SlideShare a Scribd company logo

Mobile binary code - Attack Tree and Mitigation

Download as DOCX, PDF
Sunil Paudel
Sunil Paudel

This paper proves that the mobile app's binary code is at risk. Anyone can retrieve the binary source code using the free tool like apktool. In the paper, the authors have come up with an attack tree to steal the binary code of the android mobile app doing the reverse engineering and have given the mitigation as well. The paper also has a demo where the authors have exposed the binary codes using the tool named apktool. Just for an educational purpose, the authors changed the icon of the mobile app, rebuild it using their own private key and installed it back in the android phone.

Technology
1 of 11
Lack of Binary Protections Loo Chia Feng G1301352L Sunil Paudel G1400834A Abdul Rachman G1400808F Wang Bo G1301325H
Table of Contents Introduction ....................................................................................................................................... 3 Attack Tree ......................................................................................................................................... 3 Directly steal original code: .............................................................................................................. 5 Analyze and reverse engineer a compiled mobile application code downloaded from store................. 5 Code modification/injection............................................................................................................. 6 Cryptographic key replacement .................................................................................................... 6 Method swizzling ......................................................................................................................... 6 Rogue application ........................................................................................................................ 6 Presentation layer modification using JavaScript............................................................................ 6 Mitigation........................................................................................................................................... 7 Reverse Engineering ........................................................................................................................ 7 Cryptographic key Replacement ....................................................................................................... 7 Method Swizzling: ........................................................................................................................... 7 Rogue Application ........................................................................................................................... 8 Presentation Layer modification using JavaScript .............................................................................. 8 Demo of Reverse Engineering .............................................................................................................. 8 Conclusion ........................................................................................................................................ 10 Bibliography ..................................................................................................................................... 11
Introduction We live in a mobile powered world, where nearly 7 billion mobile devices are expected to be in use by the end of 2014 and 108 billion mobile downloads are anticipated by 2017. Businesses that are most efficiently adapting to today’s “App Economy” are the most successful at deepening customer engagement and driving new revenues in this changing world. (Arxan Research, 2014) However, where business opportunities abound, opportunities for attackers abound as well. Unlike web applications, mobile software is uniquely exposed to binary risks, since application must be released to public. Attackers can directly download the application and access, compromise, and exploit binary code. For example, analyze or reverse-engineer sensitive code, modify code to change application behavior, or inject malicious code. Traditional application security practices are alone no longer sufficient to protect mobile assets from new binary vulnerabilities, since even “flawless code” can be reversed, modified, repackaged and distributed. (Arxan Research, 2013) To prevent hacking attacks on code binaries requires new security practices, binary protections. This document will define the possible hacking attacks on the code binaries and develop mitigating strategies to deal with the possible attack scenarios. Attack Tree Attack trees provide a formal, methodical way of describing the security of systems, based on varying attacks. Basically, you represent attacks against a system in a tree structure, with the goal as the root node and different ways of achieving that goal as leaf nodes. (Schneier, Schneier on Security, 1999) An attack tree (Schneier, Attack trees, 1999) is constructed by following:  Define the goal of the attack.  Check all the possibilities to achieve that goal.  Break down the possibilities in the tree diagram hierarchically.  Specify the possibilities of the path that can be followed. The main objective of our attack tree as shown in Figure 1 is to show attackers attempting alteration and obtaining of binary code. The three different possible approaches are:  Directly steal original code  Analyze and reverse engineer a mobile app downloaded from store or backup to SD card using APKoptic or Astro File Manager  Code modification/injection
Figure 1: Attack tree of binary theft protection
Directly steal original code: It can be achieved through bribery, threatening/blackmailing or hacking into the source code versioning server. Analyze and reverse engineer a mobile app downloaded from store or backup to SD card using APKoptic or Astro File Manager It can be achieved by reverse engineering using various tools which can be downloaded from the internet free of cost. The below are the steps that can be followed for reverse engineering: 1. Install the application in the device 2. Bypass the jailbreak or root detection The developer who develops the app like mobile banking may not want his app to run in jail broken or rooted devices. They might have special logic embedded in the app to detect if the device is jail broken/rooted or not. This logic has to be bypassed if we want to do reverse engineering by the use of tools such as xCon. (IBM, 2014) 3. Reverse engineering o For IOS:  If we feed the mobile app into Reverse Engineering Tool, an error is thrown saying: "The file is encrypted. The disassembly of it will likely be useless. Do you want to continue?" So first of all we have to bypass this security of apple and decrypt the content. The same can be achieved by using the tool clutch. (IBM, 2014) Clutch takes the decrypted snapshot from memory and writes it to the disk. Once we get that snapshot, we can feed into the tool (IDA PRO) and we can get the decrypted code. o For Android: The android app can be reverse engineered in two different ways:  Disassembling Transform binary Dalvik byte code (Dex) into smali (assembly code) source code using the tool such as apktool.  Decompile  Dex  Jar  Java (Tools used: Dex2jar, JDGUI)  Dex  Java (Tools used : Androguard) 4. After getting the source code, we can modify the codes for our own benefits such as: o Redirect original code methods to call other malicious code o Modify the GUI layer o Replace cryptographic key o Change the security control flows 5. Then recompile the code back and sign the application
