Jumping to the iron age of mobile app security

Earlier this month, I attended the Android Application Symposium in Vienna, Austria. The event was fully dedicated to the security of Android phones and mobile applications. The venue, at the Vienna Technical University, was fantastic. The room held more than two hundred people, and the talks covered a range of topics: recent improvements in Android security, attack techniques against mobile applications, and the latest findings on Rowhammer attacks against mobile phones.

Security in mobile is fascinating for many reasons. The first one is certainly the lack of consensus about how much confidence we can have in the system. There are still a lot of black-and-white views, expressed as blunt statements. How many times do we hear that software security is obviously breakable and cannot be relied upon, that a TEE is the only way, or even that the back-end should take most of the burden?

Black-and-white statements often sound like an early age, where simplicity tries to hide a more complex reality. The industry is looking for the right solution, and in my humble opinion there won't be one unique solution but many. Everything starts with the OS, as this defines the ecosystem. Android has often been criticised because anything could be executed on it. If one looks carefully at the latest Android versions, one realises that Google and its partners have been patiently reducing the attack surface and will keep doing so. Compromised devices are now better contained thanks to a more resilient verified boot. The SELinux configuration has been hardened, locking down the application sandbox. In addition, permanently online protections such as Google SafetyNet or AndroidGuard are valuable technologies. Even if a root exploit works today, there is no guarantee that it will remain undetected for more than a few days, since Google SafetyNet is updated very regularly.

When it comes to mobile applications, your assets are at stake. Relying only on the operating system or the handset security is not enough, for the simple reason that you cannot blame a third party if your assets are compromised. You need to keep control, and adjust your security protections to the value of your assets and the situation in the field. Using hardware features may be a solution; for some of them, this requires implicit trust in the handset. This is the case for fingerprint authentication, where the security is mostly managed by the handset.

In all cases, the software of a mobile application should be hardened. The main intention is to make any attempt at reverse engineering hard to achieve, which requires an appropriate blend of software protections (obfuscation, anti-tampering and anti-debugging checks, and the like). Too often there is confusion between the security of the code itself and the security provided by hardening. On one hand, you have bugs or doors (mistakenly) left open in the code; these have to be avoided by proper functional security testing, and no amount of hardening will fix them. On the other hand, the protections at the binary level act like armour for your code. They won't prevent your code from being tampered with or your core IP from being revealed, but they will make it difficult and tedious.

The main lesson from this? Certainly that there is no room for black-and-white, simplistic statements. Building the right security deserves some attention. A wise approach leads you to embrace different levels of security and to monitor the latest developments closely, so that your security is managed dynamically. This is not simple, but there are experts in the field. At eshard, we help you build a good understanding of the threats and support you in picking the suitable set of protections. We help you build the right security.

Hugues Thiebeauld