保持在React Native移动应用中的秘密

huangapple go评论81阅读模式
英文:

Keeping secrets in React Native mobile app

问题

我感到有点尴尬询问这个问题,但在React Native移动应用中,您通常如何存储机密信息?据我了解,机密信息会与包一起发布到存储中,但使用逆向工程,恶意行为者可能会将其检索回来。那么如何安全地存储它呢?我已经了解到调用Lambda函数并从那里检索是一种选择。但首先如何建立对Lambda的信任(如何确保我的移动应用在调用Lambda而不是其他人)?

英文:

I feel a bit awkward to ask about that question but how do you typically store secrets in React Native mobile apps? As I understand secrets are shipped with the bundle to the store but then using reverse engineering malicious actor could retrieve it back? So how to store it safely? I've red that calling Lambda function and retrieving from there is one option. But how to enable trust with Lambda first (how to be sure that my mobile app calls Lambda and not someone else)?

答案1

得分: 1

Sure, here's the translation of the text you provided:

逆向工程

> 我感到有些尴尬问这个问题,但你通常如何在React Native移动应用程序中存储机密信息?

不要感到尴尬,因为安全地执行这项任务并不是一件微不足道的事情。实际上,这是一个非常复杂的任务。简而言之,如果你将机密信息存储在应用程序二进制文件中,最好将它们视为公开信息,因此不再是机密,因为正如你所说,恶意行为者可以对你的捆绑包进行逆向工程并提取它们:

> 据我了解,机密信息随捆绑包一起发送到商店,但使用逆向工程,恶意行为者可以将其取回吗?

是的,他们可以,而且并不那么困难,因为存在许多方法,开源工具可用于使非开发人员轻松执行它们。例如,MobSF开源工具可以用于静态逆向工程移动应用程序,如文章如何通过静态二进制分析从移动应用程序中提取API密钥中所示:

> 用于逆向工程的开源工具范围很广,我们无法在本文中详细介绍这个主题,但我们将重点介绍如何使用Mobile Security Framework(MobSF)来演示如何逆向工程我们移动应用程序的APK。 MobSF是一组开源工具,它们以吸引人的仪表板呈现其结果,但MobSF和其他地方底层使用的相同工具也可以单独使用来实现相同的结果。
>
> 在本文中,我们将使用Android Hide Secrets研究存储库,这是一个使用多种不同技术隐藏API密钥的虚拟移动应用程序。

无论使用哪种技术来隐藏移动应用程序二进制文件中的机密信息(代码混淆、字符串混淆/加密),拥有足够时间、资源和知识的攻击者都将能够检索它们。如果不能通过静态二进制分析获得,那么可以通过运行时攻击来获取。例如,通过执行中间人攻击来拦截API请求,就像我在文章如何对Android应用程序的API执行中间人攻击中所示:

> 对HTTPS通道执行中间人攻击需要攻击者有能力将代理服务器的证书颁发机构(CA)添加到运行移动应用程序的设备的信任存储中,一个常用的方法是手动将CA上传到设备,但这带来了一些挑战,可能需要对设备进行root或重新打包移动应用程序等操作。
>
> 存在一种更简单的方法,在本文中,我将展示如何使用具有可写文件系统的Android模拟器,以允许我们将代理证书直接安装到系统的信任存储中,无需root模拟器或对移动应用程序进行更改。

证书绑定可用于防止中间人攻击,但不幸的是,绑定可以通过重新打包应用程序而不实施绑定或在运行时使用Frida绕过检查来绕过。例如,你可以阅读我写的另一篇文章如何在Android应用程序上使用Frida绕过证书绑定来了解如何做到这一点:

> 今天我将展示如何使用Frida工具来在运行时挂钩移动应用程序并对代码进行仪器化,以执行成功的中间人攻击,即使移动应用程序已实施证书绑定。
>
> 绕过证书绑定并不太难,只是有点费力,允许攻击者详细了解移动应用程序与其API的通信方式,然后利用相同的知识来自动执行攻击或构建其他服务。

虽然绑定使机密信息更难以提取,但并不能百分之百地防止攻击者检索它们。

可能的解决方案

> 我听说调用Lambda函数并从那里检索是一个选项。但是如何在Lambda中建立信任(如何确保我的移动应用程序调用Lambda而不是其他人)?

你接近最佳选择之一,那就是实际上从移动应用程序中删除机密信息,但然后(正如你已经意识到的)将问题转移到后端。

现在,要解决的问题是,你的后端如何知道正在发出API请求的是确实是你的移动应用程序的真正实例,而不是机器人、自动脚本或使用像Postman这样的工具手动探测你的API服务器的攻击者。

简而言之,如果你希望从后端(Lambda函数)检索机密信息,并在移动应用程序使用时即时传递,那么后端必须只将它交付给你的移动应用程序的真正实例。这要求后端能够

英文:

Reverse Engineering

> I feel a bit awkward to ask about that question but how do you typically store secrets in React Native mobile apps?

Don't feel awkward because this isn't a trivial thing to do securely. In fact it's a very complex task to achieve. In a nutshell, if you store secrets in the app binary, you are better as treating them as public, therefore not a secret any-more, because as you say a bad actor can reverse engineer your bundle and extract them:

> As I understand secrets are shipped with the bundle to the store but then using reverse engineering malicious actor could retrieve it back?

