IBM AppScan
Reference Implementation Guide
Introduction
Component Integration
Brief overview of components to integration
Benefits of each component
Technical integration steps
How to perform integration
Rules
Summary
ARXAN
CONFIDENTIAL
Component Introduction
Arxan and AppScan Integration Overview
Extend security posture across the mobile application lifecycle; from analysis to remediation and run-time protection.
Shield apps across the full scope of risks; from programming flaws to advanced integrity attacks and malware exploits.
Build It Secure
Developers follow the standard lifecycle using IBM tools (Worklight, Rational) or third-party tools: Design, Develop, Compile, Test.

Keep It Secure
IBM AppScan assists developers in identifying vulnerabilities in apps and facilitates organizations' ability to enforce security quality (programming flaw remediation).
Arxan enables developers or security engineers to embed self-defense and tamper-resistance to protect application integrity against attacks.
AppScan-aided integrity risk assessment with augmented rules informs the instrumentation of Arxan protection.

Application is free of critical flaws and vulnerabilities.
Application protects itself against attacks: defends against compromise, detects attacks at run-time, reacts and alerts.
Integration Components
Solution Components and Benefits

1. Technical guide
   Component: How to integrate IBM AppScan and Arxan into the SDLC to use them in conjunction.
   Benefit: Control the full scope of risks and build in security from testing to run-time protection.
2. Augmented IBM AppScan rules
   Component: Custom scan configuration for AppScan to better identify app integrity risks.
   Benefit: Inform required protections against app integrity attacks that can compromise even flawless code.
3. Usage of Arxan protection tools
   Component: Informs creation of an Arxan GuardSpec based on AppScan-aided integrity risk assessment, supplemented by manual analysis.
   Benefit: Design and implement "defend", "detect", and "react" app integrity protections inside your app, without modifying its source code.
4. Tested and validated
   Component: Demonstration with a sample app.
   Benefit: Helps ensure interoperability and support.
Integration and Scan Steps
Rule Integration
1. Acquire the Arxan IBM AppScan rules via a number of different channels:
   IBM Partner World
   IBM developerWorks
   Arxan Account Manager
   The rules are contained within an XML file, pbsa.vdb, that an AppScan administrator imports into AppScan's underlying SolidDB database on the AppScan Enterprise server.
2. Import the pbsa.vdb rule database into SolidDB:
   dbmanager --import-only -Dtransfer-staging-dir=C:\temp\ounce
   In this example, the VDB file has been extracted to C:\temp\ounce\VDB\pbsa.vdb.
Scan an Objective-C App
1. Start AppScan Source for Analysis.
2. Add the selected app to scan via the menu items: File > Add Application.
3. Add the additional scan rule set iOS-Integrity:
   1. Enter the configuration phase of the opened application;
   2. Select the Properties tab within this phase;
   3. Within these properties, select the Scan Rules and Sets subtab;
   4. Click the + icon within the available rule sets;
   5. Select the iOS Integrity rule set from the available rule sets presented and click OK.
4. Request a scan via the menu items: Scan > Scan Selection.
Rule Integration Verification
Users can verify that rules have been successfully imported
into the database by examining available rule sets:
Rules
Available Rules and Examples
Rule Development Strategy
Rules address operational risks highlighted in Arxan's Threats to Mobile Apps in the Wild paper, released in November 2013:
Business Risk
Operational Risk
Technical Risk
Confidentiality Risk
Integrity Risk
Reverse Engineering and Code Analysis Risk
Code Modification / Injection Risk
Risk Coverage
AppScan rules cover a number of different technical risks highlighted in Arxan's whitepaper, Threats to Mobile Apps in the Wild:
Repackaging
Swizzle With Behavioral Change
Security Control Bypass
Automated Jailbreak Breaking
Exposed Method Signatures
Exposed Data Symbols
Exposed String Tables
Cryptographic Key Interception
Presentation Layer Modification
Application Decryption
Integrity Risk: Swizzle and Code Change
Rules highlight this method as likely to be swizzled and modified by an attacker.

// Transaction-request delegate
// Flagged by the iOS-Integrity rules: if this method is swizzled or patched,
// the authentication-failure path below is skipped and the sensitive
// operation runs unauthenticated.
- (IBAction)performTransaction:(id)sender
{
    if ([self loginUserWithUsername:username incomingPassword:password] != true)
    {
        UIAlertView *alert = [[UIAlertView alloc] initWithTitle:@"Invalid User"
                                                        message:@"Authentication Failure"
                                                       delegate:self
                                              cancelButtonTitle:@"OK"
                                              otherButtonTitles:nil];
        [alert show];
        return;
    }
    // Perform sensitive operation here
}
Integrity Risk: Security Control Bypass
Rules flag any code that calls this
method. This method is particularly
attractive for code-bypass modification.
NOTE: Methods that appear to return a simple yes/no
response and appear to be doing something sensitive are
excellent candidates for simple code modification.
Cryptographic Key Theft
Rules flag any hardcoded keys that
could be easily found by an attacker
through static or dynamic analysis.
Exposed String Tables
Rules flag any hardcoded strings that are sensitive in
nature.
Example strings include: hardcoded passwords;
connectivity strings; SQL statements; shell commands
Presentation Layer Modification
Rules flag any dependencies upon external HTML/JS/
CSS files that may be loaded and displayed.
Code should validate these files before use.
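As an added illustration of the Security Control Bypass, Cryptographic Key Theft, Exposed String Tables and Presentation Layer Modification rule categories described above, the Python script below runs simple line-level patterns over an Objective-C sample. The regular expressions and the sample source are my own constructions and are not the Arxan/AppScan rule expressions shipped in pbsa.vdb.

```python
import re
from typing import List, Tuple

Finding = Tuple[str, int, str]  # (rule name, 1-based line number, matched text)

# Illustrative rules, one per slide category. These regexes are my own and
# are NOT the Arxan/AppScan expressions distributed in pbsa.vdb.
RULES = [
    # Security control bypass: a BOOL-returning method whose selector names an
    # authorisation decision is a one-instruction patch or swizzle target.
    ("security-control-bypass",
     re.compile(r"^\s*[-+]\s*\(\s*BOOL\s*\)\s*"
                r"(\w*(?:login|auth|verif|valid|jailbr|allow|permit|check)\w*)",
                re.IGNORECASE)),
    # Cryptographic key theft: a literal that looks like a raw 128-256 bit hex key.
    ("hardcoded-key", re.compile(r'@"[0-9A-Fa-f]{32,64}"')),
    # Exposed string tables: SQL statements, shell paths or passwords in literals.
    ("exposed-string",
     re.compile(r'@"[^"]*(?:SELECT\b|INSERT\b|UPDATE\b|DELETE\b|/bin/|password)[^"]*"',
                re.IGNORECASE)),
    # Presentation layer modification: HTML/JS loaded into a web view at run time.
    ("presentation-layer",
     re.compile(r"(?:loadRequest:|loadHTMLString:|stringByEvaluatingJavaScriptFromString:)")),
]

# Constructed Objective-C sample, modelled on the slide's transaction-request
# delegate plus lines that exercise the other categories.
SAMPLE_SOURCE = "\n".join([
    "// Transaction-request delegate (constructed sample)",
    "- (BOOL)loginUserWithUsername:(NSString *)u incomingPassword:(NSString *)p",
    "{",
    "    return [self.auth checkCredentials:u password:p];",
    "}",
    "- (BOOL)isJailbroken { return NO; }",
    'static NSString *const kAESKey = @"0123456789abcdef0123456789abcdef";',
    'NSString *query = @"SELECT * FROM accounts WHERE user = ?";',
    "[self.webView loadRequest:[NSURLRequest requestWithURL:self.helpURL]];",
    "- (void)performTransaction:(id)sender { /* sensitive operation */ }",
])

def scan_source(source: str) -> List[Finding]:
    """Run every rule over each line; findings are ordered by line, then rule."""
    findings: List[Finding] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, pattern in RULES:
            match = pattern.search(line)
            if match:
                findings.append((name, lineno, match.group(0).strip()))
    return findings
```

Running scan_source(SAMPLE_SOURCE) reports the two BOOL decision methods, the hex key literal, the SQL literal and the web-view load, each with its line number, which is the shape of the per-risk expression tally the Risk Coverage slide summarises.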
Repackaging
Rules highlight common entry points where jailbreak detection should occur.
Exposed Data Symbols
Rules highlight interface properties
that will be particularly attractive for
modification or further probing.
Exposed Methods
Rules highlight interface methods
that will be particularly attractive for
modification or further probing.
Automated Jailbreak Disabling
Rules highlight weak jailbreak detection algorithms. In this case, the code should be relying upon system calls instead of a third-party library. It's also not checking for enough things.
Debugger Check
Rules highlight common entry points where the app should check for the unauthorized presence of a debugger.
Risk Mitigation Strategy
New rules highlight the integrity and reverse-engineering risks that Arxan products specialize in.
The recommended mitigation strategy for each type of risk is to define a corresponding Arxan Guard for that particular risk.
Guards are expressed in Arxan products through an Arxan Guard Spec.
Risk Mitigation Strategy
Each risk raised by a rule is mitigated by specifying a
Level 1 Arxan Guard within a Guard Specification. Below
is an example of a Guard Spec:
Risk Mitigation Strategy
Below is an example of a multi-layer Arxan Guard network:
Conclusions
Rules are available via many different channels:
IBM Partner World
IBM developerWorks
Arxan Account Manager
Risks are described in more detail in Arxan's whitepaper titled Threats to Mobile Apps In the Wild, released in November 2013.
Arxan mitigates all of the risks raised by these new rules.
Guards work together to defend, detect, react, and alert to
reverse-engineering or integrity violation events.