Code modification/injection Cryptographic key replacement Applications use cryptographic key to encrypt/decrypt sensitive data. Attackers may replace the cryptographic key in order to decrypt and steal the sensitive data. Attackers may perform dataflow analysis of an application in order to identify a particular key in use. Method swizzling Method swizzling is a technique to replace or extend methods in classes that you don’t own. The attacker can take an advantage of this method to call his malicious code. Rogue application Rogue application is a malicious application which shares the same execution environment and memory resources as a target application. By the use of rogue application, the binary code of the target app can be modified. Presentation layer modification using JavaScript Presentation layer can be modified using the JavaScript to inject the malicious code and modify the binary code.
Mitigation (Carter) Review the risks to integrity and confidentiality of mobile apps from binary-level attacks and suggest few solutions to code modification and injections via the various methods below. Reverse Engineering The below steps can be incorporated to prevent the app from reverse engineering:  Remove unused program symbols (which usually convey sensitive information) from the application binaries.  Use the tool like ProGuard which shrinks, optimizes, and obfuscates the code by removing unused code and renaming classes, fields, and methods with semantically obscure names. The result is the smaller sized .apk which is difficult to do reverse engineering.  Change the easy to understand program symbol names to irrelevant names.  Encrypt the part or whole of the application when not in use and when stored in disk. Also encrypt the data within the application.  Use some special logic that can sense the use of debuggers and take appropriate action.  Use checksum to see if any cod has been tampered. Jail Break/Root Detection  Detect the existence of Cydia; Cydia is an IOS app required to install app in jail broken devices  Detect the existence of the path /private/var/stash  This is the folder created on jail broken devices  Detect non-sandboxed behavior Cryptographic key Replacement  Use dynamic keys all the time. Otherwise, the application's complier will store hardcoded keys in their raw form within the final binary. An attacker will be able to find any such key looking at the associated method calls.  If in case hardcoded key is to be used, then o Damage the static key o Repair the key just before the key is required o While using the repaired key, perform the checksum to check that the key is not tampered o After the use of the key, destroy it again Method Swizzling:  If the application is intentionally performing the swizzle, an adversary will exploit this design decision and swizzle this particular method as it will be a reliable entry point into the application. Avoid using the swizzling method.  Use of special logic that can identify the change in the code and that can take appropriate action.
Rogue Application  Use of checksum to find out if the code has been tampered  Avoid using swizzling whenever possible Presentation Layer modification using JavaScript  Perform the checksum. Compare the checksum of the files at build time to the values found at runtime.  Perform additional checksum to check if the first checksum has been tampered.  Make sure that both the checksums don't have a unique binary signature. Demo of Reverse Engineering Using the apktool, we decompiled the android apk file into snail files. For the testing purpose, we changed the icon of the android app (iMilk) and recompiled back. Steps: 1. Install the original apk in virtual android device  Command: adb install iMilk Free.apk 2. Transform the binary Dalvik byte code to smali file (it converts the apk file into the folder)  Command: apktool d iMilk Free.apk 3. Modify the codes 4. Rebuild the smali file back to apk  Command: apktool b iMilk Free iMilk_modified.apk 5. Generate the private key using keytool  Command: keytool -genkey -v -keystore my-release-key.keystore -alias alias_name -keyalg RSA -keysize 2048 -validity 10000 This example prompts you for passwords for the keystore and key, and to provide the Distinguished Name fields for your key. It then generates the keystore as a file called my-release- key.keystore. The keystore contains a single key, valid for 10000 days. The alias is a name that you will use later when signing your app. 6. Sign your app with your private key using jarsigner:  Command: jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my-release-key. keystore iMilk_modified.apk alias_name Reverse Engineering.mp4
Conclusion In conclusion, all software is made up of machine-readable code. In fact, code is what makes every program function the way it does. The code defines the software and the decisions it will make. Attacker can locate potential software code vulnerabilities and apply reverse engineering to search for patterns in the code to perform hidden functionalities. To build the binary theft protection, we examine on the conceivable methodologies for an attacker to endeavor alteration to the binary code by utilizing a within profundity examination of an attack tree conceptual diagram to break down the security of systems and subsystems. Furthermore, each subsystem is mitigated to explain on the necessary counter-measures.
Bibliography Arxan Research. (2013). State of Security in the App Economy. Arxan Research. Arxan Research. (2014). Securing Mobile Applications in the Wild with Application Hardening and Run- Time Protection. Arxan Research. Carter, J. (n.d.). Threats to Mobile Apps in the Wild. Arxan. Schneier, B. (1999). Attack trees. Dr. Dobb’s journal, 21-29. Schneier, B. (1999). Schneier on Security. Retrieved September 23, 2014, from Schneier on Security: Attack Tree: https://www.schneier.com/paper-attacktrees-ddj-ft.html

Recommended

nullcon 2011 - Reversing MicroSoft patches to reveal vulnerable code
nullcon 2011 - Reversing MicroSoft patches to reveal vulnerable codenullcon 2011 - Reversing MicroSoft patches to reveal vulnerable code
nullcon 2011 - Reversing MicroSoft patches to reveal vulnerable coden|u - The Open Security Community
 
nullcon 2011 - Penetration Testing a Biometric System
nullcon 2011 - Penetration Testing a Biometric Systemnullcon 2011 - Penetration Testing a Biometric System
nullcon 2011 - Penetration Testing a Biometric Systemn|u - The Open Security Community
 
Project Jugaad
Project JugaadProject Jugaad
Project Jugaadn|u - The Open Security Community
 
Exploring the Social Engineering Toolkit (Set) Using Backtrack 5R3
Exploring the Social Engineering Toolkit (Set) Using Backtrack 5R3Exploring the Social Engineering Toolkit (Set) Using Backtrack 5R3
Exploring the Social Engineering Toolkit (Set) Using Backtrack 5R3IJERA Editor
 
Stuxnet redux. malware attribution & lessons learned
Stuxnet redux. malware attribution & lessons learnedStuxnet redux. malware attribution & lessons learned
Stuxnet redux. malware attribution & lessons learnedYury Chemerkin
 
Online payments threats_report_matousec
Online payments threats_report_matousecOnline payments threats_report_matousec
Online payments threats_report_matousecAnatoliy Tkachev
 
Online payments-threats-2
Online payments-threats-2Online payments-threats-2
Online payments-threats-2Anatoliy Tkachev
 
The State of Credential Stuffing and the Future of Account Takeovers.
The State of Credential Stuffing and the Future of Account Takeovers.The State of Credential Stuffing and the Future of Account Takeovers.
The State of Credential Stuffing and the Future of Account Takeovers.Jarrod Overson
 

Recommended

nullcon 2011 - Reversing MicroSoft patches to reveal vulnerable code
nullcon 2011 - Reversing MicroSoft patches to reveal vulnerable codenullcon 2011 - Reversing MicroSoft patches to reveal vulnerable code
nullcon 2011 - Reversing MicroSoft patches to reveal vulnerable coden|u - The Open Security Community
 
nullcon 2011 - Penetration Testing a Biometric System
nullcon 2011 - Penetration Testing a Biometric Systemnullcon 2011 - Penetration Testing a Biometric System
nullcon 2011 - Penetration Testing a Biometric Systemn|u - The Open Security Community
 
Project Jugaad
Project JugaadProject Jugaad
Project Jugaadn|u - The Open Security Community
 
