wild” (Arxan)
• Value-adding Arxan integrations, validations, and interoperability testing with other IBM products (e.g., IBM AppScan, IBM Trusteer, IBM Worklight)

Page 34: Special Offers to Webinar Participants

Now offered as part of IBM’s Security Portfolio: webinar participants are eligible for a Free Evaluation of “Arxan Application Protection for IBM Solutions”.

Curious how your app binary is exposed to hacking? Get a Free Assessment of your app’s binary exposures in 9 categories.

NEXT STEP: Contact your IBM representative or email [email protected] for more information.

Page 35: Additional Resources

Arxan/IBM White Paper: Securing Mobile Apps in the Wild
http://www.arxan.com/securing-mobile-apps-in-the-wild-with-app-hardening-and-run-time-protection/

How to Hack An App
https://www.youtube.com/watch?v=VAccZnsJH00