Execution Flow
1) Explore
[Identify application with attack potential] The adversary searches for and identifies a mobile application that could be exploited for malicious purposes (e.g. banking, voting, or medical applications).
Technique
- Search application stores for mobile applications worth exploiting
2) Experiment
[Debug the target application] The adversary inserts the debugger into the program entry point of the mobile application, after the application's signature has been identified, to dump its memory contents.
Technique
- Insert the debugger at the mobile application's program entry point, after the application's signature has been identified.
- Dump the memory region containing the now decrypted code from the address space of the binary.
3) Experiment
[Remove application signature verification methods] Remove signature verification methods from the decrypted code and resign the application with a self-signed certificate.
4) Exploit
[Execute the application and evade Root/Jailbreak detection methods] The application executes with the self-signed certificate, while believing it contains a trusted certificate. This now allows the adversary to evade Root/Jailbreak detection via code hooking or other methods.
Technique
- Optional: Hook code into the target application.
Prerequisites
It must be possible to attach a debugger to the targeted application.
Skills Required
Knowledge about Root/Jailbreak detection and evasion techniques.
Knowledge about runtime debugging.
Resources Required
The adversary must have a Rooted/Jailbroken mobile device with debugging capabilities.
Mitigations
Instantiate checks within the application code that ensure no debugger is attached.
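An added example (not from the CAPEC entry) of the debugger-attached check this mitigation describes, written as Android/Linux native code; it assumes Linux /proc semantics, and the sample status text it parses is constructed:

```c
/* Added example (not from the CAPEC entry): the debugger-attached check the
 * Mitigations section describes, for Android/Linux native code. The kernel
 * reports a ptrace-attached tracer's pid as "TracerPid:" in /proc/self/status;
 * parsing is split out so it can be exercised on constructed input. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

/* Returns the TracerPid value (0 = not traced) or -1 if the field is absent. */
long tracer_pid_from_status(const char *status_text)
{
    const char *key = "TracerPid:";
    for (const char *line = status_text; line && *line; ) {
        if (strncmp(line, key, strlen(key)) == 0) {
            const char *p = line + strlen(key);
            while (*p == ' ' || *p == '\t') p++;        /* skip separator */
            return isdigit((unsigned char)*p) ? strtol(p, NULL, 10) : -1;
        }
        line = strchr(line, '\n');                       /* next line */
        if (line) line++;
    }
    return -1;
}

/* 1 if a tracer is attached to this process, 0 if not, -1 if undeterminable. */
int debugger_attached(void)
{
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    long pid = tracer_pid_from_status(buf);
    return pid < 0 ? -1 : (pid > 0);
}

/* Constructed sample status text (not real captures). */
static const char SAMPLE_TRACED[] =
    "Name:\tapp\nTgid:\t1234\nPid:\t1234\nPPid:\t1\nTracerPid:\t4321\nUid:\t10001\n";
static const char SAMPLE_CLEAN[] =
    "Name:\tapp\nTgid:\t1234\nPid:\t1234\nPPid:\t1\nTracerPid:\t0\nUid:\t10001\n";

int main(void)
{
    printf("sample tracer pid: %ld\n", tracer_pid_from_status(SAMPLE_TRACED));
    printf("debugger attached now: %d\n", debugger_attached());
    return 0;
}
```

On a real device this is only one signal: a TracerPid of 0 can be faked by a hooked read or a patched binary, so it belongs alongside other integrity checks rather than standing alone.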
Related Weaknesses
CWE-ID | Weakness Name
| Active Debug Code: The product is deployed to unauthorized actors with debugging code still enabled or active, which can create unintended entry points or expose sensitive information.
Submission
Name | Organization | Date | Date release
CAPEC Content Team | The MITRE Corporation | 2020-12-17 +00:00 |