Exploring the Social Engineering Toolkit (Set) Using Backtrack 5R3
Exploring the Social Engineering Toolkit (Set) Using Backtrack 5R3Exploring the Social Engineering Toolkit (Set) Using Backtrack 5R3
Exploring the Social Engineering Toolkit (Set) Using Backtrack 5R3IJERA Editor
 
Stuxnet redux. malware attribution & lessons learned
Stuxnet redux. malware attribution & lessons learnedStuxnet redux. malware attribution & lessons learned
Stuxnet redux. malware attribution & lessons learnedYury Chemerkin
 
Online payments threats_report_matousec
Online payments threats_report_matousecOnline payments threats_report_matousec
Online payments threats_report_matousecAnatoliy Tkachev
 
Online payments-threats-2
Online payments-threats-2Online payments-threats-2
Online payments-threats-2Anatoliy Tkachev
 
The State of Credential Stuffing and the Future of Account Takeovers.
The State of Credential Stuffing and the Future of Account Takeovers.The State of Credential Stuffing and the Future of Account Takeovers.
The State of Credential Stuffing and the Future of Account Takeovers.Jarrod Overson
 
AppSecCali - How Credential Stuffing is Evolving
AppSecCali - How Credential Stuffing is EvolvingAppSecCali - How Credential Stuffing is Evolving
AppSecCali - How Credential Stuffing is EvolvingJarrod Overson
 
How Credential Stuffing is Evolving - PasswordsCon 2019
How Credential Stuffing is Evolving - PasswordsCon 2019How Credential Stuffing is Evolving - PasswordsCon 2019
How Credential Stuffing is Evolving - PasswordsCon 2019Jarrod Overson
 
Unconventional Security Devices
Unconventional Security DevicesUnconventional Security Devices
Unconventional Security DevicesRoger Johnston
 
Bb31166168
Bb31166168Bb31166168
Bb31166168IJMER
 
Honey words
Honey wordsHoney words
Honey wordsSreya Sridhar PP
 
50120130406012
5012013040601250120130406012
50120130406012IAEME Publication
 
XSS Cheat Sheet
XSS Cheat Sheet XSS Cheat Sheet
XSS Cheat Sheet newedgecs
 
Class 8, 9 and 10
Class 8, 9 and 10Class 8, 9 and 10
Class 8, 9 and 10Al Imam University
 
Ns unit 6,7,8
Ns unit 6,7,8Ns unit 6,7,8
Ns unit 6,7,8Shruthi Reddy
 
idsecconf2023 - Aan Wahyu - Hide n seek with android app protections and beat...
idsecconf2023 - Aan Wahyu - Hide n seek with android app protections and beat...idsecconf2023 - Aan Wahyu - Hide n seek with android app protections and beat...
idsecconf2023 - Aan Wahyu - Hide n seek with android app protections and beat...idsecconf
 
Internet security evaluation system documentation nikitha
Internet security evaluation system documentation nikithaInternet security evaluation system documentation nikitha
Internet security evaluation system documentation nikithaSusmitha Reddy
 
Create a software key logger
Create a software key logger Create a software key logger
Create a software key logger GiralFaurel
 
HackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware AnalysisHackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware AnalysisAntonio Parata
 
linkedin brainies
linkedin brainieslinkedin brainies
linkedin brainiesVincent lefebvre
 
V4I5201571
V4I5201571V4I5201571
V4I5201571krishan8018
 
IRJET- Obfuscation: Maze of Code
IRJET- Obfuscation: Maze of CodeIRJET- Obfuscation: Maze of Code
IRJET- Obfuscation: Maze of CodeIRJET Journal
 
u10a1 Security Plan-Beji Jacob
u10a1 Security Plan-Beji Jacobu10a1 Security Plan-Beji Jacob
u10a1 Security Plan-Beji JacobBeji Jacob
 
Mobile Penetration Testing: Episode III - Attack of the Code
Mobile Penetration Testing: Episode III - Attack of the CodeMobile Penetration Testing: Episode III - Attack of the Code
Mobile Penetration Testing: Episode III - Attack of the CodeNowSecure
 
Cracking
CrackingCracking
Crackingleighrlong
 
App security
App securityApp security
App securitywhitecryption
 
Mobile application security
Mobile application securityMobile application security
Mobile application securitywhitecryption
 
