Which Approach to Application Hardening Is Right for Your App?
The Importance of Mobile Application Protection
There is no shortage of hacking tools and techniques, or of news stories about mobile app hacks on both the iOS and Android platforms. Fortunately, vendors of mobile application protection solutions have responded swiftly to these threats, and there are now many approaches one can use to harden an app once it is out in the wild. Hardening is a key step at the end of any secure software development life cycle: it ensures that the app runs as designed at runtime and thwarts cybercriminals' efforts to reverse engineer the app back to source code. Which hardening approach is right for your app? To the uninformed customer, simple obfuscators are attractive because they are low in cost, require little training to use and are quick to implement. Given the sophistication of today's cybercriminals, however, app developers need to look beyond the surface and take a more strategic approach to choosing a mobile application hardening solution. Below are four key factors that those responsible for app security should consider when evaluating application hardening solutions.
1. The Value of Your App
An important factor to consider is the level of investment your company is making in an app with respect to research and development and maintenance costs. For instance, if valuable, proprietary intellectual property such as algorithms or monetizable content is embedded within the app, you should consider the loss of revenue to your company if the app is successfully hacked. If the app will be processing sensitive information such as financial transactions, account information or authorization credentials, you should consider the potential loss of revenue through fraud and the collateral damage that may accrue if the app is hacked or Trojanized. Collateral damage may include not only penalties for noncompliance with regulations and necessary expenditures on security upgrades, but also the costs of crisis management communication campaigns to manage adverse publicity and restore brand value.
There is a prevalent belief that encryption and basic obfuscation techniques are, in and of themselves, adequate measures to protect apps. String encryption and variable renaming form a useful security layer but are inadequate when used in isolation. It is also important to understand that not all obfuscation and encryption tools are created equal. Obfuscation is often confused with simple method renaming and basic string obfuscation, which can be quickly broken and easily reversed. Any encryption wrapper that applies the same measures of protection across all the apps it secures can be broken by determined attackers, and once that happens, every application secured by that vendor is compromised. See the chart below for recommended mobile application protection techniques for low- and high-value apps.
Figure 1: Recommended Protection Techniques
2. The Scale and Sophistication of Attacks Your App Will Likely Face
Minimal protections against counterfeiting and repackaging are built into the app distribution ecosystem. These include measures such as:
- The detection of jailbreak or root conditions that enable the side-loading of applications, many of which are Trojanized;
- Monetization libraries that ensure only legitimate applications are downloaded through the app store and are correctly purchased or licensed. However, these libraries can be, and often are, breached by cybercriminals; and
- Audit processes intended to ensure that only legitimate and harmless apps are placed in the app store, although the mechanisms that block illegitimate apps from distribution to users are far from perfect.
Figure 2: Strength of protection of basic and comprehensive hardening techniques.
Attacks that systematically compromise the underlying libraries an app relies on are the fastest-growing class of attacks, and presently the most dangerous. This makes it imperative that high-value apps are able to verify the pristine nature of their entire execution environment before unlocking sensitive functionality. Obfuscation solutions that focus purely on variable renaming or string encryption can deter static reverse engineering but are not able to protect against the full spectrum of high-intensity attempts to compromise the app.
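To make the two points above concrete (verifying the loaded libraries before unlocking sensitive functionality, and diversifying the protection per build so that breaking one app does not break every app), here is an added example that is not from the original article or any vendor product. It assumes constructed library bytes and a hypothetical per-build key; a real implementation would hash the actual on-disk or in-memory library images and protect the key with the other hardening layers the article describes.

```python
import hashlib
import hmac

# Constructed sample: the library images as they exist in the pristine build.
PRISTINE_LIBS = {
    "libpayments.so": b"\x7fELF constructed pristine payments library bytes",
    "libcryptohelper.so": b"\x7fELF constructed pristine crypto helper bytes",
}
# Hypothetical per-build secret; a different value is generated for every build,
# so a key recovered from one app does not let an attacker forge another app's manifest.
BUILD_KEY = b"constructed-per-build-key-0001"


def _tag(build_key: bytes, name: str, data: bytes) -> str:
    """HMAC over the library name and its SHA-256 digest, keyed with the per-build key."""
    digest = hashlib.sha256(data).digest()
    return hmac.new(build_key, name.encode() + b"\x00" + digest, hashlib.sha256).hexdigest()


def build_manifest(libs: dict, build_key: bytes) -> dict:
    """Run at build time: record one keyed tag per library that the app is expected to load."""
    return {name: _tag(build_key, name, data) for name, data in libs.items()}


def verify_environment(manifest: dict, loaded_libs: dict, build_key: bytes) -> list:
    """Run at runtime before sensitive functionality: return a list of findings (empty means pristine).
    Flags libraries that were modified, removed, or injected relative to the manifest."""
    findings = []
    for name, expected in manifest.items():
        data = loaded_libs.get(name)
        if data is None:
            findings.append(f"missing:{name}")
        elif not hmac.compare_digest(_tag(build_key, name, data), expected):
            findings.append(f"modified:{name}")
    for name in loaded_libs:
        if name not in manifest:
            findings.append(f"unexpected:{name}")
    return sorted(findings)


def unlock_sensitive_feature(manifest: dict, loaded_libs: dict, build_key: bytes) -> bool:
    """Gate the sensitive feature on a clean environment check; deny on any finding."""
    return verify_environment(manifest, loaded_libs, build_key) == []


if __name__ == "__main__":
    manifest = build_manifest(PRISTINE_LIBS, BUILD_KEY)
    tampered = dict(PRISTINE_LIBS, **{"libpayments.so": b"\x7fELF patched payments library"})
    print("pristine unlock:", unlock_sensitive_feature(manifest, PRISTINE_LIBS, BUILD_KEY))
    print("tampered findings:", verify_environment(manifest, tampered, BUILD_KEY))
```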