Checksum Validation

Checksum validation is the process of verifying the integrity of a mobile app to ensure that it has not been tampered with or modified in any way.

What Is Checksum Validation?

Checksum validation verifies the integrity of a mobile app, confirming that it has not been tampered with or modified in any way. Its purpose is to protect mobile app users from malicious software and other security threats.

What Is a Checksum?

A checksum is a short fixed-length value, usually produced by a cryptographic hash function, calculated from a block of data and used to verify the integrity and authenticity of that data. For example, a checksum calculated over image data can be used to verify that the image has not been altered when transferred over the internet.

Checksum values are generated using well-known algorithms in which even a small change to the input produces a different output value. The most common algorithms used to calculate checksums include cyclic redundancy check (CRC), message digest (MD), and secure hash algorithms (SHA). These algorithms are designed to produce a practically unique checksum value for each set of data, making it difficult for someone to generate a false checksum value. For example, the MD5 algorithm creates a 128-bit hash value derived from the input data; SHA-256, another popular algorithm, creates a 256-bit hash value. Note that CRC detects accidental corruption but offers no protection against deliberate modification, and MD5 and SHA-1 are no longer collision resistant, so tamper detection should rely on SHA-256 or stronger.

A checksum algorithm works by taking the data that needs to be checked and processing it through a set of operations to generate the checksum value. Checksum algorithms use a combination of operations such as addition, subtraction, and bitwise XOR to transform the data into a unique fixed-length value.

What Is the Value of a Checksum?

Checksums provide a fast and simple way to identify data corruption, verify integrity, and validate authenticity of data through cryptographic hash comparisons. Checksums are valuable for the following key reasons.

  • Integrity verification. Checksums enable the identification of unauthorized alterations or unintended modifications to data by validating it against a predetermined value.
  • Tamper detection. Any attempt to tamper with the data will be exposed as the checksum will cease to match the original, unveiling any unauthorized modifications.
  • Error checking. Checksum mismatches serve as indicators to identify errors that occur during transmission or storage.
  • Authenticity. Matching checksums confirm the authenticity and integrity of the data, ensuring that it remains unaltered and genuine.
  • Efficiency. Checksums offer a rapid and efficient means of confirming the accuracy and integrity of extensive datasets through the use of straightforward cryptographic hashing.
  • Deduplication. Checksums offer a swift and efficient method of identifying duplicate data by comparing their unique hash values, making it effortless to remove any redundant information.
  • Change tracking. Divergent checksums indicate that the foundational data has undergone alterations.
  • File comparison. Comparing checksums with speed and efficiency allows for the swift determination of whether two files are an exact match.

How Could a Mobile App Perform Checksum Validation?

A mobile app can be configured to perform checksum verification on itself by using a checksum algorithm to compute the checksum of the app's executable code and comparing it to a pre-computed checksum value, which would have been computed using the same algorithm when the app was built. If the two checksums match, the code has not been modified. If the checksums do not match, the code has been altered.

Enabling a mobile app to perform checksum validation should be part of a Mobile RASP (Runtime Application Self-Protection) solution. 

The following process outlines the steps that could be used to perform checksum verification in a mobile app.

  1. Compute the checksum value. First, compute the checksum value of the mobile app's executable code using a reliable checksum algorithm. Commonly used checksum algorithms include MD5, SHA-1, SHA-256, and SHA-512.
  2. Store the checksum value. Store the computed checksum value in a secure location such as a remote server or embed it within the mobile app itself. There are a variety of ways to embed the checksum, such as storing the value in a metadata file, embedding it in a binary file, or storing it in a specific location in memory. If the computed checksum value is stored within the app, use protections such as white-box cryptography to ensure that it is resistant to attacks.
  3. Retrieve the stored checksum value. When the mobile app is launched, it should retrieve the stored checksum value from the secure location.
  4. Compute the checksum value again. The mobile app should then recompute the checksum value of its executable code using the same algorithm used in step 1.
  5. Compare the computed checksum value. The mobile app should compare the computed checksum value with the retrieved checksum value from step 3.
  6. Take appropriate action. If the computed checksum value matches the retrieved checksum value, it means that the mobile app has not been tampered with and can proceed with normal operation. Otherwise, a defensive action should be taken, such as displaying an error message, logging an event, or exiting the app.
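The six steps above, carried through in working code as an added example (not Blue Cedar's implementation). It assumes a constructed app image whose last 32 bytes are a slot holding the SHA-256 digest of the code region in front of it; the slot must be excluded from the hashed region, otherwise the stored value would change the bytes it describes.

```python
import hashlib
import hmac

DIGEST_LEN = 32  # SHA-256 produces a 32-byte digest

# Constructed stand-in for an app's executable code (not a real binary).
ORIGINAL_CODE = b"\x7fELF" + bytes(range(256)) + b"constructed app code section"


def compute_checksum(code: bytes) -> bytes:
    """Steps 1 and 4: SHA-256 over the code region only."""
    return hashlib.sha256(code).digest()


def embed_checksum(code: bytes) -> bytes:
    """Step 2 (build time): append the digest in a trailer slot that is
    not itself part of the hashed region."""
    return code + compute_checksum(code)


def retrieve_checksum(image: bytes) -> bytes:
    """Step 3 (launch time): read the stored digest back out of the slot."""
    if len(image) <= DIGEST_LEN:
        raise ValueError("image has no room for a checksum slot")
    return image[-DIGEST_LEN:]


def validate_image(image: bytes) -> bool:
    """Steps 4 and 5: recompute over the code region and compare."""
    stored = retrieve_checksum(image)
    recomputed = compute_checksum(image[:-DIGEST_LEN])
    # Constant-time comparison so a mismatch does not leak how much matched.
    return hmac.compare_digest(stored, recomputed)


def check_and_act(image: bytes) -> str:
    """Step 6: report the outcome; a real app would log the event and exit."""
    return "ok" if validate_image(image) else "tampered"


def flip_byte(image: bytes, offset: int) -> bytes:
    """Test helper: simulate a single modified byte (corruption or a patch)."""
    data = bytearray(image)
    data[offset] ^= 0x01
    return bytes(data)


IMAGE = embed_checksum(ORIGINAL_CODE)

if __name__ == "__main__":
    print(check_and_act(IMAGE))                # ok
    print(check_and_act(flip_byte(IMAGE, 8)))  # tampered
```

A digest stored beside the code can be recomputed by anyone able to rewrite both, which is why step 2 calls for protecting the stored value or keeping it on a remote server.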

Blue Cedar Provides Checksum Validation


Blue Cedar Enforce

Blue Cedar Runtime Protection, a capability of Blue Cedar App Security, implements checksum validation as an anti-tampering method to validate the integrity of mobile apps. This is one of many mobile app capabilities provided by Blue Cedar App Security, which also provides Data Protection, Code Obfuscation and Secure Remote Access. 


Blue Cedar Enhance

Blue Cedar also provides an easy way to incorporate mobile app security into a mobile app through Blue Cedar Enhance, Blue Cedar’s no-code integration service that adds new functionality to mobile apps without requiring a single line of code to be written. Blue Cedar Enhance integrates mobile app security into iOS and Android mobile app binaries, regardless of the libraries and frameworks that underpin these app binaries.

The Blue Cedar Platform

Blue Cedar Mobile App Security and Blue Cedar Enhance are delivered by the Blue Cedar Platform, a CI/CD friendly SaaS solution that also provides deployment services, such as app import and code signing, to streamline delivery of secured mobile apps.