usnistgov / mobile-threat-catalogue

NIST/NCCoE Mobile Threat Catalogue
https://pages.nist.gov/mobile-threat-catalogue

New APP threat: Discovering the cryptographic keys in the code or device memory and lifting it for malicious purposes #51

Closed sdog-mitre closed 7 years ago

sdog-mitre commented 8 years ago

On behalf of Prashanth Thandavamurthy of Arxan Technologies, Inc.

New Threat

Threat Category: Application: Vulnerable Application

Threat: Discovering the cryptographic keys in the code or device memory and lifting them for malicious purposes.

Threat Origin: None

Exploit Example:

  1. Practical attacks against Obfuscated Ciphers
     https://www.blackhat.com/docs/eu-15/materials/eu-15-Sanfelix-Unboxing-The-White-Box-Practical-Attacks-Against-Obfuscated-Ciphers-wp.pdf
  2. HIDING KEYS IN SOFTWARE
     http://www.whiteboxcrypto.com/files/2012_misc.pdf

CVE Example: None

Possible Countermeasures:

  1. Follow secure coding guidelines
  2. Use cryptographic key protection solution such as Whitebox Cryptography to ensure:
     a. Cryptographic keys are not discovered at any time, and are not present in static form or in runtime memory
     b. Data is protected at rest, in transit and in-use
  3. Protect application binary from reverse-engineering and code tampering/modification attacks
  4. Leverage vulnerability/penetration testing and ensure that known risks – including those identified in the OWASP mobile top 10 list, in particular, are addressed

References: None
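Countermeasure 2a above asks that keys never be present in static form. One check a reviewer can run before release is a scan of the app's source for string constants that look like raw key material (hex of a standard key length, or long high-entropy base64). The following is an added example written for this issue, not code from the catalogue or from Arxan; the Java-like snippet it scans is constructed sample input, and the entropy threshold and key-length set are assumptions to tune per project.

```python
import math
import re
from typing import List, Optional, Tuple

# Constructed sample, standing in for a mobile app's source tree; it is not
# code from the issue or from the Mobile Threat Catalogue.
SAMPLE_SOURCE = """\
package com.example.app;

public class Crypto {
    // Threat pattern: key material present in static form inside the binary.
    private static final String AES_KEY = "3f7a9c1d2b8e4f60a1c3e5d7b9f02468ac13579bdf02468ace13579bdf02468a";
    private static final byte[] IV = "0123456789abcdef".getBytes();
    private static final String API_HOST = "api.example.invalid";
    private static final String LOG_TAG = "CryptoModule";
    private static final String HMAC_SECRET = "c2VjcmV0LWhtYWMta2V5LW1hdGVyaWFsLWRvLW5vdC1zaGlw";
}
"""

STRING_LITERAL = re.compile(r'"([^"\\]*)"')
HEX_TOKEN = re.compile(r'^[0-9a-fA-F]+$')
BASE64_TOKEN = re.compile(r'^[A-Za-z0-9+/]{32,}={0,2}$')
# Hex-string lengths that correspond to 128/192/256/512-bit keys (assumption).
KEY_HEX_LENGTHS = {32, 48, 64, 128}
# Bits per character above which a base64 constant is treated as key-like (assumption).
BASE64_ENTROPY_THRESHOLD = 4.0


def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def classify_literal(value: str) -> Optional[str]:
    """Return a finding kind for one string literal, or None if it looks benign."""
    # Hex is checked first: a 64-char hex string also matches the base64 pattern.
    if HEX_TOKEN.match(value) and len(value) in KEY_HEX_LENGTHS:
        return "hex-constant-of-key-length"
    if BASE64_TOKEN.match(value) and shannon_entropy(value) >= BASE64_ENTROPY_THRESHOLD:
        return "high-entropy-base64-constant"
    return None


def scan_source(text: str) -> List[Tuple[int, str, str]]:
    """Scan source text line by line and return (line_no, kind, literal) findings."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for literal in STRING_LITERAL.findall(line):
            kind = classify_literal(literal)
            if kind:
                findings.append((line_no, kind, literal))
    return findings


if __name__ == "__main__":
    for line_no, kind, value in scan_source(SAMPLE_SOURCE):
        print(f"line {line_no}: {kind}: {value[:16]}...")
```

On the constructed sample the scanner reports only the AES key constant and the HMAC secret; the IV, host name and log tag are left alone. A hit from a check like this is a review prompt, not proof of a vulnerability (test vectors and checksums also look like this), but any confirmed key should be moved out of the binary into platform key storage or a runtime provisioning step, which is the point of countermeasure 2.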

sdog-mitre commented 8 years ago

Existing threat APP-10: Poorly implemented cryptography in mobile apps (e.g., hardcoded cryptographic keys, use of insecure cryptographic algorithms) appears to cover this threat. Countermeasures in APP-10 will be enhanced to include references to specific external resources that contain guidance on the secure handling of cryptographic keys by mobile apps.