![]() ![]() The range of open source tools available for reverse engineering is huge, and we really can't scratch the surface of this topic in this article, but instead we will focus in using the Mobile Security Framework(MobSF) to demonstrate how to reverse engineer the APK of our mobile app. I have wrote the article How to Extract an API key from a Mobile App with Static Binary Analysis to illustrate how easy it can be done: ![]() No matter how secure the API key has been stored, be it in the Android Keystore, encrypted, obfuscated, etc, at some point the API key will need to be in plain text to be sent on the API request header, and in this moment it will be vulnerable to be extracted via static reverse engineering, via a MitM attack or via an instrumentation framework I've also checked the other methods explained here, but they look like the API key could quite easily be retrieved thanks to reverse engineering. That's very true, it's more or less easily achieved depending on the method used to hide the API key, as per the ones you mention: I also don't want to store my key in my code, also because it could easily be retrieved via reverse engineering. So, you need to think about the who as the user your API server will be able to Authenticate and Authorize access to the data, and you need to think about the what as the software making that request in behalf of the user. The who is the user of the mobile app that we can authenticate, authorize and identify in several ways, like using OpenID Connect or OAUTH2 flows. Is it really a genuine instance of your mobile app, or is it a bot, an automated script or an attacker manually poking around your API server with a tool like Postman? The what is the thing making the request to the API server. I wrote a series of articles around API and Mobile security, and in the article Why Does Your Mobile App Need An Api Key? you can read in detail the difference between who and what is accessing your API server, but I will extract here the main takes from it: The Difference Between WHO and WHAT is Accessing the API Server It's fundamental to have a clear understand between the difference of who is in the API request versus what is making that API request, otherwise any security solution you may devise/use may not have the intended results. This is a very hard task to achieve, but not impossible one and here is where one needs to make a deep dive in mobile API security and understand the mechanics behind it. The purpose of it is to be able to send that key everytime I call a webservice that I've made, so I'm sure (or almost sure) that the call comes from the original app that I'm making and that will be published on the Play Store, and not from elsewhere. ![]() If I'm completely off here, what are some better alternatives that fulfill the above stated criteria (repeatability, statelessness)? Is it true that figuring out a linear-congruential PRNG's seed is more difficult based on the 1000th value after seeding than it is for the first value of a freshly seeded generator? If so, how many iterations are sufficient before it stops increasing the difficulty? I am wondering if my thinking here is even correct. My thinking is that reverse-engineering 1000 cycles of next = (current * multiplier + offset) & mask would be significantly more difficult that reverse-engineering just a single cycle. To make this sort of reverse engineering harder, I pull and discard a fixed number (e.g., 1000) of values from the freshly seeded PRNG before I get the "real" random number that I use. However, this type of PRNG typically uses a simple formula of next = (current * multiplier + offset) & mask, and, given a few known times and corresponding random numbers, it seems like it would be not all that hard to figure out the server secret (and then predict all future numbers in advance). Linear-congruential PRNGs produce repeatable series of numbers when initialized with the same seed, so I could seed the PRNG with the combination of time and server secret and get the first random number it produces to meet my criteria. a token generator), so it's not strictly necessary to use cryptographically secure PRNGs. The purpose of all this is not related to solving a security problem (e.g. Also, multiple server nodes (with the same server secret) need to generate the same number within a given time frame. It is possible that a server node might be asked to create such a number multiple times within the same minute, and it needs to generate the same number each time. The next minute's random number should not be easily predictable.įurthermore, I need to solve this in a stateless fashion (e.g., without storing a generated value in a database). For example, this mechanism should generate a new pseudo-random number every minute. I need to generate a repeatable pseudo-random number that is dependent on the current time and a server secret. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |