AppScan Reference Implementation

Upload: godwin-e-joel

Post on 24-Feb-2018

TRANSCRIPT

  • 7/24/2019 AppScan Reference Implementation

    1/26

    IBM AppScan

    Reference Implementation Guide

  • 2/26

    Arxan Confidential

    Introduction

    Component Integration

    Brief overview of components to integrate

    Benefits of each component

    Technical integration steps

    How to perform integration

    Rules

    Summary

  • 3/26

    Component Introduction

  • 4/26

    Arxan and AppScan Integration Overview

    Developers follow a standard lifecycle (Design, Develop, Compile, Test) using IBM tools (Worklight, Rational) or third-party tools.

    IBM AppScan assists developers to identify vulnerabilities in apps and facilitates organizations' ability to enforce security quality.

    Arxan enables developers or security engineers to embed self-defense and tamper-resistance to protect application integrity against attacks.

    Extend security posture across the mobile application lifecycle, from analysis to remediation and run-time protection.

    Shield apps across the full scope of risks, from [illegible] to advanced [illegible] exploits.

    [Heading illegible in transcript]

    Programming flaw [illegible] instrumentation of Arxan protection, based on AppScan [remainder illegible]

  • 5/26

    Integration Components

    Solution Component | Benefit

    1. Technical Guide | How to integrate IBM AppScan and Arxan into the SDLC to use them in conjunction. Control the full scope of risks and build in security from testing to run-time protection.

    2. Augmented IBM AppScan rules | Custom scan configuration for AppScan to [illegible] app integrity risks. Inform required protections against app integrity attacks that can compromise even (flawless) [illegible].

    3. Usage of Arxan protection tools | Informs creation of Arxan Guar[d] (text cut off in transcript)

  • 6/26

    Integration and Scan Steps

  • 7/26

    Rule Integration

    1. Acquire Arxan IBM AppScan rules via a number of different channels:

       IBM Partner World

       IBM developerWorks

       Arxan Account Manager

       Rules are contained within an XML file, pbsa.vdb, that an AppScan administrator imports into AppScan's underlying SolidDB database on the AppScan Enterprise server.

    2. Import the pbsa.vdb rule database into SolidDB:

       dbmanager --import-only -Dtransfer-staging-dir=C:\temp\ounce

       In this example, the VDB file is extracted to C:\temp\ounce\VDB\pbsa.vdb, so C:\temp\ounce is the staging directory passed to dbmanager.

  • 8/26

    Scan an Objective-C App

    1. Start AppScan Source for Analysis.

    2. Add the selected app to scan via the menu items: File > Add Application

    3. Add the additional scan rule set iOS-Integrity:

       1. Enter the configuration phase of the opened application;

       2. Select the properties tab within this phase;

       3. Within these properties, select the scan rules and sets subtab;

       4. Click on the + icon within the available rule sets;

       5. Select the iOS Integrity rule set found within the available rule sets presented and click OK.

    4. Request a scan via the menu items: Scan > Scan Selection

  • 9/26

    Rule Integration Verification

    Users can verify that rules have been successfully imported into the database by examining the available rule sets:

  • 10/26

    Rules: Available Rules and Examples

  • 11/26

    Rule Development Strategy

    Rules address operational risks highlighted in Arxan's Threats to Mobile Apps in the Wild paper, released in November 2013:

    "Technical Risk"

    "Confi" (remainder cut off in transcript)

  • 12/26

    Risk Coverage

    AppScan rules cover a number of different risks highlighted in Arxan's whitepaper, Threats to Mobile Apps in the Wild:

    Technical Risk                    Expression Count
    Repackaging                       2
    Swizzle With Behavioral Change    7
    Security Control Bypass           2
    Automated Jailbreak Breaking      3
    Exposed Method Signatures         4
    Exposed Data Symbols              3
    Exposed String Tables             1
    Cryptographic Key Interception    1
    Presentation Layer Modification   (count illegible in transcript)

  • 13/26

    Integrity Risk: Swizzle and Code Change

    // Transaction-request delegate
    - (IBAction)performTransaction:(id)sender
    {
        // Client-side yes/no gate in front of the sensitive operation
        if ([self loginUserWithUsername:username
                       incomingPassword:password] != true)
        {
            UIAlertView *alert = [[UIAlertView alloc] initWithTitle:@"Invalid User"
                                                            message:@"Authentication Failure"
                                                           delegate:self
                                                  cancelButtonTitle:@"OK"
                                                  otherButtonTitles:nil];
            [alert show];
            return;
        }
        // Perform sensitive operation here
    }

    Rules highlight this method as likely to be swizzled and modified by an attacker.

  • 14/26

    Integrity Risk: Security Control Bypass

    NOTE: Methods that appear to return a simple yes/no response and appear to be doing something sensitive are excellent candidates for simple code modification.

    Rules flag any code that calls this method. This method is particularly attractive for code-bypass modification.
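The two rules described on slides 13 and 14 (flag the yes/no method itself, then flag every caller that branches on it) can be illustrated with a small static check. The following Python is an added example, not part of the Arxan/IBM rule set or the deck; the Objective-C it scans is a constructed sample, and the list of "sensitive" name fragments is a hypothetical choice for the example.

```python
import re

# Constructed Objective-C sample (not from the slides): a BOOL-returning
# authentication check, a caller that gates a sensitive action on it, and
# an unrelated accessor that the rule should leave alone.
SAMPLE_SOURCE = """
- (BOOL)loginUserWithUsername:(NSString *)username incomingPassword:(NSString *)password
{
    return [self.authService check:username password:password];
}

- (IBAction)performTransaction:(id)sender
{
    if ([self loginUserWithUsername:username incomingPassword:password] != true) {
        return;
    }
    [self transferFunds];
}

- (NSString *)displayName
{
    return self.name;
}
"""

# Hypothetical list of selector-name fragments that suggest a security decision.
SENSITIVE_WORDS = ("login", "auth", "verif", "jailbr", "licen", "entitle", "debug", "tamper")

# Objective-C method declaration: "- (ReturnType)selectorHead..." at line start.
METHOD_RE = re.compile(r"^[ \t]*[-+][ \t]*\((?P<ret>[^)]+)\)[ \t]*(?P<name>\w+)", re.MULTILINE)


def line_of(source, offset):
    """1-based line number of a character offset into source."""
    return source.count("\n", 0, offset) + 1


def find_bypass_candidates(source):
    """Methods that answer a sensitive question with a bare yes/no.

    These are the swizzle / security-control-bypass candidates: patching a
    single return value flips the outcome. Returns [(line, selector), ...].
    """
    hits = []
    for m in METHOD_RE.finditer(source):
        ret = m.group("ret").replace(" ", "").lower()
        name = m.group("name")
        if ret in ("bool", "boolean") and any(w in name.lower() for w in SENSITIVE_WORDS):
            hits.append((line_of(source, m.start()), name))
    return hits


def find_gated_callers(source, candidates):
    """Call sites whose control flow branches on a candidate's answer.

    Returns [(line, selector), ...] for if/while/return statements that send
    the candidate selector; these are the places a bypass would land.
    """
    names = sorted({name for _, name in candidates})
    hits = []
    for lineno, text in enumerate(source.splitlines(), 1):
        if not text.lstrip().startswith(("if", "while", "return")):
            continue
        for name in names:
            if re.search(r"\[\s*[\w.]+\s+" + re.escape(name) + r"\b", text):
                hits.append((lineno, name))
    return hits


if __name__ == "__main__":
    cands = find_bypass_candidates(SAMPLE_SOURCE)
    for line, name in cands:
        print(f"line {line}: BOOL check '{name}' is a swizzle/bypass candidate")
    for line, name in find_gated_callers(SAMPLE_SOURCE, cands):
        print(f"line {line}: control flow gated on '{name}'")
```

The mitigation the deck points to is a Guard on the flagged method; independently of that, the finding on line 9 is only dangerous because the sensitive operation runs purely on the strength of a client-side boolean, so the server-side authorization of `transferFunds` is what ultimately limits the damage of a swizzled `loginUserWithUsername:`.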

  • 15/26

    Cryptographic Key Theft

    Rules flag any hardcoded keys that could be easily found by an attacker through static or dynamic analysis.

  • 16/26

    Exposed String Tables

    Rules flag any hardcoded strings that are sensitive in nature.

    Example strings include: hardcoded passwords; connectivity strings; SQL statements; shell commands.
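Slides 15 and 16 describe rules that flag hardcoded key material and the four kinds of sensitive string listed above. The following Python is an added example of how such rules can be expressed as checks over string literals; it is not the deck's or Arxan's rule logic, the Objective-C it scans is a constructed sample, and the entropy and length thresholds are assumptions chosen for the example.

```python
import math
import re

# Constructed Objective-C sample (not from the slides) with one literal of
# each kind the slide lists, plus a harmless UI string that must not be flagged.
SAMPLE_SOURCE = r'''
static NSString *const kAPIKey = @"A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6";
NSString *dsn = @"Server=db.example.internal;Database=wallet;Uid=app;Pwd=hunter2;";
NSString *query = [NSString stringWithFormat:@"SELECT * FROM accounts WHERE id = %@", accountId];
system("/bin/sh -c 'ls /var/tmp'");
NSString *title = @"Welcome back";
NSString *password = @"Tr0ub4dor&3";
'''

# A C or Objective-C string literal, escaped quotes allowed inside.
STRING_RE = re.compile(r'@?"((?:[^"\\]|\\.)*)"')


def shannon_entropy(text):
    """Bits per character; random-looking key material scores high."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((text.count(c) / n) * math.log2(text.count(c) / n) for c in set(text))


def looks_like_key(literal):
    """Long, single-token, high-entropy literal: hex/base64-style key material.
    The 16-character and 3.5-bit thresholds are assumptions for this example."""
    return (len(literal) >= 16
            and re.fullmatch(r"[A-Za-z0-9+/=_-]+", literal) is not None
            and shannon_entropy(literal) > 3.5)


# Ordered rules; the first one that matches a literal wins. Each rule sees the
# literal and the code that precedes it on the same line.
RULES = [
    ("hardcoded-key", lambda lit, before: looks_like_key(lit)),
    ("connection-string", lambda lit, before:
        re.search(r"(?i)\b(server|data source|host)=.*\b(pwd|password)=", lit)),
    ("sql-statement", lambda lit, before:
        re.match(r"(?i)\s*(select|insert|update|delete|drop)\b", lit)),
    ("shell-command", lambda lit, before:
        re.match(r"\s*(/bin/|/usr/bin/|sh\b|bash\b)", lit)
        or before.rstrip().endswith(("system(", "popen("))),
    ("hardcoded-password", lambda lit, before:
        re.search(r"(?i)(password|passwd|pwd|secret)\w*\s*=\s*$", before.rstrip().rstrip("@"))),
]


def scan_sensitive_strings(source):
    """Apply RULES to every string literal; returns [(line, rule, literal), ...]."""
    findings = []
    for lineno, text in enumerate(source.splitlines(), 1):
        for m in STRING_RE.finditer(text):
            literal, before = m.group(1), text[:m.start()]
            for rule, test in RULES:
                if test(literal, before):
                    findings.append((lineno, rule, literal))
                    break
    return findings


if __name__ == "__main__":
    for line, rule, literal in scan_sensitive_strings(SAMPLE_SOURCE):
        print(f"line {line}: {rule}: {literal[:40]!r}")
```

Entropy alone produces noise (a long base64 image would score high), which is why the rule also requires a single token of key-like characters; the password rule, by contrast, keys off the variable name because short human-chosen passwords have low entropy.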

  • 17/26

    Presentation Layer Modification

    Rules flag any dependencies upon external HTML/JS/CSS files that may be loaded and displayed. Code should validate these files before use.
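One concrete form of "validate these files before use" is to pin a digest of every bundled web asset at build time and refuse to load anything that does not match at run time. The following Python is an added example of that gate, not the deck's or Arxan's code; the asset bundle is constructed in memory and the paths are hypothetical.

```python
import hashlib
import hmac

# Constructed in-memory bundle of web assets (stands in for files shipped
# with the app); the paths are hypothetical.
ASSETS = {
    "web/index.html": b"<html><body><script src='app.js'></script></body></html>",
    "web/app.js": b"document.body.dataset.ready = '1';",
    "web/style.css": b"body { font-family: sans-serif; }",
}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_manifest(assets):
    """Build-time step: pin the digest of every asset the app may load.
    In a real pipeline the manifest would itself be signed or compiled in,
    so that replacing it alongside the assets is not enough."""
    return {path: sha256_hex(data) for path, data in assets.items()}


def load_verified_asset(manifest, path, data):
    """Run-time gate: return the asset bytes only if they match the pinned digest.

    Unknown paths are refused outright (no fallback to "load anyway"); a
    mismatch means the file changed after build and must not be rendered.
    """
    expected = manifest.get(path)
    if expected is None:
        raise PermissionError(f"{path}: not in manifest, refusing to load")
    if not hmac.compare_digest(sha256_hex(data), expected):
        raise ValueError(f"{path}: digest mismatch, possible tampering")
    return data


def check_tampering(manifest, assets):
    """Report which assets pass verification; returns {path: True/False}."""
    results = {}
    for path, data in assets.items():
        try:
            load_verified_asset(manifest, path, data)
            results[path] = True
        except (PermissionError, ValueError):
            results[path] = False
    return results


if __name__ == "__main__":
    manifest = build_manifest(ASSETS)
    tampered = dict(ASSETS)
    tampered["web/app.js"] = ASSETS["web/app.js"] + b" // modified after build"
    for path, ok in check_tampering(manifest, tampered).items():
        print(f"{path}: {'ok' if ok else 'REJECTED'}")
```

The check covers files the app ships; content fetched from a server at run time needs TLS with certificate pinning or a signed payload instead, since there is nothing to pin at build time.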

  • 18/26

    Repackaging

    Rules highlight common entry points where jailbreak detection should occur.

  • 19/26

    Exposed Data Symbols

    Rules highlight interface properties that will be particularly attractive for modification or further probing.

  • 20/26

    Exposed Methods

    Rules highlight interface methods that will be particularly attractive for modification or further probing.

  • 21/26

    Automated Jailbreak Disabling

    Rules highlight weak jailbreak detection algorithms. In this case, the code should be relying upon system calls instead of a third-party library. It's also not checking for enough things.
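The two weaknesses named on this slide (delegating the whole decision to a third-party library, and checking too few things) can be scored mechanically. The following Python is an added example of such a rule, not the deck's or Arxan's logic: both Objective-C methods it inspects are constructed samples, "JBDetector" is a made-up library name, the indicator categories are the example's own, and the minimum of three independent indicators is an assumed threshold.

```python
import re

# Constructed Objective-C samples (not from the slides). The first check
# delegates entirely to a third-party library ("JBDetector" is made up);
# the second performs several independent system-level checks itself.
WEAK_CHECK = """
- (BOOL)isDeviceJailbroken
{
    return [JBDetector isJailbroken];
}
"""

STRONGER_CHECK = """
- (BOOL)isDeviceJailbroken
{
    NSFileManager *fm = [NSFileManager defaultManager];
    if ([fm fileExistsAtPath:@"/Applications/Cydia.app"]) return YES;
    if ([fm fileExistsAtPath:@"/bin/bash"]) return YES;
    NSError *err = nil;
    [@"probe" writeToFile:@"/private/jb.txt" atomically:YES encoding:NSUTF8StringEncoding error:&err];
    if (err == nil) return YES;                 /* sandbox should have refused the write */
    pid_t pid = fork();
    if (pid == 0) { _exit(0); }                 /* child: just exit */
    if (pid > 0) { return YES; }                /* fork succeeded: not sandboxed */
    return NO;
}
"""

# Example's own categories of evidence a self-contained check can gather;
# a category counts once no matter how many matching lines there are.
INDICATORS = {
    "suspicious-path": re.compile(r'fileExistsAtPath:@"/(Applications/Cydia\.app|bin/bash|usr/sbin/sshd|etc/apt)'),
    "sandbox-write": re.compile(r'writeToFile:@"/private/'),
    "fork": re.compile(r"\bfork\s*\("),
    "url-scheme": re.compile(r"canOpenURL:.*cydia://"),
    "dyld-image": re.compile(r"_dyld_image_count|_dyld_get_image_name"),
}
MIN_INDICATORS = 3  # assumed threshold for this example

# "- (BOOL)name ... { body }" with the closing brace at the start of a line.
METHOD_RE = re.compile(
    r"^[ \t]*[-+][ \t]*\(BOOL\)[ \t]*(?P<name>\w+)[^{]*\{(?P<body>.*?)^\}",
    re.MULTILINE | re.DOTALL,
)


def assess_jailbreak_checks(source):
    """Score every BOOL method whose selector mentions 'jail'.

    Returns a list of dicts: selector, the indicator categories found,
    whether the body merely delegates to another class, and the verdict.
    """
    results = []
    for m in METHOD_RE.finditer(source):
        name, body = m.group("name"), m.group("body")
        if "jail" not in name.lower():
            continue
        found = sorted(cat for cat, rx in INDICATORS.items() if rx.search(body))
        # Delegation: no system-level evidence of its own and the answer is a
        # single message send to some other class.
        delegates = not found and re.search(r"return\s+\[[A-Z]\w*\s+\w+\]", body) is not None
        results.append({
            "selector": name,
            "indicators": found,
            "delegates": delegates,
            "weak": delegates or len(found) < MIN_INDICATORS,
        })
    return results


if __name__ == "__main__":
    for label, src in (("weak", WEAK_CHECK), ("stronger", STRONGER_CHECK)):
        for r in assess_jailbreak_checks(src):
            print(f"{label}: {r['selector']}: indicators={r['indicators']} "
                  f"delegates={r['delegates']} weak={r['weak']}")
```

A delegated check is weak for the reason slide 14 gives: one library entry point returning a yes/no is a single patch target, whereas several independent checks spread through the app have to be found and disabled one by one.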

  • 22/26

    Debugger Check

    Rules highlight common entry points where the app should check for the unauthorized presence of a debugger.

  • 23/26

    Risk Mitigation Strategy

    New rules highlight integrity/reverse-engineering risks that Arxan products specialize in.

    Recommended risk mitigation strategies for each different type of risk involve defining a corresponding Arxan Guard for that particular risk.

    Guards are expressed in Arxan products through an Arxan Guard Spec.

  • 24/26

    Risk Mitigation Strategy

    Each risk raised by a rule is mitigated by specifying a Level 1 Arxan Guard within a Guard Specification. Below is an example of a Guard Spec:

  • 25/26

    Risk Mitigation Strategy

    Below is an example of a multi-layer Arxan Guard network:

  • 26/26

    Conclusions

    Rules are available via many different channels:

    IBM Partner World

    IBM developerWorks

    Arxan Account Manager

    Risks are described in more detail in Arxan's whitepaper titled Threats to Mobile Apps In the Wild, released in November 2013.

    Arxan mitigates all of the risks raised by these new rules. Guards work together to defend, detect, react, and alert to reverse-engineering or integrity violation events.