https://wiki.owasp.org/index.php?action=history&feed=atom&title=Create_unpredictable_defenses_%28code_modification_prevention%29Create unpredictable defenses (code modification prevention) - Revision history2026-04-20T21:43:03ZRevision history for this page on the wikiMediaWiki 1.27.2https://wiki.owasp.org/index.php?title=Create_unpredictable_defenses_(code_modification_prevention)&diff=172182&oldid=prevJonathan Carter: Created page with "{{Template:Principle}} Category:OWASP Reverse Engineering and Code Modification Prevention Project Category:Principle __NOTOC__ <br> = Context = Mobile app developers ..."2014-04-09T23:18:46Z<p>Created page with "{{Template:Principle}} <a href="/index.php?title=Category:OWASP_Reverse_Engineering_and_Code_Modification_Prevention_Project&action=edit&redlink=1" class="new" title="Category:OWASP Reverse Engineering and Code Modification Prevention Project (page does not exist)">Category:OWASP Reverse Engineering and Code Modification Prevention Project</a> <a href="/index.php/Category:Principle" title="Category:Principle">Category:Principle</a> __NOTOC__ <br> = Context = Mobile app developers ..."</p>
<p><b>New page</b></p><div>{{Template:Principle}}<br />
[[Category:OWASP Reverse Engineering and Code Modification Prevention Project]]<br />
[[Category:Principle]]<br />
__NOTOC__<br />
<br><br />
= Context =<br />
Mobile app developers must take into account a whole host of new risks that relate to hosting code in an uncontrolled environment. If you are hosting code in an untrustworthy environment, you are susceptible to the risk that an adversary will reverse engineer and modify your code via binary attacks <sup>&#91;[[#ReferenceItem1|1]]&#93;</sup> <sup>&#91;[[#ReferenceItem2|2]]&#93;</sup> <sup>&#91;[[#ReferenceItem3|3]]&#93;</sup> <sup>&#91;[[#ReferenceItem4|4]]&#93;</sup>.<br />
<br />
[[File:MainProjectIcon.png|30px|link=https://www.owasp.org/index.php/OWASP_Reverse_Engineering_and_Code_Modification_Prevention_Project]] This content is part of a much bigger set of principles defined within the [https://www.owasp.org/index.php/Architectural_Principles_That_Prevent_Code_Modification_or_Reverse_Engineering Architectural Principles That Prevent Code Modification or Reverse Engineering] project.<br />
<br />
= Description =<br />
When invoking a particular integrity control at runtime, it is critical to assign a probability of execution to each control invocation. By assigning probabilities of execution to a particular control instance, you are creating integrity defenses that are unpredictable to the adversary. Furthermore, you avoid the "break-once-run-anywhere" scenario outlined below.<br />
<br />
= Examples =<br />
For example, an organization implements Checksum control "A" that is verifying the code integrity of another Checksum control "B". Checksum control "B" is verifying the integrity of a particularly sensitive method within the app. In order to modify this method, the attacker must modify the method, Checksum control "B", and Checksum control "A" in order to allow for a successful crack. If you reduce the probability of execution of "A", "A" may not always check the integrity of "B". In implementing this behavior, the adversary may think they have successfully cracked the mobile app by modifying the protected method along with Checksum control "B". Due to the reduced probability-of-execution feature, the attacker has overlooked that "B" will occasionally check "A". The adversary has created a crack that is unreliable and will not work across all instances of the mobile app in the wild.<br />
<br />
= External References =<br />
<span id="ReferenceItem1">[1] Arxan Research: [https://www.arxan.com/assets/1/7/State_of_Security_in_the_App_Economy_Report_Vol._2.pdf State of Security in the App Economy, Volume 2], November 2013:<br />
:''“Adversaries have hacked 78 percent of the top 100 paid Android and iOS apps in 2013.”''</span><br />
<span id="ReferenceItem2">[2] HP Research: [http://www8.hp.com/us/en/hp-news/press-release.html?id=1528865#.UuwZFPZvDi5 HP Research Reveals Nine out of 10 Mobile Applications Vulnerable to Attack], 18 November 2013:<br />
:''"86 percent of applications tested lacked binary hardening, leaving applications vulnerable to information disclosure, buffer overflows and poor performance. To ensure security throughout the life cycle of the application, it is essential to build in the best security practices from conception."''</span><br />
<span id="ReferenceItem3">[3] North Carolina State University: [http://www.csc.ncsu.edu/faculty/jiang/pubs/OAKLAND12.pdf Dissecting Android Malware: Characterization and Evolution], 7 September 2011:<br />
:''“Our results show that 86.0% of them (Android Malware) repackage legitimate apps to include malicious payloads; 36.7% contain platform-level exploits to escalate privilege; 93.0% exhibit the bot-like capability.”''</span><br />
<span id="ReferenceItem4">[4] InfoSecurity Magazine: [http://www.infosecurity-magazine.com/view/36376/two-thirds-of-personal-banking-apps-found-full-of-vulnerabilities/ Two Thirds of Personal Banking Apps Found Full of Vulnerabilities], January 3 2014:<br />
:''“But one of his more worrying findings came from disassembling the apps themselves ... what he found was hardcoded development credentials within the code. An attacker could gain access to the development infrastructure of the bank and infest the application with malware causing a massive infection for all of the application’s users.”''</span></div>Jonathan Carter