Button Up

How to hide a weak spot in an application

Michael Kalinichenko
StarForce Technologies CEO
5 Dec 2018
It is hard to imagine modern society without gadgets. Many mobile applications have become an integral part of our lives. Apps are used everywhere. People order everything from a taxi to food in mobile apps. They also actively use communication and navigation apps and make online payments. Mobile applications are always with us on tablets and smartphones.

Mobile banking apps are among the most widely used. They let you perform many banking functions directly from your device. Tasks ranging from checking a bank account to transferring funds, and from paying bills to depositing checks, can all be handled by a banking app.

Such applications are usually protected with passwords. Users are accustomed to the fact that the more complex the password is, the better the protection is. Let’s consider whether this is indeed so.

Just because the application is password protected doesn’t mean it cannot be hacked. For example, one of the complex passwords is a password based on biometric data. Biometric authentication is a technology that analyzes individuals’ biological and behavioral traits to automatically recognize and verify their identity and provide access to the system (e.g., online or mobile banking). Examples of physiological characteristics include fingerprints, iris, retina, face, vein patterns, and even ear structure. It seems that the biometric authentication system is quite complicated and that it is rather difficult to forge an individual ‘password’, because biometric authentication technologies are based on the unique characteristics of the human body.

However, apps are vulnerable not at the time of the user’s authentication, but after the data transfer from the server to the application.

User and hacker access to information systems

From the client’s point of view, the procedure is as follows. The user enters his/her username and password that are sent to the server, where the information is checked. Then the server verifies the user’s identity. This process is called user authentication. After successful authentication, the server provides access to system resources to the user. Authorization occurs after successful authentication.

Sometimes authentication or authorization processes take place fully or partly on the client side, for example, in a mobile application. In this case, the system becomes vulnerable to hacking, for instance, when the server authenticates the user and then gives the green light to the mobile application. If a hacker detects a weak spot in the code of the mobile application where the response from the server is hidden, he/she can easily modify the code and use the application for his/her own purposes.

In some cases, in order to get access to confidential information, it is enough to replace a single bit in the application code.

The application code contains a comparison of the answer from the server with some constant that means successful authorization. After a successful check, the money is withdrawn. In this process, a hacker just needs to replace the test for equality with the test for inequality. The codes of these two commands, for example, on an ARM processor, differ only in one bit.

If a hacker changes the important bit from 0 to 1, the program assumes that the authorization is successful. Then it does not matter how complicated the password is: a hacker can get access to the application without it, and all the previous protection algorithms lose their importance.

The key point in such an attack is that the architecture of the information system is vulnerable if even a part of the authorization process is performed on the client’s side.
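The architectural point above, shown from the server's side as an added example (not code from the article or from StarForce): the server issues a signed session token at login and re-checks it on every sensitive request, so a client whose local comparison has been altered still gets nothing. The function names, token format and sample user are hypothetical; only the Python standard library is used.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # stays on the server, never shipped in the app
TOKEN_TTL = 300                       # seconds (constructed value)
SALT = b"constructed-salt"            # constructed sample data below
USERS = {"alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, 100_000)}
BALANCES = {"alice": 100}


def sign(user, expires):
    """HMAC over the session fields; only the server can produce it."""
    msg = f"{user}|{expires}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def login(user, password, now=None):
    """Authenticate on the server; return a signed token, or None."""
    now = int(time.time() if now is None else now)
    supplied = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)
    stored = USERS.get(user)
    if stored is None or not hmac.compare_digest(stored, supplied):
        return None
    expires = now + TOKEN_TTL
    return f"{user}|{expires}|{sign(user, expires)}"


def withdraw(token, amount, now=None):
    """Authorize every request on the server; no client-side flag is consulted."""
    now = int(time.time() if now is None else now)
    try:
        user, expires, sig = token.split("|")
        expires = int(expires)
    except (AttributeError, ValueError):
        return "denied: malformed token"
    if not hmac.compare_digest(sig.encode(), sign(user, expires).encode()):
        return "denied: bad signature"
    if now > expires:
        return "denied: expired"
    if amount <= 0 or amount > BALANCES.get(user, 0):
        return "denied: amount"
    BALANCES[user] -= amount
    return "ok"
```

With this design the application's own "authorization succeeded" check only affects what the user interface shows; the withdrawal is decided by `withdraw` on the server.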

Protection method

It is not always possible to change the architecture of the system, so the only solution is to complicate the reverse engineering of the application. Obfuscation is a programming technique in which the code is intentionally complicated to prevent reverse engineering and deliver difficult-to-read code to the hacker.

StarForce has developed two products, StarForce C++ Obfuscator and StarForce Crypto, to protect the source code of the application.

StarForce C++ Obfuscator complicates reverse engineering. The solution is used for software that requires a high level of protection, for example, for software that contains DRM keys or other sensitive data. StarForce C++ Obfuscator is recommended for protection of the C++ source code for any operating system.

The main feature of the solution is that it supports more than 30 code obfuscation methods that can be switched on and off independently of each other and can be fine-tuned. The main methods that are used in StarForce C++ Obfuscator are masking the variable access, mixing the code execution graph, insertion of dummy links to the execution graph, duplication of graph branches, and dynamic graph branching.

Another product is StarForce Crypto that protects code sections and data that represent intellectual property and are crucial from a business perspective. The solution provides reliable protection by eliminating any possible ways of understanding the logic of the application.
StarForce Crypto can be used for protecting Windows applications that can be distributed on CD/DVD discs, USB drives and over the Internet, against hacking, modification and reverse engineering.
It is possible to provide extra protection for the application by using a special technology that binds the protected application to a CD/DVD disc, a PC or a server, with the help of other StarForce products.

StarForce Obfuscator and StarForce Crypto protect the most important bit in the application code, thereby preventing valuable information from falling into the hackers’ hands.

