
Secure Mobile Application Development
Part 11: Attacker Effort & Stacking
Jahmel Harris, Technical Director
Like all client-side security controls, binary protections can be bypassed by a skilled attacker. By using several of these controls together, however, it is possible to raise the effort required to a level that deters all but the most skilled attacker with the time to defeat each control in turn.
Whilst each control on its own can be bypassed in a short amount of time, each control helps to protect the others. In the following graphs, we show the amount of "effort" required to bypass each control (based on input from experienced mobile application hackers).
Figure 3 - Attacker Effort (Individual Controls)
Figure 4 - Attacker Effort (Stacked)
Grading Applications
The following table can be used to grade your application in each area and determine whether it is in line with high, medium or low security controls. These gradings are examples and should be expanded for specific organisations and applications.
| Area | High | Medium | Low |
|---|---|---|---|
| Communication | Certificate pinning is implemented and nothing traverses a cleartext channel | All traffic is sent over TLS | Traffic is sent in cleartext, or TLS/SSL has been weakened for development |
| Data Storage | Nothing sensitive is stored on the client | Data is encrypted with a PIN/passcode | Sensitive data is stored within the application sandbox or on removable storage |
| Binary Protection | Custom protections are in use along with those provided by off-the-shelf software | Binary protections are enabled using off-the-shelf software | No binary protections are present |
Although applications should aspire to be graded high, in reality not all applications need this level of security.