Avoid binary signatures (code modification prevention)

From OWASP

This is a principle or a set of principles. To view all principles, please see the Principle Category page.


Context

Mobile app developers must take into account a whole host of new risks that relate to hosting code in an uncontrolled environment. If you are hosting code in an untrustworthy environment, you are susceptible to the risk that an adversary will reverse engineer and modify your code via binary attacks [1] [2] [3] [4].

This content is part of a much bigger set of principles defined within the Architectural Principles That Prevent Code Modification or Reverse Engineering project.

Description

When implementing the integrity controls outlined in this document, it is critical to create controls that will not leave residual signatures behind for the adversary to find. After implementing a particular method, verify that the method will not leave a consistent binary signature across multiple instances.

Examples

For example, an organization implements a Checksum control and reuses this code across multiple instances that are invoked at various locations at runtime. An attacker identifies a unique string of bytes that identifies every instance of the Checksum control executed by the code. The attacker then 'plucks' out all Checksum controls within the code.
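One way to run the verification the Description asks for as a build-time check, shown as an added example (not OWASP's or any project's code): it looks for the longest byte run common to every compiled instance of a control and flags it when that run occurs in the image only where the controls are. The byte strings are constructed sample data, and the function names and the 8-byte threshold are assumptions.

```python
"""Build-time check: do the copies of an integrity control share a byte signature?"""

def shared_runs(instances, length):
    """Return every run of `length` bytes that occurs in all instances."""
    common = None
    for blob in instances:
        grams = {blob[i:i + length] for i in range(len(blob) - length + 1)}
        common = grams if common is None else common & grams
        if not common:
            return set()
    return common or set()

def longest_shared_run(instances):
    """Longest byte run present in every instance (binary search on the length)."""
    lo, hi, best = 1, min(map(len, instances)), b""
    while lo <= hi:
        mid = (lo + hi) // 2
        found = shared_runs(instances, mid)
        if found:
            best, lo = min(found), mid + 1  # min() keeps the choice deterministic
        else:
            hi = mid - 1
    return best

def is_signature(image, instances, min_len=8):
    """True if the shared run is long and appears in `image` only inside the controls."""
    run = longest_shared_run(instances)
    return len(run) >= min_len and image.count(run) == len(instances)

# Constructed sample data (not real machine code).
# Case 1: one checksum stub reused verbatim at three call sites.
STUB = bytes.fromhex("a1b2c3d4e5f60718293a4b5c")
REUSED = [b"\x10\x11" + STUB + b"\x12", b"\x20" + STUB + b"\x21\x22",
          b"\x30\x31\x32" + STUB]
IMAGE_REUSED = b"\x00" * 16 + b"\x55".join(REUSED) + b"\x00" * 16

# Case 2: three diversified variants of the same control.
DIVERSIFIED = [bytes.fromhex("a1b2c3d4e5f6071829"),
               bytes.fromhex("4f905d22a1c7e3b80f"),
               bytes.fromhex("7703c9a1b26d5e14f2")]
IMAGE_DIVERSIFIED = b"\x00" * 16 + b"\x55".join(DIVERSIFIED) + b"\x00" * 16

if __name__ == "__main__":
    print("reused copies leave a signature:", is_signature(IMAGE_REUSED, REUSED))
    print("diversified copies leave a signature:",
          is_signature(IMAGE_DIVERSIFIED, DIVERSIFIED))
```

A build that fails this check is reusing a control in a form that can be located as a group; the instances need to differ at the byte level before release.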

External References

[1] Arxan Research: State of Security in the App Economy, Volume 2, November 2013:

“Adversaries have hacked 78 percent of the top 100 paid Android and iOS apps in 2013.”

[2] HP Research: HP Research Reveals Nine out of 10 Mobile Applications Vulnerable to Attack, 18 November 2013:

“86 percent of applications tested lacked binary hardening, leaving applications vulnerable to information disclosure, buffer overflows and poor performance. To ensure security throughout the life cycle of the application, it is essential to build in the best security practices from conception.”

[3] North Carolina State University: Dissecting Android Malware: Characterization and Evolution, 7 September 2011:

“Our results show that 86.0% of them (Android Malware) repackage legitimate apps to include malicious payloads; 36.7% contain platform-level exploits to escalate privilege; 93.0% exhibit the bot-like capability.”

[4] InfoSecurity Magazine: Two Thirds of Personal Banking Apps Found Full of Vulnerabilities, January 3 2014:

“But one of his more worrying findings came from disassembling the apps themselves ... what he found was hardcoded development credentials within the code. An attacker could gain access to the development infrastructure of the bank and infest the application with malware causing a massive infection for all of the application’s users.”