Continuing on our journey to understand the OWASP Top 10 Mobile security threats, today we will try to know more about the last threat under the OWASP umbrella - Lack of Binary Protections.
What is Lack of Binary Protections?
A lack of binary protections within a mobile app exposes the application and it’s owner to a large variety of technical and business risks if the underlying application is insecure or exposes sensitive intellectual property. A lack of binary protections results in a mobile app that can be analyzed, reverse-engineered, and modified by an adversary in rapid fashion.
How is it exploited?
Typically, a hacker will use an automated tool to reverse engineer the code and modify it using malware to perform some hidden functionality.
It is difficult to detect that an adversary has reverse engineered an app’s code. Usually, the app owner would know about this when the same code shows up in iTunes, Google Play or any other third party app store. This detection is also by accident and not because of any policing efforts.
Are You Vulnerable to Lack of Binary Protections?
If you are hosting code in an untrustworthy environment, you are susceptible to this risk. Untrustworthy environments include mobile clients, firmware in appliances, cloud spaces, or datacenters within particular countries. A few questions to ponder over would be:
- Can someone code-decrypt this app (iPhone specific) using an automated tool like ClutchMod or manually using GDB?
- Can someone reverse engineer this app (Android specific) using an automated tool like dex2jar?
- Can someone use an automated tool like Hopper or IDA Pro to easily visualize the control-flow and pseudo-code of this app?
How To Prevent Lack of Binary Protections?
First, the application must follow secure coding techniques for the following security components within the mobile app:
- Jailbreak Detection Controls;
- Checksum Controls;
- Certificate Pinning Controls;
- Debugger Detection Controls.
Next, the app must adequately mitigate two different technical risks that the above controls are exposed to:
1. The organization building the app must adequately prevent an adversary from analyzing and reverse engineering the app using static or dynamic analysis techniques;
2. The mobile app must be able to detect at runtime that code has been added or changed from what it knows about its integrity at compile time. The app must be able to react appropriately at runtime to a code integrity violation.
What is the Impact of Lack of Binary Protections?
Most of the mobile app developers or app owners do not prevent an adversary from successfully analyzing, reverse engineering or modifying the app’s binary code. Organizations should apply binary protections to a mobile app under a few different circumstances:
Analysis and Reverse Engineering
Binary protections slow down an adversary from analyzing exposed interfaces and reverse engineering code within the mobile app. All too often, the adversary will steal code and recycle it within another app for reselling.
Unauthorized Code Modification
Code modification often takes the form of repackaging or insertion of malware into existing mobile apps.
Typically, a lack of binary protection will result in the following business impacts:
- Privacy Related and Confidential Data Theft;
- Unauthorized Access and Fraud;
- Brand and Trust Damage;
- Revenue Loss and Piracy;
- Intellectual Property Theft;
- User Experience Compromise.