Mobile App Vulnerabilities Exposed: Intro to Reverse Engineering

Mobile App Vulnerabilities Exposed: Intro to Reverse Engineering

Brian Robinson and Steven Smiley recently hosted another chapter in Corellium’s Mobile Vulnerabilities series, focused on reverse engineering for mobile security research. Watch the full webinar, or keep reading to learn more about exposing mobile vulnerabilities through reverse engineering.

Role of Reverse Engineering in Exposing Vulnerabilities

Reverse engineering refers to breaking down and exposing iOS or Android binary code to fully understand how it works and look for vulnerabilities. This involves deconstructing, analyzing, and observing mobile apps to understand their underlying function. The goal is to understand the app’s inner workings better, find hardcoded values stored within the code, identify a path to exploitation, and gain insight into the application to build scripts for exploitation.

Security researchers use reverse engineering for pentesting and to expose errors or frailties within the code that hackers could use to exploit applications. Software developers use reverse engineering to learn about other apps and mimic specific design protocols.

There are two types of reverse engineering: static and dynamic. Dynamic reverse engineering involves running the app and interacting with it in a live or virtualized environment, while static reverse engineering involves examining the source code.

Reverse Engineering Techniques and Tips

Reverse engineering consists of two techniques: decompilation and disassembly. Decompilation converts binary code into human-readable language so you can examine it. Using decompilation and various tools, depending on the level of obfuscation java code can be revealed for Android applications. Disassembly is used with iOS apps, where the machine code is converted into human-readable assembly code. It’s more complicated, and less of the code is revealed.

Android APK files are essentially zip files that you can expose using tools like APKTool. The file structure includes metadata, library files, assets, the AndroidManifest file, and SMALI code. iOS file structure contains the app binary, info.plist, framework libraries, and certificates.

The following tools are helpful for mobile reverse engineering:

Android 

  • JADX - Dex to Java Decompiler.
  • APKTool - Decode and Rebuild APK files.

iOS

  • Otool - Displays parts of object files.
  • Strings - Looks for ASCII strings in binary code.
  • Hopper Disassembler - Disassembles an executable file.
  • Others: IDA Pro, Ghidra, BinaryNinja.

Examples of Reverse Engineering on Android and iOS

The examples below will give you an idea of how reverse engineering works on Android and iOS using Corellium and other third-party tools.

Injured Android Example (Hardcoded Value)

The Android demo walkthrough revealed hardcoded values that shouldn’t be there. Steven loaded up Corellium with InjuredAndroid and loaded JADX to see some obfuscation; A, B, C, and D are shown, but E and F are hidden. You can also see some flags. Examining the code, it’s easy to see exposed information.

This example is simplified, and some flaws are right there in plain sight, but for others, you have to look harder. You can use JADX’s search feature to find exposed flags or secret keys and solve the flags in the app.

Android repackaging is another technique for testing an app that involves repackaging the application after modifying the code to bypass a security control, certificate pinning, or root detection.

Using the UnCrackable application, you can use Corellium and Frida to bypass the first protection that this application has, root detection:

  • Decompile and identify the root detection implementation we want to bypass
  • Using APKtool decompile the binary and find the SMALI code that contains the root detection methods
  • Modify the SMALI code to either return true or delete the associated logic
  • Repackage the application using APKtool
  • Re-sign the Android application
  • Install the new APK to see that the logic is bypassed

The more you look through the decompiled code, the better insight you’ll have into the application.

iOS Example

The iOS disassembly demo using iGoat-Swift IPA illustrated how to use Frida to trace the application’s functionality (sending a message) and reveal hardcoded secrets.

First, run Strings on the binary, looking for hidden or hardcoded values, and then use Hopper or Ghidra to see if you can identify what the application is doing. If you have enough information from the iOS code you can create a Frida script to exploit the functionality identified and execute those from within your virtualized devices.

The goal of reverse engineering is to gain as much information about the application as possible. Tools like Strings and oTool help you gain further insight and gather information to examine the code to write scripts or patch the binary, depending on the use case. 

Watch the full webinar on-demand now to learn more about reverse engineering with Corellium.