How to Hack any Mobile Application: It’s Easier than You Think!

We live in a mobile, personal world, where more than 1.5 billion new mobile phones ship each year. Businesses that are most efficiently adapting to today’s “app economy” are the most successful at deepening customer engagement and driving new revenues in this ever-changing world. Where business opportunities abound, opportunities for “black hats” that conduct illicit and malicious activity abound as well.

 

Mobile app hacking is becoming easier and faster than ever before. Let’s explore why:

  • It’s fast: Industry research found that in 84 percent of cases, the initial compromise took “just minutes” to complete.
  • It’s relatively easy: There are automated tools readily available in the market to support hacking, and many of them are available for free!
  • Mobile apps are “low-hanging fruit”: In contrast to centralized Web environments, mobile apps live “in the wild,” on a distributed, fragmented and unregulated mobile device ecosystem. Unprotected binary code in mobile apps can be directly accessed, examined, modified and exploited by attackers.

Hackers are increasingly aiming at binary code targets to launch attacks on high-value mobile applications across all platforms. For those of you who may not be familiar, binary code is the code that machines read to execute an application — it’s what you download when you access mobile apps from an app store like Google Play.

Exploitable Binary-based Vulnerabilities

Well-equipped hackers seek to exploit two categories of binary-based vulnerabilities to compromise apps:

Code Modification or Code Injection:

This is the first category of binary-based vulnerability exploits, whereby hackers conduct unauthorized code modifications or insert malicious code into an application’s binaries. Code modification or code injection threat scenarios can include:

  • A hacker or hostile user, modifying the binary to change its behavior. For example, disabling security controls, bypassing business rules, licensing restrictions, purchasing requirements or ad displays in the mobile app — and potentially distributing it as a patch, crack or even as a new application.
  • A hacker injecting malicious code into the binary, and then either repackaging the mobile apps and publishing it as a new (supposedly legitimate) app, distributed under the guise of a patch or a crack, or surreptitiously (re)installing it on an unsuspecting user’s device.
  • A rogue application performing a drive-by attack (via the run-time method known as swizzling, or function/API hooking) to compromise the target mobile app (in order to lift credentials, expose personal and/or corporate data, redirect traffic, etc.)

Reverse Engineering or Code Analysis:

This is the second category of exploitable binary vulnerabilities, whereby mobile app binaries can be analyzed statically and dynamically. Using intelligence gathered from code analysis tools and activities, the binaries can be reverse-engineered and valuable code (including source code), sensitive data, or proprietary IP can be lifted out of the application and re-used or re-packaged. Reverse engineering or code analysis threat scenarios may include:

  • A hacker analyzing or reverse-engineering the binary, and identifying or exposing sensitive information (keys, credentials, data) or vulnerabilities and flaws for broader exploitation.
  • A hacker lifting or exposing proprietary intellectual property out of the application binary to develop counterfeit applications.
  • A hacker reusing and “copy-catting” an application, and submitting it to an app store under his or her own branding (as a nearly identical copy of the legitimate application).

You can see examples of these hacks “brought to life” on YouTube and a summary of Binary Exploits is provided in our graphic below. Whether your organization licenses mobile apps or extends your customer experience to mobile technology, the norm is that hackers are able to trivially invade, infect and/or counterfeit your mobile apps. Consider the following:

Reverse Engineering or Code Analysis (Confidentiality) - Code Modification or Code Injection (Integrity)Pin

B2C Apps Eight of the top 10 apps in public app stores have been hacked, according to Arxan State of Security in the App Economy Research, Volume 2, 2013. This means that anyone developing B2C apps shouldn’t assume that mobile app store-provided security measures are sufficient. Often these security measures rely on underlying assumptions, such as the lack of jailbroken conditions on the mobile device — an unsafe and impractical assumption today.
B2E Apps In the case of enterprise-internal apps (B2E), conventional IT security measures such as mobile device management (MDM) and application policy wrappers can be valuable tools for device management and IT policy controls for corporate data and application usage, but they aren’t designed to protect against application-level hacking attacks and exploits.

Time to Secure Your Mobile App

With so much of your organizational productivity riding on the reliable execution of your apps, and such a small a barrier for hackers to overcome superficial threat protection schemes, you could face significant risk unless you step up the protection of your application. It’s time to build trust in apps not just around them.

Application Hardening and Run-Time Protection are mission-critical security capabilities, required to proactively defend, detect and react to attempted app compromises. Both can be achieved with no impact to source code, via an automated insertion of “guards” into the binary code. When implemented properly, layers of guards are deployed so that both the application and the guards are protected, and there’s no single point of failure. Steps one can take to harden and protect apps at run-time are readily available.

Recent history shows that despite our best efforts, the “plumbing” of servers, networks and end-points that run our apps can easily be breached — so isn’t it high-time to focus on the application layer, as well?

Watch our YouTube video below to learn more about the importance of mobile security protection. And for the latest trends in mobile application security, consult our Ponemon Institute blog and companion report, titled “2017 State of Mobile & Internet of Things (IoT) Application Security.” We also encourage you to test-drive our mobile application security testing solution by signing up for a free trial of IBM Application Security on Cloud today.

7 thoughts on “How to Hack any Mobile Application: It’s Easier than You Think!”

  1. roofing contractor Littleton says:

    525533 816998Hello super schner Webblog den ihr da habt. Bin gerade ber die Google Suche darber gestolpert. Gefllt mir echt super gut. macht weiter so. MFG Martina 319418

  2. what is devsecops says:

    687773 172372Appropriate humans speeches should seat as properly as memorialize about the groom and bride. Beginer sound system about rowdy locations need to always not forget currently the glowing leadership of a speaking, which is ones boat. best man speeches brother 236988

  3. الفيس says:

    756023 820931Hmm is anyone else having problems with the images on this weblog loading? Im trying to figure out if its a difficulty on my end or if its the weblog. Any responses would be greatly appreciated. 819419

  4. CICD says:

    353862 980458Wow that was strange. I just wrote an extremely long comment but following I clicked submit my comment didnt appear. Grrrr effectively Im not writing all that more than once again. Regardless, just wanted to say great blog! 456429

  5. wholesale ombre bob wig cheap says:

    256361 399163Ich kenne einige Leute, die aus Kanadakommen. Eines Tages werde ich auch dorthin reisen Lg Daniela 249338

  6. 토토 says:

    685479 307175Your weblog has the same post as an additional author but i like your much better.~:; 413807

  7. Regression Testing says:

    599759 948278I like this internet internet site very a lot, Its a truly nice post to read and get information . 944732

Leave a Reply

Knowasiak

FREE
VIEW