App Integrity Protection

Security for Java Mobile Applications

Interpreted Code Protection for Mobile Applications

Java offers an efficient framework for developing and deploying enterprise and server or client-side applications. However, Java bytecode being an interpreted language, contains highly detailed metadata and debugging information which is susceptible to tampering, reverse-engineering and piracy. Free decompilers can easily decompile Java applications into near-original source code, creating a number of vulnerabilities.

Types of Applications that Require Protection Include:

  • Java Mobile Applications - Distributed desktop applications that are written in Java are susceptible to static and dynamic analysis attacks. These applications suffer from the same inherent reverse engineering issues as mobile and desktop applications written in other languages except bytecode is even easier to decompile. Supports Blackberry and Android.

Examples of Java Vulnerabilities include:

  • Theft of IP and PII: Intellectual property (IP) embedded in applications, such as a proprietary trading algorithm, is vulnerable to theft. Hackers also study application code to craft exploits to intercept client-server transactions, and gain unauthorized access to personally identifiable information (PII) or other sensitive data controlled by the application.

  • Invasion by malware: Hackers can discover exploitable vulnerabilities in code and craft malware to compromise the application layer

  • Key and credential theft: Secret keys and passwords embedded within Java applications can be easily discovered and misused

  • Tampering of security routines: Thick clients or proprietary Java software is at risk of piracy through tampering and disabling of license management, authentication, or dongle measures.

  • Tampering of thin clients: While the server and database portions of a multi-tier web application are somewhat shielded from hackers by the DMZ and perimeter security measures, the client portion is undefended in the wild. Hackers have complete visibility into the code, data, transactions, communication protocol, and execution platform of your client. It is very easy, following disassembly of unprotected Java clients, to discover internal security algorithms and transaction logic. The next step is to build exploits to tamper the client - enabling compromised transactions and deeper exploits that tunnel from the presentation tier into the logic and data tiers. If there is proprietary IP or logic in the unprotected client, you can expect that to be compromised as well.

In today’s threat environment enterprises need resilient protection of their Java application layer in order to:

  • Protect the R&D investment made in their Java software assets

  • Enhance conformance with security regulations, and

  • Minimize costly application breaches, unauthorized access and malware invasions.

GuardIT for Java - Core Features

Many Java obfuscation solutions largely rely on string encryption and variable renaming to prevent comprehensive disassembly of code. However, given the current sophisticated attack landscape, such superficial measures are easily circumvented; giving rise to the myth that Java cannot be secured.

  • Control Flow Obfuscation. This advanced obfuscation technique breaks the correlation between byte code and semantically meaningful source code constructs. This degrades the results of decompilation, this preventing recovery of Java source code and protecting applications against reverse engineering. Many low-cost obfuscators rely on select tactics to break popular decompilers. In contrast, GuardIT for Java leverages language-level properties to implement reliable, long-lived protection that is not hostage to an arms race between a protection solution and decompiler enhancements.

  • String Encryption and Variable Renaming. These commonly used techniques remove semantically meaningful variable names, strings and thus, context, from the code. This provides an additional measure of defense against decompilation and reverse engineering.

  • Developer-Friendly. GuardIT for Java directly protects compiled class files. It is integrated with popular development environments including Eclipse, IBM RAD and Ant. It is also accessible as a command line tool. Protection is easy as ‘point-and-click’ for rapid, hassle-free deployment.

  • 100% Verifiable Code. The protected application is pure, fully compliant Java byte code, and remains fully portable.


Terms of Use|Site Map

Ā© 2014 Arxan Technologies, Inc. All Rights Reserved.