Introduction to Cryptographic Key Protection

Cryptography is at the heart of data security, and it has become an indispensable protection mechanism for securing data within mobile applications.

Cryptographic keys are commonly used to:

  • Maintain confidentiality of digital assets;
  • Enforce software product licensing;
  • Bind data to devices and applications;
  • Prove identity;
  • Secure communication against eavesdroppers;
  • Facilitate financial transactions.

How Keys Are Used to Protect Mobile Payments

Increasingly, consumers are demanding faster and richer mobile experiences that allow for offline functionality. Consumer demand has resulted in mobile app requirements for secure, offline data storage of sensitive assets. For example, Android’s Host-based Card Emulation (HCE) allows the user to conduct offline credit card purchases and mobile wallet transactions. An HCE solution stores a limited-use key (LUK) within a local data store on the user’s mobile device. The LUK allows the user to conduct financial transactions in a secure manner while the phone is offline through the use of Triple Data Encryption Standard (DES).

Why Offline Data Stores Attract Cybercriminals

By examining the steps of conducting an offline transaction, we can understand how and where cybercriminals strike and steal sensitive financial data, or the keys associated with that data, in order to conduct fraud. Let’s review the steps below:

  • Step 1: Users register their mobile app with the credit card issuer’s server when they first log into the app. In response, the server generates a user key. This key permits the server to confidentially communicate anything sensitive to the mobile app in a way that ties that data to that specific user. After the user completes registration, the server generates an LUK and encrypts it using the user key.
  • Step 2: The server transmits the LUK to the mobile payment app. The mobile payment app stores the LUK locally on the device within private key storage. The storage itself is typically encrypted using a separate set of encryption and decryption keys that are dynamically generated and are dependent upon physical characteristics of the device.
  • Step 3: The user conducts an offline financial transaction and the mobile app’s HCE pulls the LUK out of local storage and uses the LUK as a form of identity to another NFC-enabled device, such as another users’ phone. Other sensitive information embedded on the credit card will also be stored and utilized from the local storage device as part of the offline financial transaction.

There are many potential points of fraud associated with the offline data store. Protecting the local store and underlying LUK from a malicious hacker’s prying eyes is of paramount importance.

Apps may also store other sensitive information within the offline data store to facilitate rich interactive experiences. Typical examples of useful offline information include financial transaction histories or passwords. In the event that the information becomes compromised, cybercriminals may be able to perform identity theft or bypass local security controls embedded in the app to conduct their own transactions.

How Keys Are Hacked

Within a mobile environment, cybercriminals can reverse engineer sensitive code that stores, transmits or processes encryption keys within the mobile device. Reverse engineering is extremely valuable to cybercriminals because it can immediately clarify the nature of the mobile app’s encryption as well as how the encryption or decryption keys are formed. Reverse engineering can also lead to a greater understanding of the nature of the algorithms used for encryption or decryption connected to the original sensitive content contained within that local store.

Attackers typically take the following steps to understand keys and their associated encryption algorithms:

1. Performing Static Analysis

Utilizing freely available, easy-to-use and fairly sophisticated tools like IDA Pro or Hopper, cybercriminals perform static analysis. These tools are very useful in identifying and understanding the nature of a mobile app’s cryptographic key protection. They permit the criminal to identify binary signatures within the mobile app’s code that reveal the presence of common encryption libraries like OpenSSL or CommonCrypto. For example, binary analysis may lead to the identification of an AES S-Box. Malicious hackers can then cross-reference the S-Box to an AES encryption algorithm used by the mobile app. Within an HCE, this type of intelligence greatly assists in understanding how the LUK is being encrypted and stored.

2. Performing Dynamic Analysis

When static analysis doesn’t give cybercriminals all the information they need, they can perform dynamic analysis. This might be a requirement if the app uses dynamic method invocation or heavy obfuscation. Method swizzling and method hooking are very effective attack vectors that criminals leverage to see runtime method invocation sequences to popular encryption implementations. Typically, this type of runtime intelligence allows malicious hackers to immediately determine the specific algorithm behind an encryption.

Furthermore, this allows malicious actors to determine whether an encryption key is dynamic or static in nature and how that key is formed at runtime. Depending upon the nature of the method interception, it may also be possible to steal the unencrypted data before it is encrypted. In the previous HCE example, cybercriminals can use method hooking to intercept at runtime any method calls to particularly popular Java cryptographic libraries. Once they see the runtime method invocations of these libraries, they immediately understand how local encryption of that keystore occurs.

3. Formulating Malicious Applications

Generating a malicious app that will act as the conduit for encrypted and desired data that the legitimate app has encrypted and stored on a target device. Prior to the third step, attackers have a solid understanding of how to decrypt the local data store because they know the underlying encryption and decryption algorithm, the key generation strategy and the associated key. Often, apps use simple techniques to generate and utilize keys that are stored on the local device. This makes the job of decryption particularly easy for cybercriminals.

In the previous HCE example, cybercriminals replace the legitimate form of the app with a malicious version that successfully decrypts the local store when the app is executed. Upon execution, the app immediately decrypts the local store and transmits the LUK and other sensitive information needed to mimic the credit card to the criminal’s server. Then, the app resumes normal execution and the victim will be none the wiser of the transmission to a third party. The criminal receives the LUK and is then able to conduct fraud by impersonating the victim’s credit card.

