SINCON 2021 Conference — Insights Talk
Day 2 (06 Nov 2021) 4.00pm—4.45pm @ Main Room
Mobile App Hardening Against Reverse Engineering (RE) Attacks
Abstract
Mobile applications are frequently under various kinds of attacks and to fend off the ever-improving attackers, developers need to keep pushing the envelope of defensive security. Mobile security is a multi-faceted problem now, and in this talk, we want to address the deterrence against reverse engineering (RE) attacks. Often with mobile applications, the discussion on RE revolves around Runtime Application Security Protection (RASP) checks and overlooks other aspects to protect apps. In this talk, we will discuss some often overlooked techniques for mobile app hardening against RE attacks.
Against common knowledge, mobile app hardening against RE may not necessarily always involve code obfuscation or white-box cryptography, which can be a daunting task to use and integrate for even a well-resourced team. Learning from our experience, we have observed that there are other multitudes of techniques that are rather easy to implement and have significant returns that can be got before considering expensive third-party obfuscation tools. For example, replacing simple LibC calls with syscalls or having your own strcmp() custom implementation in your app can deter many automated hooking based tools. We will motivate the use of proposed techniques by using real-world mobile applications as examples and then discuss the expected benefits from each of them. We will also categorise these techniques to assist the developers to choose as per their existing threat model and making their applications more resilient.
About Gautam Arvidn Pandian
GAUTAM ARVIND PANDIAN is a security researcher with expertise in mobile applications. He has over 10 years of experience in designing secure and hardened mobile applications. He has contributed to the Android CTF challenge in r2con2020 with several niche protection mechanisms. He has successfully overseen the secure development of many applications including banking and government applications. He believes in designing security schemas that are easier to understand and develop by programmers who are not security experts. In past, Gautam has presented Android Security Symposium 2020 and SINCON 2020.
VIKAS GUPTA is a security researcher with expertise in mobile applications. He holds masters in security and mobile computing from DTU, Denmark and NTNU, Norway (Erasmus Mundus program). In over 7 years of experience, he has worked on both sides of the spectrum - in attacking and hardening mobile applications. He is a co-author of OWASP MSTG guide. He enjoys reverse engineering binaries, specially one with obfuscation. In past, Vikas has presented at Android Security Symposium, 2020 and SINCON 2020.