7/24/2019 AppScan Reference Implementation
IBM AppScan
Reference Implementation Guide
Arxan Confidential
Introduction
Component Integration
  Brief overview of components to integrate
  Benefits of each component
Technical integration steps
  How to perform integration
Rules
Summary
Component Introduction
Arxan and AppScan Integration Overview
Developers follow a standard lifecycle (Design, Develop, Compile, Test) using IBM® tools (Worklight®, Rational®) or third-party tools.
IBM AppScan assists developers to identify vulnerabilities in apps and facilitates organizations' ability to enforce security quality.
Arxan enables developers or security engineers to embed self-defense and tamper-resistance to protect application integrity against attacks.
Extend security posture across the mobile application lifecycle: from analysis to remediation and runtime protection.
Shield apps across the full scope of risks, from pros to advanced exploits.
Integration Components
Solution Components / Benefit
1. Technical Guide
   How to integrate IBM AppScan and Arxan into the SDLC to use them in conjunction
   Control the full scope of risks and build in security from testing to run-time protection
2. Augmented IBM AppScan rules
   Custom scan configuration for AppScan to better identify app integrity risks
   Inform required protections against app-integrity attacks that can compromise even "flawless" code
3. Usage of Arxan protection tools
   Informs creation of Arxan Guards
Integration and Scan Steps
Rule Integration
1. Acquire Arxan IBM AppScan rules via a number of different channels:
   IBM Partner World
   IBM developerWorks
   Arxan Account Manager
   Rules are contained within an XML file, pbsa.vdb, that an AppScan administrator imports into AppScan's underlying SolidDB database on the AppScan Enterprise server.
2. Import the pbsa.vdb rule database into SolidDB:
   dbmanager --import-only -Dtransfer-staging-dir=C:\temp\ounce
   In this example, we extract the VDB file into the directory C:\temp\ounce\VDB\pbsa.vdb
Scan an Objective C App
1. Start AppScan Source for Analysis
2. Add the selected app to scan via the menu items: File > Add Application
3. Add the additional scan rule set iOS-Integrity:
   1. Enter the configuration phase of the opened application
   2. Select the properties tab within this phase
   3. Within these properties, select the scan rules and sets subtab
   4. Click on the + icon within the available rule sets
   5. Select the iOS Integrity rule set found within the available rule sets presented and click OK
4. Request a scan via the menu items: Scan > Scan Selection
Rule Integration Verification
Users can verify that rules have been successfully imported into the database by examining the available rule sets:
Rules
Available Rules and Examples
Rule Development Strategy
Rules address operational risks highlighted in Arxan's Threats to Mobile Apps in the Wild paper, released in November 2013:
[Table not recovered from the slide; only its column header "Technical Risk" survived extraction]
Risk Coverage
AppScan rules cover a number of different risks highlighted in Arxan's whitepaper, Threats to Mobile Apps in the Wild:
Technical Risk                     Expression Count
Repackaging                        2
Swizzle With Behavioral Change     7
Security Control Bypass            2
Automated Jailbreak Breaking       3
Exposed Method Signatures          4
Exposed Data Symbols               3
Exposed String Tables              1
Cryptographic Key Interception     1
Presentation Layer Modification    (count not captured)
Integrity Risk: Swizzle and Code Change
// Transaction-request delegate
- (IBAction)performTransaction:(id)sender
{
    // Single yes/no authentication gate guarding a sensitive operation
    if ([self loginUserWithUsername:username
                   incomingPassword:password] != true)
    {
        UIAlertView *alert = [[UIAlertView alloc] initWithTitle:@"Invalid User"
                                                        message:@"Authentication Failure"
                                                       delegate:self
                                              cancelButtonTitle:@"OK"
                                              otherButtonTitles:nil];
        [alert show];
        return;
    }
    // Perform sensitive operation here
}
Rules highlight this method as likely to be swizzled and modified by an attacker.
Integrity Risk: Security Control Bypass
NOTE: Methods that appear to return a simple yes/no response and appear to be doing something sensitive are excellent candidates for simple code modification.
Rules flag any code that calls this method. This method is particularly attractive for code-bypass modification.
Cryptographic Key Theft
Rules flag any hardcoded keys that could be easily found by an attacker through static or dynamic analysis.
Exposed String Tables
Rules flag any hardcoded strings that are sensitive in nature.
Example strings include: hardcoded passwords, connectivity strings, SQL statements, and shell commands.
Presentation Layer Modification
Rules flag any dependencies upon external HTML/JS/CSS files that may be loaded and displayed.
Code should validate these files before use.
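As an added example (not from the deck and not AppScan's own pbsa.vdb expressions), a small Python scanner that implements the flavour of the Security Control Bypass, Cryptographic Key Theft, Exposed String Tables and Presentation Layer Modification rules described above, run over a constructed Objective-C snippet. The regular expressions, the sample source and the function names are my own assumptions about what such rules look for.

```python
import re

# Constructed Objective-C source exercising each rule (not from the deck).
SAMPLE_SOURCE = """\
static NSString *const kAPIKey = @"3f9a1c77e2b04d8ab6c1e0f24a9d7b31";
NSString *dsn = @"Server=db.internal;User Id=app;Password=Hunter2!";
NSString *q = [NSString stringWithFormat:@"SELECT * FROM users WHERE name='%@'", name];
system("/bin/sh -c 'rm -rf /tmp/cache'");
- (BOOL)isDeviceJailbroken { return NO; }
- (BOOL)loginUserWithUsername:(NSString *)u incomingPassword:(NSString *)p { return YES; }
[self.webView loadRequest:[NSURLRequest requestWithURL:[NSURL URLWithString:@"http://cdn.example.com/ui.html"]]];
NSLog(@"Ready");
"""

# Hypothetical rules, one per risk category from the deck (regexes are mine).
RULES = [
    # long hex literal assigned to a key-like identifier
    ("Cryptographic Key Theft",
     re.compile(r'\b\w*(?:key|secret)\w*\s*=\s*@"[0-9a-fA-F]{32,}"', re.I)),
    # quoted literal carrying a password, SQL, shell or connection string
    ("Exposed String Tables",
     re.compile(r'@?"[^"]*(?:password\s*=|select\s+.+\s+from|/bin/sh|jdbc:)[^"]*"', re.I)),
    # yes/no method with a security-sounding name: a code-bypass candidate
    ("Security Control Bypass",
     re.compile(r'-\s*\(BOOL\)\s*\w*(?:login|auth|jailbr|licen|valid|secur)\w*', re.I)),
    # web view fed from an external or bundled HTML/JS file
    ("Presentation Layer Modification",
     re.compile(r'load(?:Request|HTMLString|FileURL)\b.*?(?:https?://|\.html|\.js)', re.I)),
]


def scan(source):
    """Return one (line_no, rule_name, line_text) tuple per rule hit."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), 1):
        for rule_name, pattern in RULES:
            if pattern.search(line):
                findings.append((line_no, rule_name, line.strip()))
    return findings


def summarize(findings):
    """Count hits per rule, mirroring the deck's Expression Count table."""
    counts = {}
    for _, rule_name, _ in findings:
        counts[rule_name] = counts.get(rule_name, 0) + 1
    return counts
```

Calling scan(SAMPLE_SOURCE) reports seven hits on the first seven lines and nothing for the NSLog line; summarize() turns them into per-risk counts.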
Repackaging
Rules highlight common entry points where jailbreak detection should occur.
Exposed Data Symbols
Rules highlight interface properties that will be particularly attractive for modification or further probing.
Exposed Methods
Rules highlight interface methods that will be particularly attractive for modification or further probing.
Automated Jailbreak Disabling
Rules highlight weak jailbreak detection algorithms. In this case, the code should be relying upon system calls instead of a third-party library. It's also not checking for enough things.
Debugger Check
Rules highlight common entry points where the app should check for the unauthorized presence of a debugger.
Risk Mitigation Strategy
New rules highlight integrity/reverse-engineering risks that Arxan products specialize in.
Recommended risk mitigation strategies for each different type of risk involve defining a corresponding Arxan Guard for that particular risk.
Guards are expressed in Arxan products through an Arxan Guard Spec.
Risk Mitigation Strategy
Each risk raised by a rule is mitigated by specifying a Level 1 Arxan Guard within a Guard Specification. Below is an example of a Guard Spec:
Risk Mitigation Strategy
Below is an example of a multi-layer Arxan Guard network:
Conclusions
Rules are available via many different channels:
  IBM Partner World
  IBM developerWorks
  Arxan Account Manager
Risks are described in more detail in Arxan's whitepaper titled Threats to Mobile Apps In the Wild, released in November 2013.
Arxan mitigates all of the risks raised by these new rules. Guards work together to defend, detect, react, and alert to reverse-engineering or integrity-violation events.