Protect Your Applications' Guts

Secure Software Development and Beyond

Software protection is becoming increasingly important, especially since the emergence of ubiquitous and mobile computing. Furthermore, because mobile applications are in effect becoming a means of deploying business operations, companies’ business models are more exposed to attacks from outsiders.

We live in a personalized mobile world. Enterprises that adapt to today’s “app economy” are very successful at improving customer engagement (one example of the business operations mentioned above) and driving new business in this fast-changing, dynamic world. Where many business opportunities exist, “black hats” find good fortune as well. Reverse-engineering an application is a customary step before any illegal modification or sharing of software; the aim is to understand the application’s inner workings, for example in order to bypass and disable embedded security mechanisms, or simply to understand “how it is done” and steal intellectual property.

App Hacking Is Quite Easy

The initial compromise takes “just couple of minutes” to complete. Automated tools that support reverse engineering are readily available online. Compared with Web environments, mobile applications live in a distributed, fragmented and mostly unregulated ecosystem. Unprotected binary code in mobile apps can be directly accessed, examined, modified and exploited by hackers.

What Can Happen To Your Apps And Data

  • Modification of the binary in order to change the app's behavior. E.g. disabling security controls, bypassing business rules, licensing restrictions, purchasing requirements or ad displays in the mobile app — and potentially distributing the modifications as a patch, crack or even as a new application.
     
  • A malicious application performing a drive-by attack (via the run-time method known as swizzling, or function/API hooking) to compromise the target mobile app (in order to lift credentials, expose personal and/or corporate data, redirect traffic, etc.).
     
  • Identification or exposure of sensitive information (keys, credentials, data), or of vulnerabilities and flaws, for broader exploitation.
     
  • Lifting or exposing proprietary intellectual property out of the application binary in order to develop counterfeit applications.
     
  • Reusing and “copying” an application and submitting it to an App Store as a competing application.

How To Secure Your Software

Securing a software application does not consist of just cryptographically protecting the network communications or performing a pen-test one week before shipping. It is a long process that needs to start as soon as, or even before, the actual development begins. Professor Pascal Junod pointed out the important steps that one has to take care of during a typical software development lifecycle in order to ensure an acceptable level of security. Additionally, he described technical solutions able to protect an application from today’s threats.

Software vulnerability has been increasing for the last couple of decades due to the emergence of mobile applications. The "trinity of troubles", consisting of complexity, connectivity and extensibility, illustrates the security problems resulting from the current evolution. The more complex software becomes, the harder it is to secure it; in particular, communication and integration with other software and tools open up new possible vulnerabilities. Due to these factors, there is now an increasingly big need for good application security, which has to be a priority from the beginning of the development process. A good practice is to nominate one person in a team as a security advisor. That person need not be a particularly technical one; what matters most is that someone oversees security as a priority and brings it up when relevant decisions are made.

The Man At The End

So let's assume you have developed a piece of good software and security has been a priority from day one. You have done countless code reviews, pen tests, every possible measure. Then your software gets hacked. Why? Secure software will attract more skilled hackers; they see it as a challenge to seek out even the smallest breaches in your code. To mitigate this, you can use several techniques that greatly increase the effort needed to find and exploit vulnerabilities:

Prevent debugging of your software
Loading your software in a debugging environment is the first go-to method for most attackers. With some tricks you can detect when the application is running in such an environment, and thus prevent the attacker from finding vulnerabilities through debugging.
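
One common Linux form of this check, as an added example (not code from the talk or from any product named on this page): the kernel reports the PID of an attached ptrace-based debugger in the TracerPid field of /proc/self/status. The function names and the fail_closed policy flag are illustrative assumptions, and SAMPLE_STATUS is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample of /proc/self/status for a process traced by PID 4242. */
const char SAMPLE_STATUS[] =
    "Name:\tapp\nState:\tR (running)\nTracerPid:\t4242\nUid:\t1000\n";

/* Returns the tracer PID found in status text, 0 when untraced,
 * -1 when the field is missing or malformed. Only matches at line start. */
long parse_tracer_pid(const char *status) {
    const char *p = status;
    while (p && *p) {
        if (strncmp(p, "TracerPid:", 10) == 0) {
            char *end;
            long v = strtol(p + 10, &end, 10);
            return (end == p + 10) ? -1 : v;
        }
        p = strchr(p, '\n');   /* advance to the next line */
        if (p) p++;
    }
    return -1;
}

/* Reads the live value for the current process (Linux only). */
long current_tracer_pid(void) {
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_tracer_pid(buf);
}

/* Policy: an unreadable status (-1) counts as suspicious only when the
 * application chooses to fail closed. */
int debugger_suspected(long tracer, int fail_closed) {
    if (tracer < 0) return fail_closed;
    return tracer != 0;
}
```

A single check like this is easy to locate and patch out, which is why it is normally combined with the obfuscation and tamper-proofing measures described next.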

Code obfuscation
Code obfuscation complicates the internal structure of your software, that is, the control flow that defines the application’s execution logic. Instead of a straightforward, typically linear execution structure, obfuscated code scrambles the program sequence, forcing the execution flow to hop around incessantly and in effect hiding what your app is really doing. To the legitimate user the application’s behavior remains unchanged, so the obfuscation is transparent. To the hacker, however, this protective step makes it harder to understand how the application’s behavior is realized by your software, which critically hinders potential attacks.
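
One well-known transform that produces this "hopping" is control-flow flattening. The following added example (hand-written for illustration, not output of any tool named on this page) shows the same function before and after: the basic blocks become cases of a dispatcher, and an opaque state value chosen arbitrarily here selects the next block.

```c
#include <stdint.h>

/* Straightforward form: the loop structure is visible at a glance. */
uint32_t gcd_plain(uint32_t a, uint32_t b) {
    while (b != 0) {
        uint32_t t = a % b;
        a = b;
        b = t;
    }
    return a;
}

/* Flattened form: same computation, but every basic block is a case
 * and the order of the cases no longer follows the order of execution. */
uint32_t gcd_flat(uint32_t a, uint32_t b) {
    uint32_t t = 0, state = 0x3a;
    for (;;) {
        switch (state) {
        case 0x3a: state = (b != 0) ? 0x91 : 0x5c; break; /* loop test   */
        case 0x07: a = b;     state = 0xe4; break;         /* second step */
        case 0x91: t = a % b; state = 0x07; break;         /* first step  */
        case 0xe4: b = t;     state = 0x3a; break;         /* third step  */
        case 0x5c: return a;                               /* exit block  */
        default:   return 0;                               /* unreachable */
        }
    }
}

/* Returns 1 when both forms agree on every input pair below limit. */
int forms_agree(uint32_t limit) {
    for (uint32_t a = 0; a < limit; a++)
        for (uint32_t b = 0; b < limit; b++)
            if (gcd_plain(a, b) != gcd_flat(a, b)) return 0;
    return 1;
}
```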

Tamper-proofing
Code tamper-proofing uses several techniques, such as self-checking code, to validate the integrity of your software at runtime, i.e. that no part of the code has incurred even the slightest change. As a result, attacks such as bit-flipping, used for example to invalidate a security measure (certificate, license, etc.) or any test (e.g. if or while statements) performed by the code, become harder to perform.
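
A sketch of self-checking with overlapping guards, as an added example rather than code from the talk: each guard hashes a range of the protected region and compares it with a reference recorded at build time, so a single flipped bit trips more than one check. The region here is a constructed byte buffer standing in for code bytes, FNV-1a is an assumed choice of hash, and all names are illustrative.

```c
#include <stddef.h>
#include <stdint.h>

/* FNV-1a 32-bit hash over a byte range. */
static uint32_t fnv1a(const uint8_t *p, size_t n) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

/* One guard = one self-check over [off, off + len) of the region. */
struct guard { size_t off, len; uint32_t expected; };

/* Constructed stand-in for the protected code bytes. */
uint8_t region[32] = "LICENSE-CHECK:if(valid)run();";

/* Overlapping ranges: every byte is covered by at least two guards. */
struct guard guards[3] = { {0, 20, 0}, {12, 20, 0}, {0, 32, 0} };

/* Build step: record reference hashes of the pristine region. */
void seal(void) {
    for (size_t g = 0; g < 3; g++)
        guards[g].expected = fnv1a(region + guards[g].off, guards[g].len);
}

/* Runtime step: index of the first failing guard, or -1 when intact. */
int first_failed_guard(void) {
    for (size_t g = 0; g < 3; g++)
        if (fnv1a(region + guards[g].off, guards[g].len) != guards[g].expected)
            return (int)g;
    return -1;
}
```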

Watermarking – Identify your attackers
By integrating a unique element into your software for each one of your customers, you can identify where illegally distributed code came from – and take the steps necessary to prevent it.
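
One way to make each customer's build unique, shown as an added example and not as the scheme used by the speaker or any vendor: encode the customer number in the order of items whose order does not affect behavior (for instance, entries of a lookup table). With 8 such items there are 8! = 40320 distinct orders; the names and the choice of 8 are assumptions.

```c
#include <stdint.h>

#define WM_N 8   /* 8 reorderable items -> 8! = 40320 distinct marks */

static uint32_t fact(int k) {
    uint32_t f = 1;
    while (k > 1) f *= (uint32_t)k--;
    return f;
}

/* Build step: write the item order that encodes customer id
 * (factorial number system). Returns 0, or -1 if id is out of range. */
int wm_embed(uint32_t id, uint8_t order[WM_N]) {
    uint8_t pool[WM_N];
    if (id >= fact(WM_N)) return -1;
    for (int i = 0; i < WM_N; i++) pool[i] = (uint8_t)i;
    for (int i = 0; i < WM_N; i++) {
        uint32_t f = fact(WM_N - 1 - i);
        uint32_t idx = id / f;          /* which remaining item goes next */
        id %= f;
        order[i] = pool[idx];
        for (int j = (int)idx; j < WM_N - 1 - i; j++) pool[j] = pool[j + 1];
    }
    return 0;
}

/* Recovery from a leaked copy: returns the customer id, or -1 when the
 * order is not a valid permutation (mark destroyed or corrupted). */
long wm_extract(const uint8_t order[WM_N]) {
    uint32_t id = 0;
    unsigned seen = 0;
    for (int i = 0; i < WM_N; i++) {
        if (order[i] >= WM_N || (seen & (1u << order[i]))) return -1;
        seen |= 1u << order[i];
        uint32_t smaller = 0;           /* later items smaller than this one */
        for (int j = i + 1; j < WM_N; j++)
            if (order[j] < order[i]) smaller++;
        id += smaller * fact(WM_N - 1 - i);
    }
    return (long)id;
}
```

Reordering the items erases this mark, so it is only useful together with the tamper-proofing described above.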

Protecting Your App Doesn't Have To Be Hard

Integrating those techniques can greatly increase your app's security – as long as there is no other weak link in the chain. To find out more about integrating debug prevention, code obfuscation, tamper-proofing and watermarking in your apps, we recommend checking out strong.codes, which offers both open-source and closed-source security tools that can be easily integrated into your development process.

Watch the talk

Find the full-length presentation on the subject which Prof. Junod kindly gave at Apps with love HQ: 

Literature tip: Collberg, Nagra: "Surreptitious Software" - Addison-Wesley, 2009
