Some considerations for protecting your organization’s apps
Tue 10 Nov 2015

Winston Bond, European Technical Manager at Arxan Technologies, outlines the methods and style of approach necessary to pre-secure your app…
Readily available hacker tools and techniques dominate headlines about mobile app hacks for both the iOS and Android platforms, and security solutions providers have responded with many approaches to harden an app that is “out in the wild.”
To those charged with protecting their high-value apps, hardening is a key step within any secure software development process that confirms that the app is running as designed at runtime and thwarts hackers’ efforts to reverse engineer the app back to source code.
To some, simple obfuscators are attractive because they are low in cost, require little training and are quick to implement, but given the sophistication of today’s hackers, it is important for app developers to look beyond the surface and take a more strategic approach to choosing an application hardening solution.
Below are four key factors that IT security professionals might consider when evaluating application-hardening solutions, wary of any Target or Home Depot attack like those in the US, a possible swizzle to compromise a jailbroken iOS device and the mobile banking application running on it, or, most recently, Trojanised adware that infected 20,000 recoded Android apps.
Value of your applications
It might be a good idea to consider the R&D and maintenance costs for your app. For valuable proprietary intellectual property such as algorithms, or if money-generating content is embedded within the app, you should consider the potential revenue loss to your company if the app is successfully hacked. If the app processes sensitive information such as financial transactions, you probably need to consider the potential loss of revenue through fraud and the collateral damage that could occur if the app is hacked or Trojanised. This collateral damage may include penalties for non-compliance with regulations, expenditures on security upgrades, and even costs associated with crisis management communication campaigns to manage adverse publicity and restore brand value.
There is a prevalent belief that encryption and basic obfuscation techniques are, in themselves, adequate measures to protect apps against hacking. Although string encryption and variable renaming form a beneficial security layer, they are inadequate when used in isolation.
Also, it is important to understand that not all obfuscation and encryption tools are created equal. Obfuscation is often confused with simple method renaming techniques and basic string obfuscation technologies, which can be quickly broken and easily reversed. Any encryption wrapper that applies the same measures of protection across all the apps it secures can be easily broken by determined hackers. Remember that once a wrapper technology is broken, every application secured by that vendor will be compromised.
The scale and sophistication of attacks your apps will likely face
Minimal protections against counterfeiting and repackaging are built into the app distribution ecosystem, including measures such as detection of jailbreak or root conditions that enable side-loading of applications, many of which are Trojanized. Monetization libraries confirm that only legitimate applications are downloaded through an app store and that they are correctly purchased or licensed.
However, these libraries can be, and often are, breached by cybercriminals. Audit processes to validate that only legitimate and harmless apps are placed in the app store, and audit mechanisms to block illegitimate apps from distribution to users, are far from perfect, as seen in recent iOS malware, including XcodeGhost.
Consequently, it is important to determine the scale and sophistication of attacks that you anticipate for your applications, and validate that the security solution you rely on is capable of meeting the challenge. For small-scale developers with free- or ad-supported apps, typically basic application protection will suffice, even though ad revenue may be subverted through Trojanisation.
By contrast, for business-critical enterprise applications it is safe to assume that an organized army of hackers will be actively looking for ways to subvert your app as quickly and as comprehensively as possible. Since such attacks are designed to be covert, it can take weeks or even months until evidence of a successful hack surfaces. For that reason, measures of defense against attacks have to be complemented by measures of detection and reaction. For example, deeply instrumenting an app to detect attempted attacks and react with functions such as “phone home” can provide long-lasting and durable protection.
Attacks that systemically compromise the underlying libraries an app relies on are the fastest growing class of attacks – and presently the most dangerous. This makes it imperative that high value apps are able to verify the pristine nature of their entire execution environment before unlocking sensitive functionality. Obfuscation solutions that focus solely on variable renaming or string encryption can deter static reverse engineering but are not able to protect against the full spectrum of high-intensity attempts to compromise the app.
Agility and Portability
The portable device ecosystem, spanning smartphones, tablets and wearable devices, is among the fastest growing and fastest evolving. In stark contrast to the PC ecosystem, which is dominated by only a few chipset and operating system combinations, the portable ecosystem is a combinatorial nightmare of chipsets, OSs, programming technologies and hardware functionality.
Overhead and Performance Impact
Memory footprint, power consumption and performance are important considerations in portable devices, where resources are limited and battery life is precious. All security technology will impose an additional memory footprint in storage and at run-time. It will also impose process overhead in terms of programming effort, compilation complexity and run-time execution characteristics.
That said, more sophisticated application hardening solutions can offer a stronger trade-off between performance impact and protection strength relative to free- or low-cost solutions. For example, brute-force simple obfuscation can quickly cause memory bloat and diminish execution speed, while basic checksumming can adversely impact run-time performance while retaining single points of protection failure.
When apps are deployed to millions or billions of users, and/or where transaction volumes are expected to be high, it is crucial that the security solution chosen be as robust and reliable as your own app code. Obfuscating sections of the code that are sensitive to performance degradation, such as computation-intensive functions or graphics rendering routines, has an impact on runtime performance. It’s paramount to choose a protection solution that offers tunable performance vs. security tradeoff measures, and gives developers better control over the size and performance of their code.
The rise of mobile computing and soaring app usage have companies of every size and caliber scrambling to keep up. With customer loyalty and revenues at stake, developers are scrambling to release cutting-edge apps with little thought for long-term security considerations. In these conditions, it is tempting to treat code hardening as a checkbox and select the cheapest, most readily downloadable tool to do the job – but let the buyer beware. If you take the time to assess the value of your applications and the available options, you’ll realize that if you have a high value app and focus solely on cost, you are likely to be “penny wise and pound foolish.”
About the Author
Winston Bond is a senior pre-sales engineer with many years of experience of working with customers in the software and semiconductor industries across Europe and worldwide. His technical expertise includes desktop, mobile and embedded software development and application security implementation in C++, C# and Java on Windows, .NET, Linux, Mac OSX, iOS, Android, Blackberry and various embedded platforms. Bond is the founding member of the Arxan Technologies team in Europe, with responsibility for evangelising and supporting Arxan’s suite of security solutions that protect software from reverse-engineering, tampering and hacking. Bond works with major names in banking, games, digital TV, CA/DRM and CAD software to protect their assets.