Could you suggest anti-tampering solution for .NET MAUI mobile application ?

[ThinhKVT]

Hi all,

Our team is facing with a challenge that applying anti-tampering solution for our .NET MAUI mobile application on both Android and IOS. We tried checksum bytes from assembly but it's not work on Android (IOS is normal working). Also, we tried with signature solution for Android but our customer assessed that it's not enough security. Could you give us some solution for applying anti-tampering for a mobile application ?

Thank you !

[ThinhKVT]

Anyone have solution for the problem ?

[gabsamples6]

Hi - we are facing the same issue as we have our apps pen tested and that involves several things that all pentesters do by following the owsap top 10 https://owasp.org/www-project-mobile-top-10/

all the pentesters use more or less the same tool and the biggest problem with Xamarin and now Maui are

Obfuscation
Dynamic pinning
all sorts of malware detections.. etcc..

solution
3rd party 100% and they are very very pricy .. and many dont work either

[ThinhKVT]

Hi @gabsamples6 ,

Thank you for sharing the same problem.
Could you also let me know 3rd party which you are trying ?

Thank you very much ~

[jonmdev]

Hi all,

Our team is facing with a challenge that applying anti-tampering solution for our .NET MAUI mobile application on both Android and IOS. We tried checksum bytes from assembly but it's not work on Android (IOS is normal working). Also, we tried with signature solution for Android but our customer assessed that it's not enough security. Could you give us some solution for applying anti-tampering for a mobile application ?

Thank you !

Could you explain a bit more about what threat you are trying to mitigate? I think you will have to deal with each threat on your own.

What tampering specifically are you worried about?

• Are you worried someone will modify the app and upload it to the Play/App store as a hacked version?

• Is all your authentication and logic for database server access to read or write (presuming you have one) client side vs. server side?

• Do you have API keys you need to hide within the app?

What is the specific issue?

[gabsamples6]

@jonmdev if you provide any financial application 100% the client will have the app pen tested. Even if you the dev /company is not worried about what can happen to the app, but you should, in many occasions you have to comply with pentesters reported issues.

Most of the pentesters use is a set of tools like Burp Suite and what they will do is

• Check if the app is obfuscated - (.net does not offer this out of the box) very expensive.
• Static analysis - reviewing the source code
• Dynamic analysis
• Network ones..
  etc..

So even though we can write some malware checks etc.. its a very big task.. Are we going to write obfuscation from scratch , NO!

Whether obfuscation can be decompiled or not, that is not the point, the point is
A - you satisfied the owasp guidelines
B - your client is more confident in what you provide..

and writing a comprehsive set of the utilities that cover your backside and aligns with owasp guidelines is a no starter unless you pay for a third party provider like appdome - approov etc.. and they are very very expensive..

Again - this is not about whether obfuscation is the answer but is a deterrent .

So in the end when the produce a report stating that your app is not safe and they send to the client , which goes in panic mode. than you are fu...ed..

hope this clarifies a bit .

[Kalyxt]

Whats the common tool for obfuscation of apps ? Is there some example of what you should obfuscate and how related to xamarin/MAUI ?

[ThinhKVT]

Hi @jonmdev ,

I want to explain more detail about expectation.

What tampering specifically are you worried about?
-> We are worring that anyone or hacker will modify our app with some change or malicious code, then they upload it to official store or unofficial store (other website). Unfortunately, our users download and use the modified app. We want to prevent this by notify to user if they are using tampered application in the first time login app by a popup or something like that.

Are you worried someone will modify the app and upload it to the Play/App store as a hacked version?
-> Yes. It's also a situation we want prevent.

Is all your authentication and logic for database server access to read or write (presuming you have one) client side vs. server side?
-> Yes. We have server side for authentication. The approach is prefered.

Do you have API keys you need to hide within the app?
-> Yes if possible.

Could you suggest us any solution or 3rd party ?

Thank you !

[jonmdev]

I think this is a very challenging problem you want to achieve. Obfuscation and even string/resource encryption certainly seem possible like with Babel as I posted below. But remotely verifying a hacked app is challenging, because if someone has the capacity to hack and modify your app to the extent that it will become dangerous, then the odds are they will also remove or manipulate any verification code inside it.

This is discussed at length here: https://security.stackexchange.com/questions/5570/protect-application-from-being-modified

For example, if you were to add a signature of some kind to the app that it must send to your server to confirm its identity, there is no reason hackers couldn't make the fake app send a fake verification signature to match.

Google has developed its own technology for this to verify your app is from their store though I am not sure how easy it is to integrate. Probably you will need that:

https://developer.android.com/google/play/integrity/overview

Apple offers a similar service as well:

https://developer.apple.com/documentation/devicecheck/establishing-your-app-s-integrity

Probably you will need to write some platform code presuming these classes are both in .NET already to implement those specific functions if this is necessary.

For hiding API keys (like Google Maps or something) in the code I have seen no really good solution or ideas. One is that you keep the key on a server and give it to users just as they need it, so you can rotate it periodically. Or you do something like encrypt it within your obfuscated code (eg. simple way would be base64 encode it or something). But at some point if it is must be sent by web request or something to Google, it should be trivial for a hacker to see the app make the request.

