by Brian Contos, AppDome VP of Customer Engagement and IDG Contributor
Mobile applications are, well, applications. And like any application they need to be protected. I’ve been blogging about attacks on mobile like mobile malware, mobile pharming and mobile phishing, and I even wrote a blog on data-at-rest encryption for mobile. This blog takes a very high-level look at a topic that gets very deep very quickly: mobile app risks related to reversing and tampering.
Anything can be hacked. Any code can be reversed or tampered with, especially on a jailbroken or rooted mobile device, where the attacker controls the operating system the app runs on. In many cases outright prevention isn’t the app developer’s goal; the goal is to change the economics of an attack.
Making the act of attempting to hack something extremely complex, lengthy and resource intensive is not something an attacker is happy to see. It’s like stealing a car. If your car is locked, has an alarm system, a lock on the steering wheel, a GPS tracker and a switch that shuts off the fuel pump if it is started incorrectly, it will slow down a thief and in most cases make them move on. But it won’t stop a motivated thief with time and resources. This is especially true if you left your keys on the roof or the thief brought a tow truck.
Motivations for hacking mobile apps
When you think about hacking a mobile app you might intuitively think about an attacker trying to get a better understanding of the app so they can reverse it and build their own, similar, possibly malicious, masquerading version. Maybe they want to modify the logic so that they can bypass certain controls like authentication or in-app purchase checks. Or perhaps they are just looking to steal sensitive data. In all these cases you would be correct. But there is a fourth and perhaps less obvious motivation.
As apps become more advanced they often have richer logic flows, and that logic interacts with an organization’s backend IT infrastructure: API endpoints, authentication tokens, embedded keys and the request formats the backend expects. Reversing an app puts knowledge of those processes, systems, networks and data in the hands of an attacker, who can use it to attack traditional IT assets directly.
Mitigating mobile app hacking
When it comes to mobile applications, making it difficult to reverse an app, tamper with an app or even attach a debugger to an app dramatically changes the economics of an attack. The main levers are:
- Building with an obfuscating compiler or a post-build obfuscation pass (symbol stripping, string encryption, control-flow flattening) makes it far harder for disassemblers and decompilers to recover the code’s structure and flow; here is an article on Stack Overflow on this topic
- Encrypting application files, resources and assets makes the logic harder to read and modify offline; paired with a runtime integrity check (verifying a checksum or signature over code and assets before they are used), it can also stop a tampered build from running
- Making the app debugger-aware (for example, checking whether a tracer process is attached) lets the app detect and frustrate reverse engineering that relies on attaching a debugger; here is a video covering the hacking of an Android game app using a popular debugger
Mobile apps have already become mission critical to organizations around the world. They carry broad access to backend systems, they hold sensitive data, and a malicious, masquerading version can do serious damage. As such, mobile app protection, from the perspective of app development, is something that all security professionals should consider when evaluating their security posture.