Hackers actively seek out vulnerable applications especially Mobile applications for reverse engineering and other types of tampering or fraud. Application hardening is one way to protect mobile applications, making them much more difficult targets for attackers to penetrate.
Code Hardening protects your APKs and SDKs for Android and iOS from reverse engineering and automated/manual de-obfuscation by making transformations more resilient and consecutively strengthening the application integrity. Hardened code is resistant to both automated and manual analysis.
When protecting your application, Code Hardening is implicitly included in all protection transformations. It consists of hardening the code at various levels through the application of multiple layers of obfuscation and encryption.
Some of the basic techniques used in code hardening are as follows:
1. Preventing all sorts of overflows by checking inputs, and if possible, using a defensive programming methodology, such as code constraints.
2. Preventing buffer overflow
3. Avoiding using interpreters and passing data to them
4. Securing all calls to system variables
5. Using formal methods
To secure an app’s code below are the major types
1. Control Flow Obfuscation: Control flow Obfuscation will alter the structure of a mobile’s code. It’s an essential step to increase the complexity of the program’s logic, so that de compilers will not be able to parse it.
2. Arithmetic Obfuscation: Arithmetic obfuscation will effectively harden all arithmetic calculations, by replacing them with mathematical equivalents, but much harder to understand computations.
3. Code Signing: Code Signing allows operating system to check an application was not modified and is the original application. This prevents fetching “rogue” updates by checking the authenticity of such application patches and upgrades.
4. Passive App Hardening: Passive hardening is targeting the attacks based on static analysis, especially de-compilation. These techniques mainly use Obfuscation. The goal is to make extremely hard to convert the application to an understandable code, even in pseudo code. This doesn’t change the logic and behaviour of the application itself.
5. Active App Hardening: In real life attacks, hackers are using much more than Static analysis. They use dynamic analysis running the mobile application in simulated environment with debuggers and emulators. Active hardening creates runtime protection and modifies the application behaviour to respond accordingly to dynamic analysis tools if they are detected.
Besides above-described obfuscation techniques code hardening can even be further improved by hiding calls to sensitive API’s and adding additional layers like string and class encryption and in addition to the code level also resource and asset encryption. The combination of all these techniques will assure that your code is effectively hardened from both offline and on-device static analysis methods.
System hardening is a continuous process, not something you can do once and forget about it. The result of your first system hardening effort should be a baseline secure configuration. Every change and addition to your web application and infrastructure must then be tested against that baseline to ensure everything is secure.