Microsoft Has Embraced GitHub. Can GitHub Embrace Obfuscation?

June 8, 2018 854 Views Sebastian Holst

In its recent GitHub $7.5B acquisition announcement, Microsoft promised to “bring its developer tools and services to new audiences.” “New audiences” in this context mean, quite literally, GitHub’s 28 million developer users. As the “largest open source community in the world,” GitHub audiences will most surely also mean new requirements, new priorities, and new expectations – but these will also come with old biases. And there is no better example of open source bias than code obfuscation.

For the typical open source developer, obfuscation is “like a pearl onion on a banana split” – it simply does not belong (with thanks and apologies to Philip Marlowe in Raymond Chandler’s The Long Goodbye).

The argument is simple enough – there is no reason to prevent the reverse engineering of open source applications because the source code is already public. It’s like picking an unlocked door.

In addition to the sheer lunacy of the act, the benefits of open source development (access to existing code and limitless engineering resources) far outweigh any advantage that might come from jealously hiding your own handiwork from the rest of the world.

The argument is compelling – if you only concern yourself with intellectual property (IP) issues and ignore user privacy and safety.

Privacy and security obligations trump IP policy and must drive DevOps practices

There is no praise or reward for unsafe software – no matter how efficiently or innovatively developed.

Runtime application self-protection (RASP), as defined by Gartner, is a security technology that is built or linked into an application or application runtime environment, and is capable of controlling application execution and detecting and preventing real-time attacks.

Examples of RASP attack “prevention and detection” include Android root detection, application tamper detection, and unauthorized debugger/emulator detection. These scenarios share the following important qualities:

Advanced techniques are required to evaluate and ultimately detect these runtime incidents,
Bad actors are actively upgrading their attack patterns to evade detection,
Evaluation and detection “techniques” must continuously evolve to stay ahead of evolving exploit patterns.

Increasing the time required for bad actors to dissect – and ultimately evade – RASP prevention and detection algorithms reduces the cost and complexity of effective RASP controls.

Reducing the requirement for all developers to keep up with these development patterns further reduces the cost of security and streamlines a development organization’s ability to respond quickly.

Including multiple RASP checks throughout an application with multiple detection and response layers can dramatically improve overall RASP effectiveness and extend the lifespan of RASP controls.

Privacy and safety controls typically also require audit records to demonstrate compliance. Unless carefully designed, privacy and safety compliance steps can also increase cost and reduce overall efficiency.

PreEmptive Solutions pioneered RASP before it had a name – in 2006, Dotfuscator first included Tamper detection and defense. Anti-debug, (Android) root detection, emulator detection, etc. have all followed.

What we have validated over the past 12+ years is that post-compile injection of RASP controls helps to meet each of these requirements.

Ensure advanced detection and evaluation algorithms
Minimizing development training and expertise to implement
Ensure controls can be distributed throughout systems without impeding core development schedules
Generating audit logs and other compliance evidence to meet regulatory and statutory obligations

…and what’s this got to do with obfuscation?

As mentioned above – slowing discovery (and impeding evasion) of RASP controls improves privacy and safety – while simultaneously lowering the cost and complexity of implementing those controls. The PCI Council recommends obfuscation to better secure rooted device detection, Google recommends obfuscation to impede hacks on SafetyNet, and the list goes on-and-on. Obscuring RASP controls via obfuscation is a recommended (and increasingly required) practice.

Post-compile injection lets you develop in open source – while injecting (and optionally obfuscating) your RASP controls post compile.

Is there a role for obfuscation to play in the open source community?

YES IF,

If RASP controls are required AND
Your RASP technology can be wholly injected post-compile (no logic or APIs are included in the app source code itself)

It’s the inverse of the IP scenario above. Putting your RASP control source inside your project for hackers to see would be “sheer lunacy” as the benefits of injection (improved safety and privacy for users and lower cost and complexity of security derived from injection) far outweigh any advantage that might come from dogmatically publishing source that actually has nothing to do with the application you’re building.

Like most everyone – we at PreEmptive are energized by Microsoft’s acquisition of GitHub – and we look forward to helping new audiences effectively and efficiently protect their apps and the data they process.

Free Trial

Request Quote

Request Demo

Are You Following These Top 10 App Protection Practices?

Despite the rising costs and impact of application compromise — recent data found that 58 digital records are stolen every second and breaches cost companies an average of $3.6 million — many best practices and procedures for securely designing, developing, testing and protecting applications are largely ad-hoc. As noted by Tech Republic, in fact, exactly ZERO percent of organizations say their security needs are fully met by their current infosec strategy, down from just 11 percent last year.

Some respondents pointed to a lack of skilled resources while others cited budget constraints, but regardless of origin the outcome is clear: Hastily-designed app protection procedures that don’t meet current needs and can’t keep up with evolving demands.

Need a helping hand with your application protection process? We’ve compiled some of the best practices of leading-edge companies into a top-10 list. Let’s get started.

DashO v9.0 is out, and it has a new major version number for a very good reason: we've made some major improvements!

Java 9 and 10 support, including module support

In DashO v8.4, we introduced "provisional" Java 9 support, and we published an article describing our Java 9 roadmap. Java 9 support was provisional because there were cases where DashO would process a Java 9 app in a way that DashO thought was correct but would actually result in a broken app. As part of our commitment to the "principle of least surprise", we didn't want users to discover those issues by accident, so we made Java 9 support require an opt-in.

As of DashO 9, Java 9 (and 10) support is no longer provisional; it is a fully-supported feature, without an opt-in - and without surprises. There are a few edge cases, still, but those will generate build warnings or errors, as appropriate.

Now is the time to seriously look at how you are protecting and securing your applications

The U.S. National Institute of Standards