Black Hat is a global event series that provides the security industry with the latest research, trends, and developments in the world of cybersecurity. The sessions and trainings that take place during these events are created based on the needs and interests of the global security community. Black Hat events and sessions are attended and executed by a variety of professions in the industry:
The Black Hat USA 2022 conference took place from August 10th-11th in Las Vegas. Guardsquare’s Chief Product Officer Ryan Lloyd attended the conference and connected with many attendees at the Guardsquare booth on mobile app security trends and takeaways from the presentations.
Here are the two security trends that stood out the most.
A powerful and innovative way to prevent and defend against mobile app attacks is by carrying them out yourself (or watching someone else do it). Many of the sessions at Black Hat featured presenters staging attacks from the perspective of a threat actor, or showcased responsibly disclosed exploitable vulnerabilities. A couple of good examples related to mobile were covered: "Google Reimagined our Phone. It was Our Job to Red Team and Secure It" and "Android Universal Root: Exploiting xPU Drivers".
Self-engineered attacks increase your knowledge of how reverse engineering works in both iOS and Android apps. Not only can this help you prevent these attacks, but it can accurately illustrate the criticality of strong mobile app security. Take, for example, our blog "The Current State & Future of Reversing Flutter™ Apps", which explores the tools threat actors leverage to speed up the reverse engineering of Flutter apps.
That blog demonstrates that the tools assisting threat actors in reverse engineering Flutter apps are not difficult to develop. We also saw that, with only a few lines of code, the metadata left in the app could be used to speed up the reverse-engineering process. As Flutter and other types of apps mature, reverse-engineering methods and tools are sure to follow suit.
Another good example of how to think about security from the perspective of a threat actor is this Android App Reverse Engineering 101 workshop on GitHub. In this workshop, participants learn the foundations for reverse engineering Android applications. The lesson is focused on reverse engineering through static analysis – the process of analyzing and understanding an app by examining its code. The author of the workshop specifically states that she focused on static analysis because, “[Static analysis] tends to be a less approachable skill for people to pick up on their own, so I want to help you do it!”
There is a virtually unlimited amount of resources available online to help threat actors learn how to reverse engineer apps. If you want to get ahead of attackers, you need to learn their attack methods and modes of operation to prepare a defense plan.
The mobile threat landscape is constantly evolving. Developers need experience and dedication to keep up with new threats, especially if they maintain a popular, high-value app that is attractive to attackers.
Mobile app security can be thought of as a cat-and-mouse game. The attackers are the cats, and our apps are the mice. The sophisticated and dedicated reverse engineering community is the cat learning the mice's hiding spots. Consequently, we mice have to stay up to date with new and innovative protection measures. In other words, the mice have to change their hiding spots and defense tactics.
An effective way to stop attacks (or stop the cat) before they happen is to continuously monitor for reverse engineering and tampering attempts in your released app. Threat monitoring allows you to identify potential threat actors, find security gaps that need fixing, and gain security knowledge to apply in future development.
An example of a monitoring tool for mobile apps is Guardsquare’s ThreatCast. A monitoring tool like ThreatCast enables developers to:
So, if a mouse had a tool that watches over its home and alerts it whenever a cat is approaching, there would probably be a lot more mice in the world.
To learn more about defending your apps against complex threats, the true dangers of an unprotected mobile app, and what security teams should look for in a protection solution, check out this interview from Security Guy TV with Guardsquare’s own Ryan Lloyd.