Mobile Banking and Payment App Anti-Tampering: What You Need to Know
Martin Rupp (guest) : 20. February 2020
Mobile banking and payment app security is deeply linked to their ability to prevent attackers from tampering with them. Basically, app tampering means:
- Accessing the application's inner mechanisms
- Modifying variables, either statically or dynamically
- Accessing memory used by the application
- 'Listening' to the application's interactions with its environment. This may include:
  - Files
  - Drivers
  - Networks
  - Displays
  - Devices
  - The operating system's libraries
  - The operating system's kernel
Tampering with an application compromises its integrity. Preventing the application from being tampered with (mobile app anti-tampering) is one of the most important tasks to consider when hardening a mobile banking or payment application.
The reason is simple: tampering with, and eventually modifying, the application can effectively disable all the other security checks performed by the application protection system, such as anti-debugging and anti-jailbreak.
Runtime Application Self-Protection (RASP) systems must be able to identify, respond to, and prevent the wide variety of tampering tools used in mobile operating systems.
Android and iOS Tampering Tools That RASP Must Detect and Prevent
Common reverse engineering tools hackers use to tamper with applications in iOS and/or Android include:
- Class-dump I & II
- Class-dump-Z
- Class-Dump-dyld
- Dumpdecrypted
- MachOView
- otool
- nm
- Radare2
- Ghidra
- Mobile Substrate
- CyCript
- Frida
- Fridpa
- Gdb
- Idb
- lldb
- bfinject
- Snoop-it
- IDA Pro/Hex-ray
- Xposed
Common features of mobile app tampering tools
- Examination of Mach-O files to identify application signatures on iOS (all class-dump tools, Mach-O viewers and browsers)
- Extraction of the application's symbol table (nm)
- Access to and execution of internal functions from inside the process, i.e. runtime hooking (Cycript/Mobile Substrate)
- Method tracing (Snoop-it/frida-trace)
- Method hooking (Frida)
- Bypassing certificate pinning (RootCloak Plus (Cydia)/Xposed)
One of the most insidious tools that can bypass many mobile app anti-tampering protections is Cycript. This tool is capable of runtime hooking into an application: exploring, modifying, and calling sub-functions in running iOS applications.
Cycript features an interactive console with a shell using a mixture of Objective-C++ and JavaScript. In many scenarios, Cycript can interact with anti-tamper-protected applications, allowing an attacker to call inner functions of the application, instantiate its classes, etc.
Several of these tools act as instrumentation frameworks (Frida or Ghidra, for example) and provide a range of features, including:
- Process exploration
- Memory maps and inspection
- In-memory search
- Memory dump
- Runtime reverse engineering
The purpose of mobile app anti-tampering is to detect and prevent hackers from gaining access to sensitive information. Knowing how they operate, a RASP system must protect every component of the application that these tools target.
Ciphering and File Integrity Checks
A strong anti-tampering method is to cipher the entire application and its components, which are then either self-deciphering or deciphered by a secure loader. Additionally, all components of the mobile banking/payment application should be signed, either via an existing code signing technology or via self-checks for file integrity. You can also link the application with the device, preventing it from running on other devices.
Finally, it's important to cipher all inter-process communication between the application's software components.
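To make the self-check for file integrity and the device linking concrete, here is an added example (not code from the original article or from Cryptomathic): a build-time manifest of SHA-256 digests over the app's components, signed with an HMAC key derived from a build secret and a device identifier, and a run-time check that reports which components were altered, removed or injected. The component bytes, the device ID and the build secret are constructed stand-ins.

```python
import hashlib
import hmac
import json

# Constructed stand-ins for an app's components (native libs, assets, ...).
# The manifest is produced at build time and the verification key is
# provisioned per device; both are assumptions of this example.
COMPONENTS = {
    "lib/libcore.so": b"\x7fELF...core-routines-v1",
    "assets/config.json": b'{"api":"https://bank.example/api"}',
}
DEVICE_ID = "constructed-device-id-0001"   # stands in for a hardware-backed ID
BUILD_SECRET = b"constructed-build-secret"  # never shipped in the clear

def component_digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_manifest(components: dict) -> dict:
    """Build-time step: record a SHA-256 digest of every component."""
    return {name: component_digest(data) for name, data in sorted(components.items())}

def binding_key(build_secret: bytes, device_id: str) -> bytes:
    """Per-device key: a manifest signed for one device will not verify on
    another (the 'link the application with the device' idea)."""
    return hashlib.pbkdf2_hmac("sha256", build_secret, device_id.encode(), 10_000)

def sign_manifest(manifest: dict, key: bytes) -> str:
    payload = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

def verify_integrity(components: dict, manifest: dict, signature: str, key: bytes) -> list:
    """Run-time self-check. Returns ['manifest'] if the manifest was altered or
    bound to another device, otherwise the names of modified, missing or
    injected components; an empty list means the application is intact."""
    if not hmac.compare_digest(sign_manifest(manifest, key), signature):
        return ["manifest"]
    failures = [name for name in manifest if name not in components or
                not hmac.compare_digest(component_digest(components[name]), manifest[name])]
    failures += [name for name in components if name not in manifest]  # injected file
    return failures

if __name__ == "__main__":
    key = binding_key(BUILD_SECRET, DEVICE_ID)
    manifest = build_manifest(COMPONENTS)
    sig = sign_manifest(manifest, key)
    patched = {**COMPONENTS, "lib/libcore.so": b"\x7fELF...core-routines-hooked"}
    print("intact :", verify_integrity(COMPONENTS, manifest, sig, key))
    print("patched:", verify_integrity(patched, manifest, sig, key))
```

A check like this only holds up if the verifying code itself is protected, since a hooking framework of the kind listed above can patch the check out of a running process; that is why the article treats anti-tampering as the foundation for the other RASP controls.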
Conclusion
Anti-tampering is arguably a RASP system's most important duty. However, this task is very complex and requires proprietary methods that can defeat the various tools and frameworks available for Android and iOS. Ciphering and signing the application is often the best solution.