[TECH] Attack Methods for Anti-tamper mechanisms and its protections

This post explains how mobile applications (APPs) are tampered with and how the response should be prioritized.


Hi, this is TEAM LIAPP.
In the previous post, we discussed the seriousness of mobile APP tampering and the potential damage caused by current tampering attacks, based on an actual case. This post describes the actual tampering process and the different types of protection that are required when resources are limited.
- Term Definitions

* Static DATA
Information declared within the app or app package
ex) URL of the server to connect to, DB queries, information stored as files in the package, and other information declared as Strings

* Dynamic DATA
Information received through communication with the server, rather than held within the app or app package
ex) Information required for app behavior other than static DATA

App tampering is typically carried out in the following order:
1. Select the hacking target points after analyzing the code
2. If dynamic DATA needs to be modified, identify the DATA used by the targeted method by debugging the APP
3. Modify the logic and DATA so that the targeted logic performs the desired behavior
4. Re-package the modified app so that it can run
5. Select a way of distributing the hacked app and distribute it
Targeting the logic to hack after analyzing the source code.

Unless you are a script kiddie who merely uses hacking tools (low technical difficulty) without basic knowledge of programming or code analysis, the first step of most hacking is analysis of the source code.
This applies to all areas, including PC and mobile. Android in particular is much more exposed than PC and iOS in terms of the difficulty of source code analysis, because the app consists of JAVA ByteCode, which is relatively easy to analyze, rather than machine language.
However, since hacking depends on the capabilities of the hacker, it would be inappropriate to say that iOS, with its binary code, is absolutely safe from source code analysis.
Because the difficulty of analyzing bytecode is low, there are in fact more hacking attempts against Android than against iOS.
(We will discuss binary code as well as bytecode further in a future posting.)

The first priority is to analyze the source code to find the point that needs to be changed and the value it needs to be changed to.

The source code is analyzed using various tools such as jasmin and dex2jar.

In order to obtain the hacking result I want, it is necessary to check and test which value or logic in the targeted code must be changed (ex. what change must be made to a field's value to obtain the desired result, or which 'if' branch should be jumped).

If these values are statically defined within the source code (static DATA), they can be changed by referring to the static DATA. However, if they are received through communication with the server or connections to other systems, and can only be determined while the APP is running, you need to obtain them either by modifying the source code to log the value, or by running and debugging the APP to capture the server communication policies and values.

Once the part that must be modified to produce the value I want has been determined from the analyzed code, and the changed value has been determined through debugging, the modification can be made and applied.

Repackaging refers to the process of converting the modified source code back into the form of an APP so that it looks like a normal APP.

Fifth, distributing the hacked app.
As mentioned in the previous post, if the purpose of the hacking is customer information, malicious code will be used to turn the normal app into a modified app that the user cannot notice. If the purpose is to abuse content provided by the service provider (e.g. free use of content, changing a game character's abilities, etc.), the hacked app will be distributed on public bulletin boards, or, if the service level of the hacked app and the demand for it are high, it will be sold for a certain amount of money through a site that provides the app.
Currently, paid hacking apps are actively circulating.
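A repackaged APP cannot carry the original developer's signature unless the signing key itself was stolen, so the fourth step above (repackaging) can be detected at runtime by comparing the APK's signing certificate against the one the developer expects. The following Android check is an added example written for this post, not LIAPP's own code; the expected digest is a placeholder you obtain offline from your release keystore.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Build;
import java.security.MessageDigest;

/** Runtime signing-certificate check (added example; not LIAPP code). */
public final class SigningCheck {
    // PLACEHOLDER: hex SHA-256 of the release signing certificate, taken offline
    // with `apksigner verify --print-certs app.apk`. Replace before use.
    private static final String EXPECTED_CERT_SHA256 = "PLACEHOLDER_EXPECTED_SHA256_HEX";

    /** Returns true only if the running APK is signed by exactly the expected certificate. */
    public static boolean isSignedWithExpectedCert(Context ctx) {
        try {
            Signature[] sigs = currentSigners(ctx);
            // A single signer is the normal case; anything else is treated as tampering.
            if (sigs == null || sigs.length != 1) return false;
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(sigs[0].toByteArray());
            // Constant-time comparison of the hex digests.
            return MessageDigest.isEqual(toHex(digest).getBytes("US-ASCII"),
                                         EXPECTED_CERT_SHA256.getBytes("US-ASCII"));
        } catch (Exception e) {
            return false; // fail closed: any error is treated as a failed check
        }
    }

    private static Signature[] currentSigners(Context ctx)
            throws PackageManager.NameNotFoundException {
        PackageManager pm = ctx.getPackageManager();
        String pkg = ctx.getPackageName();
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
            PackageInfo pi = pm.getPackageInfo(pkg, PackageManager.GET_SIGNING_CERTIFICATES);
            return pi.signingInfo.getApkContentsSigners();
        }
        @SuppressWarnings("deprecation")
        PackageInfo pi = pm.getPackageInfo(pkg, PackageManager.GET_SIGNATURES);
        return pi.signatures;
    }

    private static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }
}
```

Because this check lives in the same code the attacker modifies, it can itself be patched out by the same process, so it is a first layer to be combined with the DB and service-side monitoring mentioned below rather than a complete defense on its own.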

For service providers, the biggest security threat is the hacking that comes with the distribution of hacked apps; it is one of the most important security incidents to watch out for.
While it would be ideal for every company to prepare and implement all kinds of hacking defenses from the start, this is a real challenge for small and medium-sized businesses with countless limitations.
So what we need to do to safely protect the service we have built is to prioritize preventing the hacking that is most disruptive and potentially most damaging to the service.
As a slightly extreme example, if a genius hacker hacks on his own for his own satisfaction and uses the service's content for free, it would not hurt the service much, since the abuse is done by a single user.
In addition, such users can be sanctioned through DB or service monitoring and legal regulations.
On the other hand, when hacked apps are distributed and reach numerous unspecified users, normal users feel damaged or treated unfairly, which leads them to walk away. The more users of hacking apps there are, the lower the return on the service and the faster normal users leave it.
Finally, security is not something that can be finished with a single round of preparation, so it is important to prioritize and prepare one step at a time, aiming to prevent the hacking that could ultimately harm our service.
In the next post, we will talk about what needs to be focused on in order to satisfy both availability and security for the technologies and services that prevent tampering.