Category: Support Corner

Remove Log4J calls with DashO’s Method Call Removal

Reading Time: 3 minutes

As we all know, Log4j is a ubiquitous piece of software used to record activity in a wide range of systems found in consumer-facing products and services. The recently discovered vulnerability in the Java logging package (CVE-2021-4428) posed a severe threat to millions of consumer products, from enterprise software to web applications. It presents a risk of loss or breach of personal information, financial loss, and irreversible reputational harm. Currently, the FTC is taking action to require organizations to remediate any associated risk caused by the known vulnerabilities. The FTC has stated that it will use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure.

A recent example of this kind of negligence came on the back of a complaint regarding Equifax’s failure to patch a known vulnerability, which irreversibly exposed the personally identifiable information of 147 million consumers. This resulted in Equifax paying $700 million to settle the actions taken by the FTC and the Consumer Financial Protection Bureau. The risk for businesses is therefore clear: take actionable steps to remediate the vulnerability, or face litigation, breach risk and reputational damage.

In this guide, we will walk you through how you can use Method Call Removal to mitigate this vulnerability.

Method Call Removal

Method Call Removal has been available since our DashO 6.11 release. It is mostly used for removing logging statements, but it can be used to strip any method calls we’d prefer not to have in our production release. The only caveat is that the method definition must also be in DashO’s input.

Let’s assume Log4j is used for our application’s logging. We might want to remove all log statements from production builds, then create special debug builds with logging enabled as needed. Or, we might want to remove Info, Warn, and Debug messages, but retain Error or Fatal messages in our production build. This can be done using DashO’s Method Call Removal feature, without needing to adjust the Log4j configuration.

Please consider the following example:

This application logs informational messages when the app starts, and when it shuts down.  

The Log4j configuration has been organized into a global logging class.

In our DashO project, I’ll select the “LogInfo” method for method call removal.


After doing so, the application runs normally, but informational messages are no longer logged to console or written to log file.

After the app has been in production, I may need to create an obfuscated debug build for troubleshooting an issue with a specific client.  If so, I can run DashO without Method Call Removal to preserve logging calls in my debug build.

The above example can be downloaded here.


If you have any feedback on this topic or other topics you would like us to discuss in the Support Corner, please feel free to contact our Support Department.


Category: 101

Dotfuscator 101

Reading Time: 4 minutes

In this blog we will dive into Dotfuscator as part of our 101 series, walking you through what Dotfuscator for .NET does and how it can help protect your projects.

For those of you who are in the industry and know how this product protects your code, we appreciate the loyalty! If you are not tech savvy, but want to know a little bit more about this product, here’s our summary:

What is Dotfuscator for .NET?

Dotfuscator is a multi-functional tool that combines obfuscation and optimization while shrinking your code, for .NET, Xamarin and Windows Platform Apps. Basically, it jumbles and encrypts your code, hardening it to prevent theft.

How does Dotfuscator work?

PreEmptive Dotfuscator for .NET provides many layers of protection for .NET users with multiple forms of obfuscation. We like to describe this as constructing the perfect sandwich.

  • First we start with the bread, in this case we will call it Renaming. Renaming obfuscation alters the names of variables and methods, making it difficult to read or scan the code to gain access to certain parts of your source code. However, we go a little further by making things extra difficult for the typical hacker by utilizing Overload Induction™. This renames as many methods as possible to the same name instead of changing variables one by one. To say the least – this is what makes the “bread” harden at surface level.
  • Then add the veggies: lettuce (Control Flow) and tomato (String Encryption). Control Flow uses advanced obfuscation by falsifying conditional statements. Basically, it destroys the code patterns that decompilers use to recreate source code, resulting in spaghetti logic to confuse anyone who tries to crack the code. Adding the tomato (String Encryption) hides all the strings that are present in the user’s assembly. To better explain: the typical hacker will locate string references inside the binary. Usually, if the application is time sensitive, a message will pop up when time has expired – this is exactly what hackers search for inside the decompiled output, indicating that they are VERY close to stealing your algorithm. Dotfuscator directly addresses this issue by allowing the user to encrypt strings in the most vulnerable parts of the source code.
  • Now comes the choice of meat (Watermarking, Pruning, Linking-Assembly Merging). Watermarking helps track unauthorized copies of the user’s project by embedding copyright information directly into .NET applications without jeopardizing runtime behavior. Pruning takes the work out for you by removing unused types, methods, fields, debugging information and non-essential metadata from an MSIL file, all during processing. The Dotfuscator Linking-Assembly Merger combines multiple input assemblies into one or more output assemblies – meaning it shrinks your application down alongside pruning and renaming.
  • Next is the cheese (Tamper Detection & Defense). Dotfuscator injects code that verifies your application’s integrity at runtime, and if it detects tampering, it will shut down the application, invoking random crashes. Now that’s an excellent choice of cheese!
  • Last but not least are the condiments: mayo (Debug Detection) and mustard (Defense Using Checks). These two are prebuilt into Dotfuscator and can be injected into your .NET apps. This allows your app to detect unauthorized uses such as debugging or tampering of any sort. Don’t be fooled, checks can do more than just the average scanning; they can react too, for example by exiting the app when tampering is found.
  • For those who like a little extra on the sandwich, Shelf Life is the pickle! Shelf Life is an inventory management function that allows you to embed an expiration date, de-activation, and notification logic in your code! Now this is what we call the ultimate sandwich!

When should you use Dotfuscator?

Whether you’re a start-up company, a freelancer or an organization developing projects using .NET, you should be using this in the development process – preferably from the beginning stages, and continuing even after launch. Data breaches are no longer part of the “new normal”; they are part of everyday scenarios. If you don’t protect your code from the beginning…you will likely become another data breach statistic.

Where does Dotfuscator work?

Dotfuscator is injected directly into your source code, providing a multi-layered approach by way of in-app hardening; assessing and securing where your code is vulnerable.  

Why should you use PreEmptive Dotfuscator?

PreEmptive Dotfuscator has paved the way in in-app security since 2003, that’s 19 years in the biz! Our clients range from small to large enterprises, including many Fortune 500 companies across different industries, from medical to government agencies. But if you still need a little more convincing, check out our client list here.

For more information on how to get started, to download our free trial, or if you need further help, we encourage you to use the resources found in our navigation bar. We hope this blog has helped you better understand Dotfuscator for .NET. We look forward to our next 101!


Category: Press Releases

New Release: PreEmptive DashO 11.2.1

Reading Time: < 1 minute

Professional-Grade Application Protection with PreEmptive DashO

You asked, we delivered: Announcing a new minor release for PreEmptive DashO

Obfuscation is more than just renaming! PreEmptive DashO is a layered obfuscation approach to provide your Java, Kotlin & Android applications with the security protection you need.

In the latest update, our development team has rolled out some new enhancements, changes and bug fixes.

What’s New?

Version 11.2.1 includes:

Enhancements
  • Validate the Modifiers input fields in the Config Editor for Include & Exclude rules
  • New option for Properties with filesystem path values that opens a system browse dialog
  • A new dropdown for Android mode projects allowing easy switching between configured build variants and their associated inputs in the Config Editor

Changes
  • The Config Editor now opens the last project on startup by default

Bug Fixes
  • Fixed an issue where input Jars with the same name could overwrite each other if “Merge Inputs” was unchecked
  • Fixed an issue where the Config Editor allowed selection of some methods for Check injections in Android projects

Ready to learn more about DashO? Request a quote: Request A Quote

Category: 101

Top 3 Reasons to Use PreEmptive

Reading Time: 3 minutes

Cyber attacks are part of our everyday discussions and will most likely continue to be throughout the next 12-18 months. With the rise in nation state attacks and the constant expansion of IoT tools, developers have to stay focused on anticipating cyber threats. For those who followed our #DataPrivacyWeek on our social platforms, we explained that our personal lives are very much intertwined with our work lives. With many folks working remotely, we are more likely to be part of the data breaches we read about in the news, as a side effect of network security risks. In this article we will dive into the primary reasons your team can benefit from PreEmptive to protect your applications.

While we were focused on supply chain attacks and ransomware threats, we overlooked another, equally prominent risk – mobile app breaches. There were over 200 BILLION mobile application downloads in 2021, and that number will most likely increase as we progress through 2022. This means that if you’re a programmer developing an app or creating a program that consists of custom code, securing your work is more important than ever. Here are the top 3 reasons why you should use PreEmptive to add a security layer to your applications:

Reason 3: Protecting Your Hard Work

We understand the countless hours that go into coding; whether they were spent on debugging, creating or troubleshooting your code’s infrastructure, it takes hard work. Many developers have projects that have been in the works for long stretches and have firm deadlines to meet. So when a project is complete, it feels like gold! We tend to concentrate on completing our projects and ensuring that functionality and usability are up to standard. But security is often an afterthought. PreEmptive in-app security features have been helping programmers prevent, detect, and respond to attacks without breaking or slowing down their applications – giving you peace of mind throughout development. Sure, we all want to complete our projects on time or earlier than expected, but if we treat our projects like we treat our phones, by putting a lock on them, then that finish line will look even sweeter.

Reason 2: Knowing the Functionality of Your Security

Data breaches are a hot topic, so searching for the right security platform has become even more of a priority. One of the factors when searching for the right security toolset – how does it actually work? PreEmptive has a layered approach when it comes to protecting your data. Think of it as building your perfect sandwich: starting with the bread (obfuscation), adding the meat (renaming code), then the veggies – lettuce (string encryption), tomato (control flow) and more – topping it off with the condiments (active runtime checks) that monitor for tampering, debugging, and more. Now that you know what’s in the perfect “security sandwich,” it’s imperative that you continue to test and secure after each build. This will allow you to have confidence in your security application.

Reason 1: Becoming another Data Breach Statistic

Every month there is another data breach that is brought to our attention, which makes you really think: are you choosing the right security platform? How do you know this platform is the right one? Assessing the needs of your company, organization or projects is the first step; next is researching security options. Some promise to be “the leading” security platform or the “number one,” but PreEmptive has been in the biz since 1996. That’s over 20 years of securing your applications! Not only do we have the experience, we have hundreds of Fortune 500 companies who use PreEmptive: Charles Schwab, FedEx, the Census Bureau and Microsoft, to name a few. If these companies trust our software, we guarantee that by using us, you won’t become another data breach victim.

In case you still need more information, we encourage everyone to read our case studies to find out how other companies found success in protecting their businesses with PreEmptive. We hope this blog has eased your worries, but if you’re not sold, try us with a FREE Trial.


Category: Dotfuscator Support Corner

Protecting Windows Forms Applications with Data Bound GUI Controls

Reading Time: 3 minutes

Today we will focus on data binding, but first let’s define this. Data binding allows Windows Forms applications to display and update UI controls from a data source, without having to modify source code for the control itself. 

When protecting Windows Forms applications, it is important to note how the data bound controls are constructed to determine if they will be impacted by code obfuscation.  If the controls bind to a collection of objects, original property names of that object must be preserved to correctly populate “DisplayMember” and “ValueMember” properties of the control.  When binding controls to an Enum, the original names of its members must be preserved, or the GUI control might show obfuscated names.  On the other hand, if we’re binding directly to a database table (and the table does not map to an object in source code), we don’t need any custom configurations because Dotfuscator does not mangle table and column names.

Consider the Following Example:

This simple Windows Forms application has three UI controls with different data binding techniques: a DataGridView binds to a Customer table in a database, a ListBox binds to a collection of Employee objects, and a ComboBox binds to an Enum called DaysOfWeek.

If I obfuscate with project defaults, I experience a runtime error at app startup.

This occurs because original property names of the Employee object are used in “DisplayMember” and “ValueMember” ListBox properties:

            // The ListBox resolves "Name" and "Department" by string at runtime,
            // so these property names must survive renaming.
            listBox1.DataSource = employeeList;
            listBox1.DisplayMember = "Name";
            listBox1.ValueMember = "Department";

To Avoid the Runtime Error:

First, I’ll open my project configuration file (DotfuscatorConfig.xml) in the Dotfuscator Config Editor, and set a Rename exclusion for the properties in the Employee object.

After configuring these Rename exclusions, the application starts without the runtime exception, but the “DaysOfWeek” ComboBox appears with obfuscated names.

In order to fix this, I will configure a Rename exclusion for the members of DaysOfWeek.

After providing this Rename exclusion, the app starts without any issues or erroneous behavior.  Please also note the DataGridView, which binds to the Customer table in our database, did not require any Rename configuration to start and display correctly.
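As an added example (not the post’s downloadable project), the following C# shows why both bindings above depend on metadata names and adds a build-time check for them. It marks the bound members with System.Reflection.ObfuscationAttribute, which Dotfuscator also honors, as an alternative to the Config Editor Rename exclusions used in the post; the class, enum and member names follow the post, and the ResolveMember and FindBrokenBindings helpers are hypothetical.

```csharp
// Added example, not code from the post. It mimics what ListControl does with
// DisplayMember/ValueMember and what a ComboBox bound to an Enum displays, so
// that broken bindings can be caught in a test run against the obfuscated build.
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Reflection;

// Bound to a ListBox via DisplayMember/ValueMember: the control looks the
// properties up by string at runtime, so their names must not be renamed.
// ApplyToMembers = true extends the exclusion to Name and Department.
[Obfuscation(Exclude = true, ApplyToMembers = true)]
public class Employee
{
    public string Name { get; set; }
    public string Department { get; set; }
}

// Bound to a ComboBox via Enum.GetValues: the displayed text is the member
// name taken from metadata, so renamed members show up as obfuscated text.
[Obfuscation(Exclude = true, ApplyToMembers = true)]
public enum DaysOfWeek { Monday, Tuesday, Wednesday, Thursday, Friday }

public static class BindingCheck
{
    // Mirrors the DisplayMember lookup: resolve the property by name through
    // TypeDescriptor. Returns null when the name no longer exists, which is
    // the situation behind the startup error described in the post.
    public static object ResolveMember(object item, string memberName)
    {
        PropertyDescriptor pd = TypeDescriptor.GetProperties(item).Find(memberName, true);
        return pd == null ? null : pd.GetValue(item);
    }

    // Run this from a unit test that references the obfuscated assembly:
    // every member the UI binds to by name must still resolve.
    public static IList<string> FindBrokenBindings()
    {
        var broken = new List<string>();

        // Constructed sample object, standing in for an entry in employeeList.
        var probe = new Employee { Name = "Ada", Department = "Engineering" };
        foreach (string member in new[] { "Name", "Department" })
        {
            if (ResolveMember(probe, member) == null)
                broken.Add("Employee." + member);
        }

        // The ComboBox shows Enum member names; each expected name must exist.
        foreach (string expected in new[] { "Monday", "Tuesday", "Wednesday", "Thursday", "Friday" })
        {
            if (!Enum.IsDefined(typeof(DaysOfWeek), expected))
                broken.Add("DaysOfWeek." + expected);
        }

        return broken; // empty when the exclusions took effect
    }
}
```

The DataGridView bound to the Customer table needs no entry in this check, because its column names come from the database schema rather than from .NET metadata.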

Conclusion

There are several different ways to use data binding in Windows Forms applications. We’ve seen a few ways that data bound controls can be impacted by obfuscation. If you experience a runtime crash or erroneous UI behavior after applying obfuscation, please use the above steps to resolve the issue.

The full example can be downloaded here.

If you have any feedback on this topic or other topics you would like us to discuss in the Support Corner, please feel free to contact our Support Department.

Category: Press Releases

PreEmptive Product Updates

Reading Time: 3 minutes

We are pleased to announce the general availability of Dotfuscator 6.4, DashO 11.2 and JSDefender 2.4 for our customers.

PreEmptive has been hard at work on the latest releases of Dotfuscator, DashO, and JSDefender. The improvements are part of PreEmptive’s strategy to continuously support all products with regular updates and new features. Headlining some of the product updates are improvements to integration and usability, and bug fixes to help ensure we keep our customers happy!

Below are the highlights of each release with links to further information such as how to access the latest version, documentation, and changelogs. Free evaluations are always available for each product.

Dotfuscator 6.4

Dotfuscator Professional protects .NET applications from reverse-engineering and hacking, using a variety of static and dynamic code transforms and injected runtime checks. Examples include symbol renaming, control flow obfuscation, string encryption, debugger detection, and tamper detection. It integrates into the development build process and operates on the .NET Intermediate Language. Dotfuscator Professional supports .NET, including .NET Core, .NET 5, Xamarin, and Mono.

The Dotfuscator Professional 6.4.0 release improves support for default interface implementations in .NET Core 3+. Dotfuscator can now protect applications that use .NET’s default interface implementation feature without the extra configuration steps that were previously required.

Additionally, the tool now provides more granular control of managed resource renaming. Users can now disable automatic resource renaming, in cases where the application loads those resources manually from strings that cannot be statically analyzed.

This version enables authenticated proxies to communicate with the PreEmptive licensing servers, which is a requirement for many enterprise customers.

The Xamarin.Android Root Check is also updated to handle new versions of Android rooting tools. 

DashO 11.2

DashO protects Java and Android applications from reverse-engineering and hacking, using a variety of static and dynamic code transforms and injected runtime checks. Examples include symbol renaming, control flow obfuscation, string encryption, debugger detection, and tamper detection. It integrates into the development build process and operates directly on compiled Java bytecode.

The DashO 11.2.0 release enables Include and Exclude rules to be configured via Java Annotations and Supertypes. Rules can now match classes based on the existence of methods or fields that match the criteria. The New Project Wizard now includes settings for generating Entry Point rules based on Java annotation-based criteria, including a special set of entry points for Hibernate/Java Persistence API.

Additionally, DashO now processes compiled bytecode from Java 16 (except for the record type and the Sealed Classes preview feature).

Also, Global Processing Excludes now allows for classes to never be updated by DashO.

JSDefender 2.4

JSDefender protects JavaScript code from reverse-engineering and hacking, using a variety of static and dynamic code transforms and injected runtime checks. Examples include symbol renaming, control flow obfuscation, string encryption, browser-based “Dev Tools” detection, and tamper detection. It integrates into the development build process and operates directly on JavaScript code. JSDefender also supports other languages that “transpile” to JavaScript, such as TypeScript. JSDefender can protect JavaScript running in the browser, on servers/workstations (e.g. NodeJS based applications), and on mobile devices (e.g. React Native applications).

The JSDefender 2.4.0 release brought several changes to the protection runtime that make our customers’ protected code much harder to reverse-engineer.

Also, it extends the Control Flow transform with an option called “injectFakeCode” that injects fake test conditions to the control flow statements to mislead and confuse the attacker.

Additionally, the release fixes some bugs in the error script parsing of the runtime checks and in the Control Flow transform.

Category: Risk Management

7 Tips for Solid AppSec in 2023

Reading Time: 4 minutes

Around $318 billion annually is lost to cybercrime, making digital security paramount to maintaining a safe and responsible operation. The urgency around this issue continues to flare as losses from phone hacking, data breaches, and source code theft rise each year. Unfortunately, no area is left untouched, including mobile apps.

Mobile applications continue to prove themselves as valuable assets that drive traffic, revenue, and community engagement for many organizations. Therefore, introducing the best app security measures is essential to creating a safe environment for a company’s user base. 

While online security is complex, security experts, developers, and programming gurus continue to expand on methods to secure digital infrastructure. However, this isn’t only a job for data experts. Every level — whether C-Suite, mid-level management, or IT — needs awareness of best practices regarding application security. 

An excellent place to start the conversation around in-app safety is with what’s current. Below are seven top habits, practices, tips, and trends for building a solid wall of mobile app security heading into 2023. 

Investing in the right DevSecOps is vital for sustaining a business able to withstand cyber threats and limiting code vulnerability. For more information, visit PreEmptive’s page explaining how investing in their security tools delivers both peace of mind and monetary savings over the long run. 

What Is AppSec?

AppSec is short for “application security,” and there’s no one way to go about it. Instead, it’s a systemic approach consisting of many habits. 

To build this approach, those responsible for mobile app security must stay on top of the latest trends and be aware of the best tools to bolster their online defense. 

Regarding AppSec, staying ahead of the curve is the only way to ward off threats. Because, after all, hackers and cybercriminals are constantly developing new ways of their own to exploit outdated security methods. 

What Are AppSec Best Practices?

Many parties track and record the best ways to improve and optimize application security, including strengthening source code via the IDE, limiting an app’s attack surface, creating strong passwords, and more. 

Also, it’s vital that all employees, regardless of status, are educated and brought into conversations around app security, as a unified front is the only way to achieve desired results. 

Automating app security is always recommended. Especially for organizations that can’t afford full-time security monitoring, investing in the right tools to do the job is often the best solution to this essential problem. PreEmptive offers a large variety of solutions to reduce mobile app vulnerability. Their offerings perform key tasks, including securing and hardening apps across many types of source code, including Java, Android, .NET, JavaScript, and iOS.

Two-Factor User Authentication

Most login methods require only a single-factor identification login, meaning a user only needs to provide one form of authentication to log in. While it’s necessary to have password-protected logins, going with a multi-factor authentication process is much safer. 

Users must produce multiple forms of authentication before logging in, especially for accounts holding personal and financial information. This is an easy and great way to increase security and keep users safe while using an app. 

Security Testing Throughout the Development Process

Major tech organizations, like Google, strongly advocate that developers run security tests not only at the end of a program’s development but throughout the entire process.

Testing for weaknesses at multiple points dramatically reduces the likelihood of oversight regarding source code weakness. 

Consolidating Security Infrastructure

The more scattered a security team’s knowledge and asset bases are, the more likely threats can slip through. As a result, consolidation is a major trend, and every company should consider swapping their whole spectrum of vendors and IT solutions for one reliable method or partner. 

Unifying around one vendor also makes the security effort more efficient and easy to understand for a company’s security managers. 

Artificially Intelligent Security Tools

Data breaches are very hard to detect right off the bat. However, advances in AI-powered security tools are increasingly valuable for identifying attacks right as they happen. In this model, programs have machine learning algorithms seamlessly attached to them. The algorithms examine and alert security managers, who can then address issues immediately. 

Continued Growth in AppSec Automation

Automated applications are a must in the modern age. Speed and immediacy are critical, and fully automatic security apps are preferred.

Additionally, automated apps continuously monitor more than just potential attacks. They highlight and fix code vulnerabilities to fend off possible threats down the line.

Government Regulation 

Laws surrounding data security began in the EU and are now spreading rapidly throughout the world. As a result, laws concerning data protection are multiplying, which places the onus on businesses to beef up security and comply. 

These regulations protect both users and companies, as data security breaches and code theft are enormously costly problems. 

Overall, regulations are predicted to continue to grow in number and scope, making it essential for organizations to know the rules. 

Increased Awareness of a Holistic Security Approach

Companies must think in terms of overarching strategy. Security across all digital and physical assets continues to merge, and analysts, developers, and executives are coming to understand that security isn’t something to compartmentalize. 

Just as a company mission needs to be a unified goal, a security approach needs to be instilled across departments, hierarchies, and geographical locations. 

Especially with increases in remote offices, the entire workforce must have a clear vision of what’s being done to secure digital assets. In addition, employees need clear communication on how every role is vital in creating a safe environment. 

Don’t Delay AppSec Implementation

Apps are among the most targeted locations of cybercrime. This makes fortifying mobile application security as crucial as routine checkups on physical assets. Therefore, companies and individuals must do all they can to incorporate the above tips into their protection strategy. 

PreEmptive’s mobile app security solutions protect from all angles: code hardening, obfuscation, security checkpoint strengthening, tamper-proofing, and more. 

Best of all, PreEmptive’s solutions seamlessly integrate into existing programs, requiring no alterations to source code. 

It’s wise to seize the day and practice vigilance by protecting essential assets before it’s too late. With the right safeguards, developers can rest easy, knowing their apps are defended. 


Category: Dotfuscator Pro Change Log

Dotfuscator Professional Edition, Version 6.5.2 - Release Date January 13, 2023

Reading Time: < 1 minute

Enhancements

  • Improved renaming of properties referenced in XAML files
  • Added a comprehensive error message when using invalid renaming schemes for Xamarin.Android projects
  • Added smart obfuscation rules for compiled XAML

Category: DevSecOps

The State of Mobile Security in 2023

Reading Time: 4 minutes

The world of cybersecurity is still in its infancy. However, it’s a new year, and reflection is a great way to prepare for future evolutions in online defense.

In 2022, many lessons were learned, threats were exposed, and successes were shared. From the continued issues attached to the COVID-19 pandemic to the new threats exposed by the Russian war on Ukraine to the instability in the world of cryptocurrency, throughout all of these occurrences, one thing remains clear: digital security is vital in the modern world. 

Throughout the past year, new methods were created to boost mobile app security and the source code that serves as its foundation. Now, the mobile app security industry faces the dawn of a new year and, with it, new challenges. 

One of the best ways to boost defenses and protect digital assets is to partner with a well-established security company that protects mobile applications across different scenarios and coding languages. PreEmptive provides modern solutions that help companies defend and form proactive approaches to securing their valuable applications. 

Lessons Learned in 2022

Preparing for the future requires a meticulous study of the past. Throughout 2022, specific trends revealed systemic weaknesses and areas requiring desperate improvement. In addition, these lessons serve as important reminders of what to look for heading into 2023. 

→ Ransomware Needs to Be Taken Seriously

Ransomware is rampant and shows no signs of stopping. Although data is not yet finalized for 2022, experts determined that in 2021 a ransomware attack occurred, on average, every 11 seconds.

A significant reason for this is that many businesses’ security methods – specifically when it comes to mobile app security – do not keep up with the evolving methods of hackers. 

Cybercriminals recognize weaknesses in faulty digital assets and can use them to infiltrate businesses. The rise of ransomware attacks also revealed mobile applications as a prime target. Overall, 70% of online fraud is perpetrated through mobile applications and platforms. 

Therefore, as cell phones become more ingrained in the lives of online users, it’s evident there’ll be continued increases in ransomware attacks. 

You Can’t Always Trust the Cloud

Cloud computing was once thought to be highly secure. However, in 2022, it was evident that cyber criminals have developed methods to infiltrate cloud technology that was once considered airtight. 

In 2022, a staggering 45% of all data breaches were cloud-based, each one costing around $4.3 million. Even major cloud services, like Dropbox, succumbed to cloud hackers in 2022. 

Overall, concerns grow around how criminals have evolved their strategies to manipulate user trust in Cloud data for nefarious gain. 

The Evolution of the Phish

Over the years, organizations have become adept at spotting and eliminating phishing scams via email. However, in 2022, phishing attacks rose by 61%, and it was evident that they began to take new forms.

Now, phishing attacks have become more complex, realistic, and harder to detect. Whether used to target users on major platforms like Facebook or through the latest cryptocurrency scams, phishing schemes are showing clear signs of becoming more complex.

Proper Investment in Digital Infrastructure and Security Is Key

There’s no doubt about it: investing in digital security and application security is now a key part of operation budgets all around the globe. 

Investment in mobile applications, obfuscation, and data protection continues to rise, mainly because organizations find immense value in taking preventative measures before it’s too late.

Mobile Security Predictions for 2023

1. Heightened Attacks on Mobile Devices via Ransomware

As stated above, in 2022, ransomware attacks increased, and this trajectory is only likely to continue upward heading into 2023, as ransomware attacks are predicted to take $30 billion in the coming year.

Attackers increasingly recognize the opportunity and monetary advantage of ransomware attacks. This is why, in 2023, it’s likely that ransomware will become a more persistent avenue of attack. 

2. Higher Demands for Top-Notch Security Tools & Talent

There’s a clear and growing need for data protection tools and professionals. 2023 will likely bring a significant push for organizations — from the federal government to small businesses — to include more help fortifying data and application security. 

Additionally, with more laws regarding data protection and user security, the data security labor force is likely to grow as companies strive to comply. Likewise, security applications and services that offer excellent, modern digital security methods are predicted to continue receiving investment and growth in the coming year. 

3. Artificial Intelligence Integrates Further Into Security Strategy 

Many organizations already rely on the power of artificial intelligence to prevent cyberattacks. Given that AI has proven an effective measure thus far, in the year to come, it’s expected that more businesses will continue implementing artificial intelligence as a key part of their data strategy. 

Machine learning tech helps identify potential weaknesses in mobile applications and alerts officials to threats in real time. Lastly, many companies will gravitate toward AI-powered cybersecurity as it continues to prove useful and offer financial benefit in identifying and mitigating data breaches.

4. Increased Data Protection Regulations 

Data privacy regulations have increased over the past decade, and experts only see them becoming more rigorous in the future. They started in places like the European Union with the General Data Protection Regulation (GDPR). Then these regulations were popularized in the United States with the California Consumer Privacy Act (CCPA). Overall, these laws guarantee institutions more extensive data protection and control for mobile users.

In 2022, a bill titled the American Privacy and Data Protection Act drew bipartisan support. However, it was not passed by Congress before the end of the year and will have to be reintroduced for further consideration. There continue to be growing calls for governing bodies to enhance privacy laws, specifically regarding user applications and how businesses harvest and process data.

What Are the Best Tools for Mobile Security in 2023

Hackers are always looking for weaknesses in application security, typically viewing source code as a common point of entry. Because of this, organizations must look for ways to continue to increase app hardening efforts, which use source code obfuscation to defend from cross-site scripting and reverse engineering attacks.

Therefore, an effective app hardening service will be crucial to building a modern defense for digital assets.

Choose the Best Help for Mobile Security in 2023

Heading into 2023, the potential impact of poor app security is severe. Whether organizations need it for Android, iPhone, or any other purpose, partnering with a service that performs app hardening and data obfuscation measures is paramount to avoid the latest risks that leave digital assets open to attackers. 

PreEmptive is a trusted leader in the fight to help organizations protect their valued assets against cybercrime. By providing a systemic and proactive approach to mobile security, PreEmptive’s comprehensive offerings can help any business arm itself with the right tools to help them thrive in the year ahead.


Categories
Support Corner

Support Corner: How to Leverage Custom Rules in Dotfuscator

Reading Time: 2 minutes

PreEmptive has evolved through the years to handle all different types of applications and scenarios. Reasonable defaults are designed to get any project up and running, and from there we have full control over protection settings. Custom rules are one way to create simple, robust, flexible configurations — even with very complex applications.

In previous Support Corner articles, we learned about coding techniques that require a Rename exclusion to run properly after obfuscation. Sometimes, excluding just one class, method, field, or property is sufficient. But for larger, more complex applications this is usually not the case. Custom rules can help organize these exclusions into patterns for a more flexible and robust configuration. Rules can be created to exclude all descendants of a parent class or those that implement a particular interface. Rules can be created for types or members decorated with a custom attribute, or those that have a certain access modifier. Regular expressions can also be used to make custom rules based on the naming convention.

Consider the following example.

In “Protecting .NET applications that use the MVVM pattern,“ we learned that MVVM uses reflection to load properties of model classes: 

Because of this, we had to exclude those properties from Rename obfuscation to avoid a runtime error:

Rather than checking individual checkboxes for each property, I can translate this into a custom rule. Each model class with an OnPropertyChanged method must implement INotifyPropertyChanged. Based on this, I will write a rule to exclude properties (.*) of any type (.*) that implements INotifyPropertyChanged:

By making this modification, we can change or expand use of the MVVM pattern without having to update obfuscation rules. I will also apply the other obfuscation transforms (String Encryption, Control Flow, Linking, and Tamper Defense) to secure that section of code.

The full MVVM example modified to use Custom Rules can be downloaded here.

The original Support Corner article “Protecting .NET applications that use the MVVM pattern” is here.

If you have any feedback on this topic, or other topics you would like us to discuss in the Support Corner, please contact us.


Categories
DevSecOps

Why Developers Need Source Code Obfuscation

Reading Time: 4 minutes

All coders understand the one thing they must avoid at all costs: hackers. Whether you work with JavaScript, Python, HTML, PHP, C, or C++ — protection from hackers and reverse engineers remains a top priority.

After all, the majority of digital attacks come from weaknesses in code. 

Source code is a valuable asset and forms the infrastructure of all digital products and applications. However, when code is left open, it’s like leaving an unlocked safe in a public park. It allows nefarious actors to enter, hack, steal, or alter assets without resistance. Therefore, developers must discover and implement ways to defend their source code. 

One of the best ways to do this is to use code obfuscation techniques. 

For whatever type of code, understanding how to obfuscate it is imperative to protect intellectual property. Obfuscation is the best way for coders to keep their work safe. Because of its importance, everyone responsible for securing digital assets must know what it is and how it can help. 

For those looking to protect their source code, visit PreEmptive’s product page to check out our various obfuscation software tools. We offer a wide range of resources and tools to protect all types of source code — from mobile needs, like Android source code obfuscation, to Python source code obfuscators. 

What Is Source Code Obfuscation

The idea behind obfuscating code is simple. In essence, obfuscation is the act of taking code and complicating it so that it becomes illegible. It’s like putting code in disguise. 

Obfuscation adds in redundant and extra lines of code, making it nearly impossible to read. Specific methods even alter the commands so that the logical flow of the program is thrown off — making it incredibly difficult to decipher and debug. 

Taking the code and changing the lexical structure or control flow renders the code almost impossible for humans to understand. However, with obfuscation, the code remains legible to computer systems, which is how applications still manage to work after implementing the disguise.

Many make the mistake of conflating encryption with obfuscation. Obfuscation differs from encryption because it only hides code from humans, while encryption tools incorporate methods that shroud a code’s readability from computers, requiring an entire decryption process. As a result, encryption adds additional steps, often slowing down programs. However, obfuscation has relatively little effect on performance.

So that answers the question, what is code obfuscation, but what is an obfuscator? 

A code obfuscator is a tool that performs the task automatically, and how it is applied depends on the type of source code. So, depending on whether the goal is to obfuscate HTML source code or obfuscate Python source code, the obfuscator performs the process differently.

A code obfuscation tool determines which way is most effective and applies it to the style of source code. To select the best obfuscation tool, it’s essential to know the different methods of source code obfuscation; this way, security managers can knowingly pick a tool that meets their needs. 

PreEmptive develops and supplies obfuscation tools for all types of source codes. For those looking for iOS source code obfuscation, a C++ source code obfuscator, or something else, visit our website to learn more about our line of offerings. 

Different Types of Code Obfuscation

There’s no single method to obfuscate code. In fact, there are many ways coders can implement obfuscation protections. Which method is best depends on the type of code being used. 

Coders may also incorporate multiple methods to boost overall protections, making it even harder for hackers to understand and reverse-engineer code.

It’s also important to know that these various obfuscation techniques work better depending on the type of source code. For example, the best C source code obfuscator may be different from the best Java source code obfuscator. However, it’s important to remember that certain types of obfuscation may take more significant tolls on code performance.

Rename Obfuscation

Renaming is the bread and butter of the obfuscation process and works for almost all source codes. It takes variables and methods and changes them but doesn’t alter the program execution.

This renaming process makes the code extremely hard to understand, and messages become unreadable. The process adds and subtracts variables from code strings, removing traceable patterns from those looking to hack. 

Renaming is universal and is used to obfuscate C# source code, as well as Java, iOS, and more.

Control Flow Obfuscation

Control flow is an even more powerful method of securing code. Here, it adds and alters the case switches and recreates the entire structure of the code by inserting commands like link jump instructions. 

Control flow techniques entirely scramble the logic of the code’s flow, which is why they are so effective. However, this method is more complicated and may affect performance.

Dummy (or Dead) Code Insertion

Another obfuscation method is to insert entire strings of code and lines that aren’t part of the program. Adding dummy code increases the difficulty of reverse engineering and is an effective way to protect source code of all kinds.

How To Remove Obfuscation

By now, we’ve answered the question, how does code obfuscation work? But what if the obfuscation needs to be removed?

Removing obfuscation is easy, but it also depends on the type of code requiring de-obfuscation. For example, a C# source code obfuscator requires a different removal process than one for JavaScript. 

Many of these de-obfuscation measures are accomplished manually. However, it’s much easier to use tools that do it automatically. 

Defend Code With the Best Source Code Obfuscation Tools

There’s no way around it: code needs the best protection possible. There are many reasons to invest in the best DevSecOps, as hacking becomes a more significant threat to digital assets every year. Anyone with online property must protect it with the best obfuscation tools available. 

PreEmptive is a global leader in developing cutting-edge tools that protect online applications. Our range of products explores the various ways to use obfuscation to defend code while keeping performance at maximum efficiency. 


Categories
Risk Management

12 Days of Holiday Hacking

Reading Time: 7 minutes

In the spirit of the twelve days of Christmas, which will be starting soon on December 25, 2022, we present to you the twelve days of hacking — a holiday month-themed look at the common hacks and attacks that hackers utilize to gain unauthorized access for financial gain, reputation and street cred, corporate and state-sponsored espionage, or just plain fun.

Hacking is an overarching umbrella term that describes finding or exploiting weaknesses in computer systems. It may be done for nefarious purposes by black or gray hat hackers or done in the form of white hat hacking by organizations themselves who are attempting to find and fix their flaws and vulnerabilities before malicious hackers do. Hardware, software, servers, or even the people controlling these systems may all be susceptible to cyberattacks. Let’s take a look at just a few of the many tools, tactics, and methods that hackers use to gain access to our data, files, finances, lives, and sanity — and what individual users, cybersecurity professionals, and developers need to do to stay safe.

1. Malware

Malware describes any malicious software, regardless of how it works, its intent, or the way it’s distributed. Malicious can mean that it disrupts the devices or network, leaks or steals information, or otherwise gains unauthorized access to sensitive information or systems, deprives access, or circumvents security or privacy. Common types of malware include viruses, worms, trojans, ransomware, bots or botnets, adware, spyware, rootkits, file-less malware, and malvertising. There are many forms of malware and new threats are constantly evolving, so the best and most reliable protection is for all of your devices to have up-to-date, comprehensive virus protection software.

2. Phishing

Phishing attacks are when hackers try to lure you into sharing sensitive information such as account login credentials, credit card numbers, financial information, and any other sensitive data. Phishing can also be when attackers get you to infect your machine with malware. A common example of phishing attacks, especially this time of year when online shopping is at an all-time high, is for attackers to send a text message that claims there’s a delivery problem with one of your orders and includes an official-looking link where you can fix the issue. But there is no issue. It’s just an attempt to get you to provide your login information on a fake login page. Defend against phishing attacks by not clicking unexpected links in texts or emails. And if you need to log into an account, log into the website directly.

3. Social Engineering

We often think of hacking as technical, but psychology in the form of social engineering can also be a surprisingly successful tactic to gain sensitive information. In the context of information security, social engineering is psychologically manipulating people into performing actions or providing confidential information. In other words, social engineering is lying. Going with the flow, acting in accordance with social norms, and playing on people’s expectations are keys to this in-plain-sight deception. A simple example of social engineering would be if someone showed up at your door with a vest, clipboard, and pleasant demeanor saying they’re with the power company and need to inspect a line in the backyard, can you let them in? Many people would do it without thinking twice. After all, it looks legit. But looking legit isn’t the same as being legit. And that’s how you can prevent being a victim of social engineering — think twice, ask why, check credentials, call it in and verify.

4. Denial of Service (DoS)

A denial-of-service attack is a cyber-attack in which an attacker uses an overflow of data or network traffic to shut down access to a machine or network. Common DoS attacks include ping floods, UDP attacks, ICMP echo requests, SYN floods, ping of death — the list goes on. These attacks, like all others, are extremely common. For example, in Q3 2022, Kaspersky’s DDoS Intelligence system detected 57,116 DoS attacks. Because DoS attacks target services, preventing them is more of an issue for network administrators than individual users. And the best defense against DoS attacks is a well-documented resiliency plan, automatic network traffic monitoring, and a relationship with a mitigation provider.

5. Application Repackaging

Alright, let’s shift gears to a topic we recently covered in our Android app hacking ebook — application repackaging. This is an attack where attackers use your intellectual property (your application) against you and your customers. The way that they do this is by downloading a legitimate app from a legitimate business and then reverse engineering that application so that they can view the source code and modify it before recompiling and repackaging the application for download. Typically, the modification is a tiny change that’s undetectable to users and does something simple like emailing login credentials to an email account. Users then download the application, which looks legitimate, and use it, never the wiser that the application was compromised and is now leaking data.

Users can get a level of protection against these types of apps by only downloading known applications from trusted sources. Developers can utilize application hardening to obfuscate source code and make applications impervious to reverse engineering attempts so that hackers can’t repackage the app.

6. SQL Injection Attack

Another attack that developers in particular need to be aware of when creating applications that interface with databases is SQL injection attacks. This is a common attack where attackers use malicious SQL to gain access to sensitive company data, user lists, or private customer details. These attacks are carried out when attackers send malicious SQL statements to the database through the interfacing application, which the database interprets and runs as a command. According to the Open Web Application Security Project, injection attacks were the third most serious web application security risk in 2021. SQL injection attacks happen when unchecked commands are accepted and sent to a database, so developers can protect against these attacks by sticking to the fundamentals when coding and always validating user input to ensure it’s what’s expected.
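The mechanism described above, as an added example that is not part of the original article: a login query built by string concatenation beside the same query with bound parameters, plus the allowlist validation the text recommends. The table, users and passwords are constructed for the demonstration; the `is_valid_username` policy is an assumption.

```python
import re
import sqlite3


def make_demo_db():
    # Constructed in-memory table for the demonstration only. A real system
    # stores password hashes, never plaintext passwords.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct-horse"), ("bob", "battery-staple")],
    )
    return conn


def login_vulnerable(conn, username, password):
    # The untrusted strings are spliced into the SQL text, so the database
    # receives them as part of the command. A quote character in the input
    # closes the string literal and whatever follows is parsed as SQL.
    sql = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    # The query text is fixed; the values travel separately as bound
    # parameters, so the database only ever compares them as data.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


# Allowlist validation (assumed policy for this demo: a username is 1 to 32
# word characters). Validation narrows what reaches the query; the bound
# parameters remain the control that keeps input from becoming SQL.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def is_valid_username(username):
    return USERNAME_RE.fullmatch(username) is not None


def login_hardened(conn, username, password):
    # Reject anything outside the allowlist, then use the parameterized query.
    if not is_valid_username(username):
        return None
    return login_parameterized(conn, username, password)
```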

7. Cross-Site Scripting

Cross-site scripting (XSS) is similar in concept to SQL injection but has its own character. These attacks allow attackers to insert client-side scripts into benign and trusted websites viewed by other users. Attackers use a cross-site scripting vulnerability to get around access controls like same-origin policy. An example of cross-site scripting is a search form, where visitors send a search query to the server which then returns tampered results that will send them to compromised web pages.

To prevent XSS attacks, applications must validate input data and ensure that variable output in a page is encoded before being returned to the user. A web application firewall (WAF) can also protect against XSS attacks by filtering bots and other malicious activity that may indicate an attack, blocking attacks before scripts are executed.
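The search-form case above, as an added example that is not part of the original article: the query is reflected into a results page both as element text and as an attribute value, once raw and once HTML-encoded, with an allowlist check for the input. The page template and the `SEARCH_RE` policy are constructed assumptions for this demonstration.

```python
import html
import re

# Constructed results-page template (not from any real application). The
# query appears in two HTML contexts: element text and a quoted attribute.
PAGE = '<h1>Results for: {q}</h1><form><input name="q" value="{q}"></form>'


def render_vulnerable(query):
    # The raw query is pasted into the markup, so any tags or quotes in it
    # are parsed by the browser as part of the page.
    return PAGE.format(q=query)


def render_encoded(query):
    # html.escape with quote=True turns <, >, &, " and ' into entities, which
    # is what both the text context and the quoted-attribute context need.
    return PAGE.format(q=html.escape(query, quote=True))


# Allowlist validation for the search field (assumed policy: letters, digits,
# spaces and a little punctuation, up to 100 characters). Validation narrows
# the input; output encoding is still required for whatever gets through.
SEARCH_RE = re.compile(r"[\w \-'.,]{1,100}")


def is_valid_query(query):
    return SEARCH_RE.fullmatch(query) is not None


def count_tags(fragment):
    # Count HTML tags in a fragment. A correctly encoded page contains only
    # the template's own five tags, whatever the query contained.
    return len(re.findall(r"<[A-Za-z/][^>]*>", fragment))


def search_page(query):
    # The full defensive path: reject invalid input, encode what remains.
    if not is_valid_query(query):
        return render_encoded("invalid search")
    return render_encoded(query)
```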

8. Session Hijacking

In a session hijacking attack, a hacker takes control of a user’s browsing session to get access to personal account information and passwords. These attacks typically happen when people are checking email or financial accounts. You can prevent session hijacking by avoiding insecure public networks or using a VPN, as well as browsing websites through an encrypted connection such as HTTPS.

9. Rootkits

Rootkits are a form of malware that hackers use to get “root” control over a device. You might wonder why anyone would willingly run a program that would give hackers this access. How would anyone be tricked into doing such a thing? Well, phishing and social engineering are just a few tactics. What if you found yourself in a situation where a “tech support person” told you to download a program from a website to fix a problem you’re having? But instead of fixing the problem, it gave that person real-time monitoring access to absolutely every single thing you did on your device. That’s what can happen with a rootkit. Again, the best way to avoid rootkits is to avoid clicking unknown links or downloading software from untrusted sources. And if you do suspect you’re infected, a malware removal tool can scan for, find, and remove rootkits.

10. Credential Reuse

Credential reuse is a big problem for many organizations. Because every service now requires users to create a unique account, many users get in the bad habit of reusing login credentials between accounts for speed and simplicity — but at the expense of security. If one set of credentials becomes compromised in a data breach that may not even be the users’ fault, hackers can take that information and attempt to log in with it across many services. Think of how many people probably use the same email and password combination for their email, eBay, Amazon, PayPal, Venmo, and everything else. Moreover, once hackers get this information, they can shut you out and cause damage well before you can stop it. What’s the best defense? A unique password for every account and strong password hygiene for every password!

11. Fake Wireless Access Points

Fake wireless access points are exactly what they sound like. A hacker finds a public spot with many people looking for and using public networks and puts up one of their own. All it takes is an official-sounding name and no-password-required and chances are that many people will hop on and browse all their private accounts while the hacker sits back and intercepts everything. The obvious way to avoid finding yourself on the wrong side of these attacks is to avoid unfamiliar public networks. And if you absolutely must use one, do not do any private browsing.

12. Ransomware

One of the most horrific attacks a person or organization can fall victim to is ransomware. Ransomware is when access to files, data, networks, or any other component of a computer system is cut off and held for ransom. Typically, hackers lock or encrypt all the data, and paying is the only way to get it back, and even then it’s only a maybe. Ransomware was a big problem in 2022 and it’s expected to get worse, with ransomware damages likely to exceed $30 billion worldwide in 2023. Preventing ransomware is possible but requires organizations to take a comprehensive approach toward security that includes, well, basically everything at the user and system level.


Protect Your Applications From Attackers With PreEmptive

There are a lot of hacks out there and effective cybersecurity measures require multiple levels of protection to adequately protect ourselves, our organizations, and our businesses. 


  • Implement network segmentation by spreading data out and reducing exposure during an attack.
  • Enforce the principle of least privilege (PoLP) and grant users access to only what they need and no more.
  • Backup data (personal and at an organizational level) frequently so that if worse comes to worst, you can simply wipe an infected system and restore it.
  • Educate yourself and your staff on security trends and learn how to spot nefarious activity such as phishing and unsolicited attachments.
  • Keep all software and systems patched and updated.

And if you’re a software developer, you’re perfectly positioned to create secure applications. And PreEmptive makes it easy. We’re a trusted global leader in protection tools for Desktop, Mobile, Cloud, and Internet of Things (IoT) applications. We help organizations make their applications more resistant and resilient to hacking and tampering — protecting intellectual property, sensitive data, and revenue. Get a free trial to learn more.


Categories
DevSecOps

Give Your Business the Gift of DevSecOps

Reading Time: 4 minutes

The holidays are here and many of us are thinking about all the wonderful gifts we’re going to be giving this year. A new fishing pole for dad, some nice jewelry for mom, and a good self-help book for that one stepbrother. Well, maybe. We’ll leave that last one up to you.

There’s one other incredible present you can give and that’s the gift of DevSecOps to your business. How does that sound? Exciting? Maybe not. But that’s actually the beauty of DevSecOps. When done right, it eliminates all the “excitement” of hacks, attacks, data breaches, and everything else that comes along with vulnerable software.

DevSecOps, also known as Development-Security-Operations, is an approach to security integration at all stages of the software development lifecycle, beginning with the initial design and extending through the integration, testing, deployment, and delivery. 

And you might say that it’s a “popular gift” this year. A survey of more than 500 DevSecOps professionals in the United States found that 73% of organizations intend on increasing their total investment in application security in 2023. The total global market for DevSecOps is expected to be $17 billion by 2026.

Below are a few key features your DevSecOps approach needs to include so that your business can enjoy the peace of mind that comes with having a secure software development lifecycle process and knowing that your holiday won’t be spoiled by hackers.


Build Security Into the Software Requirements

Security needs to be an intentional, active part of the software development process from the beginning, not an afterthought once the project is nearly complete. And one strategy to ensure that it is a priority from the beginning is for development teams to document software security requirements alongside the functional requirements. This helps to build security into the program right from the start.

Authentication and password management, authorization and role management, network and data security, encryption and key management — these are just a few of the key areas that need to be securely accounted for when project requirements are hashed out. It’s not enough to simply accomplish the task — it has to be done in such a way that companies’ and customers’ data is protected.


Test Early and Test Often

Imagine that you’re building a house and the plumber just finished installing all the piping. Would you want them to turn on the water and test the pipes before the drywall crew sealed up all the walls? Just in case there was a leak? It’s a whole lot easier to find and fix it now than wonder why the hardwood floors are wet the third day after moving in.

Engineering software is the same way. Code is only as secure as its most insecure component. So in addition to building security into the specs, make sure that your testing process includes security testing, too — often and early.


Make Application Security Part of the Life Cycle

Security isn’t a checkbox on a list, rather it’s the watermarked paper that the list is written upon. It’s the fortified walls from which you sit and check off the items on the list. It’s the verifiable, magnetic ink in the pen you use to check the boxes. It’s the notary stamp on the checklist document when you’re finished. And when creating software, security needs to be a fundamental aspect of the framework itself.

There are a few ways to accomplish this. Keep the development team aware of all current best security practices; account for it in the planning, architecture, production, and development stages; consider using security specialists or providers to bring agility and expertise into QA cycles.


Automate Security in the Development and Testing Processes

The number of vulnerabilities that can and do affect applications is far too vast for any one person or team to simply know and remember while they’re coding. And the very idea of trying is inefficient because we have tools that do it for us. And isn’t that the whole purpose of coding anyway?

DevSecOps tools like PreEmptive make it easy. Our obfuscation solutions for .NET, Java, JavaScript, Android, and iOS ensure that your applications are more resistant and resilient to hacking and tampering to protect intellectual property, sensitive data, and revenue.


Continue Protection After Deployment

Engineering the software to do everything the specs call for is just the start. Then it has to go out into the world and not only function but also not break. And not give up the keys to the kingdom in the form of a data breach. How do you do that? Implement safety protocols that continue after the software is deployed.

Runtime app self-protection is one way to ensure your apps detect and block hackers’ attempts to gain access to source code, find vulnerabilities, create exploits, and all the other malicious activities they’re not supposed to do.


Make DevSecOps Work for You in 2023 With PreEmptive


An ironclad DevSecOps process is totally achievable with PreEmptive. Android, .NET, Java and more — we provide professional app shielding. Helping organizations all over the world protect their apps and customer data from passive and active attacks is what we do. We can do it for you, too.

Request a free trial and let us show you how to make your holidays merry and bright with the industry’s best DevSecOps solution!


Categories
Support Corner

Support Corner: Protecting React Native Apps

Reading Time: 3 minutes

We’ve recently worked with a handful of customers in the process of creating React Native apps. As with other mobile development frameworks, it is relatively easy to reverse engineer and tamper with React Native apps. For this reason, it’s essential to secure your organization’s IP and data before publishing. In the following article, we’ll discuss how to do so using PreEmptive.

React Native apps are primarily written in JavaScript, then packaged as an APK, AAB, or IPA file for deployment. Once the app is installed on a device, the end user can extract the APK and see the bundled JavaScript file within the “assets” directory. The bundle will be minified during the build, but this can easily be unminified and formatted by a text editor such as Notepad++ with JSTool. Doing so would reveal API calls, keys, and sensitive strings:

JavaScript can also interface with native Java modules. Java is compiled and embedded in the APK as one or more classes.dex file(s). A tool such as Bytecode Viewer can decompile the classes.dex to reveal sensitive IP within the Java source:

Leaving code exposed in such a way is quite dangerous. A hacker could clone the app, infiltrate back-end systems, initiate a data breach, and more. Luckily, PreEmptive can protect the code embedded in the APK. JSDefender for JavaScript can protect the JavaScript bundle. DashO Java obfuscator can protect the Java code.

JSDefender’s Metro plugin and DashO’s Gradle plugin integrate protection directly into our build.

metro.config:

build.gradle:

When building the React Native project with

>npx react-native run-android

or

>gradlew clean assembleRelease (or bundleRelease)

PreEmptive can be seen running in the build output:

After this build, the binary is hardened against decompilation, reverse engineering, and tampering:

The full source code sample can be downloaded here.

In order to run the sample:

  • Download the JSDefender (trial or commercial) Core and Metro npm packages. 
  • Configure the JSDefender license key in jsdefender.config.json. 
  • Install and register PreEmptive DashO (trial or commercial) on your machine.
  • Run npm install within the directory. 

If you have feedback on this topic or any other topics you would like us to discuss in the Support Corner, please contact us.

Categories
Risk Management

Holiday Hacking — What Are the Trends?

Reading Time: 3 minutes

The holidays are here and many of us are taking time off work. But do you know who doesn’t go on vacation? Hackers. In fact, security breaches and attempted attacks go up this time of year. Ecommerce sales increase, so there’s more opportunity to steal financial information. And a lot of people take time off work, leaving organizations less able to respond quickly to security alerts as they happen.

Here, we’ll look at the characteristics and trends of hacks and attacks that happen during the holiday season, including what threats are most prevalent, how they happen, and the consequences of overlooking cybersecurity measures. And we’ll also provide a few tips for reducing your risks so that your holidays stay merry and bright.

Teams Are Understaffed

During the holidays, businesses and organizations are especially susceptible to cybersecurity attacks. Security firm Cybereason wrote in a 2021 report that ransomware attacks occur more frequently on weekends and holidays. One of the primary reasons is the human element — many people take time off work leaving fewer team members present to detect and respond to threats.

When people are out of the office, response times go up, or are paused altogether. Responsibilities may be handled by others who are less experienced and unable to respond with the same speed and thoroughness. And when you consider that many large organizations use third-party vendors to monitor technology infrastructure, it’s one added level for a diffusion of responsibility to creep in.

Ransomware Threats Are Increased

Ransomware attacks are happening with accelerating frequency, affecting both individual consumers and major corporations alike. Even states aren’t safe, with Montenegro’s government recently finding itself on the receiving end of an attack. And, for hackers, a long holiday weekend is a great time for a ransomware attack. Why? See the above — teams are running on skeleton crews, and ransomware attacks often need time to spread throughout a network. And there’s no better time than when resources are spread thin.


Phishing Goes Way Up

With Black Friday just around the corner, sales in the United States are expected to hit $158 billion this year. In addition to intercepting or otherwise stealing payment information, attackers have gotten creative in other ways, impersonating shipping companies such as DHL, FedEx, and UPS and sending emails or text messages about a problem with a package. Since many people are sending or receiving packages this time of year, many employees fall victim and may end up providing personal information, such as login and password credentials or bank information, in an attempt to remedy the fake problem.

How You Can Prepare & Respond

Before you slow down for the holidays, take a moment to make sure you’re prepared. All businesses and organizations should have incident response plans and review them before the holidays to ensure protocols and contact information are all current. If there are gaps, they can be addressed. Don’t allow yourself to get in a situation where you find out late in the evening that the server is down and only Bob can fix it, but nobody has Bob’s current cell phone number.

Additionally, even though the holidays are a time when many people relax, security teams should stay vigilant about vulnerabilities by assigning specific personnel to monitor security alerts as they’re announced and apply all necessary patches without delay.

Finally, one of the most important steps organizations can take is to conduct phishing simulation training so employees can identify malicious attachments and links. Hackers have become quite sophisticated in their phishing attempts and it’s not simply about being easily fooled. Advocate or implement, depending on your position, company-wide training about phishing.


Stay Secure With PreEmptive

When you secure your applications with PreEmptive, you’re locking hackers out. They can try — and they do — but they fail. And then they move on to easier targets. It’s why over 300,000 users and 5,000 corporate clients spanning virtually every industry in over 100 countries trust PreEmptive for software security that reduces the risks of hacks and data breaches.

  • The largest mobile carriers in the world utilize our mobile protection solutions
  • We’ve been the industry leader in obfuscation and in-app security for 20+ years
  • PreEmptive is the only third-party technology embedded into Visual Studio, which makes it subject to Microsoft’s regression tests, code audits and security reviews.

Want to see how you can hit the sweet spot between cost, convenience, and functionality with PreEmptive? Schedule a fast-and-free, no-obligation demo to see how PreEmptive integrates seamlessly with your development process to maximize data security while saving time and money.

Categories
Risk Management

A Review on JavaScript Security in 2022

Reading Time: 4 minutes

Among developers, JavaScript is a popular programming language for web application development due to its flexibility, interactivity, and user experience. A Stack Overflow survey shows that over 67% of developers use JavaScript. Also, more than 95% of websites use this language.

But from a security point of view, JavaScript is the fourth most vulnerable programming language, just behind Java, PHP, and C. Much can go wrong with JavaScript, from malicious attacks to insecure user inputs. 

The potential risks include stealing a user’s session, redirecting a session, modifying data, and tricking users into performing unintended actions. JavaScript’s source code vulnerabilities also allow for data exploitation. How can you address these JavaScript vulnerabilities and make your web applications secure in 2022 and next year?

Common JavaScript Vulnerabilities and How They Manipulate Data

Below is a list of common JavaScript vulnerabilities and how they can be used to steal or manipulate your data:

→ Vulnerabilities in Source Code

As JavaScript is an interpreted programming language and not a compiled one, a single obfuscation method won’t protect your application against hackers.

Other vulnerabilities include developers’ widespread use of libraries and software packages in the application code. There can be potential hidden vulnerabilities in the packages, which hackers can use to exploit the code later on.

→ Cross-Site Scripting (XSS) Vulnerability

How JavaScript interacts with the Document Object Model (DOM) on the web page can become a potential security concern, allowing for script embedding and execution on client computers across the internet. 

XSS attacks occur when a web application accepts unintended or untrusted scripts on a web page without proper validation.

The XSS attack involves the hacker interacting with the user through reverse engineering or requesting that they visit a particular page. Next, the browser executes the untrusted script, and the attack completes successfully.

→ Server-Side Injection Vulnerability

On the server side, injection attacks are more common. They exploit query parameters in SQL databases to execute arbitrary JavaScript instructions on an application. 

Applications that pass strings to functions like setTimeout(), eval(), and setInterval() are more vulnerable to injection attacks. An attacker can craft an id string parameter that retrieves all tables from the database or writes to the database.

→ Hijacking Session Data

The client-side JavaScript in a browser can read all content that a web application returns to the browser. This includes cookies containing sensitive data, such as users’ session IDs. A common goal of an XSS attack is to read the session ID and send it to the hacker. In this way, the hacker is able to hijack the session.

How to Improve JavaScript Security During Development

There are certain preventative measures you can take to avoid vulnerabilities and increase your JavaScript application security:

1. Conduct Regular Scans on Your Code

Audit your application code regularly to find potential vulnerabilities. In addition, write unit tests to ensure your code behaves as you want it to and executes securely. 

Also, use scanning tools to regularly scan your application code and identify potential vulnerabilities in third-party libraries and packages, so that you can remove them before they are exploited. Patch and update your libraries regularly.

2. Perform Proper Input Validation

To prevent XSS attacks, perform proper validation and sanitization of user input to ensure it only consists of acceptable characters. For example, you can allow the phone number field to include only numbers and a dash or parentheses. 

Don’t allow unexpected character input. Use properties such as innerText, a safer way to write to the DOM: the assigned value is treated as text rather than markup, which prevents DOM-based XSS attacks.

To prevent malicious SQL injections, you must also perform input validation. If it fails the test, the SQL query won’t be executed. Another way to deter potential injection attacks is to replace concatenations with prepared statements or parameterized queries. 

Parameterized queries keep the SQL syntax separate from the input parameters, so input can never change the structure of the statement. 
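The following is an added example, not code from the original article, of the two measures just described: an allowlist validator that rejects anything outside the expected character set (the article’s phone-number case, plus a numeric record id), and a query built so that user input travels as a bound parameter rather than as SQL text. No database is connected; the `{ text, values }` object shape follows the convention of the node-postgres `query()` method, and all sample inputs are constructed.

```javascript
// Added example: allowlist validation and parameterized query construction.
// No database is used; the functions return the values a caller would hand
// to a driver such as node-postgres, whose query() accepts { text, values }.

// Allowlist for a phone field: digits, dashes and parentheses only, as in the
// article's example. Anything else (including "<", "'" or ";") is rejected.
const PHONE_ALLOWLIST = /^[0-9()\-]+$/;

function isValidPhone(input) {
  return typeof input === 'string' && input.length <= 20 && PHONE_ALLOWLIST.test(input);
}

// A record id must be a plain non-negative integer; a value such as
// "1 OR 1=1" fails here, before any SQL is involved.
function parseRecordId(input) {
  if (typeof input !== 'string' || !/^[0-9]{1,18}$/.test(input)) {
    return null;
  }
  return Number(input);
}

// The concatenation pattern the article warns against, shown only so the
// difference is visible; it is never executed against a database here.
function buildQueryByConcatenation(id) {
  return "SELECT * FROM users WHERE id = '" + id + "'";
}

// Parameterized form: the SQL text is fixed and the id is carried separately
// as a bound value, so it cannot alter the statement's structure.
// Returns null when validation fails, so no query is produced (or executed).
function buildParameterizedQuery(rawId) {
  const id = parseRecordId(rawId);
  if (id === null) {
    return null;
  }
  return { text: 'SELECT * FROM users WHERE id = $1', values: [id] };
}

// Constructed sample inputs, as a handler might receive them from a request.
const samples = ['42', "1' OR '1'='1", '(555)123-4567'];
for (const s of samples) {
  console.log(JSON.stringify(s), '-> query:', buildParameterizedQuery(s), '| phone ok:', isValidPhone(s));
}
```

Validation happens first and on its own terms (type, length, character set); the parameterized query is the second, independent layer, so an input that slips past one check still cannot become SQL syntax.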

An excellent way to enhance server-side security is to use server application protection. It will integrate seamlessly with your JavaScript application build to prevent both active and passive attacks.

3. Escape or Encode Insecure Data

Any XSS attack relies on input data containing characters that are special in the underlying HTML or JavaScript. The browser treats these characters as part of the web page code rather than as a value to display. 

This lets the hacker break out of the text field and supply extra browser-side code for execution. To prevent this type of attack, any time user-supplied input is returned in a response, replace the special characters with an escape code. 

For instance, replace the < and > characters that delimit HTML tags with &lt; and &gt;. This prevents the browser from interpreting them as markup and forces it to display them as text.
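As an added example (not from the original article) covering both the XSS description above and this escaping step, here is an HTML-entity encoder for the HTML text context and a small rendering function that applies it to untrusted input. The greeting page and the sample input are constructed for illustration.

```javascript
// Added example: output encoding for the HTML text context.
// Each special character maps to its entity so the browser renders the input
// as text instead of parsing it as markup. Covering '&' as well means an
// input that already contains '&lt;' is displayed literally, not decoded.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

function escapeHtml(value) {
  // A single regex pass encodes every special character exactly once.
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Constructed page fragment: untrusted input is escaped before it is placed
// in the response body. In a real handler the name would come from the request.
function renderGreeting(untrustedName) {
  return '<p>Hello, ' + escapeHtml(untrustedName) + '!</p>';
}

// The unsafe counterpart the article warns about: input is inserted verbatim,
// so angle brackets in it become real tags when the browser parses the page.
function renderGreetingUnsafe(untrustedName) {
  return '<p>Hello, ' + untrustedName + '!</p>';
}

// Constructed sample input of the kind an XSS probe would submit.
const sample = '<script>alert(1)</script>';
console.log('unsafe:', renderGreetingUnsafe(sample));
console.log('escaped:', renderGreeting(sample));
```

This mapping is correct for HTML text and double-quoted attribute values. Other sinks (a URL, a JavaScript string, a CSS value) have their own syntax and need their own encoder; reusing the HTML one there is a common mistake.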

4. Secure Cookie Transmission

It is a bad security practice to expose session IDs in logs, error messages, or URLs. This leads to issues like session hijacking, session fixation, and cross-site request forgery (CSRF). A CSRF attack tricks the browser into executing malicious requests to other websites in the background using the client’s session cookies.

A technique to prevent this kind of attack is to introduce tokenization for client-server interaction. Upon establishing a session, a token must be generated for each form on the site and sent with each request while the user is present on the website.

Another way to secure cookie transmission is to use HTTP-only cookies. This attribute prevents scripts from accessing the cookie through the DOM, so a client-side script attack cannot read the session ID from it.


Wrapping Up

JavaScript is a popular programming language, but its source code is visible to anyone with a browser. It has other potential pitfalls as well. The recommended best security practice to prevent hackers from exploiting JavaScript vulnerabilities is to keep both the client and server sides secure. 

This approach reduces the risk of malicious content while still validating on the client to improve the end-user experience. Client-side validation informs users of issues with their input, while server-side validation ensures that only trusted data makes its way into the JavaScript application.

A good security practice is to obfuscate your JavaScript code to prevent hackers from reverse engineering, finding vulnerabilities, and debugging. 

PreEmptive JSDefender can help you obfuscate your code, making it difficult for malicious attacks to exploit JavaScript security and modify or steal your code. Register today to get a free trial!