Mobile application security threats, unfortunately, are becoming more and more prevalent. According to Verizon’s 2020 Mobile Security Index, 43 percent of organizations admitted they sacrificed mobile security in the past year, and those that did were twice as likely to experience a compromise. Hackers actively seek out vulnerable applications—especially mobile apps—for reverse-engineering and other types of tampering or fraud.
However, application hardening is one way to protect mobile applications, making them much more difficult targets for attackers to penetrate. By layering multiple types of security defenses, you can protect your applications against some of the most common types of attacks hackers use today.
In this blog post, we’ll look at the three categories of mobile threats, how hackers execute common attacks, and how code hardening layered with other app security protections can defend against attackers.
Typically, there are two main categories of mobile threats that originate from tools commonly used by hackers:
These attacks are serious, as they can target an organization's intellectual property, sensitive information contained by the code, or revenue-generating parts of the application, such as advertising and premium features. If apps remain unprotected, organizations can lose money, suffer reputational damage, or compromise valuable customer data.
For static analysis attacks, hackers typically use disassemblers or decompilers to determine if any sensitive information is exposed within the application. Dynamic attacks, on the other hand, require a test device to run applications. A malicious user, for instance, may attach a debugger tool to an application to get a memory dump, or hook the application to change the implementation of certain methods (e.g. making premium features free).
Here are a few examples of mobile security attacks hackers commonly execute:
There are many examples of these types of attacks in the wild. On Android devices, the Pokemon Go app was targeted by cheaters who spoofed the GPS coordinates on rooted devices to create a joystick within the app to alter its functionality. Even though the app developers created and implemented a simple root checker, the hackers found out how to bypass these controls. On iOS, the Photo Vault and Keepsake apps were targeted by reverse-engineering, where hackers found that access codes were stored in plain text. Using a jailbroken device, hackers navigated directories to gain access to these plain text passwords. They also implemented a hooking attack to bypass a lock screen altogether. In this case, the app developers did not implement hooking detection or static analysis prevention tools, leaving them open to these attacks.
When defending against these types of attacks, many organizations attempt to take a DIY approach to protecting their apps (for example by implementing simple jailbreak (Android), root (iOS) detection mechanisms, or debugger detection). However, hackers can easily see when these types of approaches are implemented and bypass them.
A better approach is to layer application security by using a combination of code hardening techniques and protections at runtime. Code hardening is an effective way of protecting your APKs and SDKs for Android and iOS from reverse engineering and hacking. It consists of hardening the code at various levels through the application of multiple layers of obfuscation and encryption. Hardened code is resistant to both automated and manual analysis, meaning that most of the tools of the trade for hackers are useless.
Obfuscation renders code illegible without affecting its functionality. The techniques used to obscure code in this manner vary considerably. They include:
Encryption ensures the code of the application and the data it contains cannot be accessed while the application is at rest. The encrypted code is decrypted on-the-fly when the application is executed, which guarantees that it functions as intended. To be effective, the encryption must be applied in various layers. Essential encryption techniques include string encryption, class encryption, asset encryption and resource encryption.
Application hardening is an essential part of protection that can be layered with a complementary defense against dynamic attacks called runtime application self-protection (RASP). RASP can detect runtime threats such as an application running on a rooted or jailbroken device, an attempt at modifying app behavior through hooking, etc. – and trigger the application to react in a pre-programmed manner (such as terminating a user session). What’s more, real-time threat monitoring can detect attacks on downloaded applications as they happen, so you can stop them and shore up your security defenses for future releases.