Cracking
CrackingCracking
Crackingleighrlong
 

More Related Content

What's hot

AppSecCali - How Credential Stuffing is Evolving
AppSecCali - How Credential Stuffing is EvolvingAppSecCali - How Credential Stuffing is Evolving
AppSecCali - How Credential Stuffing is EvolvingJarrod Overson
 
How Credential Stuffing is Evolving - PasswordsCon 2019
How Credential Stuffing is Evolving - PasswordsCon 2019How Credential Stuffing is Evolving - PasswordsCon 2019
How Credential Stuffing is Evolving - PasswordsCon 2019Jarrod Overson
 
Unconventional Security Devices
Unconventional Security DevicesUnconventional Security Devices
Unconventional Security DevicesRoger Johnston
 
Bb31166168
Bb31166168Bb31166168
Bb31166168IJMER
 
XSS Cheat Sheet
XSS Cheat Sheet XSS Cheat Sheet
XSS Cheat Sheet newedgecs
 

What's hot (9)

AppSecCali - How Credential Stuffing is Evolving
AppSecCali - How Credential Stuffing is EvolvingAppSecCali - How Credential Stuffing is Evolving
AppSecCali - How Credential Stuffing is Evolving
 
How Credential Stuffing is Evolving - PasswordsCon 2019
How Credential Stuffing is Evolving - PasswordsCon 2019How Credential Stuffing is Evolving - PasswordsCon 2019
How Credential Stuffing is Evolving - PasswordsCon 2019
 
Unconventional Security Devices
Unconventional Security DevicesUnconventional Security Devices
Unconventional Security Devices
 
Bb31166168
Bb31166168Bb31166168
Bb31166168
 
Honey words
Honey wordsHoney words
Honey words
 
50120130406012
5012013040601250120130406012
50120130406012
 
XSS Cheat Sheet
XSS Cheat Sheet XSS Cheat Sheet
XSS Cheat Sheet
 
Class 8, 9 and 10
Class 8, 9 and 10Class 8, 9 and 10
Class 8, 9 and 10
 
Ns unit 6,7,8
Ns unit 6,7,8Ns unit 6,7,8
Ns unit 6,7,8
 

Similar to Mobile binary code - Attack Tree and Mitigation

idsecconf2023 - Aan Wahyu - Hide n seek with android app protections and beat...
idsecconf2023 - Aan Wahyu - Hide n seek with android app protections and beat...idsecconf2023 - Aan Wahyu - Hide n seek with android app protections and beat...
idsecconf2023 - Aan Wahyu - Hide n seek with android app protections and beat...idsecconf
 
Internet security evaluation system documentation nikitha
Internet security evaluation system documentation nikithaInternet security evaluation system documentation nikitha
Internet security evaluation system documentation nikithaSusmitha Reddy
 
Create a software key logger
Create a software key logger Create a software key logger
Create a software key logger GiralFaurel
 
HackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware AnalysisHackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware AnalysisAntonio Parata
 
IRJET- Obfuscation: Maze of Code
IRJET- Obfuscation: Maze of CodeIRJET- Obfuscation: Maze of Code
IRJET- Obfuscation: Maze of CodeIRJET Journal
 
u10a1 Security Plan-Beji Jacob
u10a1 Security Plan-Beji Jacobu10a1 Security Plan-Beji Jacob
u10a1 Security Plan-Beji JacobBeji Jacob
 
Mobile Penetration Testing: Episode III - Attack of the Code
Mobile Penetration Testing: Episode III - Attack of the CodeMobile Penetration Testing: Episode III - Attack of the Code
Mobile Penetration Testing: Episode III - Attack of the CodeNowSecure
 
Mobile application security
Mobile application securityMobile application security
Mobile application securitywhitecryption
 
Blackhat Europe 2009 - Detecting Certified Pre Owned Software
Blackhat Europe 2009 - Detecting Certified Pre Owned SoftwareBlackhat Europe 2009 - Detecting Certified Pre Owned Software
Blackhat Europe 2009 - Detecting Certified Pre Owned SoftwareTyler Shields
 
Testing software security
Testing software securityTesting software security
Testing software securityAbdul Basit
 
