Arxan Best Practices White Paper Securing Android Applications

Author: Edmund Neal

Arxan Technologies White Paper – Arxan protects your IP from software piracy, tampering, reverse engineering and any manner of theft.


Executive Summary

Risk Factors & Exploits

Mobile applications are taking flight

Today’s mobile applications are connected and feature-rich. They process increasingly valuable information including user credentials, digital content, enterprise proprietary information and sensitive financial data, and embody proprietary intellectual property (IP) and critical security routines. As enterprises and consumers are rapidly going mobile via smart phones, netbooks and tablets, their data and applications are going mobile as well. In particular, Android is gaining market share as adoption soars and developers are flocking to it in droves, making it the most used platform in early 2010.

Android and other mobile applications are vulnerable

Today’s mobile applications are a hacker’s gateway to valuable code, sensitive data and the mobile device itself. Attacks include malware, software piracy, theft of intellectual property, call/SMS fraud and data theft. Carrier and device maker business models are also at risk. Jailbreaking, for example, interferes with the carrier’s business model, and also puts every other application (and related data) in danger of reverse engineering, tampering and theft. Likewise, developers are threatened by piracy, and loss of revenues and IP.

Embedded software is feature-rich

Mobile applications today have rich, interactive features. Embedded software is vital to today’s new computing world, powering everything from popular gaming and DRM systems to mobile banking, medical equipment and critical infrastructure. As they approach desktop applications in terms of complexity, they become equivalently vulnerable as well. Cloud computing, rich internet applications, wireless and web capability, remote access capability, and social networking platforms emphasize this trend.

Security Recommendations for Android Apps

Attacks against all major mobile platforms, including Android, Apple iOS and Blackberry, are growing both in number and in sophistication. Most recently, Android applications are seeing a rash of attacks, regardless of whether they are Java/Dalvik bytecode or native Android application code. Business publishers of mobile applications must account for the following to successfully combat these attacks:

• Ensure proper compensation for access to/usage of your application
• Ensure that sensitive data (perhaps under legislative protection) is not inadvertently compromised, and all appropriate hardening standards are met
• Ensure that the application isn’t hacked with malware and re-published under a different brand

Traditional methods of application security are often unable to mitigate modern threats. For example, malware is most likely to invade smartphones by infecting another application or posing as a benign application. Traditional security investments such as blacklist-based anti-malware utilities have limited efficiency against these rapidly morphing exploits. Similarly, simple obfuscators offered some protection against reverse engineering a decade ago, but offer no barrier against today’s disassembly and analysis tools, which can trivially cut through them.

Application Hardening with EnsureIT

Simple obfuscation and code wrappers can be defeated easily. In the face of threats such as hacking, piracy, malware injection and data theft, it is critical to Guard the application INTERNALLY to fully secure these assets. Durability requires defense in depth through a variety of security technologies that act in a layered manner across platforms, and are renewable for resilience against persistent attacks.


Risk Factors for Mobile Applications

Three factors are making mobile applications in general, and Android applications in particular, a prime target for hackers today.

Growing Deployment

The global deployment of mobile systems continues to grow, with more than 10 billion mobile consumer devices expected in the marketplace by 2020. This increases the reach, and profitability, of any hack on mobile applications. The Android platform is adopted most widely among developers today, followed closely by iPhone’s iOS and Java mobile edition. Symbian systems are relatively closed with more limited functionality, and therefore less vulnerable than the three leading platforms.

Greater app access via mobile devices means greater app threats across platforms:

• Threats to DRM and license management for piracy
• Threats to content and critical IP
• Risks from malware insertion and unauthorized access

Advances in Hacking Technology

Hacking tools such as disassemblers, decompilers, and memory dump analyzers are becoming more capable, and easier to use. Internet forums facilitate global collaboration among hackers, and ease the discovery and dissemination of system information and new exploits. Simple obfuscation methods like variable renaming, or simple encryption wrappers, are no longer any match for today’s attack tools. Further, hacks are now developed for serious financial gain, rather than just for publicity and recognition. Professional crime groups regularly leverage underground forums to put out bids for development of new hack tools. High-bandwidth internet connectivity of most mobile devices today offers easy routes to push malicious software and harvest lucrative data.


Undefended Targets

Android is largely an open-source platform, so it is trivial to reverse engineer. While most applications are proprietary in theory, they often rely on system libraries or managed components that are either open source or easily disassembled. There are very few anti-tamper and anti-piracy components available in the Android Market, and none of them offer adequate robustness on their own. Thus, exploits are relatively easy to craft and disseminate. Furthermore, phone device manufacturers typically take weeks or months to update software, with the result that new exploits remain present in phone devices for long periods of time. This in turn offers a longer window of opportunity for malware attackers. Although Google has been quick to deploy its Kill switch when needed, it remains to be seen how scalable this mechanism is against rapidly morphing strains of malware.

Mobile Application Exploits

This section provides some examples of the leading types of exploits seen on mobile devices in general, and Android applications in particular.

Piracy

Demand for Android applications is growing, but demand for pirated applications is growing faster. The ease of decompiling and hacking Java/Dalvik code today makes even Google’s official license verification library trivial to hack, as demonstrated by Justin Case of Android Police.com. BORE (break-once-run-everywhere) scripts allow widespread piracy of applications, and can quickly decimate revenue. Google recommends that all developers use obfuscation and other hardening measures to protect their applications, and revenue, against hacking.

Brand value and trust will be important factors in the competitive mobile battleground, particularly for banking applications.

Malware

Any security “hole” in software is an opportunity for a hacker to infiltrate your application and the system overall. An exploit succeeds when it can gain the ability to execute arbitrary code at a high system privilege level. Exploits in Linux kernel code (at the heart of Android) are fairly common. An example is the potent rootstrap malware exploit, developed and deployed by Jon Oberheide. Modeled along the lines of cutting edge PC malware, this is a published Android application which appears to provide movie previews. However, using native code executing out of the JNI interface in Dalvik, the exploit periodically downloads a list of newly available exploits from a web URL. It then downloads, installs and runs these exploits in native ARM code. This demonstrates how easy it is to integrate malicious functionality into a seemingly legitimate application. Likewise, it is easy for a hacker to take YOUR APPLICATION, add similar exploiting code, and republish it under your brand. Application hardening measures, which prevent reverse engineering and both prevent and flag tampering, are required to secure both Java/Dalvik and native applications against malware.

Jailbreaking

Jailbreaking refers to the endeavor of unlocking devices to run arbitrary applications, acquire content from arbitrary locations, or use the phone with an arbitrary carrier. Recently legitimized by an American judicial ruling and therefore increasingly popular, jailbreaking interferes with revenue and business models for the device provider, the application developers, and the subsidizing carrier. Jailbreaking also affects users themselves – for example, users of jailbroken iPhones are more susceptible to spam SMSs, since built-in security measures are bypassed.


Data Theft

Leading phone systems have massive user bases, and carry sensitive financial and personal information. Enterprise users often access business-proprietary or customer-confidential data on such devices. As a result, hackers are aggressively targeting these systems to craft both overt and covert exploits against this data. On the iPhone, thousands of user credentials such as iTunes accounts and banking accounts have been compromised via vulnerable applications or malicious banking applications, and have been linked to several million fraudulent transactions. Enterprise applications must be both tamper-evident and integrity-evident, to ensure user trust and to limit fraud.

Android Exploits 101

• Exploits: an opportunity created by a security “hole” in software, for instance to execute arbitrary code at a higher system privilege level
  – Exploits in Linux kernel code (at the heart of Android) are fairly common
• Malware can take advantage of an exploit to work around the capability system
• Failure by phone device manufacturers to routinely update phone software means known exploits stay present
• Even with updates, there are significant delays between discovery of exploits and their removal via updates. This creates a window of opportunity for attackers.

Security Recommendations for Android Applications

A multi-pronged strategy is needed to secure Android applications.

First, organizations should keep their Android software current with the latest updates, so that they minimize the window of opportunity for a hacker to take advantage of an exploit.

Second, organizations should protect their apps. This applies to any entity publishing an Android app, from enterprises to small businesses, and can be used to protect business models, the associated intellectual property (IP) as well as the company’s brand. Android applications can be hardened against tampering to secure license management, sensitive IP and the integrity of code. Information about and recommendations regarding application hardening are below.

Third, enterprises can consider application vetting and whitelisting services as an approach to ensuring that malware-free applications get loaded onto phones. Traditional anti-malware security is another option in that it provides some control with firewalls, but given the nature of the risk, it’s an open question as to whether this technology can keep up with the threats.

A Closer Look at the Android License Server

The Android Market License Server is a new free Google service for paid Android applications in order to authenticate them for consumers. Here’s how it works:

• The server grants application license requests made via the Android Market Client on devices
• The Android Market Client requests license status from the Android Market License Server
• The return response is signed using a private key unique to each application account. A public key is embedded in the application for validating the signature.
• Licensing library APIs provide flexible choice of policy and application behavior based on policy results
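The signed-response check described above, sketched as an added example; it is not Google's licensing library or Arxan code. The `status|nonce|package` layout, the status codes, the SHA256withRSA algorithm, the package name and the locally generated key pair are assumptions made for the demonstration.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Base64;

public class LicenseResponseCheck {
    static final int LICENSED = 0; // constructed status code for this example

    // Client side: trust the response only if the signature verifies against the
    // public key embedded in the app AND the signed fields match this request.
    static boolean isLicensed(PublicKey embeddedKey, String signedData, String sigB64,
                              long expectedNonce, String expectedPackage) {
        try {
            Signature verifier = Signature.getInstance("SHA256withRSA");
            verifier.initVerify(embeddedKey);
            verifier.update(signedData.getBytes(StandardCharsets.UTF_8));
            if (!verifier.verify(Base64.getDecoder().decode(sigB64))) {
                return false; // data was altered or signed with a different key
            }
            String[] f = signedData.split("\\|"); // status|nonce|package (assumed layout)
            return f.length == 3
                    && Integer.parseInt(f[0]) == LICENSED
                    && Long.parseLong(f[1]) == expectedNonce // rejects replayed responses
                    && f[2].equals(expectedPackage);         // rejects another app's response
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            return false; // malformed signature or fields: fail closed
        }
    }

    // Stand-in for the license server, which signs with the account's private key.
    static String sign(PrivateKey key, String data) throws GeneralSecurityException {
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(key);
        signer.update(data.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(signer.sign());
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair server = gen.generateKeyPair();  // constructed key pair for the demo
        PublicKey embedded = server.getPublic(); // what would ship inside the app
        String pkg = "com.example.paidapp";      // hypothetical package name
        long nonce = new SecureRandom().nextLong();

        String ok = LICENSED + "|" + nonce + "|" + pkg;
        String okSig = sign(server.getPrivate(), ok);
        System.out.println("genuine response:  " + isLicensed(embedded, ok, okSig, nonce, pkg));

        // A "not licensed" answer (status 1) edited to LICENSED keeps its old signature.
        String deniedSig = sign(server.getPrivate(), "1|" + nonce + "|" + pkg);
        System.out.println("edited status:     " + isLicensed(embedded, ok, deniedSig, nonce, pkg));

        // A genuine response captured earlier does not match a fresh nonce.
        System.out.println("replayed response: " + isLicensed(embedded, ok, okSig, nonce + 1, pkg));

        // A response signed by any key other than the server's fails verification.
        String otherSig = sign(gen.generateKeyPair().getPrivate(), ok);
        System.out.println("wrong signing key: " + isLicensed(embedded, ok, otherSig, nonce, pkg));
    }
}
```

The check is only as trustworthy as the embedded key and the code that performs it, which is why the paper pairs license verification with anti-tamper protection of both.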


Platform-Provided Measures are Good, but Need Defense in Depth to Harden Code

While Google provides some basic security features for Android applications, they are not effective in isolation, and can be defeated relatively easily. In fact, Google recommends that developers effectively obfuscate their code to fully secure against attack. It is important to note that not all obfuscation solutions are effective. Free and low-cost obfuscators can typically be easily defeated. Protections must be layered, with measures that include, but are not limited to, obfuscation. The table below provides a detailed discussion of requirements, threats, and best practices to comprehensively harden code.

“The attacks we’ve seen so far are also on all applications that have neglected to obfuscate their code, a practice we strongly recommend.” - Google

| Recommendation/Feature | Functionality | Threat | Defense Best Practices |
| --- | --- | --- | --- |
| Application must be signed by developer | Signature is verified at run-time to check app integrity | Signatures can be forged by replacing both public key and hash | |
| License Verification Library | Ensures an application is properly purchased before it will run | Simple hack to disable the verification, thus allowing application piracy | Secure assets checked during license verification, using strong anti-reverse engineering and anti-tamper measures, including but not limited to obfuscation. Use layered protections – not a single envelope. |
| AT&T’s Android limits downloads to Android market applications, and disallows deletion of preloaded applications | Aims to ensure that only legitimate applications are acquired, and watchdog applications remain functional | Jailbroken phones will bypass these measures. Also, walled gardens may be broken through application development errors. | Make applications self-hardened, so users can rely on trustworthy experience. |
| Kill and push | Disable malware, and push desirable updates | Kill message can be blocked, and push feature may be misused. | Use preventive measures against tampering and RE to complement Google’s reactive measures. |
| Applications request functional capabilities upon installation | User has visibility into the extent of resources and privilege the application will have | No active policing to ensure application is behaving well with the resources it has access to. Applications (including compromised applications) can even request to “brick” the phone! | Use robust, app-internal anti-tamper and tamper-evident measures |

Comprehensive application hardening is crucial to prevent compromise of your application and maintain brand value and trust.


Key Components of Application Hardening

Sophisticated Protection

Obfuscators that simply rely on renaming variables and method names, or encryption measures that simply wrap a binary in a single one-size-fits-all wrapper are unable to effectively secure your code. As Android developers are rapidly discovering, today’s advanced disassemblers easily lift out simplistic auto-obfuscate measures. To be effective, obfuscation must use deep control-flow level transformation of the code, in a manner that interoperates securely with compiler optimizers and yet does not adversely impact run-time performance. Encryption measures must also be deeply built into the code. Multi-layered protection, which includes a variety of protection technologies including anti-debug, self-healing and anti-tamper, is required to ensure durability in the field.

Diversity of Protection

One-click, auto-applied protection is attractive because it is low cost and easy to apply. However, it is also easy to disable, since a breach of an unrelated application using the same protection product will usually result in a breach of your application as well. Protection must be unique to your application (indeed, ideally to a specific release of your application) to provide durability in the field. Protection is most effective when it is closely intertwined with your application logic and functionality, rather than superficially applied.

Cross Platform Support

Android code is developed using a combination of Java and native development. Traditional hardening tools are challenged in this mixed environment: Java obfuscators cannot secure native code, and vice-versa. For effective protection, an application hardening tool must uniformly support native, managed and mixed applications.

Secure Update Capability

The ability to securely push updates to patch flaws gives your application longevity in the field, and promotes user trust. Simple updates are vulnerable to differential attacks and rollbacks – secure updates ensure that attackers cannot analyze a patch to discover vulnerabilities in the old or new version of your application. Publishers will also typically want to limit reliance on the Google kill switch, since it is not infallible and its use often results in adverse publicity. The ability to self-update allows a publisher to be independent in their ability to recall or upgrade their application.

Hardening Mobile Applications with EnsureIT

Arxan’s Guard technology protects software intrinsically. Multi-layered Guard networks provide active and configurable protection against tampering, reverse engineering, code injection, and any form of unauthorized use. In addition to traditional static defenses such as obfuscation, we provide dynamic protection via patented “Guards”. Guards are small security modules that are inserted directly into the application. Each type of Guard protects against a specific threat (such as tampering) or provides a specific defense mechanism (such as self-healing). Guards protect your product and each other, forming a complex multi-layered Guard network that is extremely difficult to defeat. As a result, Arxan protection software not only defends against compromise but also actively detects and reacts to attacks.

Arxan’s EnsureIT delivers full featured Guard-based protection to embedded and mobile applications. Hardening remains intrinsic to the code, and provides rugged, resilient and real-time protection against static, dynamic and virtualized attacks. Durable and easy to deploy, EnsureIT allows applications, such as those for the Android™, iPhone® and Blackberry™, to actively defend, detect and react against attempted attacks.


EnsureIT requires no changes to source code, and supports a broad range of emulators and devices. Specifically, EnsureIT supports applications for the ARM processor, and is compatible with the entire Google development platform and all Android runtime platform versions. Arxan’s GuardIT for Java secures Java code in a manner that securely yet performance-efficiently interoperates with optimizations performed by the Android SDK tools. The result is best-of-breed IP protection that is durable and resilient, provides control of performance impact, and neatly fits into the software development lifecycle.

Android Threats and Arxan Mitigations

| Threat | Arxan Primary Mitigations | Arxan Secondary Mitigations | Benefits and Notes |
| --- | --- | --- | --- |
| Disable license management | Anti-tamper/checksum | Anti-RE via obfuscation, encryption and more | Can force the application to auto-update via customized reaction to tampering. |
| Reverse Engineering (RE) | Obfuscation | Diversification | Secures native, managed and mixed applications |
| Code/malware injection | Checksum | Self-healing (repair) | Customizable reaction when compromise is detected |
| Credential Theft | Anti-debug | Patch-and-repair | Credentials stored encrypted, except when actually in use. |
| IP theft and trojanization of app | Anti-RE and anti-code injection measures as discussed above | | Strong security, with low performance impact |

More Information

Arxan helps secure products against piracy, counterfeiting, tampering and unauthorized access across desktop, server and embedded applications. For more information about Arxan and other Arxan products, please contact us at [email protected] or visit our website at www.arxan.com.

All Content and Arxan Trademarks (including logos and service marks) are protected by Copyright and Patents and are the property of Arxan Technologies. ALL RIGHTS RESERVED, as specified at www.arxan.com/legal/index.
