Mobile app reversing and tampering

Sep 05, 2016 | 3 mins
Android, Mobile Security, Security

Mobile applications are, well, applications. And like any application they need to be protected. I’ve been blogging about attacks on mobile like mobile malware, mobile pharming and mobile phishing, and I even wrote a blog on data-at-rest encryption for mobile. This blog takes a very high-level look at a topic that gets very deep very quickly: the risks to mobile apps from reverse engineering and tampering.

Anything can be hacked. Any code can be reversed or tampered with, especially on a jailbroken or rooted mobile device, where the attacker controls the operating system the app runs on. In many cases, then, the app developer’s goal isn’t outright prevention but changing the economics of an attack.

Making the act of attempting to hack something extremely complex, lengthy and resource intensive is not something an attacker is happy to see. It’s like stealing a car. If your car is locked, has an alarm system, a lock on the steering wheel, a GPS tracker and a switch that shuts off the fuel pump if it is started incorrectly, it will slow down a thief and in most cases make them move on. But it won’t stop a motivated thief with time and resources. This is especially true if you left your keys on the roof or the thief brought a tow truck.

Motivations for hacking mobile apps

When you think about hacking a mobile app you might intuitively think of an attacker trying to understand the app well enough to reverse it and build their own similar, possibly malicious, masquerading version. Maybe they want to modify the logic so they can bypass certain controls, like authentication or license checks. Or perhaps they are just looking to steal sensitive data. In all of these cases you would be correct. But there is a fourth and perhaps less obvious motivation.

As apps become more advanced they carry richer logic. That logic almost always talks to an organization’s backend IT infrastructure, so the app embeds API endpoints, protocol details, keys or tokens, and assumptions about how the backend validates requests. Reversing an app puts that knowledge of sensitive processes, systems, networks and data in the hands of an attacker, who can then turn it against traditional IT assets.

Mitigating mobile app hacking

When it comes to mobile applications, making it difficult to reverse an app, tamper with an app or even attach a debugger to an app dramatically changes the economics of an attack. These are client-side controls: none of them stops a determined attacker with a rooted device, and none replaces server-side enforcement of authentication, authorization and business rules. What they do is raise the attacker’s cost.

  • Obfuscating the code at build time (renaming identifiers, flattening control flow, encrypting strings) makes it much harder for disassemblers and decompilers to recover the logic and its flow; here is an article on Stack Overflow on this topic
  • Encrypting application files, resources and assets makes changes to the application logic more difficult; paired with an integrity check (a checksum or signature over the code and assets that is verified at runtime), it can also stop a modified app from running if the logic has been tampered with
  • Building debugger awareness into the app, for example checking whether a tracer is attached and refusing to continue, can help mitigate reverse engineering that depends on stepping through the app with a debugger; here is a video covering the hacking of an Android game app using a popular debugger
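The second and third bullets above can both be demonstrated in a few dozen lines of native code of the kind an Android app might ship in a JNI library. The following is an added example, not code from the original post: it detects an attached ptrace-based debugger by parsing the TracerPid field of /proc/self/status, and it verifies a bundled asset against a digest recorded at build time. The asset string and the FNV-1a digest are constructed for illustration; a production build would use a cryptographic hash and protect the expected value (for example by signing it or checking it server-side). It builds with any Linux C toolchain, no NDK required.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* --- Debugger awareness -------------------------------------------------- */

/* Parse the TracerPid field out of a /proc/<pid>/status buffer.
 * Returns the tracer's pid (0 means no tracer), or -1 if the field is absent. */
int parse_tracer_pid(const char *status)
{
    static const char key[] = "TracerPid:";
    const char *line = status;
    while (line != NULL && *line != '\0') {
        if (strncmp(line, key, sizeof key - 1) == 0)
            return (int)strtol(line + sizeof key - 1, NULL, 10); /* strtol skips the tab */
        line = strchr(line, '\n');
        if (line != NULL)
            line++;                       /* advance past the newline */
    }
    return -1;
}

/* Read this process's own status file and report whether a ptrace-based
 * debugger (gdbserver, lldb-server, Frida's attach path) is tracing it.
 * An unreadable status file is treated as "not traced" here; a production
 * check might prefer to fail closed. */
int is_debugger_attached(void)
{
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (f == NULL)
        return 0;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_tracer_pid(buf) > 0;
}

/* --- Integrity of code or assets ----------------------------------------- */

/* 32-bit FNV-1a over an arbitrary buffer. Because every step is a bijection
 * on the 32-bit state, any single-byte change yields a different digest,
 * which is enough to show tamper detection; a real app would use a
 * cryptographic hash (assumption: SHA-256 or similar) and protect the
 * expected value itself. */
uint32_t fnv1a32(const unsigned char *data, size_t len)
{
    uint32_t h = 0x811c9dc5u;
    for (size_t i = 0; i < len; i++) {
        h ^= data[i];
        h *= 0x01000193u;
    }
    return h;
}

/* Return 1 if the buffer still matches the digest recorded at build time. */
int verify_integrity(const unsigned char *data, size_t len, uint32_t expected)
{
    return fnv1a32(data, len) == expected;
}

int main(void)
{
    /* Constructed stand-in for a bundled asset or a protected code region. */
    unsigned char asset[] = "if (licensed) unlock_premium();";
    size_t asset_len = sizeof asset - 1;
    uint32_t expected = fnv1a32(asset, asset_len);   /* recorded at build time */

    printf("debugger attached: %s\n", is_debugger_attached() ? "yes" : "no");
    printf("asset intact:      %s\n",
           verify_integrity(asset, asset_len, expected) ? "yes" : "no");

    asset[0] = '/';   /* simulate a one-byte patch, e.g. commenting out the check */
    printf("after tampering:   %s\n",
           verify_integrity(asset, asset_len, expected) ? "intact" : "modified");
    return 0;
}
```

Run it normally and then under gdb or strace to see the first line flip. The point a practitioner should take from the integrity half is that the check is only as strong as the place the expected digest lives: if it sits in the same binary, the attacker who patches the asset patches the digest too, which is why the comparison is best tied to a signature or a server round trip.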

Mobile apps have already become mission critical to organizations around the world. Their level of backend access, the sensitive data they contain and the damage a malicious, masquerading version can do are all high. As such, mobile app protection, from the perspective of app development, is something every security professional should weigh when evaluating their security posture.



Over the last two decades Brian Contos helped build some of the most successful and disruptive cybersecurity companies in the world. He is a published author and proven business leader.

After getting his start in security with the Defense Information Systems Agency (DISA) and later Bell Labs, Brian began the process of building security startups and taking multiple companies through successful IPOs and acquisitions including: Riptech, ArcSight, Imperva, McAfee and Solera Networks. Brian has worked in over 50 countries across six continents and is a fellow with the Ponemon Institute and ICIT.

The opinions expressed in this blog are those of Brian Contos and do not necessarily represent those of IDG Communications Inc. or its parent, subsidiary or affiliated companies.