-
Notifications
You must be signed in to change notification settings - Fork 0
/
Mobile Good reads.txt
112 lines (77 loc) · 6.23 KB
/
Mobile Good reads.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
Exploiting
Good reads:
https://www.varutra.com/root-detection-bypass-vulnerabilities-a-crucial-aspect-of-mobile-app-security/
https://arz101.medium.com/android-pentesting-bypassing-root-detection-37729f571eda
Mitigation
root detection
sssl pining
code obfuscation
read/write permission on external file
### Root Detection technique:
1. Implement Advanced Root Detection Techniques
Basic Root Detection involves checking for common root indicators (like the presence of su binary or rooting apps).
Root Detection Libraries: Use libraries like RootBeer, Google Play Integrity API, and SafetyNet for comprehensive root detection
2. Check for System Partition Modifications
Rooting often involves modifications to the system partition. By verifying the integrity of the system partition, you can identify rooted devices:
Check for the existence of tampered files.
Verify file signatures of critical system files like boot, init.rc, etc.
3. Block Root Access at Runtime
You can periodically check for root status throughout the app lifecycle instead of only checking during startup. If root access is detected at any point, restrict or block access to sensitive features and data.
Periodic Root Checks: Implement a background service that checks for root every time a critical feature is accessed or periodically at intervals.
4. Integrity Check with Google Play Integrity API
The Google Play Integrity API not only checks for rooting but also ensures app integrity. This is more secure than a local root check because it queries Google’s servers to verify the device and app.
Good reads:
https://www.appdome.com/how-to/mobile-app-security/jailbreak-root-detection/
https://www.cryptomathic.com/news-events/blog/application-hardening-for-mobile-banking-apps-root-and-jailbreak-detection
###SSL Pinning Bypass:
1. Obfuscate the SSL Pinning Code
To protect your SSL pinning logic from reverse engineering:
Use ProGuard or R8 to obfuscate your SSL pinning code and prevent attackers from easily finding and modifying it.
Obfuscate sensitive methods like:
SSL validation checks.
Certificate or public key storage.
2. Detect Hooking Frameworks (Frida/Xposed)
Frida and Xposed are commonly used by attackers to bypass SSL pinning by hooking into app functions. Detecting these frameworks can help you prevent SSL pinning bypasses.
Look for the presence of Frida or Xposed modules at runtime and terminate the app or block critical functionality if detected.
Good reads:
https://cheatsheetseries.owasp.org/cheatsheets/Pinning_Cheat_Sheet.html
###Code obfuscation:
1. Enable ProGuard or R8 for Obfuscation
ProGuard and R8 are official tools provided by Google to shrink, optimize, and obfuscate Android code.
Both tools rename classes, methods, and variables, making the code more difficult to read and reverse-engineer.
R8 is now the default in Android, as it is more powerful and efficient than ProGuard.
2. Obfuscate the Manifest File
Attackers often analyze the Android Manifest file to find key components like activities, services, and permissions.
Use tools like DexProtector to obfuscate entries in the manifest file, hiding key information such as component names and intent filters.
3. Obfuscate Resource Files
In addition to code, resources such as XML layouts, strings, and assets can be analyzed during static analysis.
Use resource shrinking (enabled via R8/ProGuard) to remove unused resources, and use string encryption for sensitive resource strings.
4. Obfuscate Code Flow (Control Flow Obfuscation)
Control Flow Obfuscation modifies the structure of the code in a way that makes it harder to follow the logical flow during reverse engineering.
This makes static analysis more difficult because the control flow doesn't follow a standard, readable format.
Tools like DashO or DexProtector offer control flow obfuscation features.
Good reads:
https://proandroiddev.com/how-to-prevent-hackers-from-reverse-engineering-your-android-apps-2981661ab1c2
https://wiki.owasp.org/index.php/Technical_Risks_of_Reverse_Engineering_and_Unauthorized_Code_Modification
###read/write permission on external file
1. Granting unnecessary read/write permissions can expose sensitive data to other apps or even malicious entities. Android provides two permissions related to external storage:
READ_EXTERNAL_STORAGE: Allows apps to read files from the external storage.
WRITE_EXTERNAL_STORAGE: Allows apps to modify or delete files on external storage.
Action Items:
Minimize the use of WRITE_EXTERNAL_STORAGE:
Try to avoid using WRITE_EXTERNAL_STORAGE unless absolutely necessary, especially on Android 10+ where Scoped Storage can handle many use cases without this permission.
Request permissions dynamically (at runtime):
On Android 6.0 (API level 23) and above, permissions must be requested at runtime rather than being automatically granted.
Check and revoke permissions regularly:
Use PermissionManager APIs to check the status of granted permissions and provide fallback solutions if permissions are not granted.
Good reads:
https://owasp.org/www-project-mobile-top-10/2016-risks/m2-insecure-data-storage
~~~~~
SSL pinning not implemented
It is recommended to Implementing SSL certificate/ public key pinning can help to avoid this type of snooping. SSL Pinning is making sure the client checks the server’s certificate against a known copy of that certificate. Implement bundle your server’s SSL certificate inside your application, and make sure any SSL request first validates that the server’s certificate exactly matches the bundle’s certificate. Implement hardening techniques
Good reads:
https://www.nowsecure.com/blog/2017/06/15/certificate-pinning-for-android-and-ios-mobile-man-in-the-middle-attack-prevention/
Root detection is not properly implemented/ Root detection bypass
It is recommended to implement root detection technique in the application. While installing the application verify if the device is rooted and accordingly allow the application to get installed in the mobile device. Ensure that the application does not work in the rooted phone. Implement hardening techniques.
Good reads:
https://www.indusface.com/learning/how-to-implement-root-detection-in-android-applications/