By Mark Noctor, EMEA Director of Sales, Arxan Technologies
The growth in smartphones has created, in recent years, an application-centric marketplace which is driving innovation. New businesses and business models are being developed and are opening up new revenue streams across all industries. Mobile’s increasing importance to organisations and consumers means that now more than ever there needs to be an understanding of the risks and threats facing mobile applications and the flaws in secure development.
Increasingly we are seeing that the drive to produce the next mobile application is putting considerable pressure on app developers, and it is driving them into a position to rapidly add new features due to consumer demand, at the expense of security. This is leaving them with little to no time to focus on developing the security for the applications that protect its integrity such as internal controls and protecting the code from malware insertion or intellectual property theft.
Nearly 90% of the top 230 iOS and Android applications have been hacked or tampered with in some way. This could involve circumvented security (such as removing jailbreak detection), unlocked or modified features, free pirated copies of paid versions, ad-removed versions, and applications that had been infected with malware.
Innovation should go hand-in-hand with security
App owners need to not only allow developers to keep up with the demand for new features, but must also empower them to produce innovative mobile applications that are inherently secure. Mobile devices can’t be fully trusted and therefore security must be incorporated directly into the application.
Even flawlessly coded applications are vulnerable to reverse-engineering and code tampering, allowing cyber criminals to change or modify applications to incorporate malicious code. Once an attacker has a copy of an unprotected application, it can be reversed back to its high level source code, in a process called decompilation. This is a relatively straight forward process than can be done in less than ten minutes using freely available tools on the internet.
Once an application has been decompiled it is then relatively straightforward to locate and compromise critical logic and data, if you know what you’re looking for. For instance once an attacker has located the jail-break detection code, no matter how sophisticated its logic may be, it can usually be defeated by changing a few bytes in the code.
Building a “self-defending” app
App owners and developers have a duty of care to their users to protect their data and to do so developers need to start implementing “application hardening” techniques at the beginning of the process. That is to say; insert security processes within the app that will yield self-aware, self-defending tamper-resistant applications. Some of these steps could include:
· Code Obfuscation — Defend against reverse-engineering by transforming program code and their control flows to an unintelligible form.
· Symbol stripping and renaming — Remove unused program symbols from application binaries and change easy-to-understand program symbol names that can’t be removed to irrelevant names.
· String encryption — Hide clear text string encodings through encryption
· Self-repair — Special logic that can erase attack changes made to critical code or data by restoring their original values at runtime
· Alerts — Alert local and remote servers or security management systems
When applied appropriately self-defence techniques can ensure an application is highly resilient to attacks, even on rooted or jailbroken devices, and can be independently capable of detecting whether its own state has been modified, and taking remedial actions as needed.
Currently most threats are still aimed at individual users via services such as mobile banking or social networking, but as smartphone usage continues to dominate and grow, it will only be a matter of time before we see a mobile application being used as a pivot point in to a corporate network. For either scenario, the growing attack surface from the rise in business to consumer or business to employee apps requires that the app owner must take some responsibility.
Mobile developers should proactively include application integrity protections as an essential component of application mitigation strategies. Mobile app integrity practices should be complimentary to other well-established app security practices such as secure coding.