Alternatively you keep the API key on your server and let the server make the requests, but then everything must go through your server adding latency. And this doesn't actually stop someone from abusing the API unless perhaps you throttle it or have some other detection on your server.

I am interested by this subject too as I am trying to solve my own security. All of this stuff is quite annoying to be honest to deal with. No perfect solutions and all time consuming.

[ThinhKVT]

Thank you very much @jonmdev for your suggestion.

We also had tried Babel for obfuscator solution and appreciate it. But Babel is currently not supporting for anti-tampering. We are finding any solution or 3rd party which support anti-tampering. In the reference you gave, we had tried with generate hashstring from .dll file (after extract from .ipa) for authentication. But the solution is only work on IOS, not work on Android because we don't have any solution to read .dll file on Android. Do you know this ? And have any idea ?

[jonmdev]

@jonmdev if you provide any financial application 100% the client will have the app pen tested. Even if you the dev /company is not worried about what can happen to the app, but you should, in many occasions you have to comply with pentesters reported issues.

Most of the pentesters use is a set of tools like Burp Suite and what they will do is

* Check if the app is obfuscated -  (.net does not offer this out of the box) very expensive.
* Static analysis - reviewing the source code
* Dynamic analysis
* Network ones..
  etc..

Again - this is not about whether obfuscation is the answer but is a deterrent .
hope this clarifies a bit .

Yes it clarifies but again, I think we have to look at each task separately in terms of what you want. So for example, you mention obfuscation. Android builds can be obfuscated with the built in R8 Code Shrinker in project settings. As per Android:

https://developer.android.com/build/shrink-code

This "removes unused code and resources; obfuscation, which shortens the names of your app’s classes and members; and optimization, which applies more aggressive strategies to further reduce the size and improve the performance of your app. This page describes how R8 performs these compile-time tasks for your project and how you can customize them."

So obfuscation is already included in Android builds with Visual Studio, unless this is somehow inadequate?

I do not see any built in obfuscation option for iOS or Windows, so we would need different solutions for those.

I searched and found this which summaries Windows/iOS/Android:

https://github.com/shingming/MauiBitMono

He suggests based on the link there that obfuscation is not necessary for iOS based on Apple's own security already implemented. For Android he also just suggests enabling R8 and that is all.

His project seems to offer working Windows obfuscation that can be added to MAUI. Would you be interested to test it to see if it still works? Maybe that solves another OS for this. Not sure if iOS truly needs obfuscation or not.

I looked also into Runtime Application Self-Protection (RASP) strategies and there is an Android package here: https://github.com/securevale/android-rasp

One could copy paste some of the code over to Maui Android for Android there (to block run if rooted device, emulator, etc.). Android code goes pretty easily into .NET from my experience. Or maybe it will be simpler to work from basic code snippets in doing so to block emulators/roots like:

https://stackoverflow.com/questions/1101380/determine-if-running-on-a-rooted-device
https://stackoverflow.com/questions/2799097/how-can-i-detect-when-an-android-application-is-running-in-the-emulator

For iOS RASP there is this though I don't know iOS well enough to know how easy it would be to just copy/paste over some of the key points: https://github.com/talsec/Free-RASP-iOS

Or similarly if it is just to stop emulators/roots:

https://stackoverflow.com/questions/6530364/how-to-detect-that-the-app-is-running-on-a-jailbroken-device
https://stackoverflow.com/questions/16804382/detect-ios-simulator-vs-ios-device

Is there any other protection you need besides obfuscation or blocking emulators/roots? Again, I think each step must be looked at separately since I don't think there is any one simple system that can do everything in all OS here.

For example, if you want the code to check itself at runtime and confirm it has not been modified, I am not sure of the best way to do that. Maybe someone has an idea?

If you want a paid comprehensive solution, this looks not toooo expensive and supports .NET MAUI 8 for all OS including code/resource encryption on the higher license which could be nice. Also integrates seemingly simply by nuget packages:

https://www.babelfor.net/products/babel-obfuscator/
https://docs.babelfor.net/nuget-package

[gabsamples6]

@jonmdev
I totally agree that each step must be looked separately hence why there are separate points in the owasp guidelines..
its such a vast area and its as you know a "cat and mouse" game

Rasp- roots etc..
There are plenty of packages but many are not .net and either you have to build the bindings.. try to convert to .net.

We do check
IsDeviceRooted()
IsRunningAVirtualDevice()
IsDebugMode()
AllowsBackup();
etc..

• KnownRootAppsPackages
• dangerousones
• clockingones..
• SuPaths
• TestKeys
• etc..

Obfuscation
R8 we had lots of issues with Maui and obfuscation - all those cheap ones didnt work for us . The ones the worked the cost was very very high.

Our big issue still is obfuscation and dynamic pinning..

[williamchenicon]

R8 only applys to the Java code, we still need obfuscation for c#

[ThinhKVT]

Anyone has new idea for the problem?

[ThinhKVT]

Anyone has any idea. We grateful for your suggestions.

[williamchenicon]

any update?

[jonmdev]

any update?

Have you tried Babel? Not free and maybe expensive but they have a demo project also now for Maui.

https://docs.babelfor.net/examples/general-samples/obfuscate-.net-maui