The security of mobile banking and payment applications is deeply linked to their capacities in preventing attackers from tampering with them. Basically, app tampering means:
- Accessing the applications’ inner mechanisms
- Modifying variables either statically or dynamically
- Accessing memory used by the application
- Listening to the application’s interaction with its environment, which could include:
- Operating system’s libraries
- Operating system’s kernel
Tampering with an application modifies its integrity. Preventing the application from being tampered with (‘anti-tamper’) is one of the most important tasks to consider when hardening a mobile banking or payment application. The reason is that tampering, and eventually, modifying the application can virtually disable all the other security checks performed by the application protection system, like anti-debug, anti-jailbreak, etc.
Runtime Application Self-Protection (RASP) systems must be able to identify, react upon and prevent the wide variety of tampering tools used in mobile operating systems.
Android and IOS Tampering Tools That RASP Must Detect and Prevent
Here are some of the common reverse engineering tools used to tamper applications in iOS and/or Android:
- Class-dump I & II
- Mobile Substrate
- IDA Pro/Hex-ray
Here are some of the features that these tampering tools provide:
- Examination of the Mach-O files to detect application signatures in iOS (all class-dumb, Mach-O viewers and browsers tools)
- Extraction of the symbol table of the application (Nm)
- Access and execution of the internal functions from inside or runtime hooking (CyCript/Mobile Substrate)
- Method Tracing (Snoop-it/ Frida-trace)
- Method Hooking (Frida)
- Bypass certificate pinning (RootCloak Plus(Cydia)/Xposed)
One of the most insidious tools that can bypass many anti-tampering protections is Cycript. This tool is capable of Runtime Hooking into an application, which means exploring, modifying and calling sub-functions in running applications in iOS.
Here is a list of what several of these tools acting as instrumentation framework (Frida or Ghidra for example), are able to do:
- Process exploration
- Memory maps and inspection
- In-memory search
- Memory dump
- Runtime reverse engineering
The purpose of anti-tamper is detecting and preventing all these tampering tools.
By knowing how they operate, a RASP system must protect all the targeted components of the application.
Ciphering and File Integrity Checks
A very strong prevention method against tampering is to cipher the entire application and its components by either self-deciphering or deciphering with a secure loader. Additionally, all components of the mobile banking/payment application should be signed, either via an existing code signing technology or via self-checks for file integrity. The application could also be linked with the device, preventing it from running on other devices. Finally, all inter-process communication between the software components of the application should be ciphered.
Protecting against tampering is perhaps the most important duty of a RASP system. However, this task is very complex and can be achieved only by proprietary methods that can defeat the various tools and frameworks available for Android and iOS. Ciphering and signing the application is often the best solution.
References and Further Reading
- Read more articles about application security for mobile banking applications (2018 - today), by Martin Rupp, Stefan Hansen and more
- Internet Security Threat Report, Volume 24 (February 2019), by Symantec Corporation
- MASC Mobile App Security Core (2019), Web page by Cryptomathic