Software reverse engineering is the process of analyzing a software system to extract the design and implementation details. Reverse engineering provides the source code of an application, the insight view of the architecture and the third-party dependencies. From a security perspective, it is mostly used for finding vulnerabilities and attacking or cracking an application. The process is carried out either by obtaining the code in plaintext or reading it through the binaries or mnemonics. Nowadays, reverse engineering is widely used for mobile applications and is considered a security risk. The Open Web Application Security Project (OWASP), a leading security research forum, has included reverse engineering in its top 10 list of mobile application vulnerabilities. Mobile applications are used in many sectors, e.g., banking, education, health. In particular, the banking applications are critical in terms of security as they are used for financial transactions. A security breach of such applications can result in huge financial losses for the customers as well as the banks. There exist various tools for reverse engineering of mobile applications, however, they have deficiencies, e.g., complex configurations, lack of detailed analysis reports. In this research work, we perform an analysis of the available tools for reverse engineering of mobile applications. Our dataset consists of the mobile banking applications of the banks providing services in Pakistan. Our results indicate that none of the existing tools can carry out the complete reverse engineering process as a standalone tool. In addition, we observe significant differences in terms of the execution time and the number of files generated by each tool for the same file.
With the introduction of smartphones in today’s ever-evolving telecom industry, mobile applications have been revolutionizing our daily lives. As per the study conducted by Lee et al. [
The rise in the use of use of mobile applications have also resulted in increase in the number of vulnerabilities in these applications. The presence of such vulnerabilities in the code eventually leads to cyber-attacks on financial applications, resulting in financial losses to banks as well as their customers. The privacy and security of these critical banking applications is of great concern as their usage is increasing rapidly. Developers must consider security requirements while developing mobile applications. Android is one of the leading and most popular mobile operating system for users as well as for businesses. For this reason, most of the developers deploy their services on android platform.
As depicted in
The focus of this research work is the in-depth analysis of reverse engineering tools for mobile applications. Mobile applications are still evolving and have limited tools for reverse engineering. Many of such tools do not provide either in-depth knowledge or the target task is achieved by using multiple tools. Furthermore, mobile being an emerging, popular and focused platform is used by most sectors to extend their services especially financial; for instance, mobile banking, telemarketing, e-commerce, social media, entertainment, and tons of others as depicted in
Our main objective of this research work is the analysis of mobile application reverse engineering tools on a data set of mobile banking applications of Pakistan. Penetration testing for web applications has been the focus of researchers in this field. However, security testing of mobile applications is a relatively new area and there is a lack of a comprehensive analysis of the tools/techniques to guide the penetration testers. The study of reverse engineering of mobile applications for the purpose of finding security issues is important. There exist several tools for reverse engineering, however, they are not properly classified and neither evaluated by the researchers for their performance and efficiency.
Following are the main contributions of this research work: A systematic collection and classification of tools used for reverse engineering of mobile applications. A systematic data collection of mobile banking applications (APK files) of the banks in Pakistan. A comprehensive study of the mobile banking applications used in Pakistan. A comprehensive analysis of the performance of the existing reverse engineering tools.
In this research work, we focus on answering the following research questions:
Smartphones, being the most popular digital devices, have allowed application developers as well as various sectors to exploit the rapid growth of telecom/IT infrastructure to reach out to more clients effectively and sell their products in a hassle-free manner. Banking organizations are also utilizing this platform for better user experience as well as effective banking. Many banks have extended their services from internet banking towards mobile banking. In the same manner, users have shifted to mobile banking due to its ease of use.
As per the State Bank of Pakistan’s report [
As the usage of mobile banking applications is increasing, it is a security risk when these applications leak information about their structure, development environment, and associated information. Cybercriminals can use reverse engineering to obtain information from mobile banking applications. During reverse engineering, the coding process is reversed [
Our work is similar in the context of comparing tools, however, we target the performance instead of conversion types. In addition, our focus is to use reverse engineering tools on a large set of mobile banking applications for extracting security-related information. As a result of our work, it will help others in identifying the best tool(s) for achieving their objective using minimum, feasible and efficient tools according to their requirement. As a result, security analyst can view the security lacks in mobile banking applications, e.g., what critical information can be extracted using reverse engineering process etc.