Yes, they can and isn't that difficult, because a lot of approaches exist, and open source tools are available to make executing them easy enough for non developers. For example, the MobSF open-source tool can be used for static reverse engineer a mobile app as shown in the article How to Extract an API key from a Mobile App with Static Binary Analysis:

> The range of open source tools available for reverse engineering is huge, and we really can't scratch the surface of this topic in this article, but instead we will focus in using the Mobile Security Framework(MobSF) to demonstrate how to reverse engineer the APK of our mobile app. MobSF is a collection of open source tools that present their results in an attractive dashboard, but the same tools used under the hood within MobSF and elsewhere can be used individually to achieve the same results.
>
> During this article we will use the Android Hide Secrets research repository that is a dummy mobile app with API keys hidden using several different techniques.

No matter which technique is used to hide the secret in a mobile app binary (code obfuscation, string obfuscation/encryption) an attacker with enough time, resources and knowledge will be able to retrieve it. If not with static binary analysis then with a runtime attack. For example, by performing MitM attack to intercept the API requests as I show on the article How to MitM Attack the API of an Android App:

> Performing a MitM attack against an HTTPS channel requires the capability for the attacker to be able to add the proxy server Certificate Authority (CA) into the Trust Store of the device running the mobile app and a popular approach is to manually upload the CA to the device, but this comes with some challenges, that may require to root the device and/or repackage the mobile app.
>
> An easier way exists, and in this article I will show how to use an Android Emulator with a writable file system that will allow us to install the proxy certificate directly into the system trusted store, without the need to root the emulator or make changes in the mobile app.

Certificate pinning can be used to prevent MitM attacks, but unfortunately pinning can be bypassed by repackaging the app without the pinning implementation or by using Frida at runtime to bypass the check. For example, you can another article I wrote on How to Bypass Certificate Pinning with Frida on an Android App to learn how you can do it:

> Today I will show how to use the Frida instrumentation framework to hook into the mobile app at runtime and instrument the code in order to perform a successful MitM attack even when the mobile app has implemented certificate pinning.
>
> Bypassing certificate pinning is not too hard, just a little laborious, and allows an attacker to understand in detail how a mobile app communicates with its API, and then use that same knowledge to automate attacks or build other services around it.

While pinning makes it more difficult to extract a secret it doesn't full-proof them from being retrieved by attackers.

Possible Solutions

> I've red that calling Lambda function and retrieving from there is one option. But how to enable trust with Lambda first (how to be sure that my mobile app calls Lambda and not someone else)?

You are close to one of the best options that is to in fact remove secrets from being shipped inside a mobile app, but then (as you already realised) you shift the problem to the backend.

Now, the problem to solve is how will your backend know that what is making the API request is indeed a genuine instance of your mobile app, not a bot, an automated script or an attacker manually poking around your API server with a tool like Postman.

In a nutshell if you want a secret retrieved from a backend (your lambda function) and have it delivered just-in-time of being used by your mobile app, then it's required that the backend only delivers the same to genuine instances of your mobile app. This requires for the backend to be able to determine that the mobile app is not under attack, not running on a root or jail broken device, that isn't attached to a debugger or running in an emulator. This is a lot of attack vectors to cover and requires the backend to have realtime visibility to the running mobile app environment.

I will recommend you to read my accepted answer to the question How to use an API from my mobile app without someone stealing the token where the Runtime Secrets Protection seems your best option.

Do You Want To Go The Extra Mile?

In any response to a security question I always like to reference the excellent work from the OWASP foundation.

For APIS

OWASP API Security Top 10

> The OWASP API Security Project seeks to provide value to software developers and security assessors by underscoring the potential risks in insecure APIs, and illustrating how these risks may be mitigated. In order to facilitate this goal, the OWASP API Security Project will create and maintain a Top 10 API Security Risks document, as well as a documentation portal for best practices when creating or assessing APIs.

For Mobile Apps

OWASP Mobile Security Project - Top 10 risks

> The OWASP Mobile Security Project is a centralized resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. Through the project, our goal is to classify mobile security risks and provide developmental controls to reduce their impact or likelihood of exploitation.

OWASP - Mobile Security Testing Guide:

> The Mobile Security Testing Guide (MSTG) is a comprehensive manual for mobile app security development, testing and reverse engineering.

答案2

得分: 0

我会说这取决于你想要做什么。

如果你想要比较值,例如,你可以使用非对称算法对你的秘密进行哈希,然后比较哈希值,通过这种方式在应用程序中没有明文存储任何内容。

另一种解决方案是使用对称算法和秘密密钥进行哈希和反哈希操作,这种方式下没有秘密密钥就无法查看字符串的内容。但是,这种解决方案也带来了同样的问题,即如何存储秘密密钥?

你可以查看 crypto-js 库来处理这两种情况。

我个人常用的一些解决方案是配置库,比如 Firebase 配置。它允许你不在应用程序中存储任何东西。

英文:

I would say it depends on what you want to do.

If you want to compare values for example you can hash your secret with asymmetric algorithm and the compare the hash, by this way nothing is store in clear in the app.

Other solution is to use symmetric algorithm with secret key to hash and un-hash, by this way without the secret nobody can see the content of the string.
But with this solution we arrive with the same problem, where to store the secret?

You can look at crypto-js library for these two cases.

Something I personally use are config libraries like Firebase config.
It allows you to not store anything on the app.

huangapple
  • 本文由 发表于 2023年5月18日 05:07:29
  • 转载请务必保留本文链接:https://go.coder-hub.com/76276200.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定