The proliferation of mobile devices has created an app-centric global marketplace which is driving innovation, new businesses and business models, and opening up new revenue streams across all industries. Its increasing importance to organisations and consumers means that now more than ever, there needs to be an understanding of the risks and threats facing mobile application development.
In a study of the top applications for iOS and Android, Arxan found that 90% of the top 230 applications had been hacked or tampered with in some way. This could involve circumvented security (such as removing jailbreak detection), unlocked or modified features, free pirated copies of paid versions, ad-removed versions, and applications that had been infected with malware.
Increasingly, we are seeing that the drive to produce the next mobile application is putting considerable pressure on app developers, pushing them to rapidly add more features at the expense of security. This leaves them with little to no time to focus on developing the security that protects the application's integrity, such as internal controls and protecting the code from malware insertion or intellectual property theft.
Security shouldn’t stifle innovation
App owners need to not only allow developers to keep up with the demand for new features, but also empower them to produce innovative mobile applications that are inherently secure. Mobile devices can’t be fully trusted and therefore security must be incorporated directly into the application.
Even flawlessly coded applications are vulnerable to reverse-engineering and code tampering, allowing cyber criminals to change or modify applications to incorporate malicious code. In a different study, 30 banking applications on the Android market were found to be vulnerable to these types of attack. Once an attacker gets hold of an unprotected application, it can be reversed back to its high-level source code, in a process called decompilation. This is a relatively straightforward process, which can be done using freely available tools on the internet.
Once an application has been decompiled it is then relatively straightforward to locate and compromise critical logic and data, if you know what you’re looking for. As an example, some banking applications include jailbreak detection, which prevents users from accessing the application on a device that has been compromised. Once an attacker has located the jailbreak detection code, no matter how sophisticated its logic may be, it can usually be defeated by changing a few bytes in the code.
Security needs to be built into the process; it is not a one click solution
App owners and developers have a duty of care to their users, and in order to protect their data, developers need to start implementing “application hardening” techniques at the beginning of the process, so that it becomes second nature. That is to say, build security processes into the app that will yield self-aware, self-defending and tamper-resistant applications. Some of these steps may include:
- Code Obfuscation – Defend against reverse-engineering by transforming program code and its control flow into an unintelligible form
- Symbol stripping and renaming – Remove unused program symbols from application binaries, and change the easy-to-understand names of symbols that can’t be removed to meaningless ones
- String encryption – Hide clear-text strings by storing them in encrypted form and decrypting them only when needed at runtime
- Self-repair – Special logic that can erase attack changes made to critical code or data by restoring their original values at runtime
- Alerts – Alert local and remote servers or security management systems.
When applied appropriately, self-defence techniques such as the above can make an application highly resilient against attacks, even on rooted or jailbroken devices, and capable of independently detecting whether its own state has been modified and taking remedial action as needed.
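The self-repair and alert steps listed above, as an added example that is not from the original article or any vendor product: a native C fragment that keeps a hashed, masked reference copy of critical runtime state, detects when the live copy has been modified, restores it and raises an alert. The state struct, the fixed mask and the use of FNV-1a as the integrity hash are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Critical runtime state that a tampered binary might try to change
   (constructed example fields). */
typedef struct {
    uint32_t jailbreak_checks_enabled;  /* 1 = enforce device checks */
    uint32_t max_txn_limit;             /* constructed business limit */
} critical_state_t;

/* FNV-1a 32-bit: small, dependency-free integrity hash over raw bytes. */
static uint32_t fnv1a(const void *data, size_t len) {
    const uint8_t *p = (const uint8_t *)data;
    uint32_t h = 0x811c9dc5u;
    for (size_t i = 0; i < len; i++) { h ^= p[i]; h *= 0x01000193u; }
    return h;
}

/* Live state plus a masked reference copy (so the two copies do not
   share an identical byte pattern) and the hash the live copy must match. */
typedef struct {
    critical_state_t live;
    uint8_t masked_ref[sizeof(critical_state_t)];
    uint32_t expected_hash;
    int tamper_events;
} guarded_state_t;

static const uint8_t MASK = 0x5a;  /* assumption: fixed mask for illustration */

void guard_init(guarded_state_t *g, const critical_state_t *initial) {
    const uint8_t *src = (const uint8_t *)initial;
    g->live = *initial;
    for (size_t i = 0; i < sizeof(critical_state_t); i++) g->masked_ref[i] = src[i] ^ MASK;
    g->expected_hash = fnv1a(initial, sizeof(critical_state_t));
    g->tamper_events = 0;
}

/* Self-repair check: returns 0 if the live state is intact; otherwise restores
   it from the reference copy, records an alert and returns 1. Call it at
   sensitive points (before a transaction, after returning from background). */
int guard_check(guarded_state_t *g) {
    uint8_t *dst = (uint8_t *)&g->live;
    if (fnv1a(&g->live, sizeof(g->live)) == g->expected_hash) return 0;
    for (size_t i = 0; i < sizeof(g->live); i++) dst[i] = g->masked_ref[i] ^ MASK;
    g->tamper_events++;
    fprintf(stderr, "integrity alert: critical state restored (event %d)\n", g->tamper_events);
    return 1;
}
```

In a real application the alert would also be reported to a remote security management system, and the reference copy and hash would themselves be protected by the obfuscation and string-encryption steps above.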
Currently most threats are aimed at the individual, but as smartphone usage continues to grow, it will only be a matter of time before we see a mobile application used as a pivot point into a corporate network. Mobile developers must proactively include application integrity protection as an essential component of their application risk mitigation strategies. Mobile application integrity practices should of course be complementary to other well-established app security practices such as secure coding.