Mobile app security has become a central concern in today's technology landscape and demands focused effort from developers building and maintaining mobile apps. As the number of apps in the stores grows, so do the threats and vulnerabilities that afflict them. Reverse engineering is one such threat, and it can have serious consequences for a business, from loss of intellectual property to loss of revenue. Developers should build protections into their apps to counter it and keep the app from being tampered with.
What is Reverse Engineering?
Reverse engineering is the process of recovering the source code and other resources that went into an APK from the compiled binary. With freely available tools, the classes.dex bytecode inside the APK can be converted to a JAR and then decompiled to readable Java source, or decompiled directly from DEX. Competitors can use this to examine the app's functionality in detail and quietly copy features. Attackers use it to unlock premium features by locating and patching out the license or authentication check, and game cheats use it to gain an unfair advantage over other players.
Debuggers are used to trace the flow of a running program. The classic examples, SoftICE and OllyDbg, are Windows debuggers; the Android equivalents are the JDWP debugger for Java and Kotlin code, gdb or lldb for native code, and dynamic instrumentation frameworks that hook the process at runtime. With these, the app's entire business logic can be reproduced in a counterfeit application, which can then be laced with malware and redistributed. Unsuspecting users who install it are compromised and their sensitive private data is stolen.
Handling Reverse Engineering
Since app security underpins the confidence consumers place in your product, developers need to adopt best practices to protect mobile apps from reverse engineering. These include:
- The choice of programming language matters. Android apps are usually written in Java or Kotlin, whose bytecode decompiles to readable source far more easily than compiled C/C++. Write business-critical functionality natively with the NDK and ship it as compiled .so libraries. Native code can still be disassembled, but recovering its logic is considerably more work.
- Keep sensitive logic on the server rather than in the app, so that it is never shipped to the device at all; code that is not in the APK cannot be decompiled from it. Communication between the app and the server should go through authenticated APIs over TLS.
- Obfuscate what has to stay in the app. Done well, code obfuscation (renaming, string encryption, control-flow transformations) turns the decompiled output into scrambled code that is expensive for an attacker to follow. Encrypting code has limits: it must be decrypted on the device before it can run, so the key and the plaintext are both present at runtime. It raises the cost of analysis rather than preventing it.
- Never store passwords in a recoverable form. Use a slow, salted password-hashing function such as PBKDF2 or bcrypt. A hash is not decrypted: an attacker who obtains it must guess candidate passwords and recompute the hash for each, and the work factor makes that expensive. This makes recovery infeasible for strong passwords, not impossible, so weak passwords remain at risk. Password verification belongs on the server; the app should not keep the password at all.
- Avoid storing user credentials on the device; keep a short-lived session token instead. Anything that must persist should be encrypted with a key held in the Android Keystore, never written in plaintext to external storage or the app's own files. Unencrypted data there can be read or modified over a USB (adb) connection when the app is debuggable or the device is rooted, and external storage is readable by other apps.
- Encrypt the app's database with a strong algorithm such as AES-256 (SQLCipher is the usual choice for SQLite) and keep the key in the Keystore rather than next to the data: a database whose key sits in the same directory is only obfuscated, not protected.
- API keys should never be hard-coded or placed in resource folders. An APK is just a ZIP archive; anyone can unzip it and read the strings and resources, or decompile the code, and recover the key. Any key that ships with the app can be extracted eventually, so only keys whose exposure is tolerable belong in the app. Privileged keys stay on the server, and the app calls the server with per-user authentication.
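A worked example of the password-hashing point above, added here and not part of the original article or of any AppSealing product: server-side PBKDF2-HMAC-SHA256 with a per-password random salt, a self-describing stored record, a constant-time comparison on verification, and a check that lets old records be re-hashed when the work factor is raised. The iteration count, the record format and the function names are choices made for this example.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256. The stored record carries the count used,
# so the policy can be raised later and old records re-hashed at next login.
ITERATIONS = 600_000
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex.

    The salt is random per password, so two users with the same password get
    different records and a precomputed table is useless against the database.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def _parse(record: str):
    """Split a record into (iterations, salt, digest); None if malformed."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM or not parts[1].isdigit():
        return None
    try:
        return int(parts[1]), bytes.fromhex(parts[2]), bytes.fromhex(parts[3])
    except ValueError:
        return None


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and count and compare.

    There is no decryption step: the only way to recover the password from the
    record is to guess candidates and pay the full work factor for each.
    """
    parsed = _parse(record)
    if parsed is None:
        return False
    iterations, salt, expected = parsed
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Constant-time comparison: a plain == would leak how many leading bytes
    # matched through timing differences.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True if the record was produced with a weaker work factor than policy
    (or is malformed); the caller re-hashes after a successful login."""
    parsed = _parse(record)
    return parsed is None or parsed[0] < iterations


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print("right password:", verify_password("correct horse battery staple", rec))
    print("wrong password:", verify_password("Correct horse battery staple", rec))
```

The app never sees or stores this record; it sends the password once over TLS and keeps only the session token the server returns. An attacker who steals the record pays the same per-guess cost the server pays, which protects strong passwords and does nothing for "123456".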
ProGuard:
ProGuard is an open-source tool, written in Java, that shrinks, optimizes and obfuscates Java bytecode; in current Android builds the same rule files drive R8, which Android Studio runs by default. It makes reverse engineering harder, not impossible: the obfuscated app still decompiles, the output is just harder to read. It works in four steps:
- Shrink: it identifies unused classes, fields and methods and removes them
- Optimize: it analyses and optimizes the bytecode of methods, making them smaller and faster
- Obfuscate: it renames classes, fields and methods to short, meaningless names such as a, b and c, stripping the semantic hints a decompiler would otherwise show; it does not hide logic or string constants, so anything that must stay secret should not be in the app at all
- Pre-verify: it adds pre-verification information to the classes, which is required for Java ME and for Java 6 and later
Debugger detection techniques:
These let an app check at runtime whether a debugger is attached and respond, for example by exiting or disabling sensitive features. The techniques most often cited come from Windows reverse-engineering literature:
- CheckRemoteDebuggerPresent() Windows API: checks whether the specified process is being debugged
- NtGlobalFlag debugger detection: reads the NtGlobalFlag field of the PEB, whose heap-debugging bits are set when the process was started under a debugger
- IsDebuggerPresent() Windows API: checks whether the calling process is being debugged by a user-mode debugger
Other Windows-side techniques (among a host of others) are:
- OllyDbg INT3 exception detection
- OllyDbg OutputDebugString() format string vulnerability (a bug in old OllyDbg versions that anti-debugging code triggered deliberately)
- OllyDbg PE header parsing DoS vulnerabilities (likewise)
- PEB ProcessHeap flag debugger detection
None of these apply to Android. The equivalents there are android.os.Debug.isDebuggerConnected() and Debug.waitingForDebugger() for the Java debugger, confirming that the app was not built with android:debuggable="true" (ApplicationInfo.FLAG_DEBUGGABLE) so that no JDWP connection is possible, reading the TracerPid field of /proc/self/status (non-zero whenever any process, a native debugger or an instrumentation framework included, has attached with ptrace), and calling ptrace(PTRACE_TRACEME) early so that a later attach fails. Every one of these can be found and patched out by the attacker it is meant to stop, so they are speed bumps that belong in native code and should run repeatedly rather than once at startup.
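The TracerPid check, as an added example that is not from the original article: it runs on any Linux system, Android included, because Android's /proc is the Linux one. The status excerpts are constructed for the example, not captured from a device, and the function names are mine. In a shipping app the same logic belongs in native code on a background thread; Python is used here only so the logic can be run and read on a workstation.

```python
# Two constructed excerpts of /proc/<pid>/status (not captured from a real
# device). The kernel writes "TracerPid:\t<pid>": 0 means nothing is attached,
# anything else is the PID of the process tracing us via ptrace (gdb/lldb,
# strace, or an instrumentation framework's injected agent).
STATUS_CLEAN = (
    "Name:\tcom.example.app\n"
    "State:\tS (sleeping)\n"
    "Tgid:\t1234\n"
    "Pid:\t1234\n"
    "PPid:\t1\n"
    "TracerPid:\t0\n"
    "Uid:\t10123\t10123\t10123\t10123\n"
)
STATUS_TRACED = (
    STATUS_CLEAN.replace("TracerPid:\t0", "TracerPid:\t4242")
    .replace("S (sleeping)", "t (tracing stop)")
)


def tracer_pid(status_text: str) -> int:
    """Return the TracerPid value from /proc/<pid>/status text (0 = untraced)."""
    for line in status_text.splitlines():
        if line.startswith("TracerPid:"):
            return int(line.split(":", 1)[1].strip())
    raise ValueError("status text has no TracerPid field")


def read_tracer_pid(pid: str = "self"):
    """Read the live value for a process, or None where /proc is unavailable
    (non-Linux host) or the field cannot be parsed."""
    try:
        with open(f"/proc/{pid}/status", encoding="utf-8", errors="replace") as f:
            return tracer_pid(f.read())
    except (OSError, ValueError):
        return None


def is_being_traced() -> bool:
    """True if some process has attached to us with ptrace.

    A debugger that is merely installed, or a debuggable build, does not trip
    this; only an actual attach does, which is why the check has to run
    repeatedly rather than once at startup.
    """
    pid = read_tracer_pid()
    return pid is not None and pid != 0


if __name__ == "__main__":
    print("parsed clean sample:", tracer_pid(STATUS_CLEAN))
    print("parsed traced sample:", tracer_pid(STATUS_TRACED))
    print("this process traced:", is_being_traced())
```

The obvious bypasses are hooking the file read to return a zero, or patching the branch that consumes the result. Reading /proc/self/status through a raw syscall in native code defeats library-level hooks, checking from several places raises the patching cost, and feeding the value into something the app needs (a key derivation, a checksum) rather than a simple boolean branch removes the single instruction an attacker would flip. Note that strace and legitimate profilers attach with ptrace too, so treat a hit as a signal, not proof of an attack.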
Obfuscate values when storing on mobile:
The data an application holds is a goldmine for an attacker, and an app is rarely useful without it. Rather than storing raw values, store them in a form that is useless on its own: encrypt them, replace them with tokens that map back to the real value only on the server, or mask them so that only the part the app needs to display (for example the last four digits of a card number) is kept. Obfuscation of stored values adds a layer on top of encryption with a properly managed key; it does not replace it.
Be careful while implementing SSL:
An SSL/TLS certificate binds a server's identity to its public key, letting the client authenticate the server and establish an encrypted connection. Mobile developers sometimes hit certificate errors during development (self-signed or staging certificates) and work around them by installing a custom X509TrustManager or HostnameVerifier on Android, often through a custom SSLSocketFactory, that accepts any certificate. That disables authentication entirely: an attacker on the network can present a self-signed certificate, the app accepts it, and the connection can be read and modified in a man-in-the-middle attack. Leave the platform's default certificate validation in place, remove trust-all code before release, and for sensitive apps pin the expected certificate or public key (on Android through the Network Security Config). Caution is advised whenever TLS handling is customized.
AppSealing, a One-Stop Solution for App Security
AppSealing’s security solutions provide end-to-end protection to mobile apps, handling various security vulnerabilities, including reverse engineering, effectively. Using AppSealing, developers all over the world secure their mobile app through DEX, SO, and DLL file encryption, thus rendering the app’s code “unreadable” in the event of an attack.
AppSealing’s Runtime Application Self-Protection (RASP) protects apps at runtime with binary protection, anti-debugging and anti-decompilation. Hash validation of all the app’s components and modules provides integrity protection.
AppSealing detects rooted devices and Android emulators and blocks the app from launching on them. This no-code approach has minimal impact on memory usage, CPU or battery. Upload the APK and, within 10 minutes, a comprehensive security layer is applied to your app.
Contemporary security issues require state-of-the-art solutions. Move on from traditional security methods and adopt AppSealing as your preferred security solutions provider!
Start your Free Trial Now- http://bit.ly/apply-security-now
Or Contact our security experts for more information.