By Christine Kern, contributing writer
Arxan Technologies, a mobile app security solutions provider, believes the first step in defending yourself from hackers is to think like one. The company has created a video series to help enterprises make it more difficult for hackers and fraudsters to tamper with apps. The “How to Hack an App” series includes a handful of short clips (1-2 minutes long), each demonstrating how to perform an attack with the use of readily available tools.
At the bottom of the blog page is a video, produced in conjunction with IBM. In the video, Jonathan Carter, technical director of Arxan, says hackers often start by accessing unprotected binary code. Through reverse engineering, an attacker can gain sensitive information not only about your organization, but also about the design and implementation of your solution, and this information can be sold.
Carter says another area of concern is modifying the behavior of the application itself. The hacker can then spy on users, steal information, conduct fraud, or inject malware into the system.
The video also explains common attack vectors and points out that the techniques don’t take a lot of effort or real skill on the part of the attacker.
The blog page also includes a series of short videos from Arxan that explain seven common techniques hackers use to exploit applications:
- iTunes Code Encryption Bypass
- Android APK Reverse Engineering
- Algorithm Decompilation and Analysis
- Baksmali Code Modification
- Reverse Engineering String Analysis
- Swizzle with Code Substitution
- Understanding application internal structures and methods via Class Dumps
An earlier Arxan blog post, “The Increased Need to Protect Mobile Apps,” presented the results of the company’s annual State of Mobile App Security report. The research showed 97 percent of the top 100 paid Android apps and 87 percent of the top 100 paid Apple iOS apps have been hacked. The study also found popular free apps had been the target of an increased number of hacks, and that there had been “widespread hacking of financial services, healthcare/medical, and retail/merchant apps, largely driven by hacks of Android apps.”
Recommendations in the report include that “applications with high-risk profiles running on any mobile platform should be made tamper-resistant and capable of defending themselves and detecting threats at runtime.” Applications should also be developed to maintain the confidentiality of the application code, and “software that is used to enable mobile wallets/payment apps (e.g., Host Card Emulation software) should be protected with secure crypto and app hardening.”
You can download the full report and view the accompanying infographic here.