The proposed methodology for reverse engineering of mobile banking applications is depicted in
In this phase, the dataset of tools as well as banking applications was finalized. A large dataset was initially gathered from number of sources to grasp a better understanding of the subject. Eventually, the dataset was narrowed down to a limited number of mobile applications and tools to acquire quality results in a time-constrained fashion.
The dataset was narrowed down to a limited number of mobile applications and tools to acquire quality results in a time-constrained fashion. A dataset consisting of 42 tools and software for reverse engineering mobile applications was collected. These tools were gathered from various sources based on the literature review. We also classified these tools based on their platform for further study as we aim to study reverse engineering tools for Android platform. To limit our testbed, we selected a sample of 10 tools from our dataset. The tools were selected based on the reviews and rate of false positives. It is pertinent to mention that a mix and match of those tools were selected that offered reverse engineering of Android as well as iOS platforms. The sample of 10 out of the 42 tools is shown in
Tool | Platform | Downloaded From |
---|---|---|
Android Studio | Android | |
Apk Tool | Android | |
dex2jar | Android | |
Clutch | iOS | |
Classdump | iOS | |
Jdgui | Android | |
IDA | Android | |
Hopper | All | |
Andro Guard | Android | |
Smali/Basksmali | Android |
In this stage, data regarding banking sector used in Pakistan was collected. Information regarding banks that are registered with the State Bank of Pakistan was collected, assessed, and evaluated as per the scope of this research work. The main source of this data collection was the State Bank of Pakistan. A total of 45 banks were listed in this phase.
We analyzed the collected data of banks for the classification and further investigated the banks providing the services of Internet banking or mobile banking in Pakistan. The sole source of this information was the State Bank of Pakistan. Details of the sample analysis performed on the fragment of the data are listed in
Bank | Country of Origin |
---|---|
Allied Bank Limited | Pakistan |
Askari Bank Limited | Pakistan |
Bank Alfalah Limited | Pakistan |
Bank Al-Habib Limited | Pakistan |
Bank Islami Pakistan Limited | Pakistan |
Burj Bank Limited | Pakistan |
Citi Bank NA | US |
Deutsche Bank AG | German |
Dubai Islamic Bank Limited | Pakistan |
Faysal Bank Limited | Pakistan |
First Women Bank Limited | Pakistan |
Habib Bank Limited | Pakistan |
Habib Metropolitan Bank Limited | Pakistan |
Industrial and Commercial Bank of China | China |
Industrial Development Bank of Pakistan | Pakistan |
JS Bank Limited | Pakistan |
MCB Limited | Pakistan |
MCB Islamic Bank Limited | Pakistan |
Meezan Bank Limited | Pakistan |
National Bank of Pakistan | Pakistan |
NIB Bank Limited | Pakistan |
SME Bank Limited | Pakistan |
Samba Bank Limited | Pakistan |
Sindh Bank Limited | Pakistan |
Soneri Bank Limited | Pakistan |
Standard Chartered Bank (Pakistan) Limited | British |
Summit Bank Limited | Pakistan |
The Bank of Khyber | Pakistan |
The Bank of Punjab | Pakistan |
The Bank of Tokyo-Mitsubishi Limited | Japan |
The Punjab Provincial Co-operative Bank Limited | Pakistan |
United Bank Limited | Pakistan |
Zarai Taraqiyati Bank Limited | Pakistan |
Advans Micro-Finance Bank Limited | Pakistan |
Apna Micro-Finance Bank Limited | Pakistan |
Finca Micro-Finance Bank Limited | Pakistan |
Khushali Bank Limited | Pakistan |
Mobilink Micro-Finance Bank Limited | Pakistan |
NRSP Micro-Finance Bank Limited | Pakistan |
Pak-Oman Micro-Finance Bank Limited | Pakistan |
Tameer Micro-Finance Bank Limited | Pakistan |
The First Micro-Finance Bank Limited | Pakistan |
U Micro-Finance Bank Limited | Pakistan |
Based on information collected regarding mobile banking, APK files of those banks were acquired. There exists a total of 23 registered banks in Pakistan which provide mobile banking services. We were able to collect the APK files of 18 banks as depicted in
Bank | Platform | Internet/Mobile Banking |
---|---|---|
Allied Bank Limited | Both | Yes |
Askari Bank Limited | Both | Yes |
