The greatest threats to the Android ecosystem
All mobile apps can be hacked. A group of hackers with enough time and dedication can gain access to, and reverse engineer, even the most secure app environment.
Android represents 80 percent of the smartphone OS market, according to ABI Research, and its open development environment exposes the platform to certain unique threats from hackers and malware.
While Android security experts debate the merits of installing antivirus software on Android devices, they ignore a host of potential dangers that lurk just below the surface -- critical threats no one in our industry talks about. In an effort to strengthen the Android ecosystem for all developers, we want to shine a light on some of the most dangerous Android threats no one discusses.
A smorgasbord of risk
Android hacks come in all shapes and sizes, but the following are common exploits with the potential to unleash havoc.
- App Piracy
- Memory Hacking
- Payments Verification Manipulation
- Server Data Interpretation
- Attack App Creation
It all boils down to the fundamental problem with the Android application package file (aka the .apk file). The Android .apk file can be easily unpacked and decompiled with various tools. When you unpack a .apk file, you get a DEX file, the bytecode the app runs on the Dalvik virtual machine. When you decompile the DEX file, you recover the Java code, which is effectively the app's source code.
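The structure described above, as an added example that is not from the original article: a defender-side check that opens an .apk as the ZIP archive it is, finds each DEX entry, and recomputes the Adler-32 checksum and SHA-1 signature stored in the DEX header. The sample .apk and DEX body are constructed stand-ins, and the helper names are hypothetical.

```python
import hashlib
import io
import struct
import zipfile
import zlib

DEX_MAGIC = b"dex\n"
HEADER_SIZE = 0x70  # fixed size of a DEX header

def build_sample_dex(body: bytes) -> bytes:
    """Constructed stand-in for classes.dex: real header layout, dummy body."""
    fields = struct.pack("<III", HEADER_SIZE + len(body), HEADER_SIZE, 0x12345678)
    tail = fields + bytes(HEADER_SIZE - 44) + body    # bytes from offset 32 on
    sha1 = hashlib.sha1(tail).digest()                # signature covers 32..end
    checksum = zlib.adler32(sha1 + tail) & 0xFFFFFFFF # checksum covers 12..end
    return DEX_MAGIC + b"035\x00" + struct.pack("<I", checksum) + sha1 + tail

def build_sample_apk(dex: bytes) -> bytes:
    """Constructed minimal archive with the two entries this example needs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr("AndroidManifest.xml", b"<constructed/>")
        apk.writestr("classes.dex", dex)
    return buf.getvalue()

def inspect_dex(dex: bytes) -> dict:
    """Parse the DEX header and recompute its integrity fields."""
    if len(dex) < HEADER_SIZE or dex[:4] != DEX_MAGIC:
        raise ValueError("not a DEX file")
    checksum, = struct.unpack_from("<I", dex, 8)
    file_size, = struct.unpack_from("<I", dex, 32)
    return {
        "version": dex[4:7].decode("ascii"),
        "size_ok": file_size == len(dex),
        "checksum_ok": checksum == zlib.adler32(dex[12:]) & 0xFFFFFFFF,
        "sha1_ok": dex[12:32] == hashlib.sha1(dex[32:]).digest(),
    }

def inspect_apk(apk_bytes: bytes) -> dict:
    """List every DEX entry in the archive and check each one."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        return {n: inspect_dex(apk.read(n)) for n in apk.namelist() if n.endswith(".dex")}

if __name__ == "__main__":
    good = build_sample_dex(b"constructed bytecode body")
    patched = bytearray(good)
    patched[-1] ^= 0xFF  # simulate a one-byte edit to the shipped file
    print(inspect_apk(build_sample_apk(good)))
    print(inspect_apk(build_sample_apk(bytes(patched))))
```

These header fields are unkeyed, so they only flag a DEX file that was edited without being rebuilt; the APK's signing certificate is what ties a package to its developer.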
Some developers may say that they don't develop in Java code so they're OK, or that it's OK since they develop in .so library files. This is a dangerous assumption; .so files have been susceptible to reverse engineering since before Android was released. If you use IDA, a leading commercial reverse engineering tool, you can see the structure of the library and the code inside the .so files, and change the contents with a binary patch. Furthermore, a simple Google search turns up dozens of tools for decompiling and cracking Android apps.
So what can you do with decompiled code?
1. App Piracy -- ripping off the source code to create a new copycat app. Remember all the Flappy Bird clones?
2. Repackaging -- inserting malware or other malicious code, repackaging the app, and releasing it into the app store. Since there is no app review process, anyone can do this. And people download wrong or bad apps all the time. A fake BBM app on Android had more than 100K downloads before it was found and shut down by Google, and it was a simple spamming app. Malware has been found in repackaged apps.
3. Memory hacking -- manipulating memory values to cheat in mobile games, etc. GameCih, Game Killer, and so on.
From a hacker's perspective, here are a few more threats common to Android apps.
4. Manipulate payment verification information to steal virtual items from apps -- Freedom, etc. are free tools that you can download and use.
5. Analyze and find what type of data gets passed to which server, then use man-in-the-middle (MITM) attacks to hijack or change the app -- Snapchat security leak.
6. Create an attack app which can communicate with the server (since you see all the client code) to do various things, such as:
- Take the SSL certificate or PGP key to attack the server (if the certificates are not encrypted)
- Create a non SSL tunnel to see plain text data (see unencrypted versions of data)
- Attack the database query via SQL injection
- Attack the server with a DoS attack, flooding it with requests to tie it up and make it unusable so that no other users can get in.
- With server attacks available to them, hackers can easily decrease the amount of time needed to figure out how the data structure is composed.
- If an attacker has the SSL certificate, secondary and tertiary attacks can be derived from it.
Simply put, people say "it's ok since all the data lives on the server side".
However, if the data is all on the server (the locked room), the data needed to access that server is all in the client (the key). If the key can be replicated, who can say that the locked room will never be accessed by an outside person?
The greatest risk Android developers face is the security of the app itself. Once the app has been compromised through the .apk file, the value of the developer's IP can vanish instantly.
To maintain the total security and integrity of your apps, I recommend PentaProtect from SEWorks, which provides source code obfuscation, binary obfuscation, anti-decompile protection, anti-memory hacking, and library protection. Couple this with app tampering detection/monitoring service AppSecure and this is as close to bulletproof as you can get (right now anyway).
Min Pyo Hong is the founder and CEO of mobile app security service SEWORKS. With 21 years of security software experience, Hong founded and sold SHIFTWORKS (acquired by Infraware), and is the founder of WOWHACKER, a non-profit security research group. Hong actively advises corporations, NGOs, and governments on matters of digital and cyber security, and is a PhD candidate at Korea University in IAS-LAB Information Security.