New APP threat: copying, distributing and re-publishing the application illegally
On behalf of Prashanth Thandavamurthy of Arxan Technologies, Inc.
New Threat
Threat Category: Application: Vulnerable Application
Threat: Copying, distributing and re-publishing the applications illegally.
Threat Origin: None
Exploit Example:
- Trend Micro Research Paper - Fake Apps Feigning Legitimacy
http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-fake-apps.pdf
- Play Drone: Columbia University Engineering Team Finds Thousands of Secret Keys in Android Apps - A Measurement Study of Google Play
http://www.cs.columbia.edu/~nieh/pubs/sigmetrics2014_playdrone.pdf
- Repository contains the code used for Play Drone project by Columbia University
https://github.com/nviennot/playdrone
CVE Example: None
Possible Countermeasures:
- Follow secure coding guidelines
- Download the apps from official stores
- Ensure security controls are built into application to protect against code analysis and reverse-engineering attacks
- Ensure security controls are built into application to protect against code tampering attacks and malware insertion
- Leverage vulnerability/penetration testing and ensure that known risks – including those identified in the OWASP mobile top 10 list, in particular, are addressed
References: None
Additional Information: Hackers are increasingly targeting binary code to launch attacks on high-value mobile applications. A few easy steps and widely available (and often free) tools make it easy for adversaries to directly access, compromise, and exploit an application's code:
a. Analyze or reverse-engineer the binary, and identify or expose sensitive information (keys, credentials, data) or vulnerabilities and flaws for broader exploitation
b. Lift or expose proprietary intellectual property out of the application binary to develop counterfeit applications
c. Modify the binary to change its behavior. For example, disabling security controls, bypassing business rules, licensing restrictions, purchasing requirements or ad displays in the mobile app — and potentially distributing it as a patch, crack or even as a new application
d. Inject malicious code into the binary, and then either repackage the app and publish it as a new (supposedly legitimate) app, distribute it under the guise of a patch or a crack, or surreptitiously (re)install it on an unsuspecting user's device
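The tamper-detection control listed under "Possible Countermeasures" (items c and d above are what it has to catch), as an added example that is not part of this submission, the catalogue, or any Arxan product. It builds a small zip in memory standing in for an APK, records a per-entry SHA-256 manifest at build time, and then checks two constructed "repackaged" copies against it: a crack that patches a byte in classes.dex, and a copy with an injected classes2.dex. All file names and contents are constructed for the example; a real APK is verified through its signing certificate (APK Signature Scheme v2/v3), and the known-good digests must be kept out of the attacker's reach (pinned in native code or fetched from a server), because a manifest shipped inside the APK can simply be regenerated by whoever repackages it.

```python
"""Added example: integrity check of an APK-like archive against a known-good manifest.

Constructed stand-in for an APK; not a substitute for APK signature verification.
"""
import hashlib
import io
import zipfile


def build_archive(entries: dict) -> bytes:
    """Pack {name: bytes} into a zip in memory (the container format of an APK)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def entry_digests(archive: bytes) -> dict:
    """SHA-256 of every file entry, the role MANIFEST.MF plays in a v1-signed APK."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def verify_archive(archive: bytes, known_good: dict) -> list:
    """Compare an archive with a known-good manifest.

    Returns a list of findings; an empty list means every expected entry is
    present and unmodified and nothing extra was added. Injected files are
    reported too, since repackaging often adds code rather than editing it.
    """
    actual = entry_digests(archive)
    findings = []
    for name, expected in known_good.items():
        if name not in actual:
            findings.append("missing: " + name)
        elif actual[name] != expected:
            findings.append("modified: " + name)
    for name in actual:
        if name not in known_good:
            findings.append("unexpected: " + name)
    return findings


# Constructed sample "app". The dex payload is a placeholder, not real bytecode.
ORIGINAL_ENTRIES = {
    "AndroidManifest.xml": b'<manifest package="com.example.app"/>',
    "classes.dex": b"dex\n035\x00" + b"LICENSE_CHECK_ENABLED=1",
    "res/values/strings.xml": b"<resources/>",
}
ORIGINAL_APK = build_archive(ORIGINAL_ENTRIES)

# Recorded at build time and stored out of band (assumption: not inside the APK).
KNOWN_GOOD_MANIFEST = entry_digests(ORIGINAL_APK)

# Constructed "crack": one byte in classes.dex patched to disable the licence check.
CRACKED_APK = build_archive({
    **ORIGINAL_ENTRIES,
    "classes.dex": ORIGINAL_ENTRIES["classes.dex"].replace(b"=1", b"=0"),
})

# Constructed malware insertion: an extra dex file added alongside the original code.
INJECTED_APK = build_archive({
    **ORIGINAL_ENTRIES,
    "classes2.dex": b"dex\n035\x00" + b"INJECTED_PAYLOAD",
})


if __name__ == "__main__":
    for label, apk in (("original", ORIGINAL_APK),
                       ("cracked", CRACKED_APK),
                       ("injected", INJECTED_APK)):
        print(label, verify_archive(apk, KNOWN_GOOD_MANIFEST) or "OK")
```

Note that this check only tells you the archive differs from the build you recorded; it says nothing about which copy is the legitimate one. In the store-side setting of the PlayDrone study, the same per-entry digests are what let you cluster thousands of uploads and spot an app whose code matches another publisher's except for one modified or added dex.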
We feel this threat is already addressed by APP-14: Repackaging or impersonating a benign app to contain malicious functionality.