To create a very realistic-looking but malicious version of the original mobile app, the attacker will typically leverage repackaging or binary patching to make as few changes as required to the original.

4. Distributing Malicious Apps

There are a number of different ways to distribute malicious versions of apps to their intended victims. Some ways are easier than others. On Android, it can be done directly via email, websites or app stores. In iOS, cybercriminals may exploit the iOS Enterprise Deployment Model, use the central iTunes store or distribute via other enterprise stores available to end users.

There are a number of attack vectors that allow for easy substitution of legitimate apps with malicious versions. WireLurker is an excellent example of an iOS vulnerability that allows the attacker to silently replace a legitimate version of the app with a malicious version. At the same time, the malicious app obtains access to all the residual encrypted data left by the legitimate app.

In the previous HCE example, malicious hackers may distribute the malicious version of the Android app by tricking the victim into downloading it via email or phishing.

Best Practices for Cryptographic Key Protection

Below are some highly effective strategies that will help raise the bar significantly in preventing cryptographic key theft, especially when using keys in hostile environments:

  • Use Encryption Keys Without Binary Signatures: At some point within a mobile app’s code, encryption or decryption keys are exposed in memory or in the data store of the mobile device just before the app uses that key for encryption or decryption. This universal feature of cryptography gives malicious hackers an excellent opportunity to steal that key if they can recognize it. Criminals can also steal hard-coded keys via static analysis or runtime keys via dynamic analysis attack vectors. In the example above, theft of the plaintext LUK keys may be possible through method hooking or swizzling, and it would result in financial fraud.
  • Use Encryption Algorithm Implementations Without Binary Signatures: Conventional encryption libraries follow fairly standard binary patterns and implementations that are predictable to cybercriminals. These malicious actors can perform static analysis to quickly identify binary patterns that will immediately reveal the nature of the underlying encryption algorithms being used. Organizations may try to outsmart cybercriminals with surface-level obfuscation through method renaming, but this does not prevent them from identifying the underlying encryption that is being used when the organization employs a standard encryption library implementation like OpenSSL or CommonCrypto.
  • Apply White-Box Cryptography in Lieu of Standard Cryptographic Implementations: To stop cybercriminals from reverse engineering a mobile app’s encryption, your organization should leverage a white-box cryptography solution that combines mathematical obfuscation in conjunction with classic code obfuscation. Together, these two forms raise the bar to high levels for criminals trying to identify keys or algorithm implementations via static and dynamic analysis.

White-box cryptography must protect static keys, which are embedded in applications when they ship; dynamic keys, which are generated on the fly at runtime; and sensitive user data. Ideal white-box cryptography characteristics include:

  • Algorithmic Strength: This is a proven approach that is resistant to known attacks on white-box cryptography implementations. If possible, ask for validation by external third-party security firms that have cryptography expertise.
  • Performance Friendliness: White-box cryptography can result in performance penalties during key transformation steps. The performance should be tunable to meet performance requirements.
  • Ease of Use: Often, white-box cryptography replaces existing or skeleton code that uses an industry implementation. It should be easy to replace existing encryption code with a white-box or equivalent solution.
  • Portability: Ideally, white-box cryptographic solutions should be based on solutions that are written in C since the language is highly portable to all platforms and compatible with all application hardening techniques.
  • Universal Support: White-box cryptography solutions should support all major cryptography algorithms commonly prescribed today.

More from Application Security

Kronos Malware Reemerges with Increased Functionality

The Evolution of Kronos Malware The Kronos malware is believed to have originated from the leaked source code of the Zeus malware, which was sold on the Russian underground in 2011. Kronos continued to evolve and a new variant of Kronos emerged in 2014 and was reportedly sold on the darknet for approximately $7,000. Kronos is typically used to download other malware and has historically been used by threat actors to deliver different types of malware to victims. After remaining…

Self-Checkout This Discord C2

This post was made possible through the contributions of James Kainth, Joseph Lozowski, and Philip Pedersen. In November 2022, during an incident investigation involving a self-checkout point-of-sale (POS) system in Europe, IBM Security X-Force identified a novel technique employed by an attacker to introduce a command and control (C2) channel built upon Discord channel messages. Discord is a chat, voice, and video service enabling users to join and create communities associated with their interests. While Discord and its related software…

A View Into Web(View) Attacks in Android

James Kilner contributed to the technical editing of this blog. Nethanella Messer, Segev Fogel, Or Ben Nun and Liran Tiebloom contributed to the blog. Although in the PC realm it is common to see financial malware used in web attacks to commit fraud, in Android-based financial malware this is a new trend. Traditionally, financial malware in Android uses overlay techniques to steal victims’ credentials. In 2022, IBM Security Trusteer researchers discovered a new trend in financial mobile malware that targets…

Twitter is the New Poster Child for Failing at Compliance

All companies have to comply with privacy and security laws. They must also comply with any settlements or edicts imposed by regulatory agencies of the U.S. government. But Twitter now finds itself in a precarious position and appears to be failing to take its compliance obligations seriously. The case is a “teachable moment” for all organizations, public and private. The Musk Factor Technology visionary and Silicon Valley founder and CEO, Elon Musk, bought social network Twitter in October for $44…