As mobile applications get more complex, so does the need for more secure applications. Smartphones have made their way into every facet of our lives and have become a repository of sensitive personal information.
It is no wonder smartphones have become a prime target for threat agents. OWASP has ranked Code Tampering 8th out of the top 10 risks to mobile application security.
This article explains Code Tampering and its effect on mobile application security.
Code Tampering implies altering a mobile application’s source code with malicious intent and repackaging it to mimic the original. These apps are then posted onto third-party app stores with the intention that smartphone users, unaware of the risks, might install them.
Threat agents may also employ phishing attacks to trick users into installing them on their devices.
Security becomes a contest between developers and threat agents, each trying to outdo the other. Two of the most popular mobile app stores, Google Play and Apple’s App Store, have also had their fair share of malicious apps that made it past their security checks and were downloaded by millions.
As a mobile developer, building anti-tampering measures into your application’s source code should be high on your priority list.
Why is Code Tampering a Problem?
Mobile code tampering can have severe consequences for app developers and application publishers. If effective code tampering risk prevention is not taken seriously, it could lead to a loss of intellectual property.
Malicious versions operating under the illusion of your brand can access sensitive user data, which can then be exploited to commit financial and identity fraud. Remember the reputational damage your company can suffer as a result.
Here are a few scenarios of the effects of malicious versions of apps whose existence has been made possible due to improper code tampering risk prevention:
- Fake banking apps that mimic the original and steal users’ financial information.
- Malicious gaming apps that circumvent the security checks on in-game purchases to siphon money from users.
- Apps repackaged to look legitimate but injected with malware to gain access to backend servers or entire IT systems.
Code Tampering Vulnerability Scale
Technically, almost all mobile applications are at risk of code tampering. Mobile applications do not run in environments as safe and secure as those of web applications. Threat agents can easily alter the code’s environment and tinker with the application.
That being said, there are steps you can take to make it difficult for threat agents to reverse engineer and tamper with your code. The key here is to assess the criticality of your mobile application and the business impact of code tampering, and then decide whether code tampering risk prevention is worth the extra cost in development time and money.
Impacts of Code Tampering
The overall impact of mobile code tampering depends on the type of application you own and develop. Apps developed for the financial and banking verticals face significantly higher consequences compared with applications for the gaming or entertainment verticals.
The impact of code tampering on apps can range from benign to serious losses in revenue and reputation based on the malicious agent’s capabilities and intents.
Examples of Code Tampering
Let’s look at two examples of the extremes of what code tampering is capable of.
1. Gaming Apps
If you have played a few free-to-play mobile games, you would have observed that a lot of these games are designed in such a way that to be successful in them, you have to make in-app purchases.
Threat agents understand how addictive gaming can be and exploit this phenomenon. They can reverse engineer the game’s original source code and repackage it to bypass the conditional jumps required to verify if an in-app purchase was successful.
They can also embed spyware into the code. On the surface, the end user enjoys all the perks of the game’s paid features for free, while in the background the threat agents, with the help of the spyware, can steal the user’s identity and other sensitive private information.
2. Banking Apps
This is where things get serious. Banking apps typically process sensitive data that an attacker could use. An attacker could create a forgery of the app that sends the user’s personally identifiable information (PII) and username/password to a third-party site.
As recently as 2022, YONO, the mobile app of India’s largest national bank, the State Bank of India, was exploited by scammers to gain user credentials that were then used to wipe out their savings.
How to Prevent Code Tampering?
While it is important to note that no application is tamper-proof, you can take steps to mitigate these risks. The key is to employ a wide range of code tampering risk prevention techniques. These include the following:
Increase Code Complexity by Using Obfuscation Techniques:
Obfuscation can make it harder for threat agents to understand the app’s code flow and logic, thus reducing the number of attack vectors that can be exploited. While it’s not foolproof, it can significantly increase the time a threat agent will need to mount an attack, giving mobile developers ample time to react.
Here are a few obfuscation techniques mobile developers should employ:
- Reduce runtime manipulation: On iOS, developers can increase code complexity by using C/C++ libraries, which integrate easily with Objective-C, making runtime manipulation harder. On Android, avoid using JNI to call libraries written in other programming languages.
- Employ trace checks: Monitoring process status flags, checking ptrace return values, or comparing program timestamps can warn developers if an app is being traced by a debugger or debugging tool.
- Strip binaries: Stripping symbols and low-level debugging information from app binaries makes it more difficult for a threat agent to reverse engineer an app.
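The trace checks listed above, as an added example that is not code from the original article: a small C routine of the kind a native (NDK) component of an Android app might run at startup. It reads the TracerPid field of /proc/self/status (a Linux-specific layout) and times a short fixed workload to spot single-stepping. The status-file samples are constructed for the demo, and the 50 ms timing threshold is an assumed value that would be calibrated per device class.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Constructed samples of /proc/self/status content (not real captures):
 * one with no tracer attached, one where pid 4242 is tracing the process. */
static const char SAMPLE_STATUS_CLEAN[] =
    "Name:\tapp_native\nState:\tR (running)\nTracerPid:\t0\nUid:\t10123\n";
static const char SAMPLE_STATUS_TRACED[] =
    "Name:\tapp_native\nState:\tt (tracing stop)\nTracerPid:\t4242\nUid:\t10123\n";

/* Parse the TracerPid field from status text.
 * Returns the tracer's pid, 0 when nobody is attached, -1 if the field is absent. */
long tracer_pid_from_status(const char *status_text)
{
    const char *p = strstr(status_text, "TracerPid:");
    if (p == NULL)
        return -1;
    p += strlen("TracerPid:");
    while (*p == ' ' || *p == '\t')
        p++;
    return strtol(p, NULL, 10);
}

/* Live variant: read this process's own status file. Returns -1 if unreadable. */
long read_tracer_pid_live(void)
{
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (f == NULL)
        return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return tracer_pid_from_status(buf);
}

/* Timing check: a short fixed workload should finish well under the threshold;
 * single-stepping or a breakpoint inside it inflates the elapsed time. */
int timing_anomaly(long elapsed_ns, long threshold_ns)
{
    return elapsed_ns > threshold_ns;
}

long timed_workload_ns(void)
{
    struct timespec start, end;
    volatile unsigned acc = 0;
    clock_gettime(CLOCK_MONOTONIC, &start);
    for (unsigned i = 0; i < 100000u; i++)
        acc += i ^ (acc >> 3);
    clock_gettime(CLOCK_MONOTONIC, &end);
    return (end.tv_sec - start.tv_sec) * 1000000000L + (end.tv_nsec - start.tv_nsec);
}

/* Combined verdict. The 50 ms threshold is an assumed value; calibrate per device class. */
int debugger_suspected(void)
{
    if (read_tracer_pid_live() > 0)
        return 1;
    return timing_anomaly(timed_workload_ns(), 50L * 1000 * 1000);
}

int main(void)
{
    printf("sample clean  -> TracerPid %ld\n", tracer_pid_from_status(SAMPLE_STATUS_CLEAN));
    printf("sample traced -> TracerPid %ld\n", tracer_pid_from_status(SAMPLE_STATUS_TRACED));
    printf("this process  -> debugger %s\n", debugger_suspected() ? "suspected" : "not detected");
    return 0;
}
```

A single check like this is easy to find and patch out, which is why the article pairs it with obfuscation and checksums: spread several independent checks through the code and make the response (refusing to run, invalidating the session) happen somewhere other than the check itself.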
Avoid Simple Logic:
Simple logic tests in an app are more prone to attack. Enforce privilege checks while a session is untrusted, keep data encrypted rather than relying on code that merely guards against decryption, and use authentication to protect that data until the session is deemed trusted.
Employ Anti-Code Tampering Techniques:
Preventing threat agents from reverse engineering an app makes it less susceptible to code tampering.
Here are a few techniques you can employ:
- Use checksums: Complex checksums can flag any attempt by threat agents to disable checks or alter code.
- Root or jailbreak detection: Employ detection routines that check whether the mobile application is running in a jailbroken or rooted environment.
- Cross-verify digital signatures: Signatures and keys in shared cryptographic libraries should always be cross-checked and verified.
- Function caller verification: Changes to the intended flow of function calls can be prevented by adding extra authorization and verification steps to the source code.
- You can also add code to wipe user data and other sensitive information if any code tampering is detected.
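The checksum technique and the wipe-on-detection response from the list above, as an added example in C that is not code from the original article. It hashes a protected region with FNV-1a, compares the result with a reference digest recorded when the build was produced, and calls a response hook when they differ. The protected region is a constructed byte string standing in for real code or assets, and the hook only counts events here; a real app would clear tokens and keys at that point.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* FNV-1a 64-bit hash: a fast, non-cryptographic digest that works as an
 * integrity tripwire over a code or data region. */
uint64_t fnv1a64(const void *data, size_t len)
{
    const unsigned char *p = (const unsigned char *)data;
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < len; i++) {
        h ^= p[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Compare a region against the reference digest recorded at build time. */
int region_intact(const void *region, size_t len, uint64_t expected)
{
    return fnv1a64(region, len) == expected;
}

/* Response hook: the article suggests wiping sensitive data on detection.
 * Here it only records the event so the demo has no side effects. */
static int tamper_events = 0;
void on_tamper_detected(void)
{
    tamper_events++;
    /* real app: clear tokens and keys, invalidate the session, report to backend */
}

int tamper_event_count(void)
{
    return tamper_events;
}

/* Constructed sample: stands in for a protected code or asset region. */
static const unsigned char SAMPLE_REGION[] =
    "purchase-check-v1: verify receipt with server before unlocking";

/* Simulate the flow: the build pipeline records the digest, the runtime
 * re-hashes a copy that may have had one byte patched (flip_index >= 0).
 * Returns 1 if tampering was detected, 0 if the copy is intact. */
int detect_tamper_demo(int flip_index)
{
    unsigned char copy[sizeof SAMPLE_REGION];
    uint64_t reference = fnv1a64(SAMPLE_REGION, sizeof SAMPLE_REGION); /* "build time" */
    memcpy(copy, SAMPLE_REGION, sizeof SAMPLE_REGION);
    if (flip_index >= 0 && (size_t)flip_index < sizeof copy)
        copy[flip_index] ^= 0x01;                         /* simulated one-bit patch */
    if (region_intact(copy, sizeof copy, reference))
        return 0;
    on_tamper_detected();
    return 1;
}

int main(void)
{
    printf("fnv1a64(\"\") = %016llx\n", (unsigned long long)fnv1a64("", 0));
    printf("intact copy  -> %s\n", detect_tamper_demo(-1) ? "TAMPERED" : "ok");
    printf("patched copy -> %s\n", detect_tamper_demo(7) ? "TAMPERED" : "ok");
    return 0;
}
```

FNV-1a catches any single patched byte because each step is a bijection on the running state, but it is not collision resistant against a deliberate adversary; for the reference digest itself use a cryptographic hash, and keep that reference somewhere the attacker cannot rewrite alongside the code (a signed asset or the backend), otherwise a repackaged app simply ships an updated checksum.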
No application is 100% secure. That said, as a mobile application developer, the power to mitigate these risks rests with you. For project managers, impossible deadlines leave no choice but to adopt the principle of “If it’s not broken, don’t touch it.” The onus of developing secure mobile applications rests not just on the app developers but on the management of the entire SDLC as well. Put the necessary checks and failsafes in place from conception until the code is released, to ensure it has not been tampered with.