Reverse engineering tools for mobile apps emerging, expert says

When it involves mobile applications, you do not have a malware problem, you've gotten an adversary problem, in keeping with Adam Meyers, a pen tester and expert at reverse engineering different types of mobile apps.

On any given day we're going through one other platform so now we have so much to profit to stick prior to the sport.

Adam Meyers, Director of Intelligence, CrowdStrike

Meyers, director of intelligence at security startup CrowdStrike, discussed the challenges of reverse engineering applications for mobile devices. Reverse engineering tools are emerging, he said, however the process remains largely manual and often tedious, he said in a presentation recently on the 2012 SOURCE Boston conference.

Reverse engineering applications help penetration testers understand how the appliance works and discover weaknesses that may be utilized by cybercriminals in a real-world attack. It's also used to find hidden malware in the underlying code. For example, enterprises that are risk averse may decide to set up their own mobile app store, giving employees approved applications that have been vetted and whitelisted for use on their smartphone or tablet devices.

There are more than 34 million devices in use globally and, according to some estimates, a massive amount of devices are coming to market with many different patch levels. “It's a complicated problem,” he said.

 “We've got a truely big moving target,” Meyers said. “On any given day we're dealing with a different platform so we've got a lot to learn to stay ahead of the game.”

Meyers said that although mobile malware is just beginning to emerge, plenty of cybercriminals are working to locate ways to get malware to live inside the platform's kernel. “Detection and prevention is very difficult to do,” he said, because security software is restricted by manufacturers.

Meyer highlighted several applications that provide a basis for future attack types. A flashlight app that surfaced more than a year ago within the Apple iTunes store contained a hidden feature giving users tethering capabilities. A mobile application called Dog Wars surfaced at the time football star Michael Vic faced legal troubles over his role in underground dogfights. The app contained malicious Java functionality that sent a text to everyone in the user's contact list saying that the user hates animals. The app was designed by the animal care advocate organization, PETA.

“If an organization like PETA is able to do something like this, it tells you this is a pretty easy task to accomplish,” Meyer said.

Mobile platforms were built from the ground up with various security features, making reverse engineering a difficult process. Pen testers need to deal with application sandboxes, access control filters and code signing. Apple makes it especially difficult for reverse engineers because it uses FairPlay, a digital rights management (DRM) technology created for songs as the same mechanism to protect app files, Meyers said.

Tools to reverse engineer mobile apps are emerging. IDA Pro can be used for disassembling; Hex-Rays for decompiling; and dex2jar to decompile Android applications into Java source code. ProGuard is used as a Java class file shrinker and obfuscator that can be used on Android apps. There is still no way to do obfuscation on iOS, per Meyers. a device called Dumpdecrypted can dump decrypted files from encrypted iPhone applications from memory to disk. “As these items emerges and becomes more popular will see more of that,” Meyers said of automation.