
Mobile Banking and Payment App Hardening: Anti-Tamper


The security of mobile banking and payment applications is closely tied to their ability to prevent attackers from tampering with them. In practice, app tampering means:

  • Accessing the applications’ inner mechanisms
  • Modifying variables either statically or dynamically
  • Accessing memory used by the application
  • Listening to the application’s interaction with its environment, which could include:
    • Files
    • Drivers
    • Networks
    • Displays
    • Devices
    • Operating system’s libraries
    • Operating system’s kernel

Tampering with an application compromises its integrity. Preventing the application from being tampered with (‘anti-tamper’) is one of the most important tasks to consider when hardening a mobile banking or payment application. The reason is that tampering with, and ultimately modifying, the application can effectively disable all the other security checks performed by the application protection system, such as anti-debug, anti-jailbreak, etc.

Runtime Application Self-Protection (RASP) systems must be able to identify, react to and prevent the wide variety of tampering tools used on mobile operating systems.

Android and iOS Tampering Tools That RASP Must Detect and Prevent

Here are some of the common reverse engineering tools used to tamper with applications on iOS and/or Android:

  • Class-dump I & II
  • Class-dump-Z
  • Class-Dump-dyld
  • Dumpdecrypted
  • MachOView
  • otool
  • nm
  • Radare2
  • Ghidra
  • Mobile Substrate
  • Cycript
  • Frida
  • Fridpa
  • gdb
  • idb
  • lldb
  • bfinject
  • Snoop-it
  • IDA Pro/Hex-ray
  • Xposed

Here are some of the features that these tampering tools provide:

  • Examination of Mach-O files to detect application signatures on iOS (all class-dump, Mach-O viewer and browser tools)
  • Extraction of the application’s symbol table (nm)
  • Access to and execution of the application’s internal functions from inside the process, i.e. runtime hooking (Cycript/Mobile Substrate)
  • Method tracing (Snoop-it/frida-trace)
  • Method hooking (Frida)
  • Bypassing certificate pinning (RootCloak Plus (Cydia)/Xposed)

One of the most insidious tools that can bypass many anti-tampering protections is Cycript. This tool is capable of runtime hooking into an application, which means exploring, modifying and calling sub-functions of running applications on iOS.

Cycript features an interactive console with a shell using a mixture of Objective-C++ and JavaScript. In many scenarios, Cycript is able to interact with anti-tamper protected applications, allowing an attacker to call inner functions of the application, instantiate classes of the application, etc.

Here is a list of what several of these tools, acting as instrumentation frameworks (Frida or Ghidra, for example), are able to do:

  • Process exploration
  • Memory maps and inspection
  • In-memory search
  • Memory dump
  • Runtime reverse engineering

The purpose of anti-tamper is to detect and prevent all of these tampering tools.

By knowing how they operate, a RASP system can protect all the targeted components of the application.

Ciphering and File Integrity Checks

A very strong prevention method against tampering is to cipher the entire application and its components, so that the application either deciphers itself at runtime or is deciphered by a secure loader. Additionally, all components of the mobile banking/payment application should be signed, either via an existing code signing technology or via self-checks for file integrity. The application can also be bound to the device, preventing it from running on other devices. Finally, all inter-process communication between the software components of the application should be ciphered.
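A minimal model of the file-integrity self-check described above, added here as an illustration and not code from Cryptomathic or the MASC product: each component's SHA-256 digest is recorded in a manifest, the manifest is signed, and at startup the app first checks the manifest signature and then every component against it. The HMAC key is a constructed stand-in for a real code-signing key (a production check would verify an asymmetric signature with an embedded public key), and the sample components are constructed byte strings.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the code-signing key (a real app would verify an
# asymmetric signature with a public key rather than hold a shared secret).
SIGNING_KEY = b"demo-signing-key-not-for-production"


def component_digest(data: bytes) -> str:
    """SHA-256 of one component (native library, asset, config file)."""
    return hashlib.sha256(data).hexdigest()


def _canonical(entries: dict) -> bytes:
    # Stable serialisation so the signature covers exactly the recorded digests.
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(components: dict) -> dict:
    """Build {name: digest} for every component and sign the whole table (build time)."""
    entries = {name: component_digest(blob) for name, blob in components.items()}
    sig = hmac.new(SIGNING_KEY, _canonical(entries), "sha256").hexdigest()
    return {"entries": entries, "sig": sig}


def verify_integrity(manifest: dict, components: dict) -> list:
    """Startup self-check: return a list of findings; an empty list means intact."""
    expected = hmac.new(SIGNING_KEY, _canonical(manifest["entries"]), "sha256").hexdigest()
    if not hmac.compare_digest(expected, manifest["sig"]):
        # An attacker who edits a component and "fixes" its digest is caught here.
        return ["manifest signature invalid"]
    problems = []
    for name, digest in manifest["entries"].items():
        blob = components.get(name)
        if blob is None:
            problems.append(f"missing component: {name}")
        elif not hmac.compare_digest(component_digest(blob), digest):
            problems.append(f"modified component: {name}")
    for name in components:
        if name not in manifest["entries"]:
            problems.append(f"unexpected component: {name}")
    return problems


# Constructed sample components standing in for the app's shipped files.
ORIGINAL = {"libcore.so": b"\x7fELF...core", "config.json": b'{"pin":"sha256/abc"}'}
MANIFEST = build_manifest(ORIGINAL)
```

On a tampered install, `verify_integrity(MANIFEST, files)` returns the names of the altered components, and the RASP layer can refuse to continue before any other check is reached.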

Conclusion

Protecting against tampering is perhaps the most important duty of a RASP system. However, this task is very complex and can be achieved only by proprietary methods that can defeat the various tools and frameworks available for Android and iOS. Ciphering and signing the application is often the best solution.