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft WindowsInvestigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft WindowsAaron ND Sawmadal
 
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft WindowsInvestigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft WindowsAaron ND Sawmadal
 
2018 android-security-udacity-morrison chang
2018 android-security-udacity-morrison chang2018 android-security-udacity-morrison chang
2018 android-security-udacity-morrison changmjchang
 

Similar to Mobile binary code - Attack Tree and Mitigation (20)

idsecconf2023 - Aan Wahyu - Hide n seek with android app protections and beat...
idsecconf2023 - Aan Wahyu - Hide n seek with android app protections and beat...idsecconf2023 - Aan Wahyu - Hide n seek with android app protections and beat...
idsecconf2023 - Aan Wahyu - Hide n seek with android app protections and beat...
 
Internet security evaluation system documentation nikitha
Internet security evaluation system documentation nikithaInternet security evaluation system documentation nikitha
Internet security evaluation system documentation nikitha
 
Create a software key logger
Create a software key logger Create a software key logger
Create a software key logger
 
HackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware AnalysisHackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware Analysis
 
linkedin brainies
linkedin brainieslinkedin brainies
linkedin brainies
 
V4I5201571
V4I5201571V4I5201571
V4I5201571
 
IRJET- Obfuscation: Maze of Code
IRJET- Obfuscation: Maze of CodeIRJET- Obfuscation: Maze of Code
IRJET- Obfuscation: Maze of Code
 
u10a1 Security Plan-Beji Jacob
u10a1 Security Plan-Beji Jacobu10a1 Security Plan-Beji Jacob
u10a1 Security Plan-Beji Jacob
 
Mobile Penetration Testing: Episode III - Attack of the Code
Mobile Penetration Testing: Episode III - Attack of the CodeMobile Penetration Testing: Episode III - Attack of the Code
Mobile Penetration Testing: Episode III - Attack of the Code
 
Cracking
CrackingCracking
Cracking
 
App security
App securityApp security
App security
 
Mobile application security
Mobile application securityMobile application security
Mobile application security
 
Cracking
CrackingCracking
Cracking
 
Cracking
CrackingCracking
Cracking
 
Blackhat Europe 2009 - Detecting Certified Pre Owned Software
Blackhat Europe 2009 - Detecting Certified Pre Owned SoftwareBlackhat Europe 2009 - Detecting Certified Pre Owned Software
Blackhat Europe 2009 - Detecting Certified Pre Owned Software
 
Testing software security
Testing software securityTesting software security
Testing software security
 
A035401010
A035401010A035401010
A035401010
 
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft WindowsInvestigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
 
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft WindowsInvestigation of CryptoLocker Ransomware Trojans - Microsoft Windows
Investigation of CryptoLocker Ransomware Trojans - Microsoft Windows
 
2018 android-security-udacity-morrison chang
2018 android-security-udacity-morrison chang2018 android-security-udacity-morrison chang
2018 android-security-udacity-morrison chang
 

Recently uploaded

08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGSujit Pal
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 

Recently uploaded (20)

08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAG
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 

