BLOG
- Posted on: Nov 26, 2015
- By Harshit Agarwal
- 2 Mins Read
- Last updated on: May 23, 2024
Continuing our journey through the OWASP Top 10 Mobile security threats, today we look at the last threat on the OWASP list: Lack of Binary Protections.
What is Lack of Binary Protections?
A lack of binary protections within a mobile app exposes the application and its owner to a large variety of technical and business risks if the underlying application is insecure or exposes sensitive intellectual property. Without binary protections, a mobile app can be analyzed, reverse-engineered, and modified by an adversary in rapid fashion.
How is it exploited?
Typically, a hacker will use an automated tool to reverse engineer the code and then modify it, for example by inserting malware that performs some hidden functionality.
It is difficult to detect that an adversary has reverse engineered an app’s code. Usually, the app owner only finds out when the same code shows up in iTunes, Google Play or another third-party app store. Such detection is accidental rather than the result of any deliberate policing effort.
Are You Vulnerable to Lack of Binary Protections?
If you are hosting code in an untrustworthy environment, you are susceptible to this risk. Untrustworthy environments include mobile clients, firmware in appliances, cloud spaces, or datacenters within particular countries. A few questions to ponder over would be:
- Can someone code-decrypt this app (iPhone specific) using an automated tool like ClutchMod or manually using GDB?
- Can someone reverse engineer this app (Android specific) using an automated tool like dex2jar?
- Can someone use an automated tool like Hopper or IDA Pro to easily visualize the control-flow and pseudo-code of this app?
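The Android question above (can the app be reverse engineered with dex2jar) always has the answer "yes"; the practical check is whether the classes that come out of it carry meaningful names or obfuscated ones. The following script is an added example, not code from Appknox or OWASP: it walks the `class_defs` table of a DEX file and reports what fraction of the app's own classes have one- or two-letter names, the pattern ProGuard/R8 produce. The `build_sample_dex` helper and the class names it contains are constructed test data, and the "short lowercase name" rule is an assumed heuristic, not a definition of obfuscation.

```python
import struct

DEX_HEADER_SIZE = 0x70


def _u32(data: bytes, off: int) -> int:
    return struct.unpack_from("<I", data, off)[0]


def _read_uleb128(data: bytes, off: int) -> tuple:
    """Decode one ULEB128 value; return (value, offset after it)."""
    result, shift = 0, 0
    while True:
        byte = data[off]
        off += 1
        result |= (byte & 0x7F) << shift
        if byte & 0x80 == 0:
            return result, off
        shift += 7


def _read_string(data: bytes, off: int) -> str:
    """Read a string_data_item: ULEB128 utf16 length, MUTF-8 bytes, NUL terminator."""
    _, off = _read_uleb128(data, off)
    end = data.index(b"\x00", off)
    return data[off:end].decode("utf-8", errors="replace")


def defined_class_descriptors(dex: bytes) -> list:
    """Descriptors (e.g. 'Lcom/example/Foo;') of every class the DEX itself defines."""
    if dex[:4] != b"dex\n":
        raise ValueError("not a DEX file")
    string_ids_off = _u32(dex, 0x3C)
    type_ids_off = _u32(dex, 0x44)
    class_defs_size = _u32(dex, 0x60)
    class_defs_off = _u32(dex, 0x64)
    out = []
    for i in range(class_defs_size):
        class_idx = _u32(dex, class_defs_off + 32 * i)                # class_def_item.class_idx
        descriptor_idx = _u32(dex, type_ids_off + 4 * class_idx)      # type_id_item.descriptor_idx
        string_off = _u32(dex, string_ids_off + 4 * descriptor_idx)   # string_id_item.string_data_off
        out.append(_read_string(dex, string_off))
    return out


def looks_obfuscated(descriptor: str) -> bool:
    """Assumed heuristic: simple name of one or two lowercase letters (ProGuard/R8 style)."""
    simple = descriptor[1:-1].split("/")[-1].split("$")[-1]
    return 1 <= len(simple) <= 2 and simple.isalpha() and simple.islower()


def obfuscation_ratio(dex: bytes) -> float:
    """Fraction of app-defined classes whose names look obfuscated (0.0 when none are defined)."""
    names = defined_class_descriptors(dex)
    if not names:
        return 0.0
    return sum(looks_obfuscated(n) for n in names) / len(names)


def build_sample_dex(descriptors: list) -> bytes:
    """Constructed minimal DEX defining the given classes (header, string_ids, type_ids,
    class_defs, string data). Checksum and signature are left zero: fine for this parser,
    which never verifies them, but not something a device would load."""
    n = len(descriptors)
    string_ids_off = DEX_HEADER_SIZE
    type_ids_off = string_ids_off + 4 * n
    class_defs_off = type_ids_off + 4 * n
    data_off = class_defs_off + 32 * n
    string_ids, string_data = b"", b""
    for d in descriptors:
        string_ids += struct.pack("<I", data_off + len(string_data))
        string_data += bytes([len(d)]) + d.encode("utf-8") + b"\x00"   # ULEB128 length (< 128)
    type_ids = b"".join(struct.pack("<I", i) for i in range(n))        # type i -> string i
    # class_idx, access_flags, superclass (NO_INDEX), interfaces_off, source_file (NO_INDEX), ...
    class_defs = b"".join(
        struct.pack("<8I", i, 0, 0xFFFFFFFF, 0, 0xFFFFFFFF, 0, 0, 0) for i in range(n)
    )
    header = bytearray(DEX_HEADER_SIZE)
    header[:8] = b"dex\n035\x00"
    struct.pack_into("<I", header, 0x20, data_off + len(string_data))  # file_size
    struct.pack_into("<I", header, 0x24, DEX_HEADER_SIZE)
    struct.pack_into("<I", header, 0x28, 0x12345678)                   # endian_tag
    struct.pack_into("<II", header, 0x38, n, string_ids_off)
    struct.pack_into("<II", header, 0x40, n, type_ids_off)
    struct.pack_into("<II", header, 0x60, n, class_defs_off)
    struct.pack_into("<II", header, 0x68, len(string_data), data_off)
    return bytes(header) + string_ids + type_ids + class_defs + string_data


# Constructed sample: two readable classes, two that look like R8 output.
SAMPLE_CLASSES = [
    "Lcom/example/app/MainActivity;",
    "Lcom/example/app/LoginHelper;",
    "La/b/c;",
    "Lcom/example/app/a$b;",
]

if __name__ == "__main__":
    dex = build_sample_dex(SAMPLE_CLASSES)
    print(defined_class_descriptors(dex))
    print("obfuscation ratio:", obfuscation_ratio(dex))
```

On a real build you would read `classes.dex` (and `classes2.dex`, ...) out of the APK instead of calling `build_sample_dex`; a release build whose ratio stays near zero is shipping with no name obfuscation at all, which is the condition this section warns about.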
How To Prevent Lack of Binary Protections?
A multifaceted and proactive approach is crucial to prevent the risks associated with the lack of binary protection.
Code obfuscation makes reverse engineering difficult for attackers, helping you secure your app against threats.
By implementing robust techniques like stack protection and ASLR (Address Space Layout Randomization), you empower your app with a formidable defense against runtime attacks.
Keeping secure communication and authentication processes in place helps protect APIs from exploitation.
Ensure additional security by utilizing a combination of encryption for data stored in the mobile application and secure key management techniques.
Diligently monitoring the application for anomalies, backed by swift incident response procedures, gives app owners confidence that proactive security measures are in place.
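Stack protection and ASLR are compiler and linker settings, so the useful check is on the shipped binaries rather than on the source. The script below is an added example, not Appknox or OWASP code: it opens an APK as a zip, reads the ELF header of every bundled native library to see whether it was built as position-independent code (the precondition for ASLR), looks for the `__stack_chk_fail` handler that canary-protected code imports, and does the equivalent Mach-O check for a thin 64-bit iOS image. The presence-of-string test for canaries and the treatment of `ET_DYN` as "PIE" are assumed heuristics; the sample APK, libraries and Mach-O header are constructed test data and are not loadable images.

```python
import io
import struct
import zipfile

ELF_MAGIC = b"\x7fELF"
ET_DYN = 3                  # ELF shared-object type: relocatable, so ASLR can place it anywhere
MACHO64_MAGIC = 0xFEEDFACF
MH_PIE = 0x00200000         # mach_header flag: image may be loaded at a random address


def check_elf(data: bytes) -> dict:
    """Hardening indicators for an Android native library (ELF shared object)."""
    if len(data) < 18 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF image")
    endian = "<" if data[5] == 1 else ">"              # EI_DATA: 1 = little, 2 = big
    e_type = struct.unpack_from(endian + "H", data, 16)[0]
    return {
        "format": "elf",
        "pie": e_type == ET_DYN,
        # Canary-protected code imports the failure handler, so its name sits in .dynstr.
        "stack_protector": b"__stack_chk_fail" in data,
    }


def check_macho(data: bytes) -> dict:
    """Hardening indicators for a thin, little-endian 64-bit Mach-O image (no fat binaries)."""
    if len(data) < 28 or struct.unpack_from("<I", data, 0)[0] != MACHO64_MAGIC:
        raise ValueError("not a thin 64-bit Mach-O image")
    flags = struct.unpack_from("<I", data, 24)[0]      # mach_header_64.flags
    return {
        "format": "macho",
        "pie": bool(flags & MH_PIE),
        "stack_protector": b"___stack_chk_fail" in data,   # Darwin prefixes C symbols with '_'
    }


def audit_apk(apk_bytes: bytes) -> dict:
    """Walk an APK (a zip archive) and check every bundled native library."""
    report = {"v1_signature_files": False, "native_libs": {}}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                # Only the v1 (JAR) scheme leaves entries; v2/v3 live in the APK signing block.
                report["v1_signature_files"] = True
            elif name.startswith("lib/") and name.endswith(".so"):
                report["native_libs"][name] = check_elf(zf.read(name))
    return report


def missing_protections(report: dict) -> list:
    """Native libraries in the report that lack PIE or stack canaries."""
    return sorted(
        name for name, r in report["native_libs"].items()
        if not (r["pie"] and r["stack_protector"])
    )


def build_sample_elf(pie: bool, canary: bool) -> bytes:
    """Constructed ELF64 little-endian header for AArch64 (not a loadable library)."""
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\x00" * 8           # 64-bit, LE, version 1
    header = ident + struct.pack("<HH", ET_DYN if pie else 2, 183)  # e_type, e_machine
    body = header + b"\x00" * 44
    if canary:
        body += b"__stack_chk_fail\x00"                             # stand-in for .dynstr
    return body


def build_sample_macho(pie: bool) -> bytes:
    """Constructed mach_header_64 (arm64, MH_EXECUTE) followed by a stand-in symbol name."""
    header = struct.pack("<7I", MACHO64_MAGIC, 0x0100000C, 0, 2, 0, 0, MH_PIE if pie else 0)
    return header + b"\x00" * 4 + b"___stack_chk_fail\x00"


def build_sample_apk() -> bytes:
    """Constructed APK: one hardened and one unhardened library plus a v1 signature file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/CERT.RSA", b"constructed placeholder, not a real signature")
        zf.writestr("lib/arm64-v8a/libhardened.so", build_sample_elf(pie=True, canary=True))
        zf.writestr("lib/arm64-v8a/libweak.so", build_sample_elf(pie=False, canary=False))
    return buf.getvalue()


if __name__ == "__main__":
    report = audit_apk(build_sample_apk())
    print(report)
    print("libraries needing attention:", missing_protections(report))
    print(check_macho(build_sample_macho(pie=True)))
```

Run it against a real release APK by replacing `build_sample_apk()` with the file's bytes; any library listed by `missing_protections` was built without the runtime defenses this section recommends, and the fix is in the NDK build flags rather than in the app code.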
What is the Impact of Lack of Binary Protections?
Most mobile app developers and app owners do nothing to prevent an adversary from analyzing, reverse engineering or modifying the app’s binary code. Organizations should apply binary protections to a mobile app under a few different circumstances:
Analysis and Reverse Engineering
Binary protections slow down an adversary from analyzing exposed interfaces and reverse engineering code within the mobile app. All too often, the adversary will steal code and recycle it within another app for reselling.
Unauthorized Code Modification
Code modification often takes the form of repackaging or insertion of malware into existing mobile apps.
Business Impacts
Typically, a lack of binary protection will result in the following business impacts:
- Privacy Related and Confidential Data Theft;
- Unauthorized Access and Fraud;
- Brand and Trust Damage;
- Revenue Loss and Piracy;
- Intellectual Property Theft;
- User Experience Compromise.
Harshit Agarwal
Beyond the tech world, Harshit loves adventure. When he's not busy making sure the digital realm is safe, he's out trekking and exploring new destinations.