Understanding OWASP Top 10 Mobile: Lack of Binary Protections

Continuing on our journey to understand the OWASP Top 10 Mobile security threats, today we will try to know more about the last threat under the OWASP umbrella - Lack of Binary Protections.

What is Lack of Binary Protections?

A lack of binary protections within a mobile app exposes the application and it’s owner to a large variety of technical and business risks if the underlying application is insecure or exposes sensitive intellectual property. A lack of binary protections results in a mobile app that can be analyzed, reverse-engineered, and modified by an adversary in rapid fashion.

How is it exploited?

Typically, a hacker will use an automated tool to reverse engineer the code and modify it using malware to perform some hidden functionality.

It is difficult to detect that an adversary has reverse engineered an app’s code. Usually, the app owner would know about this when the same code shows up in iTunes, Google Play or any other third party app store. This detection is also by accident and not because of any policing efforts.

Are You Vulnerable to Lack of Binary Protections?

If you are hosting code in an untrustworthy environment, you are susceptible to this risk. Untrustworthy environments include mobile clients, firmware in appliances, cloud spaces, or datacenters within particular countries. A few questions to ponder over would be:

  • Can someone code-decrypt this app (iPhone specific) using an automated tool like ClutchMod or manually using GDB?
  • Can someone reverse engineer this app (Android specific) using an automated tool like dex2jar?
  • Can someone use an automated tool like Hopper or IDA Pro to easily visualize the control-flow and pseudo-code of this app?

Good Read- Understanding OWASP Top 10 Mobile Threats

How To Prevent Lack of Binary Protections?

A multifaceted and proactive approach is crucial to prevent the risks associated with the lack of binary protection.

1. Code obfuscation

Code obfuscation makes reverse engineering difficult for attackers, helping you secure your app against threats.

2. Binary hardening

By implementing robust techniques like stack protection and ASLR (Address Space Layout Randomization), you empower your app with a formidable defense against runtime attacks.

3. API security measures

Keeping secure communication and authentication processes in place helps protect APIs from exploitation.

4. Secure data storage

Ensure additional security by utilizing a combination of encryption for data stored in the mobile application and secure key management techniques.

5. Continual monitoring

By diligently monitoring the application for anomalies and swiftly implementing incident response procedures, you reassure app owners about the proactive security measures in place.

 

What is the Impact of Lack of Binary Protections?

Most of the mobile app developers or app owners do not prevent an adversary from successfully analyzing, reverse engineering or modifying the app’s binary code. Organizations should apply binary protections to a mobile app under a few different circumstances:

Analysis and Reverse Engineering

Binary protections slow down an adversary from analyzing exposed interfaces and reverse engineering code within the mobile app. All too often, the adversary will steal code and recycle it within another app for reselling.

Unauthorized Code Modification

Code modification often takes the form of repackaging or insertion of malware into existing mobile apps.

Business Impacts

Typically, a lack of binary protection will result in the following business impacts:

  • Privacy Related and Confidential Data Theft;
  • Unauthorized Access and Fraud;
  • Brand and Trust Damage;
  • Revenue Loss and Piracy;
  • Intellectual Property Theft;
  • User Experience Compromise.
Published on Nov 26, 2015
Harshit Agarwal
Written by Harshit Agarwal
Harshit Agarwal is the co-founder and CEO of Appknox, a mobile security suite that helps enterprises automate mobile security. Over the last decade, Harshit has worked with 500+ businesses ranging from top financial institutions to Fortune 100 companies, helping them enhance their security measures.
Beyond the tech world, Harshit loves adventure. When he's not busy making sure the digital realm is safe, he's out trekking and exploring new destinations.

Questions?

Chat With Us

Using Other Product?

Switch to Appknox

2 Weeks Free Trial!

Get Started Now