Mobile-apps source code is not a protected asset
It is interesting to see how companies and organizations believe that their mobile application source code is a protected asset. Protected asset due to compiled code files. With just a few tools and technics, it is surprisingly easy to decompile and withdraw a mobile application's source code.
NB! These are tools and techniques ethical and malicious hackers use. This post will give an insight from the perspective of a pentester.
I will in this blogpost give a brief insight on how.
By installing a mobile application to your phone, a file (APK, XAPK, IPA & APPX) gets downloaded and saved locally on your phone. This file is the source of the gold.
Using an automated all-in-one mobile application (Android/iOS/Windows) penetration testing tool such as the Mobile Security Framework (MobSF), you can just by few clicks decompile the code and get insights into folders, files, and code. By the use of Static Application Security Testing (SAST), often referred to as source code analysis, it’s a way of analyzing source or binary code for potential security and quality problems. It can also be used to re-engineering the source code from its compiled file.
Step 1:
Install and run MobSF, see link on requirements and installation.
Step 2:
Upload compiled file to MobSF and run Static Application Security Testing (SAST). In this example, I have uploaded an APK file (file for Android mobile apps) UnCrackable Mobile Apps v.1 from GitHub.
Step 3:
Go to Scan Option and under Decompiled code. Here you can download the source code or view it in your browser.
What are some of the take-aways?
- Source code is not protected as a compiled file
- Decompiling enables discovery and exploitation of weaknesses in the programmed source code, which can lead to the possibility of gained access to IT-infrastructure and systems owned by the organization beyond the application itself.
