Security controls bypass or absence - Reversing Protection

Description

The application does not have anti-reverse-engineering protections. Sophisticated reverse engineering tools and techniques could bypass weak security controls against reversing, so the binary is effectively open to analysis.

Impact

  • Reveal cryptographic constants and ciphers.
  • Steal intellectual property.
  • Perform attacks against back end systems.

Recommendation

  • Encrypt the executable version of the software.
  • Use additional protection against reverse engineering, such as a combination of obfuscation techniques.
  • Extend the same protection to software or firmware upgrades.
  • Select automated anti-reversing techniques based on which ones provide the best fit for business security goals, performance requirements and cost sensitivity.

Threat

An attacker can analyze the final core binary to recover its source code, algorithms and the resources embedded within the app, and use them to carry out dubious actions.

Score

Default score using CVSS 3.1. It may change depending on the context of the vulnerability.

Base

  • Attack vector: N
  • Attack complexity: L
  • Privileges required: N
  • User interaction: N
  • Scope: U
  • Confidentiality: L
  • Integrity: N
  • Availability: N

Temporal

  • Exploit code maturity: X
  • Remediation level: X
  • Report confidence: X

Result

  • Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:X/RL:X/RC:X
  • Score:
    • Base: 5.3
    • Temporal: 5.3
  • Severity:
    • Base: Medium
    • Temporal: Medium

Details

https://mobile-security.gitbook.io/mobile-security-testing-guide/android-testing-guide/0x05j-testing-resiliency-against-reverse-engineering#owasp-masvs

Requirements