When it comes to mobile applications, you don’t have a malware problem, you have an adversary problem, according to Adam Meyers, a pen tester and expert at reverse engineering various kinds of mobile apps.
On any given day we’re dealing with a different platform so we’ve got a lot to learn to stay ahead of the game.
Adam Meyers, Director of Intelligence, CrowdStrike
Meyers, director of intelligence at security startup CrowdStrike, discussed the challenges of reverse engineering applications for mobile devices. Reverse engineering tools are emerging, he said, but the process remains largely manual and sometimes tedious, he said in a presentation recently at the 2012 SOURCE Boston conference.
Reverse engineering applications help penetration testers understand how the application works and discover weaknesses that can be used by cybercriminals in a real-world attack. It’s also used to find hidden malware in the underlying code. For example, enterprises that are risk averse may decide to set up their own mobile app store, giving employees approved applications that have been vetted and whitelisted for use on their smartphone or tablet devices.
There are more than 34 million devices in use globally and, according to some estimates, a massive amount of devices are coming to market with many different patch levels. “It’s a complicated problem,” he said.
“We’ve got a really big moving target,” Meyers said. “On any given day we’re dealing with a different platform so we’ve got a lot to learn to stay ahead of the game.”
Meyers said that although mobile malware is just beginning to emerge, plenty of cybercriminals are working to find ways to get malware to live inside the platform’s kernel. “Detection and prevention is very difficult to do,” he said, because security software is restricted by manufacturers.
Meyer highlighted several applications that provide a basis for future attack types. A flashlight app that surfaced more than a year ago in the Apple iTunes store contained a hidden feature giving users tethering capabilities. A mobile application called Dog Wars surfaced at the time football star Michael Vic faced legal troubles over his role in underground dogfights. The app contained malicious Java functionality that sent a text to everyone in the user’s contact list saying that the user hates animals. The app was designed by the animal care advocate organization, PETA.
“If an organization like PETA is able to do something like this, it tells you this is a pretty easy task to accomplish,” Meyer said.
Mobile platforms were built from the ground up with various security features, making reverse engineering a difficult process. Pen testers need to deal with application sandboxes, access control filters and code signing. Apple makes it especially difficult for reverse engineers because it uses FairPlay, a digital rights management (DRM) technology created for songs as the same mechanism to protect app files, Meyers said.
Tools to reverse engineer mobile apps are emerging. IDA Pro can be used for disassembling; Hex-Rays for decompiling; and dex2jar to decompile Android applications into Java source code. ProGuard is used as a Java class file shrinker and obfuscator that can be used on Android apps. There is still no way to do obfuscation on iOS, according to Meyers. A tool called Dumpdecrypted can dump decrypted files from encrypted iPhone applications from memory to disk. “As this stuff emerges and becomes more popular will see more of that,” Meyers said of automation.