Arxan Technologies, Inc.


Application security moving to center stage on mobile platforms

By Steve Ragan
http://www.thetechherald.com
Sep 13 2010, 04:10

When it comes to application security, it's up to developers to find all the holes a criminal will exploit. Some are obvious, others are a bit more complex, but the task to close them rests purely on the development side of things.

Closed development on an open platform
When dealing with application development, the platform is the first consideration. Windows, Macintosh, and Android are the top platforms for development and, on some levels, each of them has some form of open base to develop on.

Apple recently loosened some of its development restrictions, and Microsoft has moved to place its SDL content on Creative Commons. Both moves allow developers an opportunity to build security into their products. While Microsoft is still a desktop-only platform, for the most part, many experts watching the mobile industry expect Windows Mobile 7 to change some of that.

Google’s Android platform is the elephant in the room. While open and completely community driven, there are thousands of applications running on Android that are closed source. To protect those applications, Google released its Licensing Service.

Google’s Licensing Service, which is still in the infancy stages, is a great offering to the development community when it comes to copy protection. Yet, the Licensing Service is easily defeated, depending on how it is implemented.

Case in point, when word started to spread that the Google Licensing Service was easily cracked, allowing an enterprising criminal to bypass the new Android Market licensing server, it wasn’t a failure on Google’s part. It was a failure on the development side of things.

Developers who implemented the Licensing Server without an implementation of their own design, opting instead to use the one that served as a sample only, and who left the source code in an un-obfuscated form, gave anyone with the knowledge and the time to spend an opportunity to crack their software.

This is one of the problems causing some debate in the development world. Is it okay to close the source of an application if it is developed on an open-source platform?

Some would argue that it isn’t, open is open. Businesses will argue that they have a right to protect their intellectual property. They’re both right. Finding the middle ground is where the resolution lies, according to many developers The Tech Herald spoke to in recent weeks.

Protection is in the hands of the creator
As mentioned, the development teams that create the applications are the ones ultimately responsible for security. Not only do they need security to protect their products, they also need it to protect their customers.

We recently spoke to Vince Arneja, vice president of product management at software security vendor Arxan, on the subject. Arxan offers development tools that aim to protect software from IP theft, such as reverse engineering, as well as piracy by protecting licensing systems and algorithms. While we here at The Tech Herald are by no means DRM fans, we do agree that developers have a right to protect their work from outright theft.

Arxan has been around for years. Originally funded by the NSA and founded in 2001, its offerings focus on protecting the application without adding needless code to the source or disruption to the SDLC. The process of protection centers around a layered network of guards, as Arxan calls them, which use a mix of things from obfuscation to checksums to protect the application.

For example, if an application were altered, the checksums would not match, and the code could be restored to its original state. This prevents many attacks that circumvent licensing, as well as those that would attach other unknown functions.
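The checksum-and-restore behaviour described above, as an added C example (not from the article and not Arxan's implementation). It assumes a byte buffer stands in for the protected code and uses FNV-1a as the checksum; all names (`guard_t`, `guards_sweep`, and so on) are hypothetical. Two guards are layered: the outer one protects the inner guard's stored checksum.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in bytes for a protected code range; not from a real app. */
static const uint8_t pristine[8] = {0x55, 0x48, 0x89, 0xe5, 0x31, 0xc0, 0x5d, 0xc3};
static uint8_t region[8] = {0x55, 0x48, 0x89, 0xe5, 0x31, 0xc0, 0x5d, 0xc3};

typedef struct {
    uint8_t *start;        /* bytes this guard watches */
    const uint8_t *backup; /* known-good copy used for repair */
    size_t len;
    uint32_t expected;     /* checksum recorded when the guard was set up */
} guard_t;
static guard_t inner, outer;         /* inner watches region, outer watches inner */
static uint32_t inner_expected_copy; /* repair source for inner.expected */

/* FNV-1a, an assumption chosen for brevity; it is not a cryptographic hash. */
static uint32_t checksum(const uint8_t *p, size_t n) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

/* Returns 1 if the watched bytes were altered (and restores them), else 0. */
static int guard_run(const guard_t *g) {
    if (checksum(g->start, g->len) == g->expected) return 0;
    memcpy(g->start, g->backup, g->len);
    return 1;
}

/* Stands in for the build step that would record the expected checksums. */
static void guards_init(void) {
    inner = (guard_t){region, pristine, sizeof region, checksum(pristine, sizeof pristine)};
    inner_expected_copy = inner.expected;
    outer = (guard_t){(uint8_t *)&inner.expected, (const uint8_t *)&inner_expected_copy,
        sizeof inner.expected, checksum((const uint8_t *)&inner.expected, sizeof inner.expected)};
}

/* Outer runs first, so a patched checksum is repaired before inner relies on it. */
static int guards_sweep(void) {
    int repairs = guard_run(&outer);
    return repairs + guard_run(&inner);
}

int main(void) {
    guards_init();
    region[4] = 0x90; /* simulated one-byte modification */
    printf("repairs: %d\n", guards_sweep());
    return 0;
}
```

With a single guard, changing the protected bytes and the stored checksum together would go unnoticed; the outer guard is what catches that case.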

The flagship Arxan platform, GuardIT, which centers on desktop development, was recently joined by EnsureIT, aimed at the Android Platform. EnsureIT hardens Android applications that run in the Dalvik virtual machine and call into native code via the Android Native Development Kit (NDK).

The takeaway from the conversation with Arxan was that, as the Android platform grows in popularity, more energy will need to be spent to protect the software and the consumer. While you would expect that from a company selling the tools to make this happen, there is no denying that they are correct.

Piracy and other application attacks
Piracy is a major concern for application developers, whether it happens because someone wants a program at zero cost (outright theft) or because they want to reverse the code and steal the IP. In both cases, developers can use hardening solutions, such as those offered by Arxan, to protect against those types of attack.

On the Android platform, the largest concern is Malware that targets the device, and the information stored on it or given to it by the consumer. When it came to this angle, we had to agree with Arxan’s chief technology officer (CTO), Kevin Morgan, who wrote that there is a serious need for vetting when it comes to mobile applications, especially those on Android.

“Why? Simple: the bulk of these applications are from "boutique" developers or development shops, and there is absolutely no vetting of what exactly these applications do. The potential for Malware in these applications is enormous,” Morgan wrote on his blog.

While Android-based Malware isn’t a critical reality yet, it does exist, and there have been cases where it was deployed to consumer devices. As an example, a malicious Android application was discovered recently that racked up huge amounts of SMS charges in Russia.

The application, while not available on the Android Market, was freely available online. These external applications are a risk, and many of them could be developed to mimic unprotected and legitimate applications.

Imagine a banking application that looked and acted like the one you expected, only that buried deep within the source code was an additional function that stole your credentials or forced you to text message long distance carriers. How long would it be before you would catch this malicious application? How long would a criminal need to collect their stolen information and cash from the rogue messages?

Yet a situation like this, while unlikely to play out as imagined, would be prevented if the original banking application that was cloned used some of the protections available to developers. Arxan’s product offers several layered protections, this is true, but even its CTO has told developers countless times to obfuscate code, a basic layer of protection that is a known best practice when it comes to development.

Tim Bray on the Android Developer’s Blog wrote some time ago that the best attack on those who target applications “is to make their work more difficult and expensive, while simultaneously making the legal path to products straightforward, easy, and fast.”

This is why hardening the code is an important step. If you target all the likely avenues of attack in a given product, you can make things frustrating for the attacker, who will then give up and move on. This protects both the development team producing the application and the customers using it. Solutions from vendors like Arxan augment the known development standards, offering creative strategies for product defense.

We’re curious.

If you are an Android developer, or developer on any other platform, what are some of the steps you recommend for protecting source code? If you have used services from vendors like Arxan, how would you rate them? Does Google need a stronger stance on applications that are allowed to run on its Android platform?

Leave a comment below if you have the time, or simply email security@theherald.com with your suggestions and thoughts.

