03/12/2019

If the source code reveals sensitive data …

In the course of penetration tests, Limes Security very often also analyses client applications. It is irrelevant whether these are installed and executed on a computer system, a smartphone or an embedded system. Again and again, the experts at Limes succeed in extracting sensitive data such as passwords, cryptographic keys, internal IP addresses or similar from the given code. One of the tools used to read C# applications like an open book is ILSpy (https://github.com/icsharpcode/ILSpy).

ILSpy

ILSpy is freely available and makes it very easy to decompile, modify and recompile C# applications. This allows an attacker to read an application’s code almost as the developer did. This way, secret data can be found and read.

If we keep in mind that PowerShell can also be added to our toolset, even more is possible. It offers many ways to interact with the extracted code, such as loading and executing C# assemblies directly. The Limes specialists have included this function in ILSpy, making it possible to load and execute specific methods. This way, for example, decryption routines, connectors, signature schemes or the like can be abused directly from the client application.

Reverse Engineering

Unfortunately, it’s not always clear to developers that their code can easily be reverse engineered. How difficult it is to recover the source code from a compiled application depends strongly on the development language. Languages like C# and Java – and thus also Android apps – make it very easy for any experienced programmer to recover the source code. The reason is that C# and Java do not compile directly into machine code, but into Intermediate Language code. Although this makes it easier to execute the code on different systems, it also facilitates the reverse engineering process described above. Languages such as C and C++ are compiled directly into machine code, which makes reverse engineering them a much greater effort.

Limes recommends

Throughout the whole development cycle, it must be ensured that the source code contains no sensitive data such as passwords, cryptographic keys or similar. For this, automated tools can be used which search for certain keywords, such as password, key or the like, and highlight these in code reviews (e.g. SonarQube, Lint, Parasoft, Klocwork). It also makes sense to develop code under the assumption that it is freely available and everyone can read it. By keeping in mind that compiled code is not a secret by default, the chance of leaking sensitive data can be reduced.
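As an added example (not code from Limes Security or from the tools named above), the following Python check applies the keyword search to C# source: it reports string literals assigned to identifiers whose names contain such keywords, and private IP addresses inside literals. The keywords beyond password and key, the rule names and the sample class are constructed assumptions.

```python
import re

# Identifier keywords: "password" and "key" come from the article; the rest are assumptions.
KEYWORDS = re.compile(r"password|passwd|pwd|secret|token|key", re.I)
# A C# string literal (regular or verbatim; verbatim "" escapes are only approximated).
LITERAL = r'@?"((?:[^"\\]|\\.)*)"'
# identifier = "literal"  (==, != and => do not match: a quote must follow the single '=')
ASSIGN = re.compile(r"\b([A-Za-z_]\w*)\s*=\s*" + LITERAL)
STRING = re.compile(LITERAL)
# RFC 1918 private IPv4 ranges.
PRIVATE_IP = re.compile(
    r"\b(?:10\.\d{1,3}|192\.168|172\.(?:1[6-9]|2\d|3[01]))\.\d{1,3}\.\d{1,3}\b")

def scan(source):
    """Return (line, rule, name) findings; secret values are never echoed."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for name, value in ASSIGN.findall(line):
            # Empty literals are skipped: they are placeholders, not secrets.
            if value and KEYWORDS.search(name):
                findings.append((lineno, "hardcoded-secret", name))
        for value in STRING.findall(line):
            for ip in PRIVATE_IP.findall(value):
                findings.append((lineno, "internal-ip", ip))
    return findings

# Constructed C# sample; every value in it is made up for this example.
SAMPLE = '''\
public class Connector
{
    private const string DbPassword = "Sup3r-Constructed!";
    private static readonly string ApiKey = @"constructed-key-0001";
    private string password = "";
    private string host = "http://192.168.10.20:8080/api";
    private string label = "Enter password";
    public string KeyName => "display";
}
'''

if __name__ == "__main__":
    for lineno, rule, name in scan(SAMPLE):
        print(f"line {lineno}: {rule}: {name}")
```

Matching on the identifier rather than the literal keeps UI text such as "Enter password" out of the findings, while a substring keyword like key will still flag unrelated names and needs review by a person.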

Limes Security offers special trainings on “Software security in C#”. Contact us today!