As organizations rely increasingly on mobile applications to facilitate their business processes, the need for comprehensive and reliable mobile application security solutions has grown in parallel. To meet this demand, a new technology has emerged: mobile RASP (Runtime Application Self-Protection).
Mobile RASP continuously monitors the behavior of a mobile app to protect it, without human intervention, from data breaches, a range of runtime security threats (debugger, emulator and simulator attacks, function or method hooking attacks, use of jailbroken or rooted devices, and so on) and app tampering (app repackaging, app renaming, and so on).
Mobile RASP is an invaluable tool in the fight against malicious activity on mobile devices. By self-monitoring its runtime environment for attacks, a mobile app with RASP can detect attempts to exploit vulnerabilities, modify the mobile application’s code, or bypass security measures.
This article explores what mobile RASP is, how it works, and the benefits it offers for mobile application security.
Runtime application self-protection (RASP) is a security technology that aims to protect applications from being exploited by attackers.
RASP is a complement to other security measures, such as firewalls and antivirus software, which are typically focused on protecting the network and the underlying operating system.
RASP is different from other security technologies in that it is integrated directly into the application, rather than being installed as a separate layer of protection. This means that it cannot be bypassed or disabled by malicious actors.
RASP provides protection at runtime, when the application is actually being used, rather than just when it is being developed or deployed. RASP works by monitoring the behavior of an application in real time and looking for suspicious activity that could indicate an attack. If it detects such activity, it can take action to prevent the attack from succeeding, such as blocking malicious input or shutting down the application. By focusing on the application itself, RASP can provide an additional layer of protection against attackers who may be able to bypass other security controls.
Mobile RASP encompasses the technologies that allow a mobile app to continuously protect the runtime. Since mobile apps may have to operate in situations where there is poor or no network connectivity, mobile RASP must provide protections even when the mobile app is unable to “phone home.” This means that for a mobile app that is enabled with mobile RASP, security has been moved into the app. A RASP-enabled mobile app should have all the needed capabilities built-in so that it is able to monitor inputs and block those that could result in live attacks, while protecting the runtime against unwanted changes and tampering.
Mobile RASP can detect malicious activity as it is happening, making it much more effective than traditional security solutions which rely on signature-based detection.
Mobile RASP can be easily integrated into mobile applications, and can be customized to meet the specific needs of each mobile app.
Mobile RASP does not require additional hardware or software to be installed, making it much more cost-effective than traditional security solutions.
Mobile RASP can improve the performance of an application by reducing the amount of resources needed to monitor for malicious activity.
Mobile RASP provides detailed logs that can be used to quickly identify attempts to exploit vulnerabilities.
Below are the common methods that hackers currently use against the runtime of a mobile app. While not comprehensive, the list gives a good overview of the threat landscape for an executing mobile app.
A debugger allows a developer to monitor and control the execution of an application, allowing them to identify and fix bugs or other issues.
An attacker can use a debugger to perform a variety of malicious actions. The attacker uses a debugger to attach to a running mobile app to gain access to its internal state, including memory, registers, and other sensitive information. The attacker can then use this information to perform various actions, such as modifying the program's behavior, injecting malicious code, or extracting sensitive data.
An emulator is software that allows one computer system to mimic the functions of another computer system. This can be useful for testing and development purposes, as it allows developers to run and test their mobile app code on different platforms without having to physically access those platforms. For example, a mobile app developer could use an Android emulator on a Mac.
A simulator is software that also allows a computer to mimic the behavior of a different system. Like an emulator, a simulator can be used to run software or applications that were designed for a different platform or operating system. However, while an emulator aims to reproduce the exact behavior of the original system as closely as possible, a simulator is more focused on modeling the behavior of a system, and may not be an exact replica.
An attacker could use an emulator or simulator to observe how a mobile app functions while it is executing, because knowing how the mobile app behaves enables the attacker to build more effective attacks. A cybercriminal could use an emulator or a simulator to observe how the mobile app authenticates to backend systems. Or the emulator or simulator could be used to see how the mobile app reads and writes to the filesystem, whether any encryption is used and, if so, how strong it is. Emulators and simulators can also be used to modify mobile OS behavior, for example by sending false signals from the mobile app, modifying system calls and libraries of the underlying mobile operating system, or removing security controls.
App renaming is the process of changing the name of a mobile application.
A cybercriminal can use app renaming to give a malicious mobile app a more appealing or trustworthy name, making it more likely that users will download and install the mobile app. For example, an attacker might rename a malicious mobile app to mimic the name of a popular mobile application or game, in order to trick users into downloading it because they think it is legitimate.
Mobile app renaming can also be used to create confusion among users, by giving multiple mobile apps similar or identical names. This can make it difficult for users to identify the mobile app they are looking for, and can lead to them accidentally downloading a malicious mobile app.
Function hooking or method hooking is a technique used by developers to modify or extend the behavior of an existing function or method. It involves the interception of function calls, system events or messages. The code snippets that perform these interceptions are the “hooks.” Method swizzling is a method hooking technique that is used on iOS.
In method hooking, a developer defines a new method with the same name and function signature as the original method, but with different behavior. When the code is executed, the new method is called instead of the original method, allowing the developer to modify or extend the behavior of the original method. This technique can be useful for debugging, testing, and extending the functionality of existing code. For example, a hook could be written to intercept the keyboard or mouse event messages before those inputs reach an application.
A hacker can use function hooking, method hooking, or method swizzling to insert malicious code into a mobile app’s executable, without modifying the original source code. This allows the hacker to gain control over the mobile app’s behavior, and to perform various actions, such as stealing sensitive data, modifying the program's output, or injecting malware into the program. To protect against this type of attack, it is important to use security measures, such as code signing and obfuscation, to make it more difficult for hackers to access and manipulate a mobile app’s code.
Jailbreaking is the process of removing the limitations imposed by Apple on iOS mobile devices, such as iPhones or iPads. Apple puts these limitations in place in order to prevent end users from modifying the iOS operating system or installing unapproved mobile apps.
Rooting is similar but for Android devices. Rooting is the process of allowing users of smartphones, tablets and other devices running the Android mobile operating system to attain privileged control (known as root access) over various Android subsystems. Rooting is often performed with the goal of removing limitations that carriers and hardware manufacturers put on some devices, thereby providing the latest versions of Android to devices that no longer receive official updates, or unlocking features which are otherwise unavailable to the user.
By jailbreaking or rooting a device, an attacker can gain access to the filesystem and make changes to the operating system. With a jailbroken or rooted device, an attacker can install malware or other malicious apps, which can steal sensitive data. Attackers also use jailbreaking or rooting to get access to sensitive data on the device, such as passwords or financial information.
Dynamic binary instrumentation (DBI) is a technique used in computer programming to modify the behavior of a program at runtime. It involves inserting code into a running program, without modifying the original source code, to monitor or modify the program's behavior. This is typically done by using a DBI framework, which provides tools for inserting code into a running mobile app. There are a variety of legitimate applications of DBI, including performance analysis, debugging, security analysis and reverse engineering. While dynamic binary instrumentation is commonly used by software developers and security researchers, it can also be used by attackers to insert malicious code into a program.
A man-in-the-middle (MitM) attack is a type of cyber attack where an attacker intercepts communication between two parties, impersonates both parties, and relays messages between them, without either party knowing that they are being attacked.
In an MitM attack, the hacker effectively sits in the middle of the communication, acting as a "man in the middle" to steal sensitive information, such as passwords and credit card numbers, or to inject malicious code into the communication.
In the context of mobile, consider that most mobile apps need to communicate with remote servers in order to function. HTTPS is most commonly used for these communications. Opportunities for hackers to initiate man-in-the-middle attacks arise when a mobile app fails to use standard authentication methods properly. For example, a mobile app may not reliably check the certificate that proves a server is what it says it is. Or it fails to properly verify its server’s hostname.
Forged certificates, session hijacking, cookie hijacking, SSL stripping, and malicious proxies are examples of MitM attack techniques. Toolkits such as Charles Proxy, Burp Suite, Nmap, mitm, Wireshark and Metasploit are used for man-in-the-middle attacks.
App tampering is the act of modifying an application or its components in order to change its behavior or bypass security measures. Attackers do this for a variety of reasons, including to remove advertising, unlock paid features, or gain access to sensitive information.
App tampering can lead to security vulnerabilities. For example, an attacker may download a popular mobile app from a public app store, modify it using app tampering techniques, and use app renaming to mimic the name of a popular mobile app in order to trick users into thinking it is legitimate. Anti-tamper techniques are available to counter runtime attacks that rely on app tampering.
Mobile app repackaging, sometimes called a cloning attack, is a technique used to generate fake versions of legitimate mobile apps. Repackaged mobile apps are usually infected versions of popular mobile apps that carry malware, adware or spyware. Attackers download a popular mobile app, access the source code through reverse engineering, add their own, often malicious, code to it, and then repackage and release the mobile app. Being able to detect app repackaging is therefore a necessary anti-tamper mobile RASP technique.
With app renaming detection enabled, an executing mobile app will detect if its name was changed after it was released by its original app developer. One way to do this is for the app developer to embed the name of the APK/IPA into the mobile app before it is released and ensure that the name of the mobile app at runtime is checked against the name embedded within the APK/IPA.
A mobile app with anti-debug enabled will detect if an attacker is running a debug program on the app. One way to do this is for the mobile app to detect if the debug flag has been enabled.
A mobile app with emulator/simulator detection enabled will be able to determine if it is running on an emulator or simulator rather than a real device. One way to do this is to have the executing app look for private or hidden system properties that give a strong indication that the system on which the app is running is an emulator.
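As an added example (not code from the article or from Blue Cedar), the following Python parses a getprop-style system property dump and scores well-known Android emulator indicators. The dumps are constructed, the property names are standard Android build properties that the article does not itself list, and the weights and threshold are assumptions of this example; a real app would read the properties in-process on the device.

```python
import re

# Constructed getprop-style dumps. The property names are standard Android
# build properties; the values are made up for this example.
EMULATOR_DUMP = """\
[ro.build.fingerprint]: [google/sdk_gphone_x86/generic_x86:11/RSR1.0/0:user/release-keys]
[ro.hardware]: [ranchu]
[ro.kernel.qemu]: [1]
[ro.product.model]: [Android SDK built for x86]
"""
DEVICE_DUMP = """\
[ro.build.fingerprint]: [vendor/phone/phone:13/TQ1A.0/1:user/release-keys]
[ro.hardware]: [exampleboard]
[ro.product.model]: [Example Phone 5]
"""

# Each rule: (property, predicate on its value, weight). The weights and the
# threshold are an assumption of this example, not a published scoring scheme.
INDICATORS = [
    ("ro.kernel.qemu", lambda v: v == "1", 3),
    ("ro.hardware", lambda v: v in ("goldfish", "ranchu"), 3),
    ("ro.product.model", lambda v: "sdk" in v.lower() or "emulator" in v.lower(), 2),
    ("ro.build.fingerprint", lambda v: "generic" in v, 1),
]
THRESHOLD = 3

_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<val>[^\]]*)\]$")

def parse_getprop(dump: str) -> dict:
    """Parses `getprop` output ("[key]: [value]" per line) into a dict."""
    props = {}
    for line in dump.splitlines():
        m = _LINE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("val")
    return props

def emulator_indicators(props: dict) -> list:
    """Returns the names of properties whose values look emulator-specific."""
    return [key for key, pred, _ in INDICATORS if key in props and pred(props[key])]

def looks_like_emulator(props: dict) -> bool:
    """True when the weighted indicator score reaches the detection threshold."""
    score = sum(w for key, pred, w in INDICATORS if key in props and pred(props[key]))
    return score >= THRESHOLD
```

Because any single property can be spoofed on a modified image, scoring several independent indicators is more robust than testing one, which is why the check is weighted rather than a single string comparison.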
An iOS app with jailbreak detection will be able to determine if the device on which it is running is jailbroken. Similarly, an Android app with root detection will be able to determine if it is executing on a rooted device. There are numerous ways to enable jailbreak detection and root detection such as: performing a boot time check to determine if the processes, apps, and data are in accordance with Apple or Google guidelines; detecting modifications to the permissions for certain files and folders.
Enabling DBI detection in a mobile app makes it very difficult for attackers to realize the benefits of memory-based attacks: they will not be able to perform code tracing, alter values, manipulate game points and currencies, bypass restrictions, spoof user credentials, or reuse sessions.
A mobile app in which MitM detection has been enabled will be able to discover attack techniques that rely on forged certificates, session hijacking, cookie hijacking, SSL stripping, malicious proxies, and other network-level attacks.
With app repackaging detection enabled, a mobile app will detect if it has been repackaged since the app developer released the original app, including detecting whether it is still signed with the original signing certificate. App repackaging detection is often included as part of anti-tamper techniques.
With anti-tampering enabled, a mobile app should be able to self-verify that it has not been modified since being released by the app developer. A way to do this is by using checksum validation.
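The app renaming check, the repackaging (signing certificate) check and the checksum-based anti-tamper check described above, combined in one startup self-verification routine. This is an added example, not code from the article or from Blue Cedar; the "app" is a constructed dictionary standing in for an APK/IPA, and the package name, code bytes and certificate bytes are made-up values.

```python
import hashlib
import hmac

# Constructed stand-in for a released APK/IPA. At build time the developer records
# the package name, the SHA-256 of the code payload and the SHA-256 fingerprint of
# the signing certificate. The code digest covers only the code, not the recorded
# expectations, so there is no circular "file containing its own hash" problem.

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_release(package_name: str, code: bytes, signer_cert: bytes) -> dict:
    """Simulates the release build: bundles the app with its embedded expectations."""
    return {
        "package_name": package_name, "code": code, "signer_cert": signer_cert,
        "expected": {
            "package_name": package_name,
            "code_sha256": sha256_hex(code),
            "signer_sha256": sha256_hex(signer_cert),
        },
    }

def self_verify(app: dict) -> list:
    """Startup self-check; returns the detected indicators (empty = looks untouched)."""
    exp = app["expected"]
    findings = []
    if app["package_name"] != exp["package_name"]:
        findings.append("renamed")                 # app renaming detection
    if not hmac.compare_digest(sha256_hex(app["code"]), exp["code_sha256"]):
        findings.append("code_modified")           # checksum-based anti-tamper
    if not hmac.compare_digest(sha256_hex(app["signer_cert"]), exp["signer_sha256"]):
        findings.append("resigned")                # repackaging detection
    return findings

def demo() -> dict:
    """Runs the check on a constructed genuine build and two tampered copies of it."""
    genuine = build_release("com.example.bank", b"\x7fELF original code", b"cert:developer")
    # Copy 1: the app is shipped under a different name.
    renamed = dict(genuine, package_name="com.example.bank.free")
    # Copy 2: repackaged clone with patched code, re-signed with a different key;
    # the embedded expectations are untouched, so both changes are reported.
    repackaged = dict(genuine, code=b"\x7fELF patched code", signer_cert=b"cert:other")
    return {
        "genuine": self_verify(genuine),
        "renamed": self_verify(renamed),
        "repackaged": self_verify(repackaged),
    }
```

A repackager who also rewrites the embedded expectations defeats this check on its own, which is why mobile RASP pairs it with code obfuscation and, when the app can phone home, server-side verification of the reported values.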
This feature should check a mobile app’s composition, data structure, data elements, and communication paths to validate the integrity and authenticity of the app, as well as to detect elements within the app, such as unknown URLs or malicious URLs, that could be used as an attack vector.
Mobile RASP technologies provide a layer of protection against common attack vectors such as man-in-the-middle (MitM) attacks, memory-based attacks that leverage DBI frameworks, debugger, emulator and simulator based attacks, app tampering and reverse engineering. Additionally, RASP can detect attempts to root or jailbreak the device, which can be a major security risk.
The benefits of mobile RASP are clear: it provides real-time detection, increased visibility, improved performance, and cost-effectiveness. Organizations can use mobile RASP to protect their mobile applications and users from malicious activity, and ensure that their applications are running securely and reliably.
If you’re looking to enhance the security of your mobile applications, mobile RASP is a great option. It provides comprehensive protection at runtime, and can detect and block malicious activity as it is happening. Blue Cedar app security provides mobile RASP. Try Blue Cedar mobile RASP today and revolutionize the security of your mobile applications!