Prevent Mobile Malware using CryptographicValidation and Anti-Tampering — <no code required>

Image for post
Image for post

Security Best-Practices for mobile app developers

Mobile malware developers are creating malware at an increasing volume, velocity and level of sophistication. And honestly they do it pretty efficiently because like most forms of malware, these mobile malware increases aren’t going unnoticed.

The time to value and the risk vs. reward is simply too high for mobile malware developers to pass up. This has led to more mobile app developers embracing controls like anti-tampering and checksum verification to prevent mobile malware and to protect their apps.

What is mobile malware?

Mobile malware generally comes via a malicious app with the purpose of stealing information, dialing premium-rate numbers or simply making devices unusable. In many cases, a legitimate app is modified to include malicious code. The malicious version of the app then masquerades as the legitimate app, lying in wait for users to download and install the app. This can impact Android devices and iOS devices, even if they aren’t rooted or jailbroken. Malicious apps are distributed through official channels such as the AppStore, Google Play, and enterprise app stores. They of course are also downloaded through unofficial distribution sources such as the myriad of torrent sites you can find on Tor or the dark web.

So mobile malware developers get your apps by downloading them from public stores like Apple’s App Store or Google Play, or alternative app stores like Cydia, APK Mirror, APK Pure, or dozens of others. Then they use reverse engineering techniques or dynamic instrumentation tools like FRIDA to inject malicious code inside your real app, and then distribute the malware-loaded ‘replica’ of your app is if it were…you guess it….your app. You can’t easily prevent them from getting your app or even distributing your app. But, you do have control surrounding the, “fill ’em with malicious code” piece. As a mobile application developer, you can make it very difficult to modify your apps successfully by leveraging security controls like checksum verification and anti-tampering. Below are a few techniques on how you can prevent mobile malware without any coding.

Preventing Mobile Malware starts with building apps that can’t easily be tampered with or reverse engineered easily.

Prevent Mobile Malware with Checksum Validation

When you build checksum validation into your app on a no-code platform like Appdome, it builds your app with a checksum of the original, known, good version of your app. The platform then encrypts and embeds that checksum into the production build of your app. When the new app runs, it uses this checksum as an encryption key. That way if an attacker modifies your secured app and distributes it, the checksum validation process will fail and the app won’t run on the unsuspecting user’s device. Checksum validation is a feature in Appdome’s ONEShield app hardening solution.

Checksum validation uses cryptography to validate that your mobile app has not been altered since you released it.

Prevent Mobile Malware with Anti-Tampering

Anti-tampering is a feature that can be added to your app during the build process. When your app is out in the wild, the detection measures will detect if your app has been modified in any way (aka tampered with). The anti-tampering functionality will also prevent modifications of your app’s content and app binaries by encrypting your app’s application files, resources and assets.

Anti-tampering can also detect logic modifications at run-time. In the simplest terms, your app is supposed to execute following the structure A-B-C. But it has been maliciously modified and now follows the structure A-C-B or Z-A-X. The anti-tampering protection will detect the modifications and disallow the app from running. This is a great way to ensure that the app you wrote is the app being used without malware or other malicious modifications added. In short, it helps in keeping the bad peeps out.

You might ask, hey alan, why do you need both? It’s that a bit of a ‘belt and suspenders’ approach? The answer that you do need both (in fact, to build a multi-layered security defense, you should also be looking at obfuscation and data encryption as well other security features as well). So all in all, checksum validation and anti-tampering are security features that prevent unauthorized app modifications in different ways, each of which complements the other. And the reason you want a layered approach is that hackers have many many ways to compromise your app and your security defenses. So you need to stop them at every angle. To maximize effectiveness, solid security solutions combine multiple detection and prevention methods that operate on different API layers, at different trigger points or time periods, and are well distributed throughout the app.

Thanks for reading! This blog is part of a series focused on raising security awareness among mobile developers and also sharing best-practices, use cases, and new ‘no-code’ techniques for developers to build secure apps faster by automating mobile app security. All of the practical examples in this series can be found on the Appdome platform or within our Knowlege Base.

Originally published at https://www.appdome.com on July 15, 2020.

ALAN BAVOSA is VP of Security Products at Appdome, a no-code mobile app security and development platform.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store