The COVID-19 global pandemic has forced most companies and their employees to stay home. Despite this lack of physical mobility, people are increasingly using multiple mobile devices and applications. Out of boredom, possibly lack of awareness or various other reasons, consumers have let their guard down.
Cyber criminals are seeking out any opportunity they can to take advantage of the current circumstances and hack into devices and networks. More than ever, cybersecurity is needed.
Reverse engineering in mobile applications
As with most cybercrime, reverse engineering is on the rise. In October 2019, CNBC published an article titled Facebook Employees Turn to Hong Kong Hacker Jane Manchun Wong. It detailed how Wong (a renowned Hong Kong based hacker and software engineer) reverse-engineered applications to uncover new features still in development and then publicly revealed those features before their official marketing release. The article quotes an Instagram data scientist, Colin Higgins, who stated tongue-in-cheek that Jane was a better source of what was happening at Instagram than their internal communications team. While this is all serious business, it’s hard not to find it a bit funny. Imagine if your competitors had this window into what your company was doing.
A team led by Ohio State University recently published a research paper that surveyed more than 150,000 current Android applications using a new static analysis technique (Automatic Uncovering of Hidden Behaviors From Input Validation in Mobile Apps). Their research revealed that 12,076 (8.47%) of these applications contained backdoor secrets and 4,028 (2.69%) contained blacklist secrets. This is shocking to say the least. The fact that almost 10% of the Android applications studied had some form of backdoor to circumvent the typical login security is an alarming statistic. How could this small team of researchers manage to uncover these secrets? They used automated static analysis to discover applications of interest, and then reverse engineered 30 of the identified applications to make many of the key revelations contained within the paper.
Can reverse engineering reveal secrets in your mobile application?
What both of these examples have in common is the use of static analysis to do reverse engineering to facilitate the ability to extract hidden secrets in applications. Those secrets range from upcoming features to undocumented functionality which provides backdoor access to an application. Now, think of all the secrets which could be exposed in a mobile application. Questions, no doubt, arise.
Not familiar with static analysis? Watch Irdeto’s Cloakware Cate video HERE explaining how it works.
Could your team have inadvertently left in hard-coded passwords that a hacker could expose? Could the application be performing license checks that would be better hidden than left in the clear? Does your application contain technology from vendors or partners that might reveal relationships you’d rather keep confidential?
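The questions above are ones a development team can start answering before release, with the same kind of check a reverse engineer would run against the shipped binary: look in the decompiled source for places where user input is compared against a hard-coded value. The script below is an added example, not code from Irdeto or from the Ohio State paper; it is a small audit heuristic in the spirit of that research, run over a constructed fragment of decompiled Java-style code (assumed names such as MASTER_PASSWORD and BLOCKED_WORDS are invented for the sample). It flags three patterns: credential-looking constants assigned a string literal, input compared for equality against a literal or such a constant, and input checked for membership in a hard-coded list.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample of decompiled Android code, written for this example.
# It is not real app code; the names and values are invented.
SAMPLE_SOURCE = '''\
public class LoginActivity {
    private static final String MASTER_PASSWORD = "letmein2020";
    public boolean checkLogin(String user, String password) {
        if (password.equals(MASTER_PASSWORD)) { return true; }
        if (user.equalsIgnoreCase("support_backdoor")) { return true; }
        return server.verify(user, password);
    }
    public void onCommand(String cmd) {
        if (cmd.equals("enable_debug")) { enableDebug(); }
        if (BLOCKED_WORDS.contains(cmd)) { reject(); }
    }
}
'''


@dataclass(frozen=True)
class Finding:
    line: int      # 1-based line number in the scanned source
    kind: str      # category of the suspicious construct
    detail: str    # the matched text, for triage


# A string literal assigned to an ALL_CAPS constant; collected so that
# comparisons against the constant can be resolved to its value.
CONST_ASSIGN = re.compile(r'\b([A-Z_][A-Z0-9_]+)\s*=\s*"([^"]*)"')

# A credential-looking identifier assigned a string literal.
CRED_ASSIGN = re.compile(
    r'\b(\w*(?:password|passwd|secret|key|token)\w*)\s*=\s*"([^"]+)"', re.I
)

# Input compared for equality against a literal or an ALL_CAPS constant.
INPUT_COMPARE = re.compile(
    r'\b(\w+)\.(equals|equalsIgnoreCase|contentEquals)'
    r'\((?:"([^"]*)"|([A-Z_][A-Z0-9_]+))\)'
)

# Input checked for membership in a hard-coded collection (blocklist-style).
LIST_CHECK = re.compile(r'\b([A-Z_][A-Z0-9_]+)\.contains\(\s*(\w+)\s*\)')


def scan_source(source: str) -> list[Finding]:
    """Return every suspicious input-validation construct found in source."""
    lines = source.splitlines()
    constants = {m.group(1): m.group(2)
                 for line in lines for m in CONST_ASSIGN.finditer(line)}
    findings: list[Finding] = []
    for number, line in enumerate(lines, start=1):
        for m in CRED_ASSIGN.finditer(line):
            findings.append(Finding(number, "hardcoded_credential",
                                    f'{m.group(1)} = "{m.group(2)}"'))
        for m in INPUT_COMPARE.finditer(line):
            if m.group(3) is not None:
                findings.append(Finding(number, "input_compared_to_literal",
                                        f'{m.group(1)} == "{m.group(3)}"'))
            elif m.group(4) in constants:
                findings.append(Finding(number, "input_compared_to_constant",
                                        f'{m.group(1)} == {m.group(4)} '
                                        f'("{constants[m.group(4)]}")'))
        for m in LIST_CHECK.finditer(line):
            findings.append(Finding(number, "input_checked_against_list",
                                    f'{m.group(2)} in {m.group(1)}'))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per category, for a quick release-gate report."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    results = scan_source(SAMPLE_SOURCE)
    for f in results:
        print(f"line {f.line:>3}  {f.kind:<28} {f.detail}")
    print(summarize(results))
```

Run as-is it reports five findings in the sample: the hard-coded master password, the two comparisons that grant access on a fixed value, the hidden debug command, and the blocklist check. A regex pass like this is only a first filter, and a real review would run it over the output of a decompiler on the release build rather than over source, since that is the view an outsider gets.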
As with many others at Irdeto, the Trusted Software team is regularly producing white papers, blogs and other pieces of content to keep you informed. This is the second blog in a series. If you missed the first blog, you can read it here. In our next blog, we’ll dive into the tools of the trade to protect your application, how these tools are applied, and how to prevent reverse engineering on your application.