Security Issues of Cross Platform Tools

A couple of weeks ago I answered a question on Quora about the security of cross platform tools. I try to rise above my confirmation bias when discussing these things. I won’t discuss Codename One in this context or any other specific tool. Only general ideas.

Security depends a lot on the tools involved and their level of support for security features such as certificate pinning, storage/DB encryption, etc. Some tools also store the code of the app as plain text or as obfuscated scripting code that is still fully readable, which can have a serious impact on security.

In fact, this level of insecurity spawned a thriving cottage industry of repackaging, where people unzip the application, repackage and sign it, and upload it to the store under a different package name. They then use ads/payment to earn from the stolen app. This can be very profitable for them, as the time until detection and takedown can be pretty long.

Reverse Engineering

Reverse engineering is possible no matter what tool you use. Cross platform tools can make this either easier or harder.

There are plenty of off-the-shelf tools to reverse engineer native apps. You can literally view the full UI design used by the developer and then search for the event handling code within the decompiled application. E.g. if you have a login form, a hacker can find the login button, run the app and find out a lot about the process.

Here the cross platform tools divide into three distinct categories:

  • Native GUI tools — These are usually on par with or worse than native apps when it comes to security. The native communication/layout is often visible via standard reverse engineering tools.

  • Web tools — Cross platform tools that are based on web technologies are usually very easy to reverse engineer, to the point where a hacker can change JavaScript on the spot or even use web debugging tools to debug the app remotely.

  • Lightweight tools — Tools that render their own UI are usually more secure in that sense. Decompiler tools can’t always see some of these tools and find it really hard to deal with their UI. Such tools can be much harder to reverse engineer than native apps.

Obfuscation

Obfuscation is the first line of defense against reverse engineering. It’s an essential tool to make reverse engineering harder.

Some tools and some common native 3rd party libraries discourage obfuscation. A lot of tools limit the scope of obfuscation, which is generally a bad thing to do.

Tips

Things to ask your cross platform tool vendor:

  • Is my code visible in the final binary?

  • What level of obfuscation do I have here? Is there a separately obfuscated scripting language (e.g. JavaScript)?

  • Can code be injected remotely? This is sometimes presented as a “feature” where you can circumvent the appstore submission process. Apple made that illegal and removed such tools in the past.

  • Do you support encrypted storage/DB?

  • Do you support certificate pinning?

  • Do you use custom socket communication and not the OS level connection (this is important as there might be a low level vulnerability in a custom implementation of SSL)?
    It’s more secure to use the OS native APIs when doing networking operations

  • Can I disable copy and paste?

  • Can I disable the OS screenshot feature in the task manager (this isn’t possible on all OSes)?

  • Can I detect jailbroken devices?
    Notice that this isn’t always possible and is a bit flaky

  • Do you support biometric authentication primitives?

  • Who do I contact when I find something and need help?
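
One way to check the first question on your own release build, as an added example (not from the original post and not any vendor's tooling): app packages are zip archives, so a short script can list bundled script files that ship as readable text. The extension list, the 95% threshold and the sample package contents are assumptions constructed for illustration.

```python
import io
import zipfile

# Assumption: extensions a cross platform tool might use for bundled source.
SCRIPT_EXTS = (".js", ".html", ".lua", ".py")


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII, tab, LF or CR."""
    if not data:
        return 0.0
    ok = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return ok / len(data)


def audit_package(package: bytes, min_printable: float = 0.95):
    """Return [(entry name, size)] for script entries stored as readable text."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.lower().endswith(SCRIPT_EXTS):
                continue
            data = zf.read(info)
            # Minified or renamed code is still text, so it is still reported.
            if printable_ratio(data) >= min_printable:
                findings.append((info.filename, len(data)))
    return findings


def build_sample_package() -> bytes:
    """Constructed sample: a tiny zip laid out like an app package."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("assets/www/login.js",
                    "function login(user, pass) { return post('/api/login'); }\n")
        zf.writestr("assets/www/min.js", "var a=function(b,c){return d('/x',b,c)};")
        # Stand-in for an encrypted/binary asset that keeps a .js name.
        zf.writestr("assets/www/packed.js", bytes(range(256)) * 4)
        zf.writestr("classes.dex", bytes(range(256)) * 4)
    return buf.getvalue()


if __name__ == "__main__":
    for name, size in audit_package(build_sample_package()):
        print(f"readable script in package: {name} ({size} bytes)")
```

The minified file is reported alongside the plain one, which is the point made earlier about obfuscated scripting code remaining fully readable.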
