How to Find Vulnerabilities in Mobile Apps through Reverse Engineering

As users rely more on mobile apps, they also put personal and employer information at risk. Application and device management measures cannot catch all malicious activity. As part of IT security, penetration testers use reverse engineering to catch app vulnerabilities before attackers do.

Mobile App Vulnerabilities

Like desktop programs, mobile apps are subject to malware. However, mobile devices are particularly vulnerable as personal communication and storage platforms using wireless carrier networks. Penetration testing must consider both server and client, and testers exploit weaknesses that could lead to unauthorized app or cloud access. Vulnerable areas include:

• Insecure wireless connection or network
• Unprotected sensitive data
• Insecure data storage and retrieval
• Hard-coded application password
• Application updates
• Database access

The Role of Reverse Engineering

When an application’s source code is not available, the penetration tester must reverse engineer binaries as well as examine other file types. Testers reverse engineer apps in order to understand how they work and analyze their weak points. By learning how an app is supposed to function, testers can find the variances that produce vulnerabilities. This step is crucial to ensure accurate and complete test coverage.

While exercising a compiled app can expose weaknesses, a thorough assessment is impossible without dissecting the code. Further, the tester must analyze all levels from a systems view down to individual functions. This includes how the app interacts with its processing and networking environment, the trust boundaries between components, and relevant lines of code. The process can uncover malware hidden in a seemingly legitimate application. Additionally, some vulnerabilities are more visible in binary code than in source, so reverse engineering will find them first.

The Reverse Engineering Process

Reverse engineering is a manually intensive process that requires knowledge of different mobile architectures and operating systems. To effectively reverse engineer an app, testers must understand the platform it runs on. Leading systems include Apple iOS, Android, Symbian, and Windows Mobile. Testers must also be familiar with the ARM CPU that most mobile devices use. Compared with x86 processors, ARM has a reduced, fixed-width instruction set and certain memory requirements that have implications for penetration testing.

Testers must overcome multiple challenges when reverse engineering. Mobile device management imposes security limitations. Official apps are usually signed and run in sandboxes tied to user profiles and access controls. Software packages may include several distributed binaries, configuration files, and images. Each platform requires certain tools in order to decompile or disassemble code. For example, iOS testers must first jailbreak an iOS device by using a tool such as GreenPois0n to gain root access and load unauthorized test apps.

Reverse engineering involves static and dynamic test techniques. Static reversal examines apps while they are not executing; testers can use IDA Pro or a similar tool to disassemble Symbian, Windows Mobile, and iOS apps. Android needs tools such as dex2jar, which converts Dalvik executables to Java bytecode, and JD-GUI, which decompiles the result back to readable Java source. Dynamic reversal debugs running apps and can pose a challenge because it requires external hardware or an emulator. However, testers with the proper resources can script much of the process.
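As an added example (not code from the article or from TrainACE), the following Python script shows the kind of static pass a tester scripts before reaching for dex2jar: it walks the string table of an Android classes.dex file directly and flags constants that hint at the vulnerable areas listed above (hard-coded passwords, plain-http endpoints). The marker list, the sample class and string names, and the minimal DEX builder used for the demo are all constructed for this example.

```python
import struct
from typing import List, Tuple

# Constructed watch-list for the review; a real engagement would tune these.
SUSPECT_MARKERS = ("password", "http://", "apikey", "secret")

def read_uleb128(buf: bytes, off: int) -> Tuple[int, int]:
    """Decode the ULEB128 length prefix used by DEX string_data_item."""
    result, shift = 0, 0
    while True:
        b = buf[off]
        off += 1
        result |= (b & 0x7F) << shift
        if not (b & 0x80):
            return result, off
        shift += 7

def dex_strings(dex: bytes) -> List[str]:
    """Return every constant in the DEX string_ids table, in table order."""
    if dex[:4] != b"dex\n" or dex[7:8] != b"\x00":
        raise ValueError("not a DEX file")
    # header fields: string_ids_size at 0x38, string_ids_off at 0x3C (little-endian)
    count, table_off = struct.unpack_from("<II", dex, 0x38)
    out = []
    for i in range(count):
        (data_off,) = struct.unpack_from("<I", dex, table_off + 4 * i)
        _utf16_len, start = read_uleb128(dex, data_off)
        end = dex.index(b"\x00", start)          # MUTF-8 data is NUL-terminated
        out.append(dex[start:end].decode("utf-8", errors="replace"))
    return out

def suspicious_strings(dex: bytes) -> List[str]:
    """Constants worth a manual look: credentials, cleartext endpoints, keys."""
    return [s for s in dex_strings(dex)
            if any(m in s.lower() for m in SUSPECT_MARKERS)]

def build_sample_dex(strings: List[str]) -> bytes:
    """Constructed minimal DEX (header + string_ids + string_data) for offline demo.
    Checksum/signature are left zero because the parser above does not verify them;
    strings are assumed shorter than 128 bytes so the ULEB128 length is one byte."""
    header = bytearray(0x70)
    header[:8] = b"dex\n035\x00"
    table_off = 0x70
    data_off = table_off + 4 * len(strings)
    ids, data = bytearray(), bytearray()
    for s in strings:
        ids += struct.pack("<I", data_off + len(data))
        data += bytes([len(s)]) + s.encode("utf-8") + b"\x00"
    struct.pack_into("<II", header, 0x38, len(strings), table_off)
    return bytes(header) + bytes(ids) + bytes(data)

if __name__ == "__main__":
    sample = build_sample_dex(["Lcom/example/App;", "http://api.example.test/login",
                               "db_password", "onCreate"])
    print(suspicious_strings(sample))
```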

The security stakes are getting higher as more malware invades apps and more people use mobile devices for work. Reverse engineering allows penetration testers to get inside an app developer’s mind and exploit vulnerabilities before the real adversaries do.

About the Author

This article was written by Megan Horner, a representative from TrainACE. Megan has been with the company a little over a year and during that time developed a passion for marketing and information technology. TrainACE is an IT training facility with a strong focus on cyber security. TrainACE actively produces advanced security courseware such as the mobile app security course.


One thought on “How to Find Vulnerabilities in Mobile Apps through Reverse Engineering”

  1. Great article. I wanted to point something out. You may already know this and failed to mention it, or this is something new to you. You mentioned that something like IDA Pro is used for certain devices, as you pointed out above, given the purpose of discussion pertaining to your topic. Then you speak of Android and its method. The method for Android is very accurate; however, you can also use IDA Pro against Android as well, especially towards its apps or apk’s. When decompiled, there is a file which is named differently in each apk but ends with the extension .so. It is my knowledge that all apk’s only contain one .so file. Consider such a file as an executable file which contains much data and many commands in regards to the apk prior to its installation. By using IDA Pro, one could easily take this file, go through and make the necessary changes, then patch the file. Once complete, that file is then placed back into its proper filing location within the apk and the apk is then compiled back. Afterwards it is signed again. This method of modding or ‘hacking’ is also known in the Android community as ‘install game hack apk’. Basically, they manipulate the apk to do other things than it was originally intended to do, but the apk accepts it as ‘true’ because when installed this was the information it was given. This process is more common with apk games. An example would be Candy Crush Saga. Of course you can decompile the apk, search the smali/java files and make minor edits like the number of candy colors which are displayed in specific levels or how many lives you start with when opening the game. However, these are all minor mods. By using IDA, one could determine the number of lives which are displayed but change the ‘sub’ or ‘rsb’ to something like ‘add’ or ‘NOP’. By doing this they can configure their lives to either gain one or more each time they lose, win, etc. Or they can display the lives on the screen as something like 99, yet no matter how many times they lose on a level they will always maintain 99. Now take that into consideration and imagine what more could actually be done by using something like IDA or similar.
