Thursday, May 17, 2018

Root detection: Xamarin devs stop hackers before they begin

How important is root detection?

  • Rooted devices can be extremely dangerous: When running on a rooted device, an otherwise harmless app can unmount file systems, kill processes, or run arbitrary commands.
  • Rooted devices are plentiful: In the annual Android Security 2017 Year in Review, Google reported that its SafetyNet service identifies over 14 million rooted devices DAILY.
  • Sensitive applications must include controls to mitigate these risks: Recent PCI Security Council guidelines and NIST controls are just two notable examples where rooted device detection and response obligations are explicitly assigned to development organizations. More generally, rooted access is synonymous with unauthorized privilege escalation and is, therefore, incorporated by reference in virtually every privacy obligation developers face, e.g. GDPR, HIPAA...

What’s new for Xamarin.Android developers?

New with Dotfuscator Professional 4.35.0 and Dotfuscator Community Edition (CE) 5.35.0, developers can, for the first time, inject rooted device detection and response controls into Xamarin.Android apps (injection means the logic is inserted post-compile – no coding required).

Want to dig deep?

Read this month’s MSDN Magazine article, “Detect and Respond to Rooted Android Devices from Xamarin Apps,” which steps you through a detailed explanation of the feature, with links to sample code.
The article takes a sample Xamarin app, TodoAzureAuth authored by Xamarin’s David Britch, and adds rooted device detection and response in a way that maps to the PCI Mobile Payment Acceptance Security Guidelines published on 9/2017.
Specifically,
  • Detect that an app is running on a rooted device (offline or on a network)
  • Abort the initial session and permanently quarantine the app in future sessions
  • Report the incident to a central compliance service
  • Obfuscate the app to prevent analysis and tampering of the above controls
  • Automatically log the above implementation to demonstrate compliance for each build

Rooted Response

The sample app highlighted in the article extends TodoAzureAuth with the behaviors illustrated in Figure 1.
Figure 1: Flow illustrating TodoAzureAuth rooted device response behavior after it has been injected with the Dotfuscator Control. Note that root detection serves as an effective proxy for Android emulator detection as well.

Obfuscated binaries

Dotfuscator also obfuscates the TodoAzureAuth app to prevent hackers from:
  • Identifying where and how the rooted device detection and response controls are implemented
  • Reverse-engineering embedded intellectual property (IP)
Figure 2: Sample output from obfuscated version of TodoAzureAuth.

Reporting via Microsoft App Center Integration

The custom code injected by Dotfuscator connects each rooted device detection event with the app owner’s App Center account.
Figure 3: App Center integration

Automatically generated audit records

The following build output can be stored and used to demonstrate that specific controls were injected into any given release.
Figure 4: Auto-logging of Build Reports

Post-compile injection configured through Dotfuscator UI

All of these controls, plus obfuscation, are configured through the Dotfuscator UI. Once configured, Dotfuscator can be invoked automatically as part of a continuous build process, ensuring that every version of every app is effectively secured.
Figure 5: Dotfuscator configuration options.

Closing thoughts (for the week of May 7th 2018 at least)

With the latest release of Dotfuscator, Xamarin.Android developers can rely upon the same application hardening and runtime detection and response controls that classic .NET developers have been able to rely upon for anti-tamper and anti-debugger detection and response, and that Android developers rely upon through our DashO for Android solution.
