A self-contained security system is not secure if that system uses code that can be decompiled and subsequently reverse engineered. There are no two ways about it. However, this won't stop developers and solution providers from attempting to create such a system. On this page, we review examples of systems we have come across that put this theory to the test, and failed.
Embedded Credentials
Authentication credentials should never be stored in a binary/flash/Java/script that can be accessed directly, decompiled or reverse-engineered.
Custom 'Hashing/Encryption' Algorithms
Self-contained True/False Logic
It is quite common for an application to include an authentication form in its workflow to perform authentication and authorization functions. When deployed properly, the program should take a user's credentials, hash them into a secure, non-reversible representation of themselves, and then pass that data to a second system for review and analysis. The backend system should then validate that username/password (or passwords) and return a unique session ID to the client system for temporary validation and access control. This is the standard model for client/server systems, networked operating systems and browser-based applications. Unfortunately, whether due to a lack of security understanding, shortcomings in security design, or because a system is designed to be an island unto itself, developers will sometimes create a scenario that can become a target for an attacker.
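The contrast between the two designs, as an added example that is not code from this page or from any system it reviews. All class names and sample data are hypothetical; the example assumes the transport to the backend is protected and that the backend stores a salted PBKDF2 hash of each password.

```python
import hashlib
import hmac
import secrets

class StandaloneApp:
    """Self-contained pattern: the True/False gate and the data both ship to the user."""
    _DATA = "quarterly-report"  # constructed sample data
    def __init__(self):
        self.authenticated = False
    def read_data(self):
        # Whoever controls the program controls this flag and this branch.
        return self._DATA if self.authenticated else None

class Backend:
    """Second system: validates credentials, issues session IDs, holds the data."""
    def __init__(self):
        self._users = {}     # username -> (salt, PBKDF2 hash); storage scheme is an assumption
        self._sessions = {}  # session ID -> username
        self._data = {"alice": "quarterly-report"}  # constructed sample data
    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    def register(self, username, password):
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, self._derive(password, salt))

    def login(self, username, password):
        salt, stored = self._users.get(username, (b"\0" * 16, b""))
        candidate = self._derive(password, salt)  # same work for unknown users
        if not hmac.compare_digest(candidate, stored):
            return None
        session_id = secrets.token_urlsafe(32)  # unguessable, meaningful only to the backend
        self._sessions[session_id] = username
        return session_id

    def read_data(self, session_id):
        user = self._sessions.get(session_id)
        return self._data.get(user) if user else None

class ThinClient:
    """Client keeps only a session ID; its local flag is cosmetic."""
    def __init__(self, backend):
        self.backend, self.session_id, self.authenticated = backend, None, False
    def login(self, username, password):
        self.session_id = self.backend.login(username, password)
        self.authenticated = self.session_id is not None
        return self.authenticated
    def read_data(self):
        return self.backend.read_data(self.session_id)
```

Setting `authenticated` to True on `StandaloneApp` releases the data, while the same change on `ThinClient` releases nothing, because the backend only honours a session ID that it issued itself.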
While not technically a security illustration, this same flaw or weakness has been found and exploited for years in most consumer software. If you have ever heard of a software 'crack' that disables the registration process in a piece of software, or seen a 'keygen' generate a 'valid' registration code for a piece of software, you have witnessed how this Achilles' heel of a self-contained True/False system can be exploited. The same general attack strategy can be applied to authentication/authorization mechanisms that are built into a binary. The following demonstrates how this flaw can be exploited using the sample binary provided for this threat page.