[TECH] Attack Methods for Anti-tamper mechanisms and its protections

Hi, this is TEAM LIAPP.
In the previous posting, we talked about the seriousness of the mobile APP tampering and the potential damage to the current tampering hacking based on the actual case.

This post will be describing the actual tampering process and the different types of protection that is required with limited resources.

- Term Definitions
* STATIC DATA
Information declared within an app or app package
ex) URL of the server to connect to, DB query, information stored as a file in the package, and other information declared as String

* Dynamic DATA
Information received through communication with the server, not within the app or app package
ex) Information required for app behavior except static DATA

To hack app tampering, it is typically done in the following order:

1. Target hacking points after analyzing the code
2. If dynamic DATA is needed to be modified, check the DATA used in the following method through APP debugging.
3. Modify logic and DATA so that the targeted logic can perform desired behavior
4. Re-Packaging to activate modified apps
5. Select the way of distributing hacked apps and distribute them

First,
Targeting for logic to hack after analysis of source code.

If you're not a script kiddie hacker who merely uses tools for hacking (low technical difficulty) without the basic knowledge of programming or code analysis, then the first order of most hacking is the analysis of the source code.

This applies to all areas including PC, mobile, etc. Especially, Android is much more vulnerable than PC and iOS in terms of difficulty of source code analysis, because the app consists of JAVA ByteCode, which is relatively easy to analyze, rather than machine language.

However, since hacking depends on the capabilities of the hacker, it is inappropriate to say that iOS with binary code is absolutely safe for source code analysis.
Since the difficulty of source analysis of the bytecode is low, it is true that there are more hacking attempts to attack Android than there are hackers trying to attack iOS.
(We will further discuss binary code as well as byte code in the future posting.)

The priority is to analyze the source code to see where the targeted changing point is and the value it needs to be changed into.

The source code is analyzed using various tools such as jasmin and dex2jar.

Secondly,
In order to acquire the hacking results I want, it is necessary to check and test which value or logic the targeted logic should be changed (ex. What changes must be made to the value of the field to determine the value you want, or which ‘if’ should be jumped).

If these values are statically defined within the source code (Static DATA), the values may be changed by referring to the static DATA. However, if these values are the values received through communication with the server and connection with other systems that can only be recognized when the APP is running, you need to go through logging the value by changing the source code or receiving the information of the communication policies and values of the server communication policies through running the APP and debugging.

Thirdly,
If the part that should be modified in order to make the value I want is determined based on the code I analyzed and the changed value is also determined through debugging, self-modification and application can be proceeded.

Fourthly,
Repackaging refers to the process of converting a modified source code back to the form of an APP to look like a normal APP.

In fifth,
Repackaging refers to the process of converting a modified source code back to the form of an APP to look like a normal APP.

As mentioned in the previous post, if the purpose of the hacking is customer information, then malicious code to change the normal app to a modulated app that the user cannot be aware of will be used. Or, if the purpose of the hacking is to hack into content provided by the service provider (e.g. free use of content, change of game character capability, etc.) or distribute the hacked app to the public bulletin board, or if the service level of the hacked app and demand is high, it will be distributed through the site providing the app for a certain amount of money.
Currently, paid hacking apps are active.