Insecure App Binary

This vulnerability occurs when a compiled app ships with insufficient binary protections. An adversary can then recover secrets embedded in the binary, such as commercial API keys, hardcoded cryptographic keys and sensitive configuration, and misuse them, or gain access to proprietary code, critical business logic, or pre-trained AI models bundled with the app.

Remediation

  • Use code obfuscation techniques to make it harder for attackers to reverse-engineer the application and extract secrets or business logic.
  • Store sensitive data, such as API keys or cryptographic secrets, securely on the server side instead of hardcoding them into the app.
  • Implement runtime checks for app integrity, such as verifying cryptographic signatures, to detect and prevent tampering.
  • Use anti-debugging and anti-tampering techniques to make it difficult for attackers to analyse or modify the binary.
  • Sign app binaries with a strong digital signature and enforce signature validation during app installation and updates.
  • Encrypt sensitive assets within the app, such as pre-trained models, to prevent their extraction or misuse.
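The second remediation point rests on a simple fact: anything stored as a plain string in the binary is recoverable with a strings dump. The following pre-release check, an added example and not SecDim's or the labs' code, runs that same dump over a build artifact (an extracted classes.dex or native .so) and flags strings that look like hardcoded credentials, by a fixed vendor format (the AWS access key ID shape is the one included) and by an entropy heuristic; the threshold of 4.0 bits per character and the sample bytes are constructed for the example.

```python
import math
import re
from typing import Dict, List

# Printable ASCII runs of 8+ bytes: the view `strings` gives of a compiled app.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{8,}")
# Format-based detector (fixed-shape vendor keys); extend with your own vendors.
KNOWN_FORMATS = {"aws_access_key_id": re.compile(r"AKIA[0-9A-Z]{16}")}
# Entropy-based detector: long tokens built from key-like characters.
TOKEN = re.compile(r"[A-Za-z0-9+/=_\-]{24,}")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random tokens score high, words low."""
    if not s:
        return 0.0
    return -sum((n / len(s)) * math.log2(n / len(s))
                for n in (s.count(c) for c in set(s)))


def scan_binary(data: bytes, entropy_threshold: float = 4.0) -> List[Dict[str, object]]:
    """Flag strings in a compiled artifact that look like hardcoded secrets."""
    findings: List[Dict[str, object]] = []
    for run in PRINTABLE_RUN.finditer(data):
        text = run.group().decode("ascii")
        for kind, pattern in KNOWN_FORMATS.items():
            for m in pattern.finditer(text):
                findings.append({"kind": kind, "value": m.group(),
                                 "offset": run.start() + m.start()})
        for m in TOKEN.finditer(text):
            if shannon_entropy(m.group()) >= entropy_threshold:
                findings.append({"kind": "high_entropy_token", "value": m.group(),
                                 "offset": run.start() + m.start()})
    return findings


# Constructed stand-in for an extracted classes.dex or native .so: filler bytes
# around a fake AWS-format key, a random-looking token and harmless strings.
SAMPLE_BINARY = (
    b"\x00\x01\x7f\xff" * 4
    + b"com.example.app.BuildConfig\x00"
    + b"AKIAEXAMPLEKEY0000ID\x00"          # fake key, recognisable format
    + b"\xde\xad\xbe\xef" * 3
    + b"QmZ8xK3pV7tR2yL9wN4sH6jD\x00"      # constructed high-entropy token
    + b"aaaaaaaaaaaaaaaaaaaaaaaaaaaa\x00"  # long but predictable: not flagged
    + b"Welcome to the app!\x00"
)

if __name__ == "__main__":
    for f in scan_binary(SAMPLE_BINARY):
        print(f"{f['kind']:>20} @0x{f['offset']:04x}: {f['value']}")
```

Run it in CI against the unpacked release APK; a non-empty result means a secret that should have lived on the server side, or behind the encrypted asset store of the last remediation point, is sitting in the binary.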

Metadata

  • Severity: low
  • Slug: insecure-app-binary

OWASP

  • M7:2024: Insufficient Binary Protection

Available Labs

Open Kotlin labs in SecDim Play for this vulnerability.
