Reverse engineering attacks: 6 tools your team needs to know

John P. Mello Jr. Freelance writer

Security researchers reverse-engineer code to find security risks in programs. They also use the technique to understand malicious applications and disrupt them.

But researchers aren't the only ones doing this: bad actors also want to find software flaws through reverse engineering. "Both reverse-engineer code to find vulnerabilities," said Wesley McGrew, director of cyber operations at Horne Cyber, a cybersecurity risk discovery company. "The difference is what they do with that vulnerability information."

Hackers use the information to attack an application, and they take apart programs to create malicious versions of them. There are many applications they can use to inspect a binary piece of software and answer questions about it. 

Although reverse engineering presents a serious risk to applications, many apps are reaching the market without any safeguards against the practice. In a study of 30 mobile financial apps, 97% suffered from a lack of binary protection, making it possible to decompile the apps and review the source code. The study was conducted by the Aite Group on behalf of Arxan Technologies.

In addition, the study said, all the apps tested failed to implement application security that would have obfuscated the source code. "Obfuscation happens post-development," said Aaron Lint, chief scientist and vice president for research at Arxan. "The code is transformed by a tool that keeps the semantics of the code but makes it more difficult for reverse-engineering tools to interpret."

When the apps studied by Aite and Arxan were decompiled, all kinds of sensitive information was exposed, including API URLs, API keys, and API secrets hard-coded into the apps. Also exposed were URLs for nonstandard port numbers and development servers used by developers for testing and QA, as well as several private keys that were hard-coded into the apps' files and located in their subdirectories, making it possible to crack the private key passwords.

To counter reverse-engineering attacks, security teams need to know what tools are available and how they work. Here are the top ones to consider.

IDA Pro

IDA Pro from Hex-Rays is considered by industry insiders to be the top reverse-engineering tool, not only because of its price tag, but because of its feature set. "An IDA Pro license costs thousands and thousands of dollars, but it's worth it. It's a fantastic piece of software," Horne Cyber's McGrew said.

Written in C++, IDA Pro is an interactive disassembler that runs on Microsoft Windows, macOS, and Linux.

In recent times, the program's place as the one to beat has been challenged. "A lot of mid-tier tools are challenging IDA Pro because they can be less than a tenth of the price of that expensive tool," Arxan's Lint said. Hex-Rays does offer a free version of IDA, but it lacks all the features in the latest version of the program, v. 7.0; doesn't support all the processors and file formats found in 7.0; and lacks technical support.

Ghidra

Ghidra made headlines earlier this year when the NSA open-sourced the reverse-engineering framework. It supports Windows, macOS, and Linux. Its feature set includes disassembly, assembly, decompilation, graphing, and scripting.

In addition, it supports an array of processor instruction sets and executable formats, and it can run in either interactive or automated mode. What's more, the program is customizable by writing plugins or scripts in Python or Java.

"There is no major feature of Ghidra that does not already exist in current software reverse-engineering tools," McGrew said. "The biggest difference is that Ghidra is free for everyone, has a complete feature set, and has the best user interface in the market."

Binary Ninja

Binary Ninja, made by Vector 35, prides itself on its ease of use, making automation easier and more approachable than other solutions on the market. It supports 64-bit Ubuntu Linux, macOS 10.13, and 64-bit Windows 10, and loads PE/COFF, ELF, Mach-O, .NES, and raw binary files.

Currently, it doesn't have a decompiler, but Vector 35 plans to add one in an upcoming "advanced" version of the program.

Although easy to use, the software has had some problems gaining acceptance in the reverse-engineering community. When speaking with colleagues over the past year, "I've found that many either haven't heard of Binary Ninja or have found it hard to figure out how to incorporate it as a tool in their daily work," Erika Noerenberg, a senior malware analyst and reverse engineer in the threat research group of LogRhythm Labs, said during a presentation at BSidesCharm last year.

Versions of Binary Ninja are available for student and personal use for $149, and a commercial edition costs $599.

Hopper

Hopper is a disassembler for macOS and Linux. It can disassemble, decompile, and debug 32- and 64-bit executables. The Mac version uses the Cocoa framework, while the Linux edition uses Qt 5.

Hopper includes an SDK so you can extend its features and even write your own file-format and CPU support. In addition, most of the software's features can be invoked from Python scripts, giving you the flexibility to transform binaries.

To make procedures easy to understand, the program can display a graphical representation of a procedure's control flow graph on demand, which can also be exported as a PDF file. Hopper offers a personal license tied to a user for $99 and a computer license tied to a single machine for $129.

Radare2

Radare2 was the top open-source tool for reverse engineering before the NSA decided to release Ghidra. It's a command-line-based program, so its learning curve can be steep, but over the years a web interface and a graphical interface, called Cutter, have been developed for it.

"It's very capable, but it's more difficult to use compared to Ghidra," McGrew said.

The software includes a disassembler and supports local and remote debuggers. It can run on Linux, BSD, Windows, OSX, Android, iOS, Solaris, and Haiku, and can be scripted in Python, JavaScript, Go, and others. In addition, it supports more than 15 file formats, including WinRAR and raw binary, and some 33 instruction sets, including Intel x86 and ARM.

ApkTool

ApkTool focuses on reverse engineering third-party, closed, binary Android apps. The open-source program can decode resources to nearly their original form, let you modify them, and rebuild them into a binary APK/JAR.

The project-like file structure used by the tool and its use of automation make it easier to use than some other offerings on the market. Java 7 is required to run the program.
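The Aite/Arxan findings above (hard-coded API keys and secrets, URLs on nonstandard ports, development servers, and private keys left in app subdirectories) are exactly what a team can check for itself before shipping, once a build has been decoded with a tool like ApkTool. The following scanner is an added example and is not code from the article, Arxan, or the ApkTool project; the decoded files, key id, secret, and hostnames it scans are constructed for the example, and the regexes are illustrative rather than a complete secret-detection ruleset.

```python
import re
from urllib.parse import urlparse

# Constructed stand-in for an apktool output tree ({relative path: contents}).
# Every value is made up for this example; none comes from a real app.
SAMPLE_FILES = {
    "res/values/strings.xml": (
        '<resources><string name="api_base">https://api.example.com/v2/</string>\n'
        '<string name="qa_server">http://dev-qa.example.internal:8443/</string></resources>\n'
    ),
    "smali/com/example/net/ApiClient.smali": (
        'const-string v0, "AKIAEXAMPLEEXAMPLE01"\n'  # constructed AWS-style key id
        'const-string v1, "apiSecret=9f3c1e2d4b5a6c7d8e9f0a1b2c3d4e5f"\n'
    ),
    "assets/keys/client.key": (
        "-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEAconstructedplaceholder\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
}

# One regex per finding class; kept simple so the scan errs toward recall
# and a reviewer triages the hits by hand.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "api_secret": re.compile(r"(?i)api[_-]?(?:secret|key)\s*[=:]\s*[\"']?[A-Za-z0-9]{16,}"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "url": re.compile(r"https?://[^\s\"'<>]+"),
}
STANDARD_PORTS = {80, 443}
DEV_HOST_MARKERS = ("dev", "qa", "staging", "test", "internal")

def scan_file(path, text):
    """Return (path, finding_class, evidence) triples for one decoded file."""
    findings = []
    for cls, rx in PATTERNS.items():
        for m in rx.finditer(text):
            label = cls
            if cls == "url":  # only flag URLs on odd ports or pointing at dev hosts
                u = urlparse(m.group(0))
                port = u.port or (443 if u.scheme == "https" else 80)
                devlike = any(tok in (u.hostname or "") for tok in DEV_HOST_MARKERS)
                if port in STANDARD_PORTS and not devlike:
                    continue  # ordinary production endpoint
                label = "nonstandard_port_url" if port not in STANDARD_PORTS else "dev_server_url"
            findings.append((path, label, m.group(0)))
    return findings

def scan_tree(files):
    """Scan every decoded file in an in-memory tree; returns all findings."""
    return [f for p, t in files.items() for f in scan_file(p, t)]
```

On a real ApkTool output directory, read the decoded `.xml`, `.smali`, and key files into the same `{path: contents}` dictionary and pass it to `scan_tree`; each hit is a reviewable reason to move that value out of the binary or behind obfuscation before release.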

Detection is key

Application developers and security teams need to include control mechanisms in their coding to detect reverse-engineering attacks. Otherwise, all sensitive data handled by an app will be at risk of compromise.

To lower the risk of vulnerabilities being identified and ultimately exploited, organizations must adopt a comprehensive approach to application security—including app shielding against reverse engineering, encryption, and threat analytics—and ensure their developers receive adequate secure programming training and implement security in the software development lifecycle when writing the code.

