Misconceptions about Mobile Platform Security

Many developers rely on the belief that their apps cannot be tampered with. They often lean on in-app purchases or ads to monetize their work and rely on a certain security level to provide a fun and safe playing environment to their customers. So if applications are modified, or in-app security checks can be bypassed, it can create a slew of challenges, ranging from security issues for developers and end-users to impacting brand reputation and causing public relations problems.

Basically, developers can lose customers and revenue.

Both Android and iOS platforms contain multiple strong security features, such as biometric authentication, secure local storage, and a permission system. But it’s important to note that those techniques — and even the more technical ones, like code signing and sandboxing — are primarily focused on protecting the end-user, not the app itself.

To demonstrate the misconceptions about mobile platform security, we will patch out the ads from an existing application on each platform and repackage them. We will also show how in-app purchase implementations can be bypassed with relative ease.

In this section we will show that, on both platforms, we can easily disable advertisements and fake purchases using the following techniques:

By using these techniques, an attacker can expose the application developer to the previously mentioned risks.

To show the limitations of the built-in platform security, we looked at some of the free “Flashlight” applications available for both platforms. These apps can be used to toggle the built-in flashlight and typically have an in-app purchase option to remove ads. They will serve as an example to show how these attacks are done in practice.

iOS Flashlight app
Android Flashlight app

Our proof of concept consists of three parts: analyzing the apps, statically patching out the ads, and bypassing in-app purchases dynamically for both applications.

First, we want to analyze the apps to figure out how the ads are loaded. To do this, we first need to download the apps to our computer.

To analyze the internal logic of an application, a disassembler is typically used, optionally together with a decompiler.

iOS

On iOS, we open the app in Hopper and search for function names that contain “ads”. This shows us that the class ALAdService is included. Googling this class reveals that this app uses the AppLovinSDK to load the ads.

Android

We start by disassembling the APK and searching for mentions of “ad” in the code. We find the function billing.d.a(Context), shown in the screenshot below. If we decompile this function, we get something like:

For some applications, we might not directly find anything useful when searching for “ads”, or the advertisement SDK might not be publicly available. In these cases, the analysis is still possible, but a bit more digging is needed. The attacker might start by just looking through all the function names, to see if anything interesting stands out. But there are also many other ways available to analyze applications, like attaching a debugger, looking at the strings and their usages in the binary, and analyzing the call graph, among others.

Now that we understand how the ads are loaded, we will modify the apps to disable them. Since doing this changes the original application, its code signature becomes invalid. Both platforms only accept applications with valid signatures. But it’s possible to just repackage and re-sign the modified apps with our own certificates. That way we get a modified version of the app with a valid signature that can be installed on any device.

Most popular disassemblers also have an assembler built-in. This allows us to change actual instructions or values of the binary and write out the modified version of the application. By doing this, we can adjust the application logic to our liking.

iOS

During our analysis, we found the initializeSdkWithCompletionHandler method, which is used to set up the ad SDK. If we modify this function to exit/return immediately (ret for ARM), we ensure the setup code is never called, thus preventing ads from ever loading.

Android

We learned that the billing.d.a(Context) method is called to decide whether the ads should be shown. If it returns true, ads will be hidden.

In the bytecode, we see that the default false value is stored as the constant const/4 v0, 0x0. If we patch this constant to 0x1 (true), the ads will be hidden, even if no purchase has been made.

Note that this is just one of many ways to disable ads in this app. Alternatively, we could also create the BillingSp shared preference manually with the expected boolean value.
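As an added example that is not part of the original post (nor code from the analysed app), here is a small lint a developer can run over the baksmali output of their own release build to list boolean methods whose entire body is a single literal constant, which is exactly the shape of the billing.d.a(Context) check patched above. The smali fragment is constructed here to mirror that method; a second, invented method shows a body the lint must not flag.

```python
import re
from typing import List, Tuple

# Constructed smali modelled on the billing.d.a(Context) check from the post
# (names follow the post; method b is invented as a body the lint must not flag).
SAMPLE_SMALI = """\
.class public final Lbilling/d;
.method public static a(Landroid/content/Context;)Z
    .locals 1
    const/4 v0, 0x0
    return v0
.end method
.method public static b(Landroid/content/Context;)Z
    .locals 2
    const-string v0, "BillingSp"
    invoke-static {p0, v0}, Lbilling/d;->c(Landroid/content/Context;Ljava/lang/String;)Z
    move-result v1
    return v1
.end method
"""

CONST_RE = re.compile(r"^const/(?:4|16)\s+(v\d+),\s*(0x[01])$")
RETURN_RE = re.compile(r"^return\s+(v\d+)$")


def split_methods(smali: str) -> List[Tuple[str, List[str]]]:
    """Return (signature, instructions) per method; directives, labels, comments and blanks are dropped."""
    methods, sig, body = [], None, []
    for raw in smali.splitlines():
        line = raw.strip()
        if line.startswith(".method "):
            sig, body = line.split()[-1], []          # signature is the last token
        elif line == ".end method" and sig is not None:
            methods.append((sig, body))
            sig = None
        elif sig is not None and line and not line.startswith((".", "#", ":")):
            body.append(line)
    return methods


def find_constant_boolean_methods(smali: str) -> List[Tuple[str, bool]]:
    """Flag boolean methods whose whole body is `const/4 vX, 0x0|0x1` + `return vX` (a one-nibble patch flips them)."""
    flagged = []
    for sig, body in split_methods(smali):
        if not sig.endswith(")Z") or len(body) != 2:   # ')Z' marks a boolean return type
            continue
        const, ret = CONST_RE.match(body[0]), RETURN_RE.match(body[1])
        if const and ret and const.group(1) == ret.group(1):
            flagged.append((sig, const.group(2) == "0x1"))
    return flagged
```

Any method reported here is a check an attacker can flip with a single constant patch, so it is a candidate for obfuscation or for being backed by a second, independent check rather than shipping as-is.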

It would now be possible to use the modified app without ads for personal use or to distribute it. A similar attack could be used to swap out the API key of the ad service, thus stealing the ad revenue gained from anyone using the patched version.

Distributing modified apps is generally not difficult to do on either platform. For iOS, for example, a free developer account can be used to resign an application. Sometimes, the private keys of the enterprise certificate of a company leak, which can then be used to sign any iOS application for any device. Many tools exist to make this repackaging process very easy for end-users. Easily accessible third-party app stores exist on both platforms and are used to distribute repackaged apps. On jailbroken devices, the signing checks can be disabled completely, removing the need to resign modified apps altogether.

As we showed in the previous section, modifying an application and repackaging it is not difficult. Now we will show that in-app purchases on both platforms are typically just verified using one or more conditional checks that decide whether “premium” functionality has been purchased or not. These checks can be bypassed, thus unlocking the functionality without paying.

Here we will modify the application dynamically on the device itself, removing the need to repackage the application.

iOS

Our goal is to ensure that each time a transaction state is queried, we return the SKPaymentTransactionStatePurchased state, indicating that the purchase was successful.

We launch the purchase flow in the app by pressing “GO FLASH PRO” and we see that even though the purchase window is shown, the purchase was already accepted in the background.

We now unlocked all the pro features without any purchase!

Android

On Android, in-app purchases are handled through InAppBillingService. Whenever a purchase is made, it returns an object containing the transaction success state and a digital signature. This signature can then be verified to check the integrity of the received purchase data.

First, our Xposed module will intercept calls from our app to the InAppBillingService. It will ensure no real purchase is made and that a successful purchase object is returned. However, it’s not possible to create a valid signature for this object, since we don’t have access to the needed certificates. Instead, we just return an invalid dummy signature.

Second, the module will also hook the signature verification function to always return true, to work around the dummy signature that was used in the previous step.

This way, when we launch the purchase flow, the fake transaction data is immediately returned, and the signature validation will succeed.

The following Xposed module is used:

Almost every app that uses in-app purchases will be built in a similar way using the same underlying APIs provided by the platform. It’s quite clear that once we figure out how to bypass in-app purchases in a single application, this can generally be extended to other applications.

For both platforms, we can download tools like LocalIAPStore (iOS) or LuckyPatcher (Android) that offer an easy user interface to bypass almost all in-app purchases without needing any reverse engineering skills. Oftentimes, the patched versions of popular applications are also available on third-party app stores or just distributed online. In these cases, an end-user can just download this patched version and use it directly, making it trivial for anyone to gain access to modified apps.

Note that the modifications shown here are very basic and will not work in every case or for other apps. Instead, these modifications are meant to serve as an educational example to show that application tampering is not difficult, and highlight what the results of these attacks might look like in practice.

The attacks mentioned above are possible because, in general, it is quite easy to analyze applications and figure out their internal logic. Using the information gathered, modifications can be made to bypass specific checks or to modify their logic.

By properly obfuscating both the semantic information (such as class names, function names, and string values) and logic (like control flow), static analysis of an application becomes much more difficult.

When used together, these protection features ensure that every part of the attack becomes significantly more laborious.

Even though both the Android and iOS platforms offer many security features, they often don’t extend to the apps themselves.

We’ve shown that cracking mobile applications on either platform is not particularly difficult. By distributing these modified versions, or providing easy-to-use cracking tools, non-technical end-users can also leverage the results of these attacks. Because a modified application can cause monetary and reputational loss, this can cause real problems for developers.

Adding proper, layered, and polymorphic protection to your application is key to raising the bar for analyzing and patching mobile applications.
