As users rely more on mobile apps, they also put personal and employer information at risk. Application and device management measures cannot catch all malicious activity. As part of IT security, penetration testers use reverse engineering to catch app vulnerabilities before attackers do.
Mobile App Vulnerabilities
Like desktop programs, mobile apps are subject to malware. However, mobile devices are particularly vulnerable as personal communication and storage platforms using wireless carrier networks. Penetration testing must consider both server and client, and testers exploit weaknesses that could lead to unauthorized app or cloud access. Vulnerable areas include:
•Insecure wireless connection or network
•Unprotected sensitive data
•Insecure data storage and retrieval
•Hard-coded application password
The Role of Reverse Engineering
When an application’s source code is not available, the penetration tester must reverse engineer binaries as well as examine other file types. Testers reverse engineer apps in order to understand how they work and analyze their weak points. By learning how an app is supposed to function, testers can find the variances that produce vulnerabilities. This step is crucial to ensure accurate and complete test coverage.
While exercising a compiled app can expose weaknesses, a thorough assessment is impossible without dissecting the code. Further, the tester must analyze all levels from a systems view down to individual functions. This includes how the app interacts with its processing and networking environment, the trust boundaries between components, and relevant lines of code. The process can uncover malware hidden in a seemingly legitimate application. Additionally, some vulnerabilities are more visible in binary code than in source, so reverse engineering will find them first.
The Reverse Engineering Process
Reverse engineering is a manually intensive process that requires knowledge of different mobile architectures and operating systems. To effectively reverse engineer an app, testers must understand the platform it runs on. Leading systems include Apple iOS, Android, Symbian, and Windows Mobile. Testers must also be familiar with the ARM CPU that most mobile devices use. Compared with x86 processors, ARM has a reduced, fixed-width instruction set and certain memory requirements that have implications for penetration testing.
Testers must overcome multiple challenges when reverse engineering. Mobile device management imposes security limitations. Official apps are usually signed and run in sandboxes tied to user profiles and access controls. Software packages may include several distributed binaries, configuration files, and images. Each platform requires certain tools in order to decompile or disassemble code. For example, iOS testers must first jailbreak an iOS device by using a tool such as GreenPois0n to gain root access and load unauthorized test apps.
Reverse engineering involves static and dynamic test techniques. Static reversal examines apps while they are not executing, and testers can use IDA Pro or a similar tool to disassemble Symbian, Windows Mobile, and iOS apps. Android needs tools such as dex2jar and JD-GUI to convert Dalvik executables to Java and then decompile. Dynamic reversal debugs running apps and can pose a challenge as it requires external hardware or an emulator. However, testers with the proper resources can script much of the process.
The security stakes are getting higher as more malware invades apps and more people use mobile devices for work. Reverse engineering allows penetration testers to get inside an app developer’s mind and exploit vulnerabilities before the real adversaries do.
About the Author
This article was written by Megan Horner, a representative from TrainACE. Megan has been with the company a little over a year and during that time developed a passion for marketing and information technology. TrainACE is an IT training facility with a strong focus on cyber security. TrainACE actively produces advanced security courseware such as the mobile app security course.