REX logo

LEARN

HOW TO USE REX AND WRITE SECURE CODE
Part 1: Introduction & security grading
Part 2: Transport Layer Security
Part 3: Certificate Pinning
Part 4: Data Storage
Part 5: Binary Protections
Part 6: Obfuscation
Part 7: Root/Jailbreak Detection
Part 8: Debug Protection
Part 9: Hook Detection
Part 10: Runtime Integrity Checks
Part 11: Attacker Effort & stacking
8 bit drawing of Jay

Secure Mobile Application
Development

Part 9: Hook Detection

Jahmel Harris, Technical Director

An attacker will often look to hook an application in order to modify its behaviour at runtime. This can be to remove security controls (for example, certificate pinning or root/jailbreak detection), to recover secrets such as encryption keys, to log encrypted messages pre-encryption or to make use of application functions such as to lock/unlock methods. Often, attackers will add logging statements into the code in order to understand execution flow or trace method invocations.

ReadData
EncryptData
SendData

Figure 1 - Normal Execution

ReadData
LogData
EncryptData
SendData
SendData

Figure 2 - Hooking Method

Figure 1 and Figure 2 show how an attacker can insert functions, or change functions to malicious ones by hooking the application.

Like with jailbreak and root detection, as this is a control that exists entirely on a device controlled by an attacker, we should assume that with enough effort this control can be bypassed. The goal is to understand the risk profile of our application and apply sufficient protections to be inline with this profile.

As this control does exist client side, it is likely that a tool will eventually exist that will disable the control and so novel approaches should be implemented to make it more difficult for these tools to work without considerable effort from an attacker.

iOS

iOS provides no standard way of detecting whether an application is being hooked, however there are some techniques that can be used:

  • Examining the modules and image names of libraries loaded in memory.
  • Checking the memory addresses of methods.
  • Looking for the presence of trampoline addresses or other signatures in memory.

Sample code for these checks can be found here.

Android

Android provides no standard way of detecting whether an application is being hooked, however there are some techniques that can be used:

  • Looking for common hooking frameworks such as de.robv.android.xposed.installer and com.saurik.substrate.
  • Checking pathnames in /proc/{pid}/map for suspicious libraries such as frida-agent-32.so, libsubstrate.so and XposedBridge.jar.
  • Looking for the presence of native functions introduced by the hooking frameworks.
  • Examining the stacktrace for classes used by hooking frameworks.

Sample code for these checks can be found here.

< Part 8: Debug ProtectionPart 10: Runtime Integrity Checks >