Why Android Apps Aren’t Safe from Hacking (Part 3: Advertising Exploits)
by Jeffrey Yu
Our November research report on Google Play indicates that most Android apps on the store’s top 200 list are vulnerable to decompiling. We’ve explained why this makes it much easier for hackers to remove license verification or unlock premium features without paying. This week, let’s look at how decompiling enables hackers to exploit an app’s advertising components.
This kind of exploit is relatively common, and has been successfully used against apps from some of the tech world’s most prominent companies. Pandora, a leading music streaming service, primarily depends on revenue from advertising spots that are integrated into a user’s playlist. However, a simple Google search reveals that hackers have figured out how to remove the advertising stream from Pandora’s app, and then uploaded these ad-free versions of Pandora online for anyone to freely download:

These hacks represent enormous losses of potential revenue for Pandora and its advertising partners — not to mention the thousands of musicians with whom Pandora shares revenue for the right to stream their music. And Pandora is just one of the many popular advertising-dependent apps to fall victim to hackers in this way.
How It Happens
A target app is downloaded for free, decompiled, and then modified to remove or alter the few lines of code, or the SDK calls, that request and display ads (typically from an ad network or other ad vendor). The modified app is then repackaged and distributed on websites or other app stores, where millions of other users can download the ad-free version.
In a similar way, hackers can also target ad networks that provide a rewards platform designed to increase user engagement and generate additional revenue. (Typically, a user is awarded virtual currency or other premium content after performing an action on behalf of the advertiser, for instance after viewing an ad.) Decompilable apps with this feature are easy targets: a hacker can download the official app, decompile it to analyze the source code, identify the snippet that invokes the reward, and then modify the app to receive the reward repeatedly without performing any action for the advertiser. Often the same reward code is invoked over and over again, yielding a mountain of rewards. Some reward networks allow users to redeem their virtual currency for physical goods from online stores like Amazon, so this technique lets hackers steal real products.
Preventing Advertising-Based Exploits
To maximize security against all the exploits described above, an app needs good defensive measures, including binary protection, which prevents decompiling in the first place. Standard source code obfuscation tools, such as ProGuard, do not prevent an app from being decompiled and thus offer less defense than binary-level protection. We recommend that developers consider our AppSolid solution, which automatically protects an app’s binary code and provides real-time monitoring and remediation features.
Preventing Reward-Based Exploits
There are two methods developers can use to help prevent exploits directed at rewards platforms:
- Implement a server-side check at the reward network: We recommend that reward networks add a server-side check before fulfillment to limit the number of rewards any unique user can receive. That way, even if hackers compromise the app, they still can’t steal an unlimited amount of reward items. Keep in mind, however, that hackers can upload a compromised app online, enabling hundreds or even thousands of users to also collect free rewards. So a server-side check within the reward network that limits rewards per user won’t necessarily prevent massive losses.
- Implement a check between the reward network’s server and the app server: A stronger defense prevents a user from claiming a reward until the app’s client checks with the app’s server, which in turn checks with the reward platform’s server. Similar to server-side purchase receipt verification, this lets the reward platform limit reward claims even when many copies of a compromised app exist.
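The two methods above, as an added Python illustration (this is example code written for this article, not AppSolid’s code or any reward network’s API): a simulated reward-platform server records each ad completion server-side and issues a signed, single-use receipt; the app server credits a reward only after the platform confirms the receipt over a server-to-server call, the receipt has not been redeemed before, it is fresh, and the user is under a per-day cap. The class names, field names, user and ad identifiers, timestamps and the shared secret are all constructed for the example.

```python
import hashlib
import hmac
import json
import secrets

# Constructed shared secret between the app server and the reward platform
# (placeholder for the example; a real deployment provisions it out of band).
SHARED_SECRET = b"example-shared-secret-not-for-production"


def _canonical(receipt: dict) -> bytes:
    """Serialise a receipt deterministically so both servers sign identical bytes."""
    return json.dumps(receipt, sort_keys=True, separators=(",", ":")).encode()


class RewardPlatform:
    """Simulated reward-network server. Completions are recorded here by the ad
    network's back end, never by the client; each yields a signed single-use receipt."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._completions = {}  # receipt id -> receipt as issued

    def record_completion(self, user_id: str, ad_id: str, now: float) -> dict:
        receipt = {"rid": secrets.token_hex(8), "uid": user_id, "ad": ad_id, "ts": int(now)}
        self._completions[receipt["rid"]] = receipt
        sig = hmac.new(self._secret, _canonical(receipt), hashlib.sha256).hexdigest()
        return {"receipt": receipt, "sig": sig}

    def confirm(self, receipt: dict, sig: str) -> bool:
        """Server-to-server call from the app server: did we really issue this receipt?"""
        expected = hmac.new(self._secret, _canonical(receipt), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return False
        return self._completions.get(receipt.get("rid")) == receipt


class AppServer:
    """The developer's server: credits a reward only after the platform confirms the
    receipt, it belongs to the claimant, it is fresh, unused, and under the daily cap."""

    def __init__(self, platform: RewardPlatform, daily_cap: int, max_age_s: int):
        self._platform = platform
        self._daily_cap = daily_cap
        self._max_age_s = max_age_s
        self._redeemed = set()  # receipt ids already credited
        self._claims = {}       # (uid, day) -> rewards credited that day

    def claim(self, user_id: str, receipt: dict, sig: str, now: float) -> tuple:
        if not self._platform.confirm(receipt, sig):
            return False, "bad_receipt"    # forged, or a genuine receipt edited by the client
        if receipt["uid"] != user_id:
            return False, "uid_mismatch"   # another user's genuine receipt
        if now - receipt["ts"] > self._max_age_s:
            return False, "expired"
        if receipt["rid"] in self._redeemed:
            return False, "replay"         # the reward code invoked again on the same completion
        day = int(now // 86400)
        used = self._claims.get((user_id, day), 0)
        if used >= self._daily_cap:
            return False, "cap_reached"    # per-user limit from the first method above
        self._redeemed.add(receipt["rid"])
        self._claims[(user_id, day)] = used + 1
        return True, "ok"


def demo() -> list:
    """Exercise the checks against the abuse patterns described in the post.
    Every identifier and timestamp below is constructed sample data."""
    platform = RewardPlatform(SHARED_SECRET)
    app = AppServer(platform, daily_cap=3, max_age_s=600)
    now = 1_700_000_000.0
    out = []
    # Legitimate flow: completion recorded server-side, client merely forwards the receipt.
    good = platform.record_completion("user-1", "ad-42", now)
    out.append(app.claim("user-1", good["receipt"], good["sig"], now)[1])
    # The same receipt submitted a second time.
    out.append(app.claim("user-1", good["receipt"], good["sig"], now + 1)[1])
    # A receipt for a completion the platform never recorded.
    fake = {"rid": "0000000000000000", "uid": "user-1", "ad": "ad-42", "ts": int(now)}
    out.append(app.claim("user-1", fake, "00" * 32, now)[1])
    # A genuine receipt for another user with the uid field edited.
    other = platform.record_completion("user-2", "ad-42", now)
    out.append(app.claim("user-1", dict(other["receipt"], uid="user-1"), other["sig"], now)[1])
    # Another user's genuine receipt presented unmodified.
    out.append(app.claim("user-1", other["receipt"], other["sig"], now)[1])
    # Per-user cap: the fourth genuine reward in one day is refused.
    for _ in range(3):
        r = platform.record_completion("user-3", "ad-7", now)
        app.claim("user-3", r["receipt"], r["sig"], now)
    r = platform.record_completion("user-3", "ad-7", now)
    out.append(app.claim("user-3", r["receipt"], r["sig"], now)[1])
    # A genuine receipt presented long after it was issued.
    stale = platform.record_completion("user-4", "ad-9", now)
    out.append(app.claim("user-4", stale["receipt"], stale["sig"], now + 601)[1])
    return out


if __name__ == "__main__":
    print(demo())
```

The design point is that nothing the client sends is trusted on its own: the completion record lives on the platform, the receipt is bound to one user and one completion, and the app server consults the platform before crediting. A modified app can still forward its own genuine receipts, which is exactly why the per-user cap remains necessary when many copies of a compromised app are in circulation, as the first method above notes.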