White hat hacker Randy Westergren encountered a couple of roadblocks when he targeted the Subway Android app, from which customers can order and pay for sandwiches at the U.S. chain restaurant.
When Westergren tried to proxy requests from the app, he was first met with certificate pinning, a technique that reduces an app's reliance on trusting third parties and strengthens its defense against man-in-the-middle attacks.
Because certificate pinning is often employed by banking apps, Westergren's interest was piqued; he needed to take a closer look.
Through app reverse-engineering, Westergren decompiled the app and analyzed its source code, in which he found two instances of pinning.
After bypassing the pinning -- rebuilding the app and installing the modified app on his device -- Westergren was met with another roadblock, a message that said "App verification failed. Subway® app has been tampered with. Please contact support."
The Subway app, Westergren found, was using custom app signature verification to prevent the reversing of its Android Package (APK).
After this "slight delay," as Westergren called it, he bypassed the issue, again recompiled and installed the app, and was finally able to successfully proxy API requests, as he initially set out to do.
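As an added illustration, not code from Westergren's post or from the Subway app, here is how the two client-side checks described above are typically implemented on Android: certificate pinning with OkHttp's CertificatePinner and a signing-certificate check through PackageManager. The API host, the SPKI pins and the release certificate hash are placeholder values.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.util.Base64;
import java.security.MessageDigest;
import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;

/** Client-side hardening of the kind described above; both checks run inside the APK. */
public final class AppHardening {

    // Placeholder values: replace with the real API host, its SPKI pin(s)
    // and the SHA-256 of the release signing certificate.
    private static final String API_HOST = "api.example.com";
    private static final String[] SPKI_PINS = {
        "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=",  // primary key
        "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB="   // backup key
    };
    private static final String RELEASE_CERT_SHA256 =
        "CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC=";

    /** HTTP client that rejects any TLS chain whose SPKI hashes match none of the pins. */
    public static OkHttpClient pinnedClient() {
        CertificatePinner pinner = new CertificatePinner.Builder()
                .add(API_HOST, SPKI_PINS)
                .build();
        return new OkHttpClient.Builder().certificatePinner(pinner).build();
    }

    /** True when the installed APK is signed by the expected release certificate. */
    public static boolean signatureMatchesRelease(Context ctx) {
        try {
            PackageInfo info = ctx.getPackageManager().getPackageInfo(
                    ctx.getPackageName(), PackageManager.GET_SIGNATURES);
            MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
            for (Signature sig : info.signatures) {
                String digest = Base64.encodeToString(
                        sha256.digest(sig.toByteArray()), Base64.NO_WRAP);
                if (RELEASE_CERT_SHA256.equals(digest)) {
                    return true;
                }
            }
        } catch (Exception e) {
            // Fall through: treat any lookup failure as a mismatch.
        }
        return false;
    }
}
```

Both checks live in the APK itself, which is why a rebuilt app can remove them as the research above shows; they raise the effort required rather than guarantee anything.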
During his research, Westergren came across another interesting find: a Reddit post in which a user claimed Subway was purposely "crippling" the app on rooted devices. In trying to use the app, a user with a rooted device received a message saying "it appears that this device is running a modified version of Android. For your protection, you cannot log into your account with your password from this device." Westergren confirmed this, finding mentions of root detection in the app's source code.
So what does this mean for mobile app safety?
It's important to note, as one user pointed out in the comments on Westergren's blog, that security is only broken for users downloading Westergren's version of the app -- not for those using the legitimate Subway app from the Google Play Store. Westergren acknowledged the comment, stating he only wanted to demonstrate how certificate pinning and signature verification -- while a good idea -- can be bypassed to allow the proxying of API requests made by the app.
"Sometimes I think there is a false sense of security when employing techniques found in this post," Westergren replied to a comment on his blog, "as it can make developers believe that it will keep researchers or attackers from proxying their API requests."
Westergren told SearchSecurity that while reverse engineering an app on your own device does not pose a threat to others, "the danger comes in distributing these altered APKs or being able to proxy and decrypt your own traffic while using the app. Though being able to proxy/decrypt traffic through a self-MitM attack isn't inherently malicious, it sheds light on how the app interacts with its Web API, giving an attacker the opportunity to find vulnerabilities in the API itself."
While there will likely never be a way to prevent attackers from proxying API requests, app developers can make it more difficult for attackers to achieve, Westergren told SearchSecurity. Obfuscation tools, such as ProGuard, can help hinder the process, or abstracting functionality into a compiled shared object file can "significantly increase the skill level required to reverse engineer which helps weed out -- not eliminate -- those capable of reversing software."
Westergren gave props to the Subway app developers' security.
"It's great to see the increasing adoption of certificate pinning in Android apps," Westergren wrote.
Westergren told SearchSecurity he has been seeing the method used much more often lately; about 10% of the apps he has researched now use some sort of certificate pinning. Now, the trend just has to continue to make mobile app safety more the norm than the exception.
In other news
- In its transparency report for the first half of 2015, CloudFlare Inc. disclosed data about governmental requests the company received to disclose information about its customers by way of subpoenas, court orders, search warrants, pen register/trap and trace orders, and wiretap orders. The content delivery network and DNS service provider revealed it received 50 court orders in the first half of 2015, more than the total number of court orders received in 2014 as a whole -- 2014 saw 22 court order requests in the first half of the year and 24 in the second half. These 50 court orders, of which 49 were answered, affected 2,120 domains and 96 accounts. CloudFlare published the report because "an essential part of earning the trust of our customers is being transparent about the governmental requests we receive." CloudFlare maintained in the report that it has never turned over its own or customers' SSL keys, installed any law enforcement software or equipment on its network, terminated a customer or taken down content due to political pressure, or provided any law enforcement organization a feed of its customers' content transiting its network.
- Two Belgian researchers published a paper ahead of a presentation at the USENIX Security Symposium next month in Washington, D.C. about an attack that can break the RC4 cipher. In trial attacks, Mathy Vanhoef and Frank Piessens of the University of Leuven were able to capture victim cookies and decrypt them in less time than ever before by exploiting two known biases in the RC4 keystream. The pair decrypted a cookie within 75 hours; a second attack lowered this time to 52 hours. Against WPA-TKIP, the attack took the researchers only an hour to execute. RC4, which was once used in 50% of all HTTPS instances, is now used in only approximately 30%, the researchers estimated. The pair said users should consider any protocol using RC4 to be vulnerable and recommended stopping RC4 use altogether.
- In its first ever attendee research report, Black Hat surveyed 460 past Black Hat USA attendees to learn about current and future enterprise IT trends. The survey of management and security professionals, 64% of whom worked at organizations with 1,000 employees or more, found "most enterprises are not spending their time, budget and staffing resources on the problems most security-savvy professionals consider to be the greatest threats." Fifty-seven percent of respondents cited sophisticated, targeted attacks as their greatest concern, yet only 26% indicated targeted attack defense was a top IT security spending priority. Additionally, 46% of those surveyed said social engineering was a top concern, and 33% admitted employees are the weakest link in today's enterprise IT defenses, yet only 31% named it as a top priority. The survey also found the Internet of Things -- which respondents ranked as the greatest concern two years from now -- was considered a top security priority by only 6%, and only 3% said it was a budget priority. Those surveyed also noted a shortage of IT resources; 73% believe their organization will suffer a major security breach in the future, yet only 27% believe they have the staff necessary to defend against current threats.