Security controls bypass or absence - Reversing Protection

Description

The application is shipped without anti-reverse-engineering protections, such as code obfuscation or encryption of the executable. An attacker who obtains a copy of the binary can apply standard reverse engineering tools and techniques to recover its logic, its constants and its embedded resources, and any weak protection that is present can be bypassed with the same tooling.

Impact

  • Reveal cryptographic constants and ciphers.
  • Steal intellectual property.
  • Perform attacks against back end systems.

Recommendation

  • Encrypt the executable version of the software so that its code and data are not readable at rest.
  • Add further protection against reverse engineering by combining several obfuscation techniques (identifier renaming, as in the compliant example below, is only one of them).
  • Extend the same protection to software or firmware upgrades, since an unprotected update package exposes the same code.
  • Select automated anti-reversing techniques according to which ones best fit the business security goals, the performance requirements and the cost constraints.
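The following Python script is an added example, not code from the original page or from the project it documents. It shows the check a reviewer can run against a build artifact to confirm the impact described above: it scans a binary image for well-known cryptographic constants (the first bytes of the AES S-box, the SHA-256 initial hash values, the CRC-32 polynomial and the first MD5 round constant), which a rename obfuscator leaves untouched because they are data, not identifiers. It then applies a toy XOR "packer" to illustrate why the recommendation to encrypt the executable defeats this static scan. The sample binary, the key and the XOR packer are constructed for illustration only; a real packer ships its own unpacking stub, so the constants reappear in memory once the program runs, and a debugger or memory dump recovers them. That runtime caveat is why encryption is combined with the other measures rather than used alone.

```python
"""Scan a binary image for well-known cryptographic constants.

Constructed example: the "binary" is built inline and the XOR packer is a
toy stand-in for a real executable encryptor.
"""
import struct

# Well-known constants (standard values, independent of any implementation).
AES_SBOX_PREFIX = bytes([0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5])
SHA256_IV = [0x6A09E667, 0xBB67AE85, 0x3C6EF372, 0xA54FF53A]
CRC32_POLY = 0xEDB88320
MD5_T0 = 0xD76AA478


def _words(values, fmt):
    """Serialize a list of 32-bit words with the given struct format."""
    return b"".join(struct.pack(fmt, v) for v in values)


# Signature name -> byte patterns to look for (both endiannesses for words).
SIGNATURES = {
    "AES S-box": [AES_SBOX_PREFIX],
    "SHA-256 IV": [_words(SHA256_IV, "<I"), _words(SHA256_IV, ">I")],
    "CRC-32 polynomial": [struct.pack("<I", CRC32_POLY), struct.pack(">I", CRC32_POLY)],
    "MD5 T[0]": [struct.pack("<I", MD5_T0), struct.pack(">I", MD5_T0)],
}


def find_crypto_constants(blob: bytes) -> list[tuple[str, int]]:
    """Return (signature name, offset) for every occurrence found in blob."""
    hits = []
    for name, patterns in SIGNATURES.items():
        for pat in patterns:
            start = 0
            while (idx := blob.find(pat, start)) != -1:
                hits.append((name, idx))
                start = idx + 1
    return sorted(hits, key=lambda h: h[1])


def xor_pack(blob: bytes, key: bytes) -> bytes:
    """Toy packer: XOR the whole image with a repeating key.

    Applying it twice with the same key restores the image, which is what an
    unpacking stub does at load time; the constants are hidden on disk only.
    """
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(blob))


def build_sample_binary() -> bytes:
    """Constructed stand-in for a compiled image: a header-like prefix, the
    AES S-box prefix at offset 32, a little-endian SHA-256 IV at offset 48,
    the CRC-32 polynomial at offset 72 and a plaintext configuration string."""
    return (b"\x00" * 16 + b"MZ\x90\x00" + b"\x00" * 12
            + AES_SBOX_PREFIX + b"\x00" * 8
            + _words(SHA256_IV, "<I") + b"\x00" * 8
            + struct.pack("<I", CRC32_POLY)
            + b"api_key=prod-secret\x00")


def demo() -> tuple[list, list]:
    """Scan the unprotected image, then the packed one; return both hit lists."""
    plain = build_sample_binary()
    packed = xor_pack(plain, b"\x5a\xa5\x3c")  # constructed key, not a real one
    return find_crypto_constants(plain), find_crypto_constants(packed)


if __name__ == "__main__":
    plain_hits, packed_hits = demo()
    print("unprotected image:", plain_hits)
    print("packed image:     ", packed_hits)
```

Run against a real artifact by replacing `build_sample_binary()` with the bytes of the file under review; every hit is a constant a reverser gets for free, and an empty result on the packed image says nothing about what a runtime dump would show.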

Threat

An anonymous attacker with a copy of the final binary analyzes it to recover the source code, the algorithms and the resources embedded in the application, and then uses that knowledge to perform malicious actions.

Expected Remediation Time

⌚ 450 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the vulnerability.

Base

  • Attack vector: N
  • Attack complexity: L
  • Privileges required: N
  • User interaction: N
  • Scope: U
  • Confidentiality: L
  • Integrity: N
  • Availability: N

Temporal

  • Exploit code maturity: X
  • Remediation level: X
  • Report confidence: X

Result

  • Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:X/RL:X/RC:X
  • Score:
    • Base: 5.3
    • Temporal: 5.3
  • Severity:
    • Base: Medium
    • Temporal: Medium

Code Examples

Compliant code

The same method after rename obfuscation: class, method and variable names no longer describe the business logic, so the reverser has to recover it from behavior alone.

// Same method after rename obfuscation
private void calculatePay(a b){
    while(b.c()){
        d e = b.a(true);
        e.a();
        b(e);
    }
}

Non compliant code

The code as shipped, before any obfuscation: the identifiers alone reveal what the method does and which objects it operates on.

//Code before obfuscation
private void calculatePay(SpecialList clientGroup){
    while(clientGroup.hasMore()){
        Client client = clientGroup.getNext(true);
        client.updatePay();
        makePay(client);
    }
}

Details

https://mobile-security.gitbook.io/mobile-security-testing-guide/android-testing-guide/0x05j-testing-resiliency-against-reverse-engineering#owasp-masvs

Requirements