
A pentest was made to our mobile app (Android and iOS version) and we received feedback stating that jailbreak/root detection was ineffective because it was relatively easy to reverse engineer the application and change the return value of the method that checks whether the device is rooted/jailbroken.

Should we apply code obfuscation to our native apps? What's the course of action here?

Pros:
- Proprietary code will stay safer from theft
- This will add an extra layer of security so most attackers will desist, preventing them from modifying the app in malicious ways (other than changing jailbreak/root detection)

Cons:
- Dedicate time to implement obfuscation methods
- Risk of breaking the app

Perhaps in the case of iOS we could "manually" obfuscate the jailbreak detection of the code to make it look more generic / look like something else, so the attacker doesn't know what it is and thus can't modify the code since a jailbroken device is needed to do this. But that would still leave us with the Android issue.

Victor

2 Answers


Quick note: latest versions of Android (or one coming soon?) now have jailbreak protection built-in, and you can specify that you don't want your app installed on any jail-broken devices.

This is a bit outside of my immediate area of expertise, but I think I have a good answer for you anyway. Like anything else, it's all about the cost/benefit analysis, and unfortunately only you can do that. We can run through that real quick, but bear in mind that I'm not actually asking you to answer these questions here. You're welcome to, but I'm just trying to guide you through the sorts of questions I would ask myself to answer your question.

  1. You are attempting to detect jailbreaking for a reason. Why? What loss are you seeking to prevent by stopping your app from running on jailbroken devices? Are you losing revenue from a single customer? Or are you potentially leaking confidential documents or protected information?
  2. What percentage of your users do you expect to have the technical ability and motivation to reverse-engineer your app so that they can defeat your jailbreaking-detection and run your app on a jailbroken device?

To give two extreme examples: if your app is a game and the potential loss to your company is ad-revenue or in-game currency sales because the person who reverse engineers your app can get everything for free, then this is probably not worth more than 5 minutes to secure on your end. The reason is because so few people have the technical know-how to accomplish these things, and the loss-per-person is so small, even the time you took to write this question already cost you more than the potential loss.

On the other hand, if your app is a document reader for documents classified as the highest level of secrecy by the NSA, and foreign governments are going to be trying to break into it to steal our most valuable secrets (not that the NSA has any secrets anymore), then code obfuscation is not secure enough.

The answer depends on your own balance of cost/benefit. Your risk is probably in the middle of these two extreme cases. Ultimately though, I think only you can answer your question.

Time for a risk assessment

I think that by the time you get to "Should we obfuscate our code to prevent competitors from reverse-engineering our software?" you are past the point of needing a penetration test. Instead, what you need is a risk assessment. I think this is now a business question, not a security question, because you are now entering legal territory. Competitors trying to take apart your systems is a different kind of problem. Taking some steps on the technical side to discourage such behavior is probably reasonable, but ultimately you might be better served with some intrusion detection and a good set of lawyers. It sounds like this effort may be forgetting about the flip side of security: some security measures are legitimately not worth the effort, and all security steps must be weighed against their cost to the business. Your business needs to decide where that balance between security and cost of maintenance is in your particular case.

Conor Mancone
  • If you are the NSA, jailbreak detection is pointless. Overcoming it would be trivial for your adversaries. It makes much more sense for ad-revenue based apps, where a lot of users' technical ability stops at running jailbreak instructions from a website. – Hector Nov 13 '17 at 10:40
  • Apparently we are detecting jailbreak because we were advised to do so in another pentest. The risks would be having external users checking how the application is built (perhaps even try to phish credentials by uploading a modified version of the app), plus competitors may check it to see how it's engineered. It shouldn't really have security issues since the app is just a brainless client. The chances of having an actual user of the app modifying it to change whatever results the app may show are rather low. – Victor Nov 13 '17 at 10:47
  • @dasjkdj Someone uploading a modified version of the app sounds like a completely different problem: I don't see how that is possible without them gaining access to your apple/google account, which they shouldn't be able to do via reading your source code. Every security measure has a cost which must be weighed against its benefit. No system is ever 100% secure. Eventually the answer is "this is a reasonable level of security and we're going to stop securing things now". If someone **really** wants to reverse engineer your app then code obfuscation is only going to do so much. – Conor Mancone Nov 13 '17 at 11:22
  • @dasjkdj I have an edit for you. – Conor Mancone Nov 13 '17 at 11:43
  • Thanks for your answer/comments @ConorMancone, they were helpful to say the least :) the risk assessment sure is a good point – Victor Nov 13 '17 at 11:44
  • Can I just add that root detection on Android is trivial to bypass. You can just use a generic tool like Magisk Hide. – ScottishTapWater Nov 13 '17 at 11:52

Some of the methods in this project -- https://github.com/scottyab/rootbeer -- are advanced enough for most needs. However, r2frida and many other reversing methods will likely find a way around even these advanced root-detection mechanisms.

Ideally, you are looking for both anti-rooting and anti-hooking -- http://d3adend.org/blog/?p=589

Also, you are incorrect that hiding the code will prevent reversers from finding the anti-rootkit code paths. They are relatively obvious. Secondly, you are also incorrect about requiring a jailbroken device to detect anti-jailbreak mechanisms. There have been numerous posts on this forum and others which demonstrate that repackaging an app with library shims to a jailed iOS device allows for full anti-jailbreak detection methods. There are even a few apps in the official Apple App Store, such as syssecinfo, that also provide jailbreak detection and library-shim discovery.

Leveraging a secure mobile platform and the basics will achieve mid-term and long-term success greater than jailbreak and root detection. One of the best ways to ensure an iOS device remains secure is to install nothing to it. One of the best ways to ensure an Android device remains secure is to start with a base platform such as Copperhead OS and also do not install anything to it. If you can code review every app being installed to the device, then maybe apps can be used from a secure perspective. Additionally, setting your devices up for DFIR triage and taking situational snapshots is highly recommended to verify the long-term security of these platforms.

atdre
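As an added illustration of the two points raised on this page (the single-return-value check the pentest flipped, and the answer's advice to pair anti-rooting with anti-hooking), here is example Android code that is not from the question, the answers or the rootbeer project; it assumes only the standard Android framework classes and reads nothing outside the app's own process (`/proc/self/maps`):

```java
// Added example: a naive root check beside a layered, evidence-collecting one.
// Assumes a standard Android runtime; no third-party library is used.
import android.os.Build;
import java.io.BufferedReader;
import java.io.File;
import java.io.FileReader;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;

public final class DeviceIntegrity {

    // The pattern the pentest flagged: one method, one boolean. Patching the
    // bytecode to "return false" (or hooking this method) disables everything at once.
    public static boolean isRootedNaive() {
        return new File("/system/xbin/su").exists()
                || (Build.TAGS != null && Build.TAGS.contains("test-keys"));
    }

    // Layered alternative: gather independent signals and hand the evidence to the
    // caller (ideally a server-side policy) instead of collapsing to a single branch.
    // An attacker now has to defeat each signal and the transport, not one return value.
    public static List<String> collectSignals() {
        List<String> signals = new ArrayList<>();
        String[] suPaths = {"/system/bin/su", "/system/xbin/su", "/sbin/su", "/su/bin/su"};
        for (String p : suPaths) {
            if (new File(p).exists()) signals.add("su-binary:" + p);
        }
        if (Build.TAGS != null && Build.TAGS.contains("test-keys")) {
            signals.add("build-tags:test-keys");
        }
        // Anti-hooking: instrumentation agents appear as libraries mapped into our own
        // process, so scan the memory map for well-known hooking framework names.
        try (BufferedReader r = new BufferedReader(new FileReader("/proc/self/maps"))) {
            String line;
            while ((line = r.readLine()) != null) {
                String lower = line.toLowerCase();
                if (lower.contains("frida") || lower.contains("xposed") || lower.contains("substrate")) {
                    signals.add("hook-lib:" + line.substring(line.lastIndexOf('/') + 1));
                }
            }
        } catch (IOException e) {
            // Being unable to inspect our own process is itself evidence, not a clean result.
            signals.add("maps-unreadable");
        }
        return signals;
    }
}
```

The list is meant to be sent to, and evaluated by, a backend; deciding locally with `if (signals.isEmpty())` recreates the single flippable branch the pentest report described.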