Qlik Community


An adversary can install and use repacked/modified Qlik Sense Client Managed Application in iOS or Android (Application Repackaging)

Rakesh_Basappa
Support


 

An adversary can install and use a replaced/modified Qlik Sense Client Managed application on iOS or Android (application repackaging).

 

Environment

 

Resolution

 

Protection against the application re-signing threat is considered a security best practice, and the industry expresses it as the following MASVS/MSTG requirements:

MSTG-RESILIENCE-1 The app detects, and responds to, the presence of a rooted or jailbroken device either by alerting the user or terminating the app.

MSTG-RESILIENCE-3 The app detects, and responds to, tampering with executable files and critical data within its own sandbox.

MSTG-RESILIENCE-10 The app implements a 'device binding' functionality using a device fingerprint derived from multiple properties unique to the device. 

etc...

In the wild, implementations vary: they can be client-based checks and/or remote app and device attestations, and they are quite common in enterprise applications (especially in the absence of MDM). See, for example, the client-based device root check in Slack 21.09.20.0:

Block jailbroken or rooted devices on Enterprise Grid 

 

The proper way to implement this app/device attestation is remotely (SafetyNet for Android and a similar mechanism for iOS), because the client-based check (see the Slack example above) can be easily overcome with application tampering and re-signing.
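The server-side half of a remote attestation check, as an added example (not Qlik's code): it applies policy to a decoded SafetyNet attestation payload, assuming the JWS signature and certificate chain were already verified by the caller. The package name, certificate bytes, freshness window and sample payloads are constructed for illustration.

```python
import base64
import hashlib
import hmac

# Assumptions for illustration: package name, and constructed bytes standing in
# for the DER-encoded release signing certificate.
EXPECTED_PACKAGE = "com.example.analytics"
RELEASE_CERT_DER = b"constructed-release-certificate"
EXPECTED_DIGEST_B64 = base64.b64encode(hashlib.sha256(RELEASE_CERT_DER).digest()).decode()
MAX_AGE_MS = 5 * 60 * 1000  # assumed freshness window


def evaluate_attestation(payload, expected_nonce, now_ms):
    """Return the list of policy failures (empty list = accept).

    `payload` is the decoded JSON body of a SafetyNet attestation whose JWS
    signature and certificate chain the caller has already verified.
    """
    failures = []
    try:
        nonce = base64.b64decode(payload.get("nonce", ""), validate=True)
    except ValueError:
        nonce = b""
    # The nonce ties the verdict to this server-issued challenge (anti-replay).
    if not hmac.compare_digest(nonce, expected_nonce):
        failures.append("nonce mismatch")
    if abs(now_ms - int(payload.get("timestampMs", 0))) > MAX_AGE_MS:
        failures.append("stale attestation")
    if payload.get("apkPackageName") != EXPECTED_PACKAGE:
        failures.append("unexpected package name")
    # A re-signed build keeps the package name but reports another signer digest.
    if payload.get("apkCertificateDigestSha256") != [EXPECTED_DIGEST_B64]:
        failures.append("signing certificate mismatch")
    # Rooted or tampered devices fail one or both integrity verdicts.
    if payload.get("basicIntegrity") is not True:
        failures.append("basicIntegrity failed")
    if payload.get("ctsProfileMatch") is not True:
        failures.append("ctsProfileMatch failed")
    return failures


def constructed_payload(cert_der, nonce, now_ms, rooted=False):
    """Build a constructed sample payload (not captured from a real device)."""
    return {
        "nonce": base64.b64encode(nonce).decode(),
        "timestampMs": now_ms,
        "apkPackageName": EXPECTED_PACKAGE,
        "apkCertificateDigestSha256": [
            base64.b64encode(hashlib.sha256(cert_der).digest()).decode()],
        "basicIntegrity": not rooted,
        "ctsProfileMatch": not rooted,
    }
```

Because the decision is made on the server from a signed verdict, a repackaged client cannot patch the check out the way it can with a purely local root or signature test.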

Google Play Protect (GPP) is also part of the infrastructure that ensures the device has not installed and is not running malicious or re-signed packages. Unfortunately, local scans by GPP do not detect that the app is signed by a different certificate from the one in the Play Store. However, GPP prevents a re-signed application with the same package name from being uploaded to the Google Play Store.

Because the threat described above has only a physical attack vector, the attacker needs access to an unlocked device. The CVSS score can be calculated as CVSS:3.0/AV:P/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N (1.7) Low.

 

The app can be repacked/modified only when the device is Unlocked / Rooted / JailBroken.

 

Internal Investigation ID(s)

QB-7345

Version history
Last update: 2022-04-02 09:33 AM