The global reference inmobile application protection

Mobile application threats

irasara.senarathne@guardsquare.comPre-sales & services engineer

Janus vulnerability: allows hackers to modify apps without affecting their signatures

Mobile threats

• Easily, freely available• Easily accessible• Relied upon for everyday tasks – banking, commuting, entertainment etc.

However, this also means:• Wealth of sensitive info exchanged over app• Lures hackers• Just as easily accessible to hackers• Vulnerability for apps

Mobile apps are ubiquitous

Off-line: static attacks

Hackers transform the code into human readable format to find and exploit vulnerabilities

Offline: static analysis

• Analyze the application source code• Disassemblers: dexdump, baksmali• Decompilers: dex2jar + jad, JD-GUI, JEB, Procyon, CFR etc.• Resources: aapt, apktool, etc.

On-device: dynamic attacks

Hackers gather knowledge of the application’s behaviour and modify it at runtime

• Perform dynamic binary instrumentation to learn about the application’s runtime behavior

• Using debuggers such as adb, Ida Pro etc.• Subverted runtime: Xposed, Substrate, Frida• Cracking tools: Lucky Patcher

On-device: dynamic analysis

Piracy

API key extractionFinancial fraud

Cloning & IP theft Malware insertion

Credential harvesting

Mobile threats

The global reference in mobile application protection

Revenue loss Reputational damage

Fines & retributions Incident handling cost

Consequences of a hacked application

Mobile application attacks

DDOS attacks

Intellectual property theft

Reputational damage

Stealing API keys

Mobile applicationprotection

• Secure design and architecture• Proper use of the platform• Secure data storage• Secure communication• Cryptography• Authentication and session management• Code quality

• Pentesting• Secure code guiding tools• Logging code removal• ...

Secure coding practices

Good reference!OWASP Mobile Security Testing Guide: https://www.owasp.org/index.php/OWASP_Mobile_Security_Testing_Guide#tab=Main

• Name obfuscation• String encryption• Class encryption• Asset encryption• Native library encryption• Control flow obfuscation• Arithmetic obfuscation• etc.

Protecting against code reverse engineering

• Tamper detection• Hook detection• Root detection• Debugger detection• Emulator detection• SSL pinning

Protecting against dynamic analysis attacks

Open sourceJava and Android

Part of Android SDK

CommercialSpecialized for iOSStatic protection

ProGuard DexGuard iXGuard

CommercialSpecialized for Android

Static & dynamic protection

GuardSquare, advanced mobile app protection

Obfuscation example

ORIGINAL CODE

DexGuard: obfuscation example

DECOMPILED UNPROTECTED CODE

DexGuard: obfuscation example

DECOMPILED OBFUSCATED CODE

Thank you