Why You Need to Address Both Static and Dynamic Attacks

Much like an artist deconstructs and analyzes a masterpiece to comprehend the methods used by the original creator, an attacker dissects code to unravel its intricacies. Reverse engineering a mobile application involves analyzing the compiled app to extract details about its source code. The primary objective of this process is to gain a comprehensive understanding of the code. This goal encompasses the potential threat of intellectual property theft or creating fraudulent app versions for malicious purposes.

Differentiating reverse engineering from tampering

Reverse engineering should not be confused with tampering which, on the other hand, refers to the act of modifying a mobile app—be it the compiled app itself or its ongoing processes or environment—to influence its behavior. For instance, if an app refuses to operate on your rooted test device, hindering certain tests that you need to run, you may need to make adjustments to, or tamper with, the app's behavior in such scenarios.

Reverse engineering can be broadly classified into static and dynamic analysis.

Static analysis: Debugging without execution

Static analysis debugs compiled code without running the application. In this process, attackers use static code analyzers - software that examines the code - to look for weaknesses.

Why do attackers perform static attacks?

An attacker can have diverse objectives. Some examples could be:

• Identifying backend connections
• Stealing intellectual property
• Identify client-side logic and weaknesses
• Understand how data is handled, and stored for exploitation.

Harvesting valuable data involves searching for hard-coded or plain-text information with the risk being unauthorized access to sensitive data. Understanding app permissions and interactions through static analysis is crucial for exploiting data sharing, potentially leading to leaks or enabling malware creation. Intelligence gathering on the app's code aims to modify, bypass security controls, or alter workflows.

Methodology

The steps to analyze an application statically often include the use of decompilers and disassemblers to extract or disassemble compiled APKs. Analyzing the source code is done either manually or automatically using a tool. For example, in Android, this involves extracting or disassembling compiled APKs through Android decompilers like JADX, bytecode viewer, JAD, CFR, etc

Dynamic analysis: Actively running and scrutinizing

Dynamic analysis involves analyzing a mobile app by actively running its binary and observing it to identify weaknesses or vulnerabilities.

Why do hackers perform dynamic attacks?

Unlike static analysis, which may struggle to uncover certain data storage issues, dynamic analysis readily exposes persistently stored information and assesses the adequacy of its protection. Dynamic analysis can reveal many insights, a few examples include:

1. Business logic flaws
2. Weak input validation and improper input/output encoding, particularly as data is processed through one or multiple services

Methodology

Application assessment can take various forms, including side-loading, re-packaging, or direct attacks on the installed version.

Attackers have a wide range of tools at their disposal to allow them to carry these out. Two major categories include debuggers and hooking tools:

1. Debuggers enable reverse engineers to analyze specific functions by executing and halting the application at set points. This allows attackers to identify the parts of the code that perform critical operations such as authenticating users, encrypting or decrypting data, sending information to or receiving information from a server, etc.
2. Hooking allows attackers to modify the intended behavior of applications at runtime. Hooking can be used for a wide variety of goals such as bypassing SSL pinning implementations as part of an attempt to intercept and analyze the communication between applications and backend servers, dumping decrypted data from memory, and circumventing license checks.

Utilizing tools for debugging involves extracting .class files from the deployed application during runtime. Examples of some tools commonly used are: ADB, Frida, and JDWP. The JDWP protocol for example is extensively employed for real-time app debugging through standard IDEs. JDWP offers several commands to:

• Extract all loaded class files.
• Retrieve all methods and their details within a class file.
• Print real-time stack information while the application is in execution.

Monitoring HTTP requests and responses is a prevalent method for detecting potential exposure of sensitive information to APIs, granting additional access, or revealing details about backend servers. Networking applications tools facilitate the logging of all requests and responses, either from the device or a specific IP address.

Guardsquare’s complete protection strategy addresses both static and dynamic attacks

Defending against static and dynamic analysis and attacks necessitates a multi-layered security approach. Guardsquare provides comprehensive protection for mobile applications, effectively defending them against both static and dynamic analysis and potential attacks. The integration of Guardsquare's solutions seamlessly aligns with development processes, augmenting Android and iOS applications and SDKs with multiple layers of protection.

Guardsquare’s products, DexGuard for Android and iXGuard for iOS, address both static and dynamic threats through code hardening techniques, encryption and automated RASP checks.

Through the implementation of multiple layers of different obfuscation techniques and encryption, both automated and manual static analysis become challenging and cost-intensive. The primary objective of obfuscation is to increase the intricacy of understanding code from a static analysis perspective. Various obfuscation techniques, including encryption and the implementation of Runtime Application Self-Protection (RASP), contribute to establishing multilayered protection essential for mitigating dynamic threats.

For dynamic analysis threats, Guardsquare adopts RASP (Runtime Application Self-Protection) solution. RASP mechanisms actively monitor the integrity of applications and their environments in real time. A comprehensive mobile app security strategy should incorporate runtime application self-protection (RASP) to thwart attackers aiming to analyse your app's functionality for reverse engineering and compromise.

Among others, RASP can detect the following essential runtime checks:

1. Root detection - checks if your application is on a rooted device
2. Debug detection - checks if your application can be debugged or is being debugged
3. Emulator detection - checks if your application is running on an emulator
4. Virtual environment detection - checks if your application is running inside a virtual environment
5. Tamper detection - Detects binary tampering on your application
6. Certificate checking - checks whether your application is still signed with the original certificate from the publication
7. File checking - validates the integrity of a specified list of files
8. Hook detection - This checks for the presence of hooking frameworks and safeguards user code from function hooks

Developers can seamlessly integrate RASP checks into their app's code using DexGuard and iXGuard, ensuring the inclusion of protection mechanisms while maintaining the flexibility to exclude specific code sections for optimized performance. By harnessing DexGuard and iXGuard to inject unique RASP checks with each new build, coupled with continuous monitoring through ThreatCast, your app's security posture is maximized, safeguarding your application against sophisticated threats.