
IBM AppScan

Reference Implementation Guide

Introduction
Component Integration
    Brief overview of the components to integrate
    Benefits of each component
Technical integration steps
    How to perform the integration
Rules
Summary

ARXAN CONFIDENTIAL

Component Introduction

Arxan and AppScan Integration Overview

Extend the security posture across the mobile application lifecycle, from analysis to remediation and run-time protection.
Shield apps across the full scope of risks, from programming flaws to advanced integrity attacks and malware exploits.

Build It Secure
    Developers follow the standard lifecycle (Design, Develop, Compile, Test) using IBM tools (Worklight, Rational) or third-party tools.

Keep It Secure
    IBM AppScan assists developers in identifying vulnerabilities in apps and facilitates the organization's ability to enforce security quality.
        -> Programming flaw remediation: the application is free of critical flaws and vulnerabilities.
        -> Informs instrumentation of Arxan protection, based on an AppScan-aided integrity risk assessment with the augmented rules.
    Arxan enables developers or security engineers to embed self-defense and tamper-resistance that protect application integrity against attacks.
        -> The application protects itself against attacks: it defends against compromise, detects attacks at run-time, and reacts and alerts.
Integration Components

Solution Components and Benefits

1. Technical guide
   Component: how to integrate IBM AppScan and Arxan into the SDLC so that they are used in conjunction.
   Benefit: control the full scope of risks and build in security from testing through run-time protection.

2. Augmented IBM AppScan rules
   Component: custom scan configuration for AppScan to better identify app integrity risks.
   Benefit: informs the protections required against app integrity attacks, which can compromise even flawless code.

3. Usage of Arxan protection tools
   Component: informs creation of the Arxan GuardSpec, based on the AppScan-aided integrity risk assessment supplemented by manual analysis.
   Benefit: design and implement "defend", "detect", and "react" app integrity protections inside your app, without modifying its source code.

4. Tested and validated
   Component: demonstration with a sample app.
   Benefit: helps ensure interoperability and support.

Integration and Scan Steps

Rule Integration

1. Acquire the Arxan IBM AppScan rules via one of several channels:
   - IBM PartnerWorld
   - IBM developerWorks
   - your Arxan Account Manager

   The rules are contained in an XML file, pbsa.vdb, that an AppScan administrator imports into AppScan's underlying solidDB database on the AppScan Enterprise server.

2. Import the pbsa.vdb rule database into solidDB:

       dbmanager --import-only -Dtransfer-staging-dir=C:\temp\ounce

   In this example the VDB file has been extracted to C:\temp\ounce\VDB\pbsa.vdb, so the staging directory handed to dbmanager is C:\temp\ounce (dbmanager looks for the VDB subdirectory beneath it).

Scan an Objective-C App

1. Start AppScan Source for Analysis.
2. Add the selected app to scan via the menu items: File > Add Application.
3. Add the additional scan rule set iOS-Integrity:
   1. Enter the configuration phase of the opened application.
   2. Select the Properties tab within this phase.
   3. Within these properties, select the "Scan rules and sets" subtab.
   4. Click the + icon within the available rule sets.
   5. Select the iOS-Integrity rule set from the available rule sets presented and click OK.
4. Request a scan via the menu items: Scan > Scan Selection.

Rule Integration Verification

Users can verify that the rules have been successfully imported into the database by examining the available rule sets (the same "Scan rules and sets" list used when configuring the scan): the iOS-Integrity rule set should now be listed.

Rules
Available Rules and Examples

Rule Development Strategy

The rules address operational risks highlighted in Arxan's paper "Threats to Mobile Apps in the Wild", released in November 2013. That paper's risk taxonomy, as shown on the slide:

    Business Risk
        Operational Risk
            Technical Risk
                Confidentiality Risk
                Integrity Risk

    Leaf risk categories:
        Reverse Engineering and Code Analysis Risk (threatens confidentiality)
        Code Modification / Injection Risk (threatens integrity)

Risk Coverage

The AppScan rules cover a number of the technical risks highlighted in Arxan's whitepaper "Threats to Mobile Apps in the Wild". Technical risks covered (the slide also tabulates an expression count per risk):

    Repackaging
    Swizzle With Behavioral Change
    Security Control Bypass
    Automated Jailbreak Breaking
    Exposed Method Signatures
    Exposed Data Symbols
    Exposed String Tables
    Cryptographic Key Interception
    Presentation Layer Modification
    Application Decryption

Integrity Risk: Swizzle and Code Change

The rules highlight this method as likely to be swizzled and modified by an attacker. The whole sensitive operation hangs on one BOOL-returning call; an attacker who swizzles loginUserWithUsername:incomingPassword: to return YES, or patches the single branch, reaches the sensitive code without valid credentials:

    // Transaction-request delegate
    - (IBAction)performTransaction:(id)sender
    {
        // Single point of failure: one boolean gates the sensitive path
        if ([self loginUserWithUsername:username
                       incomingPassword:password] != true)
        {
            UIAlertView *alert = [[UIAlertView alloc] initWithTitle:@"Invalid User"
                                                            message:@"Authentication Failure"
                                                           delegate:self
                                                  cancelButtonTitle:@"OK"
                                                  otherButtonTitles:nil];
            [alert show];
            return;
        }

        // Perform sensitive operation here
    }

Integrity Risk: Security Control Bypass

The rules flag any code that calls this method. The method is particularly attractive for code-bypass modification.

NOTE: Methods that appear to return a simple yes/no response and appear to be doing something sensitive are excellent candidates for simple code modification: patching one return value or one conditional branch defeats the whole control.

Cryptographic Key Theft

The rules flag any hardcoded keys that could easily be found by an attacker through static or dynamic analysis.

Exposed String Tables

The rules flag any hardcoded strings that are sensitive in nature. Example strings include hardcoded passwords, connectivity strings, SQL statements and shell commands.

Presentation Layer Modification

The rules flag any dependencies upon external HTML/JS/CSS files that may be loaded and displayed. Code should validate these files before use.

Repackaging

The rules highlight common entry points where jailbreak detection should occur.

Exposed Data Symbols

The rules highlight interface properties that will be particularly attractive for modification or further probing.

Exposed Methods

The rules highlight interface methods that will be particularly attractive for modification or further probing.

Automated Jailbreak Disabling

The rules highlight weak jailbreak detection algorithms. In this case, the code should rely on system calls instead of a third-party library (a library call is one hook away from always answering "not jailbroken"). It is also not checking for enough things: a single indicator is trivially patched out.
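The C below is an added example written for this slide's two points (use system calls directly, and check more than one thing); it is not Arxan's or IBM's code and is not what the AppScan rule inspects. The artifact path list, the weights and the verdict threshold are assumptions of the example. It goes a little beyond the slide by combining three independent indicators into a score: artifact presence via stat(), a write probe outside the app sandbox, and an lstat() check for a relocated /Applications.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Hypothetical artifact list (an assumption of this example): paths that a
 * typical iOS jailbreak leaves behind. Several of these legitimately exist on
 * desktop Unix, so a real list must be tuned for the target platform. */
static const char *const kJailbreakArtifacts[] = {
    "/Applications/Cydia.app",
    "/Library/MobileSubstrate/MobileSubstrate.dylib",
    "/private/var/lib/apt",
    "/usr/sbin/sshd",
    "/etc/apt",
};
#define kJailbreakArtifactCount \
    (sizeof(kJailbreakArtifacts) / sizeof(kJailbreakArtifacts[0]))

/* Check 1: how many of the given paths exist. stat() is called directly
 * rather than through NSFileManager or a third-party helper, so there is no
 * single Objective-C method for an attacker to swizzle. */
int jb_count_present(const char *const *paths, size_t n)
{
    struct stat st;
    int hits = 0;
    for (size_t i = 0; i < n; i++) {
        if (stat(paths[i], &st) == 0)
            hits++;
    }
    return hits;
}

/* Check 2: a sandboxed app cannot create files outside its container.
 * Succeeding at writing probe_path (e.g. "/private/jb_probe.txt") means the
 * sandbox has been lifted. Returns 1 if the write succeeded, else 0. */
int jb_can_write(const char *probe_path)
{
    FILE *f = fopen(probe_path, "w");
    if (f == NULL)
        return 0;
    fputs("probe", f);
    fclose(f);
    unlink(probe_path);
    return 1;
}

/* Check 3: some jailbreaks relocate /Applications and leave a symlink in
 * its place. lstat() (not stat()) inspects the link itself. */
int jb_is_symlink(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return 0;
    return S_ISLNK(st.st_mode) ? 1 : 0;
}

/* Combine independent indicators into a score so that no single check is a
 * one-byte patch away from "not jailbroken". Weights are this example's own. */
int jb_score(const char *const *paths, size_t n,
             const char *write_probe, const char *symlink_probe)
{
    int score = 0;
    score += jb_count_present(paths, n);        /* 1 point per artifact */
    score += 3 * jb_can_write(write_probe);     /* strong signal */
    score += 2 * jb_is_symlink(symlink_probe);  /* medium signal */
    return score;
}

/* Verdict threshold (assumed): require two points before declaring the
 * device jailbroken, to tolerate one stray false positive. */
int jb_is_jailbroken(int score)
{
    return score >= 2;
}

int main(void)
{
    int score = jb_score(kJailbreakArtifacts, kJailbreakArtifactCount,
                         "/private/jb_probe.txt", "/Applications");
    printf("jailbreak score: %d -> %s\n", score,
           jb_is_jailbroken(score) ? "jailbroken" : "clean");
    return 0;
}
```

Run it at each of the entry points the rules highlight, not once at launch: an attacker who defeats a single startup check has the rest of the session. The score is only as honest as the checks behind it, so each indicator should be its own inline syscall rather than a shared helper that can be patched in one place.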

Debugger Check

The rules highlight common entry points where the app should check for the unauthorized presence of a debugger.
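An added example of the check itself, not code from the page: on Apple platforms it uses the sysctl / P_TRACED technique that Apple documents in Technical Q&A QA1361 (the same call works on iOS), and on Linux it reads the TracerPid field of /proc/self/status. The parser is split out so it can be exercised on constructed input; guard_debugger_entrypoint and the react callback are this example's own names.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#ifdef __APPLE__
#include <sys/types.h>
#include <sys/sysctl.h>
#endif

/* Parse the TracerPid line of a Linux /proc/self/status text. Returns the
 * tracer's PID (0 = not traced) or -1 if the line is absent. */
long tracer_pid_from_status(const char *status_text)
{
    const char *key = "TracerPid:";
    const char *p = strstr(status_text, key);
    if (p == NULL)
        return -1;
    p += strlen(key);
    while (*p == ' ' || *p == '\t')
        p++;
    return strtol(p, NULL, 10);
}

/* Returns 1 if a debugger is attached, 0 if not, -1 if undetermined. */
int debugger_attached(void)
{
#ifdef __APPLE__
    /* Apple's documented approach (QA1361): ask the kernel for our own
     * kinfo_proc and test the P_TRACED flag. */
    int mib[4] = { CTL_KERN, KERN_PROC, KERN_PROC_PID, (int)getpid() };
    struct kinfo_proc info;
    size_t size = sizeof(info);
    memset(&info, 0, sizeof(info));
    if (sysctl(mib, 4, &info, &size, NULL, 0) != 0)
        return -1;
    return (info.kp_proc.p_flag & P_TRACED) != 0;
#else
    /* Linux: the kernel reports the ptrace attacher in /proc/self/status. */
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (f == NULL)
        return -1;
    size_t n = fread(buf, 1, sizeof(buf) - 1, f);
    fclose(f);
    buf[n] = '\0';
    long tracer = tracer_pid_from_status(buf);
    if (tracer < 0)
        return -1;
    return tracer != 0;
#endif
}

/* "React": the caller supplies the reaction (refuse the transaction, alert,
 * or abort). The result is returned so the check can be repeated at every
 * highlighted entry point rather than once at startup. */
int guard_debugger_entrypoint(void (*react)(void))
{
    int attached = debugger_attached();
    if (attached == 1 && react != NULL)
        react();
    return attached;
}

static void react_abort(void) { abort(); }

int main(void)
{
    /* Call at app launch and again before each sensitive operation. */
    int r = guard_debugger_entrypoint(react_abort);
    printf("debugger attached: %d\n", r);
    return 0;
}
```

The sysctl check is well known and a debugger can flip P_TRACED back, so treat it as one layer among several (inline it at more than one entry point, and vary the reaction) rather than a single gate.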

Risk Mitigation Strategy

The new rules highlight integrity and reverse-engineering risks that Arxan products specialize in. The recommended mitigation strategy for each type of risk is to define a corresponding Arxan Guard for that particular risk. Guards are expressed in Arxan products through an Arxan Guard Spec.

Each risk raised by a rule is mitigated by specifying a Level 1 Arxan Guard within a Guard Specification. The slide shows an example Guard Spec.

The slide also shows an example of a multi-layer Arxan Guard network, in which guards protect other guards as well as application code.
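As an added illustration of the defend/detect/react pattern and of a two-level guard network, the C below seals a checksum guard over a constructed code region and a second guard over the first guard's descriptor. It is not an Arxan Guard Spec and not Arxan's code; the guard_t descriptor, the FNV-1a checksum, the bitmask result and the scenario runner are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical guard descriptor: protects the byte range [start, start+len)
 * and remembers the checksum recorded when the guard was sealed. */
typedef struct guard {
    const uint8_t *start;
    size_t len;
    uint64_t expected;
    int tripped;            /* set when the guard detects a change */
} guard_t;

/* FNV-1a 64-bit: cheap, and enough to catch any single-byte patch. */
uint64_t guard_checksum(const uint8_t *p, size_t n)
{
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 1099511628211ULL;
    }
    return h;
}

/* Seal: record the expected checksum on the clean build. */
void guard_seal(guard_t *g, const uint8_t *start, size_t len)
{
    memset(g, 0, sizeof(*g));   /* zero padding: another guard may checksum us */
    g->start = start;
    g->len = len;
    g->expected = guard_checksum(start, len);
}

/* Detect: 1 if the range is intact, 0 if it was modified. */
int guard_check(guard_t *g)
{
    if (guard_checksum(g->start, g->len) == g->expected)
        return 1;
    g->tripped = 1;
    return 0;
}

/* A two-level guard network. Level 1 guards the application code; level 2
 * guards level 1's descriptor, so an attacker who patches the code AND fixes
 * up the stored checksum still trips the outer guard. */
typedef struct {
    guard_t level1;
    guard_t level2;
} guard_network_t;

void network_seal(guard_network_t *net, const uint8_t *code, size_t len)
{
    guard_seal(&net->level1, code, len);
    /* level 2 covers level 1's start/len/expected, not its tripped flag */
    guard_seal(&net->level2, (const uint8_t *)&net->level1,
               offsetof(guard_t, tripped));
}

/* Returns a bitmask: bit 0 = level 1 tripped, bit 1 = level 2 tripped.
 * React/alert is left to the caller (refuse the transaction, phone home). */
int network_check(guard_network_t *net)
{
    int tripped = 0;
    if (!guard_check(&net->level2))
        tripped |= 2;
    if (!guard_check(&net->level1))
        tripped |= 1;
    return tripped;
}

/* Scenario runner over a constructed 64-byte "code" region standing in for a
 * protected function: 0 = untouched, 1 = attacker patches a code byte,
 * 2 = attacker patches the code and fixes up the level 1 checksum. */
int run_scenario(int scenario)
{
    uint8_t code[64];
    for (size_t i = 0; i < sizeof(code); i++)
        code[i] = (uint8_t)(0x90 + i);      /* constructed sample bytes */

    guard_network_t net;
    network_seal(&net, code, sizeof(code));

    if (scenario >= 1)
        code[17] ^= 0x01;                   /* e.g. invert a conditional jump */
    if (scenario == 2)
        net.level1.expected = guard_checksum(code, sizeof(code));

    return network_check(&net);
}

int main(void)
{
    for (int s = 0; s <= 2; s++)
        printf("scenario %d: tripped mask %d\n", s, run_scenario(s));
    return 0;
}
```

Scenario 2 is the one a single guard cannot catch: the attacker repairs the checksum that the level 1 guard compares against, but that repair changes the level 1 descriptor bytes that the level 2 guard covers. In a real build the expected values and the guard code itself are what the protection tool obfuscates, since a checksum that is easy to find is easy to re-seal.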

Conclusions

The rules are available via several channels:
    IBM PartnerWorld
    IBM developerWorks
    Arxan Account Manager

The risks are described in more detail in Arxan's whitepaper "Threats to Mobile Apps in the Wild", released in November 2013.

Arxan mitigates all of the risks raised by these new rules. Guards work together to defend, detect, react, and alert on reverse-engineering or integrity-violation events.