Hooking covers a wide range of code modification methods aimed at altering the behavior of the mobile application in question. This is done by intercepting function calls, messages, or events passed between software components. The code used for function interception is called a hook. The same technique applies to changing the behavior of operating systems and of the software components just mentioned.
Legitimate use cases of code hooking include extending functionality and debugging. But of course, we are here to talk about the malicious side of code hooking, which has caused headaches on many occasions. Generally speaking, there are two hooking methods to be aware of: source modification and runtime modification.
Both methods have the same end goal: app manipulation. The difference is in the timing. With source modification, the attacker inserts a hook before the application is running by altering the library source through reverse engineering. Runtime modification, as the name states, means inserting a hook while the application is running.
What makes code hooking even more attractive is the high availability of tools for injecting and executing malicious code. Frida, a free dynamic instrumentation toolkit that enables software professionals to execute their own code inside traditionally locked software, also opens doors to malicious practices. Even though the tool's intended use is to aid developers, pen-testers, and security researchers, bad actors use it as well.
Cybercriminals, black hats, and other fraudsters are able to compromise mobile applications, inject malicious code, and alter the mobile application's behavior and logic in a malicious manner. By combining Frida and hooking, the bad guys are able to design application experiences that have the look and feel of the original application. These types of attacks usually aim at applications that have established a certain amount of trust with their users. The trick is not to make the user doubt their next step within the application. And that is how a successful mobile application attack is executed.
By injecting a malicious piece of code, the attacker alters the application logic and changes its behavior. Hooking is a common tool for Man-in-the-Middle (MitM) attacks, where the fraudster attempts to intercept the communication between the sender and the receiver of a message.
Let's take a look at a simple example to get an idea of how hooking can cause damage in a real-life scenario. MitM attacks involve three actors. The communicator – a person who is sending the information; the receiver – a person to whom the communicator is attempting to send the information; and the middleman – a person intercepting the communication.
Our good actors are Alice, the communicator, and Bob, the receiver. Alice owes Bob $20 and wants to settle her debt. She logs in to her mBanking account and fills out all the necessary information to transfer the $20 to Bob: first name, last name, account number, and other details. Upon pressing the send button, Alice is not aware of Frank – the bad actor. Frank hooked the application and changed the vital details of the transaction in the background so that he receives the $20. Alice is not aware of this, and Bob is a few bucks short.
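The Alice/Bob/Frank scenario above, reduced to plain JavaScript as an added example that is not part of the original post: a constructed `buildTransfer` function stands in for the banking app, a runtime hook rewrites the destination account, and a defender-side integrity check that fingerprints the function at load time notices the replacement. The account numbers and the `bankApi` object are invented for the demonstration.

```javascript
// Constructed stand-in for the mBanking app: builds the transfer Alice submits.
function buildTransfer(fromAccount, toAccount, amountCents) {
  return { from: fromAccount, to: toAccount, amount: amountCents };
}
const bankApi = { buildTransfer };

// Defender side: fingerprint the sensitive function at load time, before any
// injected code gets to run. We keep both the reference and the source text.
function fingerprint(fn) {
  return { ref: fn, src: Function.prototype.toString.call(fn) };
}
const trusted = { buildTransfer: fingerprint(bankApi.buildTransfer) };

// Integrity check: a runtime hook that swaps the function out is caught either
// by the reference comparison or by the source-text comparison.
function isHooked(obj, name) {
  const fn = obj[name];
  const t = trusted[name];
  return fn !== t.ref || Function.prototype.toString.call(fn) !== t.src;
}

// Runtime modification as described in the text: the original function is
// replaced by a wrapper that calls through and then rewrites the result.
function installHook(obj, name, rewrite) {
  const original = obj[name];
  obj[name] = function (...args) {
    return rewrite(original.apply(this, args));
  };
}

// Walk through the scenario and return what each side observed.
function demo() {
  const before = isHooked(bankApi, 'buildTransfer');           // false: untouched
  const clean = bankApi.buildTransfer('ALICE-001', 'BOB-002', 2000);
  // "Frank" hooks the app so the $20 is redirected to his own account.
  installHook(bankApi, 'buildTransfer', (req) => ({ ...req, to: 'FRANK-999' }));
  const tampered = bankApi.buildTransfer('ALICE-001', 'BOB-002', 2000);
  const after = isHooked(bankApi, 'buildTransfer');            // true: detected
  return { before, cleanTo: clean.to, tamperedTo: tampered.to, after };
}
```

Real hooking frameworks work at the native, Objective-C or JVM level rather than on JavaScript objects, and an in-process check like `isHooked` can itself be hooked, which is why a production control layers several independent signals rather than relying on one comparison.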
App Protector is a security solution with a mobile-first mindset. Covering various types of mobile application security threats and providing both detection and prevention of real-time attacks, App Protector safeguards your mobile application and its users from malicious practices.
Upon detecting any type of anomaly or unusual application behavior, App Protector neutralizes the potential attack by either notifying the end-user about a suspected misuse or terminating the application at once. App Protector is able to detect whether an application is under a hooking attack, running on an emulator or under a debugger, or running on a jailbroken/rooted device.
Online mode enables the customization of threat responses and includes an admin portal used to tailor the response to a specific mobile application security threat. Offline mode offers a hardcoded configuration in which the selection of threat responses is not available.
By integrating App Protector with your mobile application, you won't see any changes in the design of your application nor in the application logic. You're only ensuring an additional level of security, safeguarding your mobile application and the end-users.
In case you're curious, feel free to contact us - zero obligation. Our ASEE team will be happy to hear you out.