Application Hardening: Do you need it and if so, which approach is right?
Application hardening is an important part of any secure software development lifecycle process. Application hardening:
- Inhibits hackers’ efforts to reverse engineer an app back to source code
- Thwarts hackers’ efforts to inspect internal values, monitor, or tamper with an app
- Helps validate the app is running in a safe environment
To first discover if you should look at app hardening, here are some questions you must ask yourself:
- Does the app have intellectual property worth protecting?
- Does the app access sensitive data?
- Does the app contain sensitive “secrets” such as API or decryption keys?
- Does the app provide an access-controlled gateway to privileged functionality or services?
- Is the app running in an environment outside your direct control?
If none of these apply to your application then hardening may be unnecessary.
Other questions to consider:
- What is the risk if the software/data assets are compromised?
- What is the reputational risk if the app is maliciously cloned?
- Does your threat model highlight any other exposures through the application?
Assuming your app fits into the “worth protecting” category, read on:
Hacking an application (.NET, Java, Android, iOS, Xamarin, Unity, etc.) is easier than you think. In many cases, armed with free decompilers and debuggers, hackers can steal intellectual property, look for vulnerabilities, bypass security or licensing checks, or create counterfeit versions that steal sensitive data.
Fortunately, there are solutions that can make applications more resistant to reverse engineering, tampering, and inspection. These solutions go by many names: app hardening, obfuscation, shielding, RASP, etc. and they generally offer two types of app hardening / protection:
Passive hardening is a collection of techniques that make the application more resistant to attacks based on static analysis—particularly decompilation. It is designed to make reverse engineering back to source code materially more difficult for people and machines, but does not alter the behavior of the application.
Of course hackers don’t just use static analysis—they also run your app and use dynamic analysis tools (like debuggers) to investigate and control how it behaves at runtime. Active hardening is a collection of techniques that hinder these tools by detecting their use, and changing the application’s behavior in response. For example, they can prevent the application from running when a debugger is attached, or a jailbroken or rooted device is detected. They can also validate that the application has not been modified since it was built and packaged.
If you decide to harden your app, there are two primary levels:
- Apply basic hardening
- Apply comprehensive hardening / shielding
Low Value Apps:
For small-scale developers with free- or ad-supported apps, or corporate apps that don’t contain intellectual property and don’t touch sensitive data, basic application hardening will often suffice. Below are some free options for basic app hardening:
If you are building noncommercial apps with .NET, a tool called Dotfuscator Community Edition is included in Visual Studio, and can get your team started today. https://docs.microsoft.com/en-us/visualstudio/ide/dotfuscator
If you are building with Java, a free tool called Proguard is available, and can get your team started. https://sourceforge.net/projects/proguard/
If you are building for iOS, a free tool called PPiOS-Rename is available, and can get your team started. https://github.com/preemptive/PPiOS-Rename
High Value Apps:
These are Apps that contain intellectual property, touch sensitive data, are monetized, or gate access to valuable functionality and likely run in a low trust environment. For these apps, more sophisticated app hardening solutions (like PreEmptive’s Dotfuscator and DashO) provide increased protection with minimal performance impact and development work.
|App Hardening Technique||App Hardening Type||Low Value Apps||High Value Apps|
|Unused Code and Metadata Removal||Passive|
|Comprehensive App Hardening|
|Control Flow Obfuscation||Passive|
|Opaque Predicate Insertion||Passive|
|Runtime Tamper Detection and Response||Active|
|Debugger Detection and Response||Active|
|Root and Jailbroken Detection and Response||Active|
Development groups are often pressured to release cutting-edge apps with a rapid pace and in many cases, they have little time to address long-term security considerations. But the rise of the application as an attack vector means your brand name, customer loyalty and revenues may be at risk. Secure software development along with App hardening and other layered security measures are critical components of building more secure applications and overall IT compliance. A thorough approach considers applicable standards and regulations and implements app development best practices to enhance security for apps that process or give access to sensitive data or functionality. Of course, application hardening is meant to complement, not replace other security controls.