Posted: 20 Sep 2018 6:13 EDT Last activity: 3 Oct 2018 0:17 EDT
NO HOOK DETECTION
We got the following issue in the report while running the penetration testing and the Recommendation to follow. We had raised an SR for this issue and got a reply from supportupdates team saying that it is a enhancement to product functionality and will need to be posted to the Pega Support Community (PSC). This is a priority implementation for our client and please address this as soon as possible. Thanks in advance.
NO HOOK DETECTION:
The mobile application could be manipulated in such a way that it would be possible to intercept the communications between the application and the back-end web services, extract sensitive encryption keys from memory, or bypass potential security controls such as root detection. Recommendation:It is recommended that the Pega Android application implements hook detection functionality that attempts to identify whether or not the application is being hooked or is running on a device where it may be targeted with hooks. This can be accomplished by implementing functionality that tries to find artefacts left by or identify the presence of hooking frameworks.
Various hook detection techniques for Android are described below.
Techniquies: Suspicious Files and Folders, Known Malicious Applications, Inspect the Application's Memory, Check For Native Methods That Should Not Be Native, Inspect Stack Trace For Suspicious Calls.