The security community is abuzz about the risks of reverse engineering code. The overall belief is that it’s a bad thing that can lead to cloning, repackaging, IP theft, and as a springboard for other types of attacks against organizations. Most professionals believe there really isn’t much that can be done about preventing an attacker from reverse engineering their code. There are many excellent tools on the market that make the task easy and affordable to the adversary. Static analysis tools like IDA Pro and Hopper are free and cover code written in a large number of different languages beyond Java and Objective C. Dynamic analysis tools like GDB are also free and assist in understanding how code works and help discover hardcoded secrets within mobile and Internet of Things (IoT) code.
Being that as it may, there ARE things that can be done to make reverse engineer a lot more difficult to execute. You can significantly raise the bar for hackers without a lot of effort. Most Software Engineers / Security Professionals don’t have the technical background to understand or apply basic obfuscation techniques that make reverse engineering much more difficult for hackers.
I suspect that “solution bias” is driving technical communities to avoid addressing the risks of reverse engineering as it relates to the IoT devices and their mobile interfaces. Traditional security advice always recommends avoiding doing anything sensitive on a mobile device. This is wise advice and should be followed if possible. If you follow this advice, you have a lot less to worry about with respect to risks from reverse engineering.
Avoiding doing sensitive things via mobile devices is not possible when IoT devices are doing sensitive things and exposing that functionality (and associated information assets) via mobile interfaces. In this increasingly common business use-case, we are seeing IoT devices that allow users to see/do things via corresponding mobile interfaces: collect and process medical data, unlock doors, start cars, etc. Hence, the issue of reverse engineering and code tampering of IoT devices and their associated mobile app interfaces must be addressed one way or another. But let’s be realistic. IoT and mobile are happening because of the business case. Regardless of what people are afraid of, it’s coming and we’ll have to reckon with reverse code engineering now or it will bite us later.
Jonathan Carter is technical director at Arxan Technologies.