During this talk, we looked at some of the typical controls that Android/iOS applications exhibit, how they work, how to spot them, and how to sidestep them. We’ll demonstrate analysis and techniques using free open source tooling such as Radare and Frida, and for some parts, we’ll use IDA Pro. And since “automation” is the buzzword of the year, we’ll discuss how to automate some of these activities, which typically take up most of the assessment window.
For more information, please visit our website at www.synopsys.com/software
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
Webinar–Mobile Application Hardening Protecting Business Critical Apps
1. Grant Douglas, Mobile Practice Director at Synopsys
Nikola Cucakovic, Senior Security Consultant at Synopsys
Protecting Business-Critical Apps
Mobile Application Hardening
6. Static analysis
Identify data of value.
Identify code of value.
Identify controls of interest.
Dynamic analysis
Identify data of value.
Identify code of value.
Identify controls of interest.
What will threat actors do?
7. Develop bypasses
Defeat any required controls.
Automate.
Build payloads
Build payloads depending on
end goal.
Distribute payloads
Possibly: distribute malicious
copies of the app, or payloads
that target the app on
rooted/jailbroken devices.
8. • Static analysis—using common tools such as Radare (r2), JEB, IDA Pro, Hopper disassembler,
etc.
• Look for interesting signatures:
• Strings
• Class names
• Method names
• Look for the use of interesting APIs (e.g., file IO APIs or networking APIs)
• Look for known vulnerable components or dependencies
• Additionally, an attacker might actually patch the application statically:
• Patch out important instruction(s)
• Modify execution flow to circumvent controls
Initial analysis
12. • Process of making an application’s logic difficult to understand by reverse engineering without
altering its overall functionality
• It's a bit like bad directions…
• Example variants:
• Function splicing
• Function merging
• Function in-lining
• Junk insertion
• Many more
Part A
Part B
Part X
Function
Function
login()
selectTheme()
updateBio()
App
void example()
{
someCall()
securityCheck();
doMath();
securityCheck();
return;
}
void doMath()
{
int a = 5, b = 6;
securityCheck();
}
void securityCheck()
{
if (app_is_hacked)
{
exit(-1);
}
}
void example()
{
someCall()
doMath();
return;
}
void doMath()
{
int a = 5, b = 6;
if (app_is_hacked)
{
exit(-1);
}
if (app_is_hacked)
{
exit(-1);
}
if (app_is_hacked)
{
exit(-1);
}
Control flow obfuscation
13.
14.
15. • Frida is a dynamic binary instrumentation (DBI) framework for multiple platforms
• Rich API provided for multiple languages
• Python
• C
• JavaScript
• Can be used to inspect and modify memory, including dynamic replacement of code
• Multiple modes of operation for iOS/Android:
• Server: rooted device is required
• Gadget: rooted device is not required
Introducing Frida
16. • Interceptor is a Frida API for replacing code inside a given process
• Allows you to sniff/log inputs and return values of functions
• Allows you to modify all those too
Frida Interceptor
17. APP
LIBRARY
access() function
Function code
1. App calls access() function
A) Function executes
B) Execution returns to app
2. Attacker hooks access() with Frida
A) Frida inserts a trampoline into access()
3. App calls access() again
A) Execution jumps to replacement code
B) Execution returns to access()
C) Then back to the app
Trampoline
Replacement
Function
Trampolines
18. • Rooting or jailbreaking is a process to gain
more control over the device
• Usually security researchers find and exploit
real vulnerabilities in the device
• Payloads typically disable a bunch of
security features
• Allows you to run untrusted code
• Allows you to do some pretty cool things
Jailbroken devices
19. • Some apps take it upon themselves to block
jailbroken devices
• Why?
• How do they know?
• Filesystem changes
• API behavioral differences
• Absence of expected controls
• Presence of installed app/packages
Jailbreak detection
22. 1. Grab the app.
2. Decompile the app and any libraries.
3. Identify target functionality.
4. Write some Frida-based attack payloads.
5. Easily circumvent basic copy-pasted controls.
Recap
23.
24. • A system call (syscall) is a way for userland code to invoke specific functionality inside kernel
space
• You don’t typically use syscalls directly, but instead you call APIs in the std lib
• For example, calling the standard library’s exit() function will in turn invoke the exit syscall on
the system (there are over 500 in total)
• We know that attackers will target the standard library (e.g., exit() or access()) to prevent us
detecting them or crashing
• Ergo, let’s skip the standard library and invoke the exit syscall from our code directly
Syscalls
28. • Detection of Frida in the loaded libraries
• Detection of Frida artefacts on disk
• E.g., config files, Frida server
• Detection of Frida in memory
• Signatures (e.g., strings, functions)
• Detection of Frida network activity (e.g., ports)
Basic Frida detection
32. • Inconsistency is favorable
• Distribute and randomize controls
• Consider adding entropy to controls
• E.g., execute N% of the time instead of 100%
• React in a multitude of different ways
• Layer your controls, protect controls with controls, etc.
• Today was just an intro. Many areas worth thinking about:
• Code packers, debugger prevention, emulation of code, patch prevention, keylogging, etc.
Secure design considerations
33. • App hardening is a cat-and-mouse game
• The controls presented are not comprehensive
• Raise the bar of difficulty
• It’s not about making it impossible—it’s about
making it not worth the time investment
• App hardening is not easy—consider using
commercial products
Closing remarks