Tips for App Integrity with Arxan – AppsWorld
Security is becoming more of an issue as time goes on. The recent progression of a UK homeland cyber security team shows the government is becoming more aware of this issue. While at AppsWorld we spoke to Mark Noctor at Arxan Technologies, whose company defends against app integrity risks and attacks.
Arxan uses ‘Guards’ to protect mobile apps on the inside and outside. One method is to inject additional binary code into the compiled versions of apps to guard against modification after hackers use reverse engineering. Mark believes that releasing unprotected apps is the same as releasing the source code, which is vulnerable to modifications by a hacker.
Reverse engineering is a particular problem because so many people have jailbroken their devices. In January this year, it was recorded that 22,780,029 people were using a jailbroken iOS device, a staggering number of whom can edit the source code of apps and the system within minutes.
Arxan has found that many apps perform a simple test to see if a device is jailbroken. If the device appears jailbroken to the app, then the app does not execute. However, developers have been lazy and have made the tests too obvious, with names such as “isJailbroken”. Hackers can locate this test and then remove the appropriate lines, thus opening your app up to further injections.
An internal review reveals that two-thirds of banking apps surveyed have their source-code-derived symbol names exposed in the clear, without any protection. Even “flawlessly” coded applications are vulnerable to reverse-engineering and code tampering, and in an analysis of the top 35 banking applications, Arxan found that all 35 apps were vulnerable to these types of attacks.
So there is definitely a lot to shout about at finance and banking companies. But how and when should you use Arxan Technologies?
Mark believes that developers use Arxan to protect their apps when they are passing personal data and have reached a fair user base. Developers should submit their app to Arxan, who will perform app integrity protection within a set amount of time. The app should be ready for release on the app store, since Arxan’s modification needs to be the very last thing.
If you are a developer, you can apply various techniques to help protect your app. Some of them are as follows:
- Rename Objective-C symbols to irrelevant names so they do not reveal vital information about the app.
- Insert self-checksum code that can check if redirect calls to the original Objective-C methods have been inserted by attackers.
- Avoid implementing security-critical operations in metadata-rich languages like Objective-C. If possible use C/C++ instead.
- Don’t rely on Apple’s signature-verification mechanism, since it is compromised on jailbroken devices.
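The self-checksum idea from the list above, as an added example that is not code from Arxan or from the original article: a portable C model in which a writable dispatch table stands in for the Objective-C selector-to-implementation mapping, and a guard hashes the live entries against a read-only copy of the shipped ones before every call. All function and selector names are hypothetical, and `foreign_imp` is a constructed stand-in used only to exercise the guard.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef int (*imp_fn)(const char *);

/* Hypothetical security-critical operations (names are illustrative). */
static int verify_pin(const char *pin)  { return strcmp(pin, "4821") == 0; }
static int approve_tx(const char *memo) { return strlen(memo) < 32; }
/* Constructed stand-in for a foreign implementation, used only by the demo. */
static int foreign_imp(const char *s)   { (void)s; return 1; }

/* Writable dispatch table: plays the role of the selector -> IMP mapping. */
static struct { const char *sel; imp_fn imp; } dispatch[] = {
    { "verifyPin:", verify_pin }, { "approveTx:", approve_tx },
};
/* Read-only reference copy of the implementations the build shipped with. */
static imp_fn const shipped[] = { verify_pin, approve_tx };
#define N_METHODS (sizeof shipped / sizeof shipped[0])

/* FNV-1a, 64-bit, folded over the raw bytes of one function pointer. */
static uint64_t fnv1a_ptr(uint64_t h, imp_fn fn)
{
    unsigned char b[sizeof fn];
    memcpy(b, &fn, sizeof fn);
    for (size_t i = 0; i < sizeof b; i++) { h ^= b[i]; h *= 0x100000001b3ULL; }
    return h;
}

/* Returns 1 when the live table still hashes to the shipped value. */
static int guard_ok(void)
{
    uint64_t live = 0xcbf29ce484222325ULL, want = live;
    for (size_t i = 0; i < N_METHODS; i++) {
        live = fnv1a_ptr(live, dispatch[i].imp);
        want = fnv1a_ptr(want, shipped[i]);
    }
    return live == want;
}

/* Dispatch only through the guard; -1 means "table altered, refuse". */
static int guarded_call(size_t idx, const char *arg)
{
    if (idx >= N_METHODS || !guard_ok()) return -1;
    return dispatch[idx].imp(arg);
}

int main(void)
{
    printf("clean: %d\n", guarded_call(0, "4821"));
    dispatch[0].imp = foreign_imp;   /* constructed redirect for the demo */
    printf("after redirect: %d\n", guarded_call(0, "0000"));
    return 0;
}
```

A guard named `guard_ok` is as easy to find as the “isJailbroken” tests described earlier, so the symbol-renaming advice applies to the check itself.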
With responsibility shifting onto developers due to the rapid pace of technology, it is essential that you take sufficient measures to protect your app. Whether you are at the level where you use Arxan or you are an indie developer looking to protect your users, there are technologies you can and should apply.