Does the app have intellectual property worth protecting?
Does the app access sensitive data?
Does the app contain sensitive “secrets” such as API or decryption keys?
Does the app provide an access-controlled gateway to privileged functionality or services?
Is the app running in an environment outside your direct control?
If none of these apply to your application then hardening may be unnecessary.
Other questions to consider:
What is the risk if the software/data assets are compromised?
What is the reputational risk if the app is maliciously cloned?
Does your threat model highlight any other exposures through the application?
Assuming your app fits into the “worth protecting” category, read on:
Hacking an application (.NET, Java, Android, iOS, MAUI, Unity, etc.) is easier than you think. In many cases, armed with free decompilers and debuggers, hackers can steal intellectual property, look for vulnerabilities, bypass security or licensing checks, or create counterfeit versions that steal sensitive data.
Fortunately, there are solutions that can make applications more resistant to reverse engineering, tampering, and inspection. These solutions go by many names: app hardening, obfuscation, shielding, RASP, etc. and they generally offer two types of app hardening / protection:
For small-scale developers with free- or ad-supported apps, or corporate apps that don’t contain intellectual property and don’t touch sensitive data, basic application hardening will often suffice. Below are some free options for basic app hardening:
If you are building noncommercial apps with .NET, a tool called Dotfuscator Community Edition is included in Visual Studio, and can get your team started today. About Dotfuscator Community & Visual Studio
If you are building with Java, a free tool called Proguard is available, and can get your team started. ProGuard Java Optimizer and Obfuscator
If you are building for iOS, a free tool called PPiOS-Rename is available, and can get your team started. PPiOS-Rename
These are Apps that contain intellectual property, touch sensitive data, are monetized, or gate access to valuable functionality and likely run in a low trust environment. For these apps, more sophisticated app hardening solutions (like PreEmptive’s Dotfuscator and DashO) provide increased protection with minimal performance impact and development work.
App Hardening Technique | App Hardening Type | Low Value Apps | High Value Apps | |
---|---|---|---|---|
Basic Hardening | ||||
Symbol Renaming | Passive | |||
Unused Code and Metadata Removal | Passive | |||
Comprehensive App Hardening | ||||
Control Flow Obfuscation | Passive | |||
String Encryption | Passive | |||
Binary Linking/Merging | Passive | |||
Opaque Predicate Insertion | Passive | |||
Runtime Tamper Detection and Response | Active | |||
Debugger Detection and Response | Active | |||
Root and Jailbroken Detection and Response | Active |
Development groups are often pressured to release cutting-edge apps with a rapid pace and in many cases, they have little time to address long-term security considerations. But the rise of the application as an attack vector means your brand name, customer loyalty and revenues may be at risk. Secure software development along with App hardening and other layered security measures are critical components of building more secure applications and overall IT compliance. A thorough approach considers applicable standards and regulations and implements app development best practices to enhance security for apps that process or give access to sensitive data or functionality. Of course, application hardening is meant to complement, not replace other security controls.