Security vulnerabilities in the Dutch Apps market

hacker-attack-500x318New Year’s Eve 2013 – Snapchat social network hacked: 4.6 million users database stolen.

Snapchat case is the most recent example of a new kind of security threat that represents one of today’s bigger security risk. The attacker was able to reverse engineer the mobile application, to guess the behavior of the communication protocol with the server, and to find loopholes in its flow.

The diffusion of mobile applications, as an extension of a web service, has widened the attack surface: the brand new option is to reverse engineering the Mobile Application in order to attack the web service.

All the informations the attacker needs are enclosed in the Mobile Application; it is just a matter of how hard the developers tried to hide it.

Software reverse engineering can be done in 2 possible ways (assuming of course you do not have the source code of the application):

  • Static Analysis, or Dead Listing Approach;
  • Dynamic Analysis, or Live Approach;

The Dead Listing Approach was perfect back in the days, when the applications were small and simple, for example DOS or Z-80 application. Nowadays this approach fits perfectly to Mobile Applications; all the findings presented in this paper are the result of a very quick and basic static analysis. A better and deeper reversing of the code is possible proceeding further with a dynamic analysis (and will be the matter of a future paper).

This kind of analysis is used by crackers to hack the application itself; according to an Arxan research (State of Security in theApp Economy:“Mobile Apps Under Attack”) more than 90% of top paid mobile apps have been hacked. 92% of Top 100 paid apps for Apple iOS and 100% of Top 100 paid apps for Android were found to have been hacked.

In this paper we are exploring the possibilities offered by this kind of analysis in order to achieve a malicious attack against the web service that is behind the mobile application.

There are three possible targets we are going to hit:

  • reverse engineering the communication protocol with the server (the backend API entry points);

  • reversing the application authentication process (username/password used by the app to authenticate, local SSL certificate/password)

  • gathering as much reserved informations as possible from the code, that represents a threat for the target.

Key findings

The research was based on 10 highly popular free apps for Android, built and distributed by Dutch companies. Among them, there are hotel reservation apps (Booking.com), Online Banking apps (ABN AMRO, ING, RABOBANK). As soon as I cannot publish details that could lead to malicious attacks, I will just summarize the results of this analysis. Some of the companies involved in this research will be contacted to be warned against a potential security issue.

Communication protocol: 8 application out of 10 do not hide at all the communication protocol entry points with the server. It is possible to reconstruct all the protocol flow, even if such protocol is not public.

Application authentication process: 4 out of 10 applications simply contain the unencrypted credential to authenticate with the server.

Sensible information: 8 applications out of 10 contain unencrypted API Keys, like Facebook, Twitter, Google Maps, Flurry Analytics, Google Analytics.

Protection against reverse engeneering: 10 application out of 10 did not use any advanced application protection techniques, like assets encryption or tamper detection.

Conclusion:

In one case the reverse engineering allowed me to create in no time a “cloned” application, able to create new users, to login and to query the main database, exactly the same way the official application does. For an attacker this could lead to automate penetration testing tools, DOS attacks, and probably sensitive data theft.

Apparently the mobile application market is still in his youth; mobile app protection is not a strategic priority and there is not enough focus on protecting the integrity of mobile apps against tampering/reverse-engineering attacks. In the following months probably we will see many more attacks, similar to the Snapchat one, and this is probably the only way to let the industry focus more on this issue.

sergio@studio-sg.net

Advertisements

About sergiogiucastro

Software developer, IT security expert, having fun for more then 15 years of professional experience, from Windows95 to Android :)

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: