If you understand your adversary, you are halfway to defeating them – or so the saying goes.
That’s why at a recent Android developers’ conference, the excellent Droidcon San Francisco, we decided to turn things around slightly. Rather than demonstrating how soft mobile apps are to reverse engineering, or diving into the technical and business risks, we wanted to get inside the mind of the hacker.
The best place to start is the hacker’s motivation, which typically falls into one of four groups.
The academic is always trying to prove a point. They aren’t after a monetary reward. Instead, they’re after the kudos of a job well done. Academic research follows three steps:
- Ask a question.
- Theorize an answer to the question.
- Experiment to prove or disprove the theory.
When it comes to user security, a typical question is “can I access personal data?” Given that mobile apps are generally soft, the theory is often “yes, through the mobile app.” The academic will then set out to reverse engineer the app to prove that the theory is correct.
While an academic’s motivation is not malicious, they will publish their research. This can be embarrassing for the companies that have been attacked. And it can be doubly so, as the mainstream media trusts academic research and it often makes for a credible news story.
The criminal is after a return on investment. Simply put: they are looking to make money. That means they are after an attack that can scale, and they are willing to invest their time and energy to find one.
The return may come through using the mobile app to commit fraud – such as the 7-Eleven attack in Japan last year where criminals used weaknesses in the mobile app to steal money from customer accounts.
More often it is lifting personal data - credit cards or health data being the most valuable.
The intelligence services are always looking for new information to keep their citizens safe. As a recent attack on WhatsApp showed, getting access to the communications of persons of interest is highly valuable.
Modern communication is usually encrypted. Therefore, it is often easier to go after the communication before it enters the encrypted channel than to try to decode the communication stream. In security terminology this would be a man-at-the-end versus a man-in-the-middle attack.
With a soft mobile app, this is certainly the case. By using a vulnerability within a mobile app, it is often possible to insert a wiretap, syphoning out interesting communication before it has been encrypted – all without the user’s knowledge.
The freeloader is after something for nothing. These are modern equivalents of high school kids that would copy a friend’s CD onto cassette.
In the modern age of streaming video and free-to-play video games, freeloading takes a different form. It involves hacking the mobile app to remove the adverts that are funding the service or using your parent’s password to log into the streaming service.
The challenge that service providers have is that an attack isn’t limited to one user. Once an attacker has created a freeloading version of an app, they will be a “good Samaritan” and publish the app to a third-party app store, thus allowing anyone to benefit from the attack.
Mitigating The Risk
Once you understand the hacker’s motivation, you can start to identify the assets they will be after in your mobile app. After you’ve identified what is at risk, you can take simple, practical steps to defend against the attacker, such as using Code Protection to make your app difficult to reverse engineer, Whitebox Cryptography to securely store data within the app or Strong Authentication to stop password sharing.
To learn more, watch our full presentation from Droidcon San Francisco.
If you want to take that first practical step, use Verimatrix’s ProtectMyApp service before publishing your Android and iOS app.