Below are the common methods attackers currently use against a mobile app at runtime. The list is not comprehensive, but it gives a good overview of the threat landscape for an executing mobile app.
Debuggers
A debugger allows a developer to monitor and control the execution of an application, so that they can identify and fix bugs or other issues.
An attacker can use a debugger for a variety of malicious actions. By attaching a debugger to a running mobile app, the attacker gains access to its internal state, including memory, registers, and other sensitive information. The attacker can then use this access to modify the program's behavior, inject malicious code, or extract sensitive data.
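One way an app can notice an attached debugger on Android (a Linux kernel) is the TracerPid field the kernel exposes in /proc/self/status, which is non-zero while a process is attached with ptrace. The following is an added example, not code from the original article; it assumes a Linux-style /proc and uses a constructed status sample, and it notes that iOS has no /proc (the equivalent there is a sysctl query for the P_TRACED flag, not shown).

```c
/* Added example: read TracerPid from /proc/self/status (Linux/Android).
 * A non-zero TracerPid means another process has attached with ptrace. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse the TracerPid value out of status-file text.
 * Returns the tracer's PID, 0 when no tracer is attached,
 * or -1 if the field is absent from the text. */
long tracer_pid_from_status(const char *status_text)
{
    const char *key = "TracerPid:";
    const char *line = status_text;
    while (line && *line) {
        if (strncmp(line, key, strlen(key)) == 0)
            return strtol(line + strlen(key), NULL, 10); /* skips the tab */
        line = strchr(line, '\n');
        if (line) line++;
    }
    return -1;
}

/* Read the live status file of the current process.
 * Returns 1 if a tracer is attached, 0 if not, -1 if the file is unreadable. */
int debugger_attached(void)
{
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    long pid = tracer_pid_from_status(buf);
    if (pid < 0) return -1;
    return pid > 0;
}

/* Constructed sample of a status file for a process that is being traced. */
static const char *SAMPLE_TRACED =
    "Name:\tmyapp\nState:\tt (tracing stop)\nTgid:\t4242\nPid:\t4242\n"
    "PPid:\t1\nTracerPid:\t3117\nUid:\t10123\t10123\t10123\t10123\n";

int main(void)
{
    printf("sample TracerPid=%ld\n", tracer_pid_from_status(SAMPLE_TRACED));
    printf("live debugger attached: %d\n", debugger_attached());
    return 0;
}
```

A check like this is easily patched out by an attacker who already controls the device, so it is a signal to feed into a broader set of runtime checks rather than a gate on its own.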
Emulators & Simulators
An emulator is software that allows one computer system to mimic the functions of another computer system. This is useful for testing and development, because it lets developers run and test their mobile app code on different platforms without physically accessing those platforms. For example, a mobile app developer could use an Android emulator on a Mac.
A simulator is software that also allows a computer to mimic the behavior of a different system. Like an emulator, a simulator can run software or applications that were designed for a different platform or operating system. However, while an emulator aims to reproduce the exact behavior of the original system as closely as possible, a simulator is more focused on modeling the behavior of a system and may not be an exact replica.
An attacker can use an emulator or simulator to observe how a mobile app functions while it executes, because knowing how the app behaves lets the attacker build more effective attacks. A cybercriminal could use an emulator or simulator to observe how the mobile app authenticates to backend systems, or to see how the app reads and writes to the filesystem, whether any encryption is used and, if so, how strong it is. Emulators and simulators can also be used to modify mobile OS behavior: for example, sending false signals from the mobile app, modifying system calls and libraries of the underlying mobile operating system, or removing security controls.
App Renaming
App renaming is the process of changing the name of a mobile application.
A cybercriminal can use app renaming to give a malicious mobile app a more appealing or trustworthy name, making it more likely that users will download and install the mobile app. For example, an attacker might rename a malicious mobile app to mimic the name of a popular mobile application or game, in order to trick users into downloading it because they think it is legitimate.
Mobile app renaming can also be used to create confusion among users by giving multiple mobile apps similar or identical names. This makes it difficult for users to identify the mobile app they are looking for and can lead them to accidentally download a malicious mobile app.
Function or Method Hooking
Function hooking or method hooking is a technique used by developers to modify or extend the behavior of an existing function or method. It involves intercepting function calls, system events or messages. The code snippets that perform these interceptions are the “hooks”. Method swizzling is a method hooking technique used on iOS.
In method hooking, a developer defines a new method with the same name and function signature as the original method, but with different behavior. When the code is executed, the new method is called instead of the original, allowing the developer to modify or extend the original method's behavior. This technique is useful for debugging, testing, and extending the functionality of existing code. For example, a hook could be written to intercept keyboard or mouse event messages before those inputs reach an application.
A hacker can use function hooking, method hooking, or method swizzling to insert malicious code into a mobile app’s executable without modifying the original source code. This lets the hacker take control of the mobile app’s behavior and perform various actions, such as stealing sensitive data, modifying the program's output, or injecting malware into the program. To protect against this type of attack, use security measures such as code signing and obfuscation to make it harder for hackers to access and manipulate a mobile app’s code.
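The mechanics described in the two paragraphs above, shown as an added example that is not code from the original article: a call routed through a dispatch table, a hook with the same signature that replaces the table entry and overrides the original's verdict, and the integrity check a defender can run to notice the redirection. All names and the sample PIN are invented for illustration.

```c
/* Added example: method hooking through a dispatch table, plus an
 * integrity check that detects a redirected entry. */
#include <stdio.h>
#include <string.h>

typedef int (*pin_check_fn)(const char *entered);

/* The original method: the PIN is accepted only if it matches. */
static int check_pin_original(const char *entered)
{
    return strcmp(entered, "4931") == 0;   /* constructed sample PIN */
}

/* A hook with the same signature. It keeps a pointer to the original so it
 * can still call it, but overrides the result: every PIN is accepted. */
static pin_check_fn original_check_pin = check_pin_original;
static int check_pin_hooked(const char *entered)
{
    original_check_pin(entered);           /* original still runs...        */
    return 1;                              /* ...but its verdict is ignored */
}

/* The app calls through this table instead of calling the function
 * directly, which is what makes the call interceptable. */
struct dispatch_table { pin_check_fn check_pin; };
static struct dispatch_table table = { check_pin_original };

int app_verify_pin(const char *entered) { return table.check_pin(entered); }

/* Simulates what a hooking framework does at runtime: swap the entry. */
void install_hook(void) { table.check_pin = check_pin_hooked; }
void remove_hook(void)  { table.check_pin = check_pin_original; }

/* Defender check: compare the live entry with the known-good address.
 * Returns 1 if the table is intact, 0 if it has been redirected. */
int dispatch_intact(void) { return table.check_pin == check_pin_original; }

int main(void)
{
    printf("wrong PIN accepted? %d (intact=%d)\n",
           app_verify_pin("0000"), dispatch_intact());
    install_hook();
    printf("wrong PIN accepted? %d (intact=%d)\n",
           app_verify_pin("0000"), dispatch_intact());
    return 0;
}
```

Real hooking frameworks patch the function prologue or the Objective-C method table rather than a table the app owns, so production checks compare function bytes or method implementations against known-good values in the same spirit.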
Jailbreaking and Rooting
Jailbreaking is the process of removing the limitations imposed by Apple on iOS mobile devices, such as iPhones or iPads. Apple puts these limitations in place in order to prevent end users from modifying the iOS operating system or installing unapproved mobile apps.
Rooting is the equivalent for Android devices. Rooting is the process of allowing users of smartphones, tablets and other devices running the Android mobile operating system to attain privileged control (known as root access) over various Android subsystems. Rooting is often performed to remove limitations that carriers and hardware manufacturers put on some devices, to provide the latest versions of Android to devices that no longer receive official updates, or to unlock features that are otherwise unavailable to the user.
By jailbreaking or rooting a device, an attacker gains access to the filesystem and can make changes to the operating system. On a jailbroken or rooted device, an attacker can install malware or other malicious apps that steal sensitive data. Attackers also use jailbreaking or rooting to get at sensitive data on the device, such as passwords or financial information.
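A basic root-detection probe of the kind an Android app can run, as an added example that is not code from the original article: it looks for the su binary and other files that are normally present only on a rooted device. The path list is the commonly checked set and is an assumption of this example; a rooted device can hide these files, so a clean result means "nothing obvious found", not proof that the device is intact.

```c
/* Added example: probe a list of filesystem paths that indicate a rooted
 * Android device. Compiled with the NDK this runs in-app; on a desktop
 * Linux box it simply reports no hits. */
#include <stdio.h>
#include <unistd.h>

/* Count how many of the given paths exist. Returns the count so the caller
 * can choose its own threshold (a single hit is usually enough to act on). */
int count_present(const char *const *paths, int n)
{
    int hits = 0;
    for (int i = 0; i < n; i++)
        if (access(paths[i], F_OK) == 0)
            hits++;
    return hits;
}

/* Assumed indicator list: su binaries and root-manager artifacts. */
static const char *const ROOT_INDICATORS[] = {
    "/system/bin/su", "/system/xbin/su", "/sbin/su", "/su/bin/su",
    "/system/app/Superuser.apk", "/data/adb/magisk",
};
#define N_ROOT_INDICATORS \
    (int)(sizeof ROOT_INDICATORS / sizeof ROOT_INDICATORS[0])

/* Returns 1 if any indicator is present, 0 otherwise. */
int device_looks_rooted(void)
{
    return count_present(ROOT_INDICATORS, N_ROOT_INDICATORS) > 0;
}

int main(void)
{
    printf("root indicators found: %d of %d\n",
           count_present(ROOT_INDICATORS, N_ROOT_INDICATORS),
           N_ROOT_INDICATORS);
    printf("device looks rooted: %d\n", device_looks_rooted());
    return 0;
}
```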