Mobile binary code - Attack Tree and Mitigation

  • 1. Lack of Binary Protections Loo Chia Feng G1301352L Sunil Paudel G1400834A Abdul Rachman G1400808F Wang Bo G1301325H
  • 2. Table of Contents Introduction ....................................................................................................................................... 3 Attack Tree ......................................................................................................................................... 3 Directly steal original code: .............................................................................................................. 5 Analyze and reverse engineer a compiled mobile application code downloaded from store................. 5 Code modification/injection............................................................................................................. 6 Cryptographic key replacement .................................................................................................... 6 Method swizzling ......................................................................................................................... 6 Rogue application ........................................................................................................................ 6 Presentation layer modification using JavaScript............................................................................ 6 Mitigation........................................................................................................................................... 7 Reverse Engineering ........................................................................................................................ 7 Cryptographic key Replacement ....................................................................................................... 7 Method Swizzling: ........................................................................................................................... 7 Rogue Application ........................................................................................................................... 8 Presentation Layer modification using JavaScript .............................................................................. 8 Demo of Reverse Engineering .............................................................................................................. 8 Conclusion ........................................................................................................................................ 10 Bibliography ..................................................................................................................................... 11
  • 3. Introduction We live in a mobile powered world, where nearly 7 billion mobile devices are expected to be in use by the end of 2014 and 108 billion mobile downloads are anticipated by 2017. Businesses that are most efficiently adapting to today’s “App Economy” are the most successful at deepening customer engagement and driving new revenues in this changing world. (Arxan Research, 2014) However, where business opportunities abound, opportunities for attackers abound as well. Unlike web applications, mobile software is uniquely exposed to binary risks, since application must be released to public. Attackers can directly download the application and access, compromise, and exploit binary code. For example, analyze or reverse-engineer sensitive code, modify code to change application behavior, or inject malicious code. Traditional application security practices are alone no longer sufficient to protect mobile assets from new binary vulnerabilities, since even “flawless code” can be reversed, modified, repackaged and distributed. (Arxan Research, 2013) To prevent hacking attacks on code binaries requires new security practices, binary protections. This document will define the possible hacking attacks on the code binaries and develop mitigating strategies to deal with the possible attack scenarios. Attack Tree Attack trees provide a formal, methodical way of describing the security of systems, based on varying attacks. Basically, you represent attacks against a system in a tree structure, with the goal as the root node and different ways of achieving that goal as leaf nodes. (Schneier, Schneier on Security, 1999) An attack tree (Schneier, Attack trees, 1999) is constructed by following:  Define the goal of the attack.  Check all the possibilities to achieve that goal.  Break down the possibilities in the tree diagram hierarchically.  Specify the possibilities of the path that can be followed. The main objective of our attack tree as shown in Figure 1 is to show attackers attempting alteration and obtaining of binary code. The three different possible approaches are:  Directly steal original code  Analyze and reverse engineer a mobile app downloaded from store or backup to SD card using APKoptic or Astro File Manager  Code modification/injection
  • 4. Figure 1: Attack tree of binary theft protection
  • 5. Directly steal original code: It can be achieved through bribery, threatening/blackmailing or hacking into the source code versioning server. Analyze and reverse engineer a mobile app downloaded from store or backup to SD card using APKoptic or Astro File Manager It can be achieved by reverse engineering using various tools which can be downloaded from the internet free of cost. The below are the steps that can be followed for reverse engineering: 1. Install the application in the device 2. Bypass the jailbreak or root detection The developer who develops the app like mobile banking may not want his app to run in jail broken or rooted devices. They might have special logic embedded in the app to detect if the device is jail broken/rooted or not. This logic has to be bypassed if we want to do reverse engineering by the use of tools such as xCon. (IBM, 2014) 3. Reverse engineering o For IOS:  If we feed the mobile app into Reverse Engineering Tool, an error is thrown saying: "The file is encrypted. The disassembly of it will likely be useless. Do you want to continue?" So first of all we have to bypass this security of apple and decrypt the content. The same can be achieved by using the tool clutch. (IBM, 2014) Clutch takes the decrypted snapshot from memory and writes it to the disk. Once we get that snapshot, we can feed into the tool (IDA PRO) and we can get the decrypted code. o For Android: The android app can be reverse engineered in two different ways:  Disassembling Transform binary Dalvik byte code (Dex) into smali (assembly code) source code using the tool such as apktool.  Decompile  Dex  Jar  Java (Tools used: Dex2jar, JDGUI)  Dex  Java (Tools used : Androguard) 4. After getting the source code, we can modify the codes for our own benefits such as: o Redirect original code methods to call other malicious code o Modify the GUI layer o Replace cryptographic key o Change the security control flows 5. Then recompile the code back and sign the application
