Security for Android Java Mobile Applications


Java offers an efficient framework for developing and deploying enterprise and server or client-side applications. However, Java bytecode being an interpreted language, contains highly detailed metadata and debugging information which is susceptible to tampering, reverse-engineering and piracy. Free decompilers can easily decompile Java applications into near-original source code, creating a number of vulnerabilities.

Types of Applications that Require Protection Include:

  • Java Mobile Applications - Distributed applications that are written in Java are susceptible to static and dynamic analysis attacks. These applications suffer from the same inherent reverse engineering issues as mobile and desktop applications written in other languages except bytecode is even easier to decompile.
  • Web Applications with server side business logic – Thin client based web applications where logic in the Web/Business/System tier is susceptible to theft, malware insertion, unauthorized access to authentication credentials and keys

Examples of Java Vulnerabilities include:

  • Reverse Engineering: Attackers can reverse engineer a bytecode file and decompile the code after it’s downloaded to the client. This enables IP theft as well as reverse engineering of security routines or other critical routines that can be found and exploited
  • Bypass critical routines: Attackers can patch thick client binaries to bypass authentication logic or exploit restricted functionality contained in your client code. This enables attacks on your server
  • Key and credential theft: Often secret keys or authentication credentials are hardcoded into components. These are quite simple to identify, and can then be abused to launch attacks on your server
  • Easy decompilation: As an interpreted language, Java is very easy to decompile. A number of free and low-cost decompilers are widely available and automatically process bytecode to produce amazingly readable source code. Hackers can quickly decompile your bytecode, modify it to implement hacks or create counterfeits, and recompile – resulting in a hacked version of your original application
 

Arxan’s Solution for Java Mobile Applications:

Arxan’s GuardIT® protects critical functions of an application by combining advanced encryption and obfuscation with Guards® that are manipulating the bytecode. GuardIT®  for Java is based on patented technology that features various advanced obfuscation techniques. The creation of customized GuardSpec guides the insertion of various layers of protection for your Intellectual Property

In today’s threat environment enterprises need resilient protection of their Java application layer in order to:

  • Protect the R&D investment made in their Java software assets
  • Enhance conformance with security regulations, and
  • Minimize costly application breaches, unauthorized access and malware invasions.

Core Features

Many Java obfuscation solutions largely rely on string encryption and variable renaming to prevent comprehensive disassembly of code. However, given the current sophisticated attack landscape, such superficial measures are easily circumvented; giving rise to the myth that Java cannot be secured.

  • Control Flow Obfuscation. This advanced obfuscation technique breaks the correlation between byte code and semantically meaningful source code constructs. This degrades the results of decompilation, this preventing recovery of Java source code and protecting applications against reverse engineering. Many low-cost obfuscators rely on select tactics to break popular decompilers. In contrast, GuardIT for Java leverages language-level properties to implement reliable, long-lived protection that is not hostage to an arms race between a protection solution and decompiler enhancements.

  • String Encryption and Variable Renaming. These commonly used techniques remove semantically meaningful variable names, strings and thus, context, from the code. This provides an additional measure of defense against decompilation and reverse engineering.

  • Developer-Friendly. GuardIT for Java directly protects compiled class files. It is integrated with popular development environments including Eclipse, IBM RAD and Ant. It is also accessible as a command line tool. Protection is easy as ‘point-and-click’ for rapid, hassle-free deployment.

  • 100% Verifiable Code. The protected application is pure, fully compliant Java byte code, and remains fully portable.

 

Guards at work to protect Java 24/7:

GuardIT®  for Java leverages thousands of guard instances, of many types, to comprehensively safeguard your applications against revese-engineering, tampering and decompilation.

The following table summarizes the types of Guards for Java and functions performed by each of them.

Class of Defense Guard Type Function
DEFEND Obfuscation Transforms programs into code that’s difficult to disassemble and understand, but has the same functionality as the original
  Renaming Renames the symbols in the protected application to nonsense strings
  String Encryption Encrypts string literals and decryption at run -time
  Debug Info Strips debug info from the final, protected binary
  Call Hiding Uses Java reflection to hide method calls
DETECT Debugger Detection Detects whether a program has been executing in a debugging environment
  Class Encryption Transforms the input file into unreadable code
  Resource Encryption Encrypts useridentified resources in the Android APK.
  Resource Verification

Verifies resource files or shared library in the APK, at run-time, have not been altered or tampered 

  Root Detection Determines whether the device on which the application is running is rooted

 


The following exhibit summarizes the process of transforming an unprotected application into a protected application using GuardIT®  for Java.

GuardIT_for_Java_Protection_Process

 

 

Terms of Use|Site Map

© 2014 Arxan Technologies, Inc. All Rights Reserved.