Professional-Grade Application Protection With PreEmptive DashO
Announcing a new release for PreEmptive DashO.
With this release we have overhauled and extended support for Spring Boot and Java web applications. Alongside it, our development team has rolled out a number of enhancements, changes and bug fixes.
What's New?
Version 11.3 includes:
DashO can now accept WAR and JAR files as inputs and write protected WAR and JAR files as output.
DashO now takes mobile, web and desktop applications directly as inputs, without manual unpacking and repackaging steps.
Complete obfuscation support for Spring Boot.
The config editor now validates the Modifiers input fields for Include and Exclude rules.
Properties that hold filesystem path values now offer an option to open a system browse dialog.
Added native support for WAR inputs, removing the need for scripts that extract the archive before protection and repackage it afterwards. Inside the WAR, the application classes are automatically treated as inputs and the bundled libraries as support libraries.
Added native support for Spring Boot JAR and WAR projects. Inside the Spring Boot archive, the application classes are automatically treated as inputs and the bundled libraries as support libraries, with the two locations determined from the Manifest file.
All protection features now work with plain WARs and with Spring Boot JARs and WARs, including obfuscation, checks, watermarking and signing.
The "Entry Points – Libraries" screen has been merged into the "Input" screen, where Libraries, Extensible Libraries and Spring Boot inputs are configured through the new Handler property.
The Web project wizard has been updated to make configuring plain WARs and Spring Boot JARs and WARs straightforward.
Businesses of every kind rely on applications; for most of us they have become the central way we live our lives, from online banking to filing taxes on a phone or attending a virtual doctor's appointment. Nearly every part of daily life is navigated through a mobile or desktop application.
It is not just individual users. Companies depend on applications too, using them to manage core operations, production, fulfilment and marketing. Organizations use applications in countless ways, and by the same token every application adds further risk.
Businesses are shifting online to meet emerging needs, but they also face an expanding risk landscape, including the Internet of Things. Application protection is therefore an essential part of protecting every element of your organization. IP theft, application attacks and data leakage can all have material impacts on the organization, its reputation and its regulatory standing, and the cost of failure is high. In 2018, cybercrime targeting intellectual property was estimated to account for $50 to $60 billion in global losses, and the payment card industry has established fines of up to $500K per incident for security breaches, according to UCSC. Failure to comply is clearly expensive for companies.
With that noted, it is worth examining the less obvious consequences and long-term impacts of not using in-app protection:
Risk of Unauthorized Access
Unauthorized access is a critical risk for most industries that handle private information, and personally identifiable information in particular. If someone who is not permitted to use your application begins using it, the chances of fraud rise. It is hard to predict anyone's behavior or intentions, so it is essential to take every proactive step to prevent unauthorized access.
Vulnerabilities such as broken authentication expose your applications to attackers gaining access and then committing fraud. Session management and credential management flaws can readily let attackers into your application. The worst part is that, without in-app protection or runtime checks, these attacks often go unnoticed, and the cost of a breach only grows with time: a breach identified within 100 days costs approximately $5.99 million, while one that takes longer to identify can cost upwards of $8.7 million.
Attackers can also use access to your application to expose sensitive data, putting end users at risk of losing their personal data or facing the downstream risks of identity theft, data leakage and doxing. All of these are tangible threats and will likely result in financial liability for the organization for negligence and failure to protect its customers. The route in can be as simple as privilege escalation: a user gaining additional privileges that let them control parts of the application that should never be reachable from outside. A recent example is the 2017 Accenture attack.
Risk Of Fines & Financial loss
There is a reason that top software companies such as 1Password, Google and Adobe pay researchers over $100,000 for vulnerabilities found in their products. Bug bounties have become a rapidly growing industry, and entire organizations exist to identify such vulnerabilities. A recent IBM research report found that finance security professionals detect just 56% of incoming attacks, manage 53% of them, and completely prevent only 31%. Organizations do not have a comprehensive ability to mitigate risk: even with SAST, DAST, IAST and penetration testing in place, risks can still slip through the gaps.
The average cost of vulnerabilities across all industries is approximately $13 million. This combines fines for regulatory violations, the cost of remediating the vulnerabilities, the expense of preventing data from being leaked and the potential cost of leaked IP. Add to that the cost of reputational damage: Security Magazine reports that 80% of customers will not continue to use a bank's services if their information is compromised, which is probably justified. Organizations are equally skeptical of services following attacks and will follow their customers' example. Reputation is not the only casualty; organizations also face a loss of goodwill that damages the brand and can stop prospective customers from even considering the organization as legitimate.
Risk of IP Loss
Intellectual property loss is probably the most pernicious risk of not using in-app protection. Applications frequently embody some form of intellectual property, which competitors may be tempted to copy, steal or reuse in their own products.
Reverse engineering is a significant issue for organizations: by studying the capabilities shipped on the client side, users and attackers can discover and expose further functionality on the server side of the application. Leaving code unobfuscated lets them readily interpret the intended functionality of the application and work out how to replicate it. One example is American Superconductor, a U.S.-based provider of clean energy solutions. In 2011 its largest customer, Sinovel, ignored its contract and refused to pay millions of dollars owed. Sinovel then obtained the source code for all of the electronic components and was able to install a pirated version in its wind turbines. The violation of IP rights and the resulting loss of revenue can amount to as much as $200 million a year, with no practical legal recourse and no way to prevent continued use.
Trade secret and IP theft costs as much as 3% of annual U.S. GDP.
But, what can be done to prevent these risks?
Obfuscation. PreEmptive provides a layered approach that travels with the deployed application and helps keep any vulnerabilities that have not yet been identified hidden from view, reducing the likelihood of attackers finding and exploiting them. Obfuscation also protects your IP by concealing the framework and structure of your application from corporate espionage and ensuring your competitors cannot repurpose your sweat equity.
For more information about in-app security, visit our products page and start protecting your apps today!
This is a new minor version of JSDefender.
In the latest update, our development team has constructed an array of new features to support the way our customers use the PreEmptive platform. The core focus of product development is to ensure we provide full support to the emerging challenges of the industry. PreEmptive is excited to release an updated version of JSDefender with a range of new features.
Version 2.5 includes:
glob input pattern matching support for the CLI.
This enables users to provide multiple input files, even from subdirectories in a single input, instead of specifying them one-by-one.
Enhanced handling of React Native Bundles
Global Object Hiding feature enabled for React Native Bundles
Resolution of small bugs and minor feature enhancements
JSDefender Samples repository created, including examples for Angular, React, Vue, React Native, Ionic, Webpack, Rollup, Electron and CLI input glob feature
A vulnerability in a widely used Apache library has sent developers into a furor over the past week, but what impact does it have on your organization?
In a recent media appearance Jen Easterly (Director of the U.S. Cybersecurity and Infrastructure Security Agency) called the vulnerability "one of the most serious that I have seen in my entire career" and said that federal officials fully expect it to be widely exploited by sophisticated malicious actors. The bug is expected to have a broad impact, affecting hundreds of millions of devices across the globe.
For PreEmptive users there is little to be concerned about: our tools have been verified as not being exposed to this vulnerability. However, you might be affected elsewhere in your development organization. Here is what you need to know about Log4j:
The affected program, Apache Log4j, is a free and open-source logging library used by a wide array of companies. Engineers use logging libraries to record how programs run; logs support code auditing and are the routine way to investigate bugs and other functional issues. Because Log4j is free and widely trusted, companies large and small have adopted it for a multitude of tasks, so the risk is both pernicious and widespread.
When exploited, the vulnerability can give an attacker shell access to the server. This is a considerable risk and teams must take its severity seriously. Formally designated CVE-2021-44228, it carries the maximum severity rating of 10/10. It is a zero-day remote code execution vulnerability, meaning that an attacker can make the targeted server download and run code of their choosing, leaving it open to remote control. It is also relatively simple to exploit: attackers do not need complex tools to cause significant damage.
Are you impacted?
Apache Log4j is a ubiquitous tool; most of the largest platforms on the internet are exposed to this vulnerability in some way, and several public lists show just how widespread the impact might be. At this point it is difficult to gain a comprehensive picture of the direct impact, but it includes popular services such as Apple, Twitter, Amazon, LinkedIn, Cloudflare and more.
These organizations are rapidly releasing patches to protect their users, but security teams and attackers learned of the vulnerability at the same time, so exploitation attempts are already under way and rising quickly. Since December 11th there have already been over 800,000 attacks leveraging this exploit, and it is only likely to get worse. Because the vulnerable systems are critical assets such as servers, the threat level is likely to remain severe in the short term, and organizations should take every step possible to mitigate the risk.
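A practical first step toward answering "Are you impacted?" is an inventory of the log4j-core copies bundled inside your deployable archives. The Python script below is an added example written for this page, not PreEmptive's code or the Log4j project's: it builds a constructed, in-memory Spring Boot executable jar, uses the Spring-Boot-Classes and Spring-Boot-Lib manifest attributes to separate application classes from bundled libraries (the same split the DashO 11.3 notes above describe for Spring Boot inputs and support libraries), and then recursively scans the nested jars for JndiLookup.class, the class that implements the JNDI lookup abused by CVE-2021-44228, reporting each hit with the Implementation-Version from its manifest. The function names and the 2.14.1 and 2.17.1 sample versions are the example's own choices; a version is treated as affected when it is a 2.x release below 2.15.0, the range Apache's advisory gives for this CVE (2.0-beta9 through 2.14.1).

```python
import io
import re
import zipfile

# Entry whose presence marks a log4j-core jar that still ships the JNDI lookup plugin.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
MANIFEST = "META-INF/MANIFEST.MF"
STUB_CLASS = b"\xca\xfe\xba\xbe"  # class-file magic only; placeholder bodies for the constructed sample


def make_jar(entries):
    """Build a jar (zip) in memory from {entry name: bytes or str}; entry order is preserved."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()


def build_sample_boot_jar(log4j_version, with_jndi_lookup):
    """Constructed Spring Boot executable jar for the demo (sample data, not a real build).

    Spring Boot places application classes under BOOT-INF/classes/ and dependency jars
    under BOOT-INF/lib/, and names both locations in the manifest.
    """
    log4j_core = {MANIFEST: f"Manifest-Version: 1.0\r\nImplementation-Version: {log4j_version}\r\n\r\n",
                  "org/apache/logging/log4j/core/Logger.class": STUB_CLASS}
    if with_jndi_lookup:
        log4j_core[JNDI_LOOKUP] = STUB_CLASS
    return make_jar({
        MANIFEST: ("Manifest-Version: 1.0\r\n"
                   "Main-Class: org.springframework.boot.loader.JarLauncher\r\n"
                   "Start-Class: com.example.demo.DemoApplication\r\n"
                   "Spring-Boot-Classes: BOOT-INF/classes/\r\n"
                   "Spring-Boot-Lib: BOOT-INF/lib/\r\n\r\n"),
        "BOOT-INF/classes/com/example/demo/DemoApplication.class": STUB_CLASS,
        f"BOOT-INF/lib/log4j-core-{log4j_version}.jar": make_jar(log4j_core),
        "BOOT-INF/lib/spring-core-5.3.13.jar": make_jar({MANIFEST: "Manifest-Version: 1.0\r\n\r\n"}),
    })


def parse_manifest(data):
    """Parse the main section of a JAR manifest: 'Name: Value' lines; continuation lines start with a space."""
    attrs, last = {}, None
    for line in data.decode("utf-8").splitlines():
        if not line:
            break  # a blank line ends the main section; per-entry sections follow
        if line.startswith(" ") and last is not None:
            attrs[last] += line[1:]
        elif ":" in line:
            key, _, value = line.partition(":")
            last = key.strip()
            attrs[last] = value.strip()
    return attrs


def partition_boot_jar(jar_bytes):
    """Split a Spring Boot jar into (application class entries, bundled library jars) using the manifest."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as z:
        manifest = parse_manifest(z.read(MANIFEST))
        classes_dir = manifest.get("Spring-Boot-Classes", "BOOT-INF/classes/")
        lib_dir = manifest.get("Spring-Boot-Lib", "BOOT-INF/lib/")
        names = z.namelist()
    inputs = [n for n in names if n.startswith(classes_dir) and n.endswith(".class")]
    support_libs = [n for n in names if n.startswith(lib_dir) and n.endswith(".jar")]
    return inputs, support_libs


def find_jndi_lookup(jar_bytes, location=""):
    """Recursively scan an archive and every nested archive; return [(location, version)] per JndiLookup hit."""
    hits = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(jar_bytes))
    except zipfile.BadZipFile:
        return hits  # not a zip (corrupt or placeholder entry): skip it rather than abort the whole scan
    with archive as z:
        names = z.namelist()
        if JNDI_LOOKUP in names:
            version = "unknown"
            if MANIFEST in names:
                version = parse_manifest(z.read(MANIFEST)).get("Implementation-Version", "unknown")
            hits.append((location or "<root>", version))
        for n in names:
            if n.endswith((".jar", ".war", ".zip")):
                hits.extend(find_jndi_lookup(z.read(n), f"{location}!/{n}" if location else n))
    return hits


def affected_by_cve_2021_44228(version):
    """True for log4j-core 2.x below 2.15.0, the range Apache lists for CVE-2021-44228 (2.0-beta9 to 2.14.1).

    Deliberately conservative: the later backport fixes (e.g. 2.12.2, 2.3.1) and unparseable
    versions are flagged as well, so confirm flagged versions against the advisory.
    """
    m = re.match(r"(\d+)\.(\d+)", version)
    if not m:
        return True
    return int(m.group(1)) == 2 and int(m.group(2)) < 15


if __name__ == "__main__":
    sample = build_sample_boot_jar("2.14.1", True)
    inputs, libs = partition_boot_jar(sample)
    print("inputs:", inputs)
    print("support libraries:", libs)
    for location, version in find_jndi_lookup(sample):
        flag = "AFFECTED" if affected_by_cve_2021_44228(version) else "check advisory"
        print(f"JndiLookup.class found in {location} (log4j-core {version}): {flag}")
```

Because the scan keys on the entry name, a jar whose JndiLookup.class has been deleted (the mitigation Apache published for builds that cannot be upgraded) reports clean, which is exactly what you want to confirm after applying it. A shaded copy of log4j-core relocated to another package would be missed, so run this alongside a dependency inventory rather than instead of one. Running the file directly prints the class/library partition and the findings for the constructed sample.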
Ready to add another layer of security to your applications try PreEmptive: Free Trial
Change Log – Version 2.5.0 – Release Date Dec 14, 2021
jsdefender-cli: add glob input pattern matching to the CLI to be able to provide multiple input files located even in subdirectories; it can be enabled with the --glob CLI flag or with the glob config file field; an ignore pattern can be provided via the ignore input field
jsdefender-cli: add the --outdir CLI flag to configure the output folder; it complements the existing outDir config file field
jsdefender-metro-plugin: better handling of React Native bundles
jsdefender-metro-plugin: add support for Global Object Hiding in React Native
jsdefender-core: fix proxy configuration issues on Windows machines
jsdefender-cli: fix the issue where the protection fails if the inputs are paths with subfolders; now the output will keep the original folder structure and will be put into the specified outDir
jsdefender-cli: display the correct error messages if the CLI parameters or the configuration are incorrect
jsdefender-cli: add the missing es2016, es2017, es2018, es2019, and es2020 as the possible values to the existing es5 and es2015 values to the --estarget CLI flag
We are pleased to announce the general availability of Dotfuscator 6.4, DashO 11.2 and JSDefender 2.4 for our customers.
PreEmptive has been hard at work on the latest releases of Dotfuscator, DashO, and JSDefender. The improvements are part of PreEmptive’s strategy to continuously support all products with regular updates and new features. Headlining some of the product updates are improvements to integration and usability, and bug fixes to help ensure we keep our customers happy!
Below are the highlights of each release with links to further information such as how to access the latest version, documentation, and changelogs. Free evaluations are always available for each product.
Dotfuscator Professional protects .NET applications from reverse-engineering and hacking, using a variety of static and dynamic code transforms and injected runtime checks. Examples include symbol renaming, control flow obfuscation, string encryption, debugger detection, and tamper detection. It integrates into the development build process and operates on the .NET Intermediate Language. Dotfuscator Professional supports .NET, including .NET Core, .NET 5, Xamarin, and Mono.
The Dotfuscator Professional 6.4.0 release improves the support for default interface implementations in .NET Core 3+. Dotfuscator can now protect applications that use .NET’s default interface implementation feature, without extra configuration steps which were required before.
Additionally, the tool now provides more granular control of managed resource renaming. Users can now disable automatic resource renaming, in cases where the application loads those resources manually from strings that cannot be statically analyzed.
This version also allows communication with the PreEmptive licensing servers through authenticated proxies, a requirement at many enterprise customers.
The Xamarin.Android Root Check is also updated to handle new versions of Android rooting tools.
DashO protects Java and Android applications from reverse-engineering and hacking, using a variety of static and dynamic code transforms and injected runtime checks. Examples include symbol renaming, control flow obfuscation, string encryption, debugger detection, and tamper detection. It integrates into the development build process and operates directly on compiled Java bytecode.
The DashO 11.2.0 release enables Include and Exclude rules to be configured via Java Annotations and Supertypes. Rules can now match classes based on the existence of methods or fields that match the criteria. The New Project Wizard now includes settings for generating Entry Point rules based on Java annotation based criteria, including a special set of entry points for Hibernate/Java Persistence API.
Additionally, DashO now processes compiled bytecode from Java 16 (except for the record type and the Sealed Classes preview feature).
Also, Global Processing Excludes now allows classes to be excluded from all DashO processing, so they are never modified.
The JSDefender 2.4.0 release brought several changes to the protection runtime which make our customers' protected code much harder to reverse-engineer.
Also, it extends the Control Flow transform with an option called “injectFakeCode” that injects fake test conditions to the control flow statements to mislead and confuse the attacker.
Additionally, the release fixes some bugs in the error script parsing of the runtime checks and in the Control Flow transform.