Arxan - Mobile Security Solution
73 views
Skip to first unread message
Raphael de Almeida
Apr 14, 2016, 8:23:17 AM4/14/16
to OWASP Mobile Top 10 Risks
Hi Guys,
I'd like to know if any of you have already faced Arxan solution in a mobile app security analysis?
Thansk and best regards.
Raphael Denipotti
Anto Joseph
Apr 14, 2016, 1:09:10 PM4/14/16
to OWASP Mobile Top 10 Risks
Hi Raphael ,
I have worked with Arxan and analyzing an application protected by arxan depends on what all features of arxan has been used in what all parts of the application.
Generally , i was able to work with a binary which had control flow obfuscation , root detection, string encryption etc . Some cases like class renaming cant be reversed because the classes need not be descriptive when it needs to be run in the Android Run-time . There are de-compiler protections as well , but i could successfully de-compile most of the code using off the shelf tools , but you will have to use a mix of everything. Also , there is protection against re-packaging by using some checksums , but all these are valid depending on the kind of protection the developer implements in the guard-spec file .
Thanks,
Anto
Javi D R
Apr 14, 2016, 1:11:01 PM4/14/16
to Anto Joseph, OWASP Mobile Top 10 Risks
Interesting topic... What about memory? Is data encrypted there or can it be tampered?
--
You received this message because you are subscribed to the Google Groups "OWASP Mobile Top 10 Risks" group.
To unsubscribe from this group and stop receiving emails from it, send an email to owasp-mobile-top-1...@owasp.org.
For more options, visit https://groups.google.com/a/owasp.org/d/optout.
Anto Joseph
Apr 14, 2016, 1:17:29 PM4/14/16
to Javi D R, OWASP Mobile Top 10 Risks
I believe you are referring to memory as the process run-time , if yes , when you dump the memory , you can see interesting objects and strings . Use the MAT tool with the hprof file . I am not sure if there is a feature to encrypt in memory , but in a realistic scenario , at one point , it has to be in clear-text in mem .
If you are referring to the application sandbox , there is no special encryption applied unless the developer specifies so . You could encrypt any assets using arxan and write code to use this asset/file with the regular java apis ( FileStream .. ) ,but when you extract the apk and look at the asset , it will appear encrypted .
Thanks,
Anto
Javi D R
Apr 14, 2016, 1:22:18 PM4/14/16
to Anto Joseph, OWASP Mobile Top 10 Risks
Yes, i refer to run time process. I mean, if i access a memory segment using cycript, data is encrypted or is in in clear?
Anto Joseph
Apr 14, 2016, 1:27:12 PM4/14/16
to Javi D R, OWASP Mobile Top 10 Risks
You can dump the classes information using Cycript . But there is a run-time hook detection feature which aims to detect the presence of a debugger and takes evasive actions . You will have to subvert this check first . In my experience , i haven't found the memory segment to have encrypted content , but it may be a feature that a developer could implement , but again , a process to carry out its functionality should have access to its strings / resources in clear text in memory . so at one point in mem , it will be available as clear-text anyways .
Raphael de Almeida
Apr 14, 2016, 1:52:26 PM4/14/16
to Anto Joseph, Javi D R, OWASP Mobile Top 10 Risks
So Anto... can you tell us the name of the app that had the Arxan feature. I'm studying anti-tamper solutions and it would be great for research purposes to see this solution in the "real world".
Thanks again.
Raphael Denipotti.
Anto Joseph
Apr 14, 2016, 2:13:38 PM4/14/16
to Raphael de Almeida, Javi D R, OWASP Mobile Top 10 Risks
Hi Raphael ,
It was for a client project which i am not allowed to share as per my NDA . However , you can always request for a product demo with Arxan or you could look at their client list , which could give you a good idea of what all apps may have arxan protection :) Good Luck with your research .
Thanks,
Anto
Raphael de Almeida
Apr 14, 2016, 2:40:46 PM4/14/16
to Anto Joseph, Javi D R, OWASP Mobile Top 10 Risks
Thanks a lot!!
Scott King
Apr 14, 2016, 2:47:18 PM4/14/16
to Anto Joseph, Raphael de Almeida, Javi D R, OWASP Mobile Top 10 Risks
Depending on the content of your research you may want to look at how we do this.
We aren't comparing code of two applications or code level execution but are looking for anomalies in device behavior when your app is running. You can embed our threat detection in your app to make it cyber safe. We are looking for cyber activity via OS vulnerabilities or over the network.
Anto Joseph
Apr 14, 2016, 2:55:24 PM4/14/16
to Scott King, Javi D R, OWASP Mobile Top 10 Risks, Raphael de Almeida
Interesting Approach Scott. Do you have a sample app you could share which demonstrates these features?
Thanks,
Anto
Thanks,
Anto
Scott King
Apr 14, 2016, 3:10:02 PM4/14/16
to Anto Joseph, Javi D R, OWASP Mobile Top 10 Risks, Raphael de Almeida
Yes. Our own app zIPS does this. Our customers asked for a headless version so we created an SDK to embed the threat detection in another app and labeled it zIAP (Zimperium In-App Protection).
There are a couple of videos we created recently on attacks in the wild
Leech Trojan https://youtu.be/2BjzdjhZdPI
CVE 2015 1805 zero day https://youtu.be/tlYSynMEv5E
This video shows the embedded SDK in a bitcoin app https://drive.google.com/open?id=0B1NYK_036V7ISUZUNVQzbkEwUzg
Anto Joseph
Apr 14, 2016, 6:58:39 PM4/14/16
to Scott King, Javi D R, OWASP Mobile Top 10 Risks, Raphael de Almeida
Thanks Scott.
Raphael de Almeida
Apr 15, 2016, 7:35:55 AM4/15/16
to Anto Joseph, Scott King, Javi D R, OWASP Mobile Top 10 Risks
Thanks a lot Scott!!
Reply all
Reply to author
Forward
0 new messages