Android devices, and jailbroken iOS devices, can install apps without going through the official App Store or Market. Recently, ways to install apps on iOS without a jailbreak were released as well. This abnormal app distribution raises security issues: the threat of maliciously modified apps and the breaking of DRM. These issues stem from app manipulation through reverse engineering. If you search for keywords such as “android decompiler”, “iOS app modify” or “apktool”, you will find many ways to bypass authentication, change in-game money and do other incredible things.
An attacker can distribute modified apps to steal user credentials such as passwords and tokens, or to manipulate a service's features and processes. For example, in a banking app the attacker can change the login code so that the password is sent both to the attacker's server and to the authentication server, or so that when a user transfers money to someone else, the receiving account number is changed to the attacker's account. The attacker would distribute the app through a black market, SMS or e-mail.
To protect against modified apps, there are approaches such as applying anti-reverse-engineering techniques or access control that checks the app's integrity. Anti-reverse techniques make an app resist analysis and manipulation, for example code obfuscation and dynamic code downloading:
- Source code obfuscation
- Binary obfuscation
- Native library (C or C++ instead of Java)
- Core module update (frequently change the core routine)
- Secure hardware (TrustZone, TSM)
But applying anti-reverse techniques alone is not sufficient to prevent service access by maliciously manipulated apps, so app integrity checking should also be considered. The integrity checking process determines whether the app accessing the service has been modified. For this, a hash (SHA-256) of the app or of the app's files is generated and stored on the server, and it is then compared with the hash of the accessing app to check integrity on every connection, or before a sensitive feature is used.
[Figure: App integrity check process]
The service provider can keep a log of abnormal connections and show a security warning message to the user.
However, even when the service provider has adopted these protections, a hacker may bypass the checking process and the anti-reverse techniques. In my research and experience, many kinds of protections were bypassed or manipulated using a debugger, memory modification or other techniques. For example, if the checking process uses the same integrity data every time, a hacker can save the integrity data and replay it on the network or inside the app, and the server will accept it as a normal access. To prevent these flaws, the core process needs to be protected from access and manipulation.
So, we can consider secure hardware such as TrustZone, TPM and UICC instead of software modules. An integrity checking module inside the hardware can control access from outside the chip, and nobody can access it except through the pre-shared protocol. Moreover, it can be shared with other apps through standardized APIs. It could be adopted not only for integrity checking but also as a DRM module to deal with license issues.
Next, I will post about secure hardware and how it can be combined with app integrity detection.
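The hash-based check described above, and the replay weakness it has when the integrity data never changes, as an added example that is not code from the original post. The server stores the known-good SHA-256 over the app's files and issues a fresh one-time nonce per connection, so a captured proof cannot be replayed; the app files, the `IntegrityServer` class and the `client_proof` helper are constructed for this illustration.

```python
import hashlib
import hmac
import secrets

# Constructed stand-ins for the contents of an APK/IPA; not real app files.
APP_FILES = {
    "classes.dex": b"dex\n035\x00" + b"A" * 64,
    "lib/libcore.so": b"\x7fELF" + b"B" * 64,
    "assets/config.json": b'{"api": "https://example.invalid/v1"}',
}


def app_manifest_hash(files: dict) -> str:
    """SHA-256 over every file path, length and content in a fixed order."""
    h = hashlib.sha256()
    for path in sorted(files):
        data = files[path]
        h.update(path.encode())
        h.update(len(data).to_bytes(4, "big"))
        h.update(data)
    return h.hexdigest()


def client_proof(nonce: str, files: dict) -> str:
    """What the app sends: HMAC of its current manifest hash keyed by the server nonce."""
    key = bytes.fromhex(nonce)
    return hmac.new(key, app_manifest_hash(files).encode(), hashlib.sha256).hexdigest()


class IntegrityServer:
    """Holds the known-good hash and hands out one nonce per connection."""

    def __init__(self, known_good_hash: str):
        self.known_good_hash = known_good_hash
        self.outstanding = set()  # nonces issued but not yet answered

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, nonce: str, proof: str) -> bool:
        # A nonce is consumed on first use, so a proof captured on the wire
        # and replayed later is rejected; a static, unchanging hash would not be.
        if nonce not in self.outstanding:
            return False
        self.outstanding.discard(nonce)
        key = bytes.fromhex(nonce)
        expected = hmac.new(key, self.known_good_hash.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, proof)
```

The nonce only defeats network replay: the proof is still computed by app code, so a patched client that hashes the original files (or hard-codes the known-good hash) passes, which is the gap the post's secure-hardware approach is meant to close.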