Mobile Binary Review: AKATI Sekurity Secures Financial App Against Exploits


AKATI Sekurity's binary review identified critical mobile app vulnerabilities for a financial institution, enabling crucial security improvements.

  • Discovered critical threats like Root Detection Bypass and SSL Pinning Bypass in the institution's iOS and Android app binaries.

  • Performed in-depth binary analysis of application code, data storage, secure communications, and anti-tampering controls.

  • Enabled the client to remediate these flaws, significantly boosting app security and protecting user data and trust.

Client’s Challenge

A financial institution sought to proactively evaluate and enhance the intrinsic security of their key mobile applications through an in-depth binary review. The primary objective was to identify vulnerabilities within the mobile app binaries themselves (specifically QA Release Builds with Root Detection enabled), assess the associated risks, and receive actionable recommendations for remediation. The engagement aimed to uncover weaknesses within the application code and structure that could be exploited, leading to compromise of the application's integrity, data, or user trust.

AKATI Sekurity's Solution

AKATI Sekurity was engaged to conduct a comprehensive mobile application binary security review targeting two Android and two iOS mobile applications (covering both business and retail functions). Our consultants utilized a systematic approach involving both automated tools and in-depth manual analysis. This rigorous process encompassed several stages:

  • Phase 1: Application Analysis and Deconstruction:
    This initial phase focused on understanding the mobile application binaries. It included examining the application package, its structure, dependencies, and how it was built, to lay the groundwork for a thorough security assessment.

  • Phase 2: In-depth Binary Security Assessment:
    This core phase involved a meticulous examination of the application binaries to identify and validate security vulnerabilities. Key activities included:

      • Analyzing code obfuscation and encryption practices to determine the resilience of the code against reverse engineering and unauthorized analysis.

      • Evaluating protections against tampering, debugging, and reverse engineering, such as root/jailbreak detection and anti-debugging mechanisms.

      • Examining secure network communications between the application and the server, focusing on protocols like SSL/TLS and the implementation of mechanisms like certificate pinning.

      • Reviewing secure storage mechanisms for sensitive data on the device to prevent unauthorized data access or leakage.

      • Assessing permissions and API usage within the application to ensure adherence to the principle of least privilege and to identify potential misuse.

  • Phase 3: Reporting and Remediation Guidance:
    The final phase involved compiling all findings, detailing identified vulnerabilities with their risk levels, and providing clear, actionable recommendations to remediate weaknesses and enhance the overall security of the mobile application binaries.

This methodology was designed to provide a deep understanding of the mobile applications' security from the binary level upwards.

Key Services/Technologies Used

  • Mobile Application Binary Security Review (Android & iOS)

  • Static and Dynamic Application Security Testing (SAST/DAST) focused on binaries

  • Code Obfuscation and Encryption Analysis

  • Evaluation of Anti-Tampering, Anti-Debugging, and Anti-Reverse Engineering Controls

  • Secure Communication Protocol Review (SSL/TLS, Certificate Pinning)

  • Secure Data Storage Assessment (on-device)

  • Application Permission and Local API Usage Review

The Results/Impact

The binary security review successfully identified a range of critical, severe, and moderate threats within the tested mobile applications. Key findings directly related to the binary analysis included:

  • 3 Critical Vulnerabilities: Root Detection Bypassed, SSL Pinning Bypassed, Lack of Code Obfuscation

  • 2 Severe Vulnerabilities: Excessive Application Permission, Exported Components Without Permission

  • 2 Moderate Vulnerabilities: Unintended Data Leakage – Application Backgrounding, Side Channel Leakage Through Pasteboard

The identification of these vulnerabilities highlighted significant risks:

  • Execution of actions with root-level privileges by bypassing root detection.

  • Interception of sensitive communications via Man-In-The-Middle (MITM) attacks, since SSL pinning could be bypassed.

  • Easy reverse engineering of application code due to the lack of obfuscation.

  • Unauthorized access to data or functionality through excessive permissions or improperly exported components.

  • Data leakage through application backgrounding or the pasteboard.
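As an added illustration of how two of the Android findings above (Exported Components Without Permission, and the transport configuration behind SSL pinning) can be checked statically during a binary review: the following Python script is an example written for this page, not AKATI Sekurity's tooling or the client's code. It runs over the decoded AndroidManifest.xml and res/xml/network_security_config.xml of an APK (as produced by a decoder such as apktool) and flags components that other apps can reach with no permission gate, plus network configs that permit cleartext or declare no pin-set. The package name com.example.bank, the host api.example-bank.test and the pin values are hypothetical, and both sample files are constructed for the example.

```python
"""Static checks for exported-without-permission components and weak
network security config. Sample inputs below are constructed; package,
host and pin values are placeholders, not from any real app."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENTS = ("activity", "service", "receiver", "provider")


def _attr(el, name):
    """Read an android:* attribute (ElementTree needs the full namespace)."""
    return el.get("{%s}%s" % (ANDROID_NS, name))


def _is_launcher(comp):
    """The launcher activity must be exported; it is not a finding."""
    return any(_attr(c, "name") == "android.intent.category.LAUNCHER"
               for c in comp.iter("category"))


def exported_without_permission(manifest_xml):
    """Names of components reachable from other apps with no permission.
    Treated as exported when android:exported="true", or when unset but an
    <intent-filter> is present (the default before API 31)."""
    findings = []
    for comp in ET.fromstring(manifest_xml).iter():
        if comp.tag not in COMPONENTS or _is_launcher(comp):
            continue
        exported = _attr(comp, "exported")
        has_filter = comp.find("intent-filter") is not None
        if exported == "true" or (exported is None and has_filter):
            if _attr(comp, "permission") is None:
                findings.append(_attr(comp, "name"))
    return findings


def network_config_issues(config_xml):
    """Cleartext permitted anywhere, or a domain-config with no <pin-set>."""
    issues = []
    for cfg in ET.fromstring(config_xml).iter():
        if cfg.tag in ("base-config", "domain-config") \
                and cfg.get("cleartextTrafficPermitted") == "true":
            issues.append("cleartext permitted in <%s>" % cfg.tag)
        if cfg.tag == "domain-config" and cfg.find("pin-set") is None:
            hosts = ", ".join(d.text for d in cfg.findall("domain"))
            issues.append("no pin-set for " + hosts)
    return issues


# Constructed sample: the weak shape of the findings in the report.
WEAK_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bank">
  <application>
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".DeepLinkActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <data android:scheme="bank"/>
      </intent-filter>
    </activity>
    <provider android:name=".DataProvider"
        android:authorities="com.example.bank.data" android:exported="true"/>
    <service android:name=".SyncService" android:exported="false"/>
  </application>
</manifest>"""

# Hardened form: explicit export plus a signature-level permission gate.
HARDENED_MANIFEST = WEAK_MANIFEST.replace(
    'android:name=".DeepLinkActivity"',
    'android:name=".DeepLinkActivity" android:exported="true" '
    'android:permission="com.example.bank.permission.DEEPLINK"'
).replace(
    'android:exported="true"/>',
    'android:exported="true" android:permission="com.example.bank.permission.DATA"/>'
)

WEAK_NETCONFIG = """<network-security-config>
  <base-config cleartextTrafficPermitted="true"/>
  <domain-config>
    <domain includeSubdomains="true">api.example-bank.test</domain>
  </domain-config>
</network-security-config>"""

HARDENED_NETCONFIG = """<network-security-config>
  <base-config cleartextTrafficPermitted="false"/>
  <domain-config>
    <domain includeSubdomains="true">api.example-bank.test</domain>
    <pin-set expiration="2030-01-01">
      <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
      <pin digest="SHA-256">BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=</pin>
    </pin-set>
  </domain-config>
</network-security-config>"""

if __name__ == "__main__":
    print("weak manifest:", exported_without_permission(WEAK_MANIFEST))
    print("hardened manifest:", exported_without_permission(HARDENED_MANIFEST))
    print("weak netconfig:", network_config_issues(WEAK_NETCONFIG))
    print("hardened netconfig:", network_config_issues(HARDENED_NETCONFIG))
```

The manifest check deliberately skips the launcher activity, which has to be exported, and reports the deep-link activity because an intent-filter without an explicit android:exported defaulted to exported on Android versions before 12. The network config check is a configuration-level view of the SSL pinning finding: a domain-config with no pin-set means the app trusts any certificate the platform store accepts, and cleartextTrafficPermitted="true" means no TLS at all is required. Pin values here are placeholders; a real pin-set carries the SHA-256 of the server's SPKI plus at least one backup pin.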

AKATI Sekurity provided a detailed report outlining these findings, their potential impact, and specific, actionable recommendations for remediation for each vulnerability. This enabled the client to prioritize and address the identified security weaknesses directly within their application binaries, significantly strengthening their security posture and protecting critical data and user trust.
