Anti-debug and Anti-tamper: More Than Just a Powerful New Feature

Today, we released Dotfuscator v4.25, which includes, for the first time, anti-debug defense and alert capabilities. Dotfuscator Professional users can now configure Dotfuscator to inject logic to defend against the unauthorized use of a debugger in production. We’ve already previewed this capability in our Java/Android product, DashO, and this latest anti-debug feature sits alongside our other “detective controls,” including anti-tamper and shelf-life.

On one hand, a new release of Dotfuscator Professional is not big news. We’re constantly improving our products, and this is our fourth Dotfuscator Professional release in the past 12 months. But I think we’ll look back at the inclusion of the anti-debug control as a kind of watershed moment, not in a narrow sense of Dotfuscator’s evolution but in the evolution of application risk management more broadly.

Why? Here’s (some of) what’s “special,” not “just new.”

A single control mitigates traditionally distinct categories of risk.

Historically, the controls to manage intellectual property theft and software piracy were wholly separate from data integrity and data protection controls. This is not true with an effective anti-debug control. Whether a hacker is trying to pirate your app, steal your data, or alter the behavior of a critical piece of infrastructure software as part of a larger crime, a production debugger is always a hacker’s weapon of choice.

As implemented inside Dotfuscator and DashO, the anti-debug control effectively mitigates both risk categories.

Consider how the following exploits that stem directly from debugger hacks cross data, operational, and IP risk boundaries:

| Debugger Hack | Resulting vulnerability and risk |
| --- | --- |
| Bypassing encryption and other techniques used during data transmission and/or storage exposes otherwise secured data. | View encryption functions, the values of dynamic keys, and when and how sensitive information is saved to your file systems and databases |
| Insert and modify data within your application | Security and operational breaches expose data and systems beyond any one application. |
| Trace logic and the flow of your application | Expose intellectual property for reuse and exploitation |
| View encryption functions, the values of dynamic keys and when and how sensitive information is saved to your file systems and databases | Unauthorized data access can lead to data loss, revenue loss, privacy breaches, regulatory non-compliance, and trade secret theft. |

Event detection and alerts span 3rd party application analytics and monitoring platforms.

Mitigating multiple risk categories requires that event detection and reporting be surfaced inside the dashboard(s) of choice for each stakeholder. Application stakeholders span development, operations, business, and audit functions, and each has its own analytics and monitoring requirements and preferences. 

The examples highlighted in this latest Dotfuscator release include multi-tenant cloud services, and, if/when required, on-premises options are also supported. Specifically, the following screenshots show the same telemetry being published inside Microsoft’s HockeyApp and Application Insights, Google Analytics, and even Twitter. We’ve validated event capture inside Microsoft’s TFS and our PreEmptive Analytics for on-premises requirements.

Cloud-based application analytics supporting Dotfuscator’s anti-debug telemetry

On-premises application analytics supporting Dotfuscator’s anti-debug telemetry

PreEmptive Analytics Workbench

Application risk management controls are automated through deep integration with DevOps processes and toolchain

To be effective, application risk management controls must not

  • Slow development velocity
  • Compromise application quality
  • Increase operational complexity
  • Negatively impact user experience
  • Create more risk than they mitigate

These exacting requirements can only be reliably and consistently met when control implementation, testing, and monitoring are integrated throughout the application lifecycle from design to deployment and production. For modern development organizations, this translates into integration throughout a “DevOps toolchain.” 

Here are concrete examples of what this means for PreEmptive Solutions’ implementation:

  • Cross-platform support: Anti-debug is effective across desktop .NET, ASP.NET (including Azure web services), UWP, Android, and Java.
  • Fully automatable within TFS and VSTS environments.

Injection post-compile ensures that real-time incident responses are

  • Consistent and compliant with corporate governance obligations.
  • Fully auditable, as configuration files that drive injection are stored as build artifacts after the fact.
  • Dynamically configurable at build time (and able to integrate with Windows PowerShell Desired State Configuration for further automation) to ensure that the resulting telemetry can be directed to the appropriate:
    • Dev, test, and prod analytics endpoints as an application moves through its lifecycle.
    • Regional endpoints to satisfy regulatory and jurisdictional obligations.
  • Fully compatible with other application security controls such as obfuscation, watermarking, digital signing, etc.

To learn more (and download a more detailed white paper) and/or evaluate the software described here, visit: Top 5 reasons why Dotfuscator’s new anti-debugging and anti-tamper technology is changing how developers manage risk.