  • 6. Code modification/injection Cryptographic key replacement Applications use cryptographic key to encrypt/decrypt sensitive data. Attackers may replace the cryptographic key in order to decrypt and steal the sensitive data. Attackers may perform dataflow analysis of an application in order to identify a particular key in use. Method swizzling Method swizzling is a technique to replace or extend methods in classes that you don’t own. The attacker can take an advantage of this method to call his malicious code. Rogue application Rogue application is a malicious application which shares the same execution environment and memory resources as a target application. By the use of rogue application, the binary code of the target app can be modified. Presentation layer modification using JavaScript Presentation layer can be modified using the JavaScript to inject the malicious code and modify the binary code.
  • 7. Mitigation (Carter) Review the risks to integrity and confidentiality of mobile apps from binary-level attacks and suggest few solutions to code modification and injections via the various methods below. Reverse Engineering The below steps can be incorporated to prevent the app from reverse engineering:  Remove unused program symbols (which usually convey sensitive information) from the application binaries.  Use the tool like ProGuard which shrinks, optimizes, and obfuscates the code by removing unused code and renaming classes, fields, and methods with semantically obscure names. The result is the smaller sized .apk which is difficult to do reverse engineering.  Change the easy to understand program symbol names to irrelevant names.  Encrypt the part or whole of the application when not in use and when stored in disk. Also encrypt the data within the application.  Use some special logic that can sense the use of debuggers and take appropriate action.  Use checksum to see if any cod has been tampered. Jail Break/Root Detection  Detect the existence of Cydia; Cydia is an IOS app required to install app in jail broken devices  Detect the existence of the path /private/var/stash  This is the folder created on jail broken devices  Detect non-sandboxed behavior Cryptographic key Replacement  Use dynamic keys all the time. Otherwise, the application's complier will store hardcoded keys in their raw form within the final binary. An attacker will be able to find any such key looking at the associated method calls.  If in case hardcoded key is to be used, then o Damage the static key o Repair the key just before the key is required o While using the repaired key, perform the checksum to check that the key is not tampered o After the use of the key, destroy it again Method Swizzling:  If the application is intentionally performing the swizzle, an adversary will exploit this design decision and swizzle this particular method as it will be a reliable entry point into the application. Avoid using the swizzling method.  Use of special logic that can identify the change in the code and that can take appropriate action.
  • 8. Rogue Application  Use of checksum to find out if the code has been tampered  Avoid using swizzling whenever possible Presentation Layer modification using JavaScript  Perform the checksum. Compare the checksum of the files at build time to the values found at runtime.  Perform additional checksum to check if the first checksum has been tampered.  Make sure that both the checksums don't have a unique binary signature. Demo of Reverse Engineering Using the apktool, we decompiled the android apk file into snail files. For the testing purpose, we changed the icon of the android app (iMilk) and recompiled back. Steps: 1. Install the original apk in virtual android device  Command: adb install iMilk Free.apk 2. Transform the binary Dalvik byte code to smali file (it converts the apk file into the folder)  Command: apktool d iMilk Free.apk 3. Modify the codes 4. Rebuild the smali file back to apk  Command: apktool b iMilk Free iMilk_modified.apk 5. Generate the private key using keytool  Command: keytool -genkey -v -keystore my-release-key.keystore -alias alias_name -keyalg RSA -keysize 2048 -validity 10000 This example prompts you for passwords for the keystore and key, and to provide the Distinguished Name fields for your key. It then generates the keystore as a file called my-release- key.keystore. The keystore contains a single key, valid for 10000 days. The alias is a name that you will use later when signing your app. 6. Sign your app with your private key using jarsigner:  Command: jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore my-release-key. keystore iMilk_modified.apk alias_name Reverse Engineering.mp4
  • 9.
  • 10. Conclusion In conclusion, all software is made up of machine-readable code. In fact, code is what makes every program function the way it does. The code defines the software and the decisions it will make. Attacker can locate potential software code vulnerabilities and apply reverse engineering to search for patterns in the code to perform hidden functionalities. To build the binary theft protection, we examine on the conceivable methodologies for an attacker to endeavor alteration to the binary code by utilizing a within profundity examination of an attack tree conceptual diagram to break down the security of systems and subsystems. Furthermore, each subsystem is mitigated to explain on the necessary counter-measures.
  • 11. Bibliography Arxan Research. (2013). State of Security in the App Economy. Arxan Research. Arxan Research. (2014). Securing Mobile Applications in the Wild with Application Hardening and Run- Time Protection. Arxan Research. Carter, J. (n.d.). Threats to Mobile Apps in the Wild. Arxan. Schneier, B. (1999). Attack trees. Dr. Dobb’s journal, 21-29. Schneier, B. (1999). Schneier on Security. Retrieved September 23, 2014, from Schneier on Security: Attack Tree: https://www.schneier.com/paper-attacktrees-ddj-ft.html