Bank Alfalah Limited | Both | Yes |
Bank Al Habib Limited | Both | Yes |
Dubai Islamic Limited | Both | Yes |
Faysal Limited | Both | Yes |
Habib Metro Bank | Both | Yes |
JS Bank Limited | Both | Yes |
MCB Limited | Both | Yes |
National Bank of Pakistan | Both | Yes |
Samba Bank Limited | Both | Yes |
Silk Bank Limited | Both | Yes |
Soneri Bank Limited | Both | Yes |
SCB(Pakistan) Limited | Both | Yes |
Summit Bank Limited | Both | Yes |
The Bank of Punjab | Both | Yes |
United Bank Limited | Both | Yes |
MCB Islamic Bank Limited | Both | Yes |
We assessed the collected mobile applications on the reverse engineering tools for their implementation details as well as the performance of the tools. A total of 18 mobile banking applications (APKs) were assessed on the test bed of reverse engineering tools under a common environment.
Following are the main observations of our experiments: None of the CLI tools were able to perform the complete reverse engineering process on a mobile banking application. Most tools only translate from one format to another. External tools were required to view the generated files. Only one tool could handle the obfuscation, for all other tools, external de-obfuscation script was required to deobfuscate the code. The Apk tool generated many files, however, another tool was required for reading and extraction through directories. The Dex2jar tool was unable to reconvert/recompile its own translated code. The Jadx tool attempted to deobfuscate the code, however, it was not completely successful. The Enjarify tool produced better results compared to the other tools, however, it was time-consuming as it continued processing even when errors were encountered. Some tool despite encountering an error continued their job. The error information is logged in a text file.
For answering our research questions, we observed the following three parameters: Time complexity Error generation Resulting number of files
We tested the tools for their time complexity based on similar behaviors under a common environment on the banking applications testbed.
We observed that none of the tools were able to achieve the reverse engineering task as a standalone tool. Many tools just decompiled/disassembled the apk file and another tool was needed to view the source code. In addition, some tools were dependent upon other packages while others were complex to setup.
The existing tools claimed to make the reverse engineering process easy, however, they did not offer a user-friendly interface for analysis of the results. Most of them simply helped to view the already decompiled/disassembled files. Similarly, the performance of these tools was slow as the user had to wait for the tool to process and show the results.
To answer this research question, we have recorded the execution times of each tool on each mobile banking application. As shown in
In addition to the time complexity, we also observed whether a tool terminates or continues the reverse engineering process after encountering an error, as depicted in
We observed the number of files generated by each tool for each mobile application in our dataset. It was observed that despite running similar commands, the number of files generated was different by different tools.
In this research work, we carried out an in-depth analysis of the existing well-known reverse engineering tools for the android mobile application platform in terms of their time complexity, error handling behavior, and the number of files generated. For our dataset, we selected a total of 18 mobile banking applications of the banks providing mobile banking services in Pakistan. Our results demonstrated that the tools produce different results during the reverse engineering process for the same mobile application (apk file), i.e., the number of files and directory structure produced is different. Also, there exists significant differences in the error handling methodology of the tools. Similarly, we found significant differences in the execution time of various tools for the same APK files. In future, a similar analysis of the GUI-based reverse engineering tools can be performed to evaluate their performance and help the researchers/security experts in choosing the tools for reverse engineering.