Information Security
mobile client-side
Updated Tue, 06 Sep 2022 21:46:36 GMT

What are the methods to prevent and detect front-end behavior alterations in mobile apps?


I don't know the technical possibilities of this attack, but the scenario as I will explain below sounds probable. So here it is.

I have a mobile app that does computation on the user's phone and sends the result to a database that can only be accessed once the user has logged in. The computation is important and can only be done on the phone (but I wouldn't want the user to alter it). For instance, retrieving the user's location, or taking a picture with the user's camera.

The problem I see here, however, is that if the user could somehow reverse engineer the app, they could sign up as a legit user, but still alter the data sent. They could be sending an image they want instead of the mobile app taking live pictures using the camera, or send the location they want instead of the one the mobile app fetched. So in short, how do you prevent a front-end application's behavior from changing, or how could you tell the difference if it has changed? Is there a way in Android to get an application ID for applications that are only installed from the Play Store that I can keep track of in the back-end?

And what should I be reading or looking into if I want to learn more about such client-side/server-side interaction security? (Is there a specific name for such attacks?)




Solution

Is there a way in Android to get an application ID for applications that are only installed from the Play Store that I can keep track of in the back-end?

No.

If you don't control the hardware running your application, you don't control your application. Even if your application is installed from legitimate sources, nothing stops an attacker from disassembling it and learning how it works. He can install a proxy and inspect all traffic, learn the protocol and execute the transactions by hand.

From the server point of view, anything that reaches it is just a TCP connection. There's no way to know if the other side is your app running on an unmodified phone, running on a virtual machine, altered and run on a phone, or a telnet connection that the attacker is feeding data by hand.

You can make it difficult for an attacker to succeed by using the SafetyNet Attestation API in the application, by obfuscating the protocol, by adding certificate pinning, among other defenses. But in the end, this only raises the difficulty of defeating your software. A dedicated attacker will be able to bypass them all.
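As an added example that is not part of the original answer: a Go sketch of the server-side half of the SafetyNet-style attestation check the answer mentions, with the attestation nonce bound to the specific upload so that a token captured once cannot be reused with a different body. The claim field names follow the SafetyNet JWS payload; the signing key, package name, certificate digest, session nonce and request body are constructed stand-ins for this example, and the real validation of the JWS x5c certificate chain to attest.android.com is omitted so the code runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // JWS segments are unpadded base64url

// signerKey stands in for the attestation service's key (assumption for this example).
var signerKey, _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)

// AttestationClaims uses the field names of a SafetyNet attestation payload; every value here is constructed.
type AttestationClaims struct {
	Nonce                      string   `json:"nonce"`
	TimestampMs                int64    `json:"timestampMs"`
	APKPackageName             string   `json:"apkPackageName"`
	APKCertificateDigestSha256 []string `json:"apkCertificateDigestSha256"`
	BasicIntegrity             bool     `json:"basicIntegrity"`
}

// Policy is what the backend knows about its own build of the app.
type Policy struct {
	PackageName string
	CertDigest  string        // base64 SHA-256 of the APK signing certificate
	MaxAge      time.Duration // how long an attestation stays acceptable
}

// RequestNonce binds one attestation to one upload: the server issues a random session nonce and the
// app attests over SHA-256(sessionNonce || body), so replaying the token with another body fails.
func RequestNonce(sessionNonce, body []byte) string {
	h := sha256.New()
	h.Write(sessionNonce)
	h.Write(body)
	return base64.StdEncoding.EncodeToString(h.Sum(nil))
}

// SignAttestation plays the attestation service so the example runs offline. In production Google
// signs the JWS and the server validates its x5c certificate chain to attest.android.com.
func SignAttestation(claims AttestationClaims, key *ecdsa.PrivateKey) (string, error) {
	payload, _ := json.Marshal(claims) // cannot fail for this struct
	signingInput := b64.EncodeToString([]byte(`{"alg":"ES256","typ":"JWT"}`)) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS ES256 signatures are raw R||S, 32 bytes each, not ASN.1
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// VerifyAttestation is the server-side check. The algorithm is fixed to ES256 by construction (the token's
// alg header is never consulted). A pass proves only that a signed statement exists for this exact request.
func VerifyAttestation(jws string, pub *ecdsa.PublicKey, expectedNonce string, pol Policy, now time.Time) (claims AttestationClaims, err error) {
	parts := strings.Split(jws, ".")
	if len(parts) != 3 {
		return claims, errors.New("malformed JWS")
	}
	sig, err := b64.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || len(sig) != 64 || !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return claims, errors.New("signature does not verify")
	}
	payload, err := b64.DecodeString(parts[1])
	if err != nil || json.Unmarshal(payload, &claims) != nil {
		return claims, errors.New("bad payload")
	}
	switch {
	case claims.Nonce != expectedNonce:
		return claims, errors.New("nonce mismatch: token is not bound to this request")
	case claims.APKPackageName != pol.PackageName:
		return claims, errors.New("package name mismatch")
	case len(claims.APKCertificateDigestSha256) != 1 || claims.APKCertificateDigestSha256[0] != pol.CertDigest:
		return claims, errors.New("signing certificate mismatch: repackaged app")
	case !claims.BasicIntegrity:
		return claims, errors.New("device integrity check failed")
	}
	if age := now.Sub(time.UnixMilli(claims.TimestampMs)); age < 0 || age > pol.MaxAge {
		return claims, errors.New("attestation too old or from the future")
	}
	return claims, nil
}

func main() {
	d := sha256.Sum256([]byte("example signing certificate")) // constructed digest of the app's signing cert
	pol := Policy{PackageName: "com.example.fieldapp", CertDigest: base64.StdEncoding.EncodeToString(d[:]), MaxAge: 2 * time.Minute}
	session, body := []byte("server-issued-session-nonce"), []byte(`{"lat":48.8566,"lon":2.3522}`) // constructed
	tok, _ := SignAttestation(AttestationClaims{RequestNonce(session, body), time.Now().UnixMilli(), pol.PackageName, []string{pol.CertDigest}, true}, signerKey)
	_, err := VerifyAttestation(tok, &signerKey.PublicKey, RequestNonce(session, body), pol, time.Now())
	fmt.Println("genuine upload:", err)
	_, err = VerifyAttestation(tok, &signerKey.PublicKey, RequestNonce(session, []byte(`{"lat":0,"lon":0}`)), pol, time.Now())
	fmt.Println("same token, altered body:", err)
}
```

Running it accepts the first upload and rejects the second with the nonce-mismatch error, because the captured token was computed over a different body. The limit the answer describes still applies: a valid attestation says that an unmodified build of your app on an integrity-passing device asked for this statement, not that the image or coordinates in the body originated in the camera or GPS; an attacker on a rooted device with a hooking framework feeds fake data in before the nonce is ever computed. The server-side shape shown here (nonce bound to the request, package and signer checks, freshness window) also carries over to the Play Integrity API that has since replaced SafetyNet Attestation.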





Comments (1)

  • +0 – Ok, thanks! Do you also have suggestions for the second question. "And what should I be reading or looking into if I want to learn more about such client side - server side interaction security (Is there a specific name to such attacks)." — Jul 26, 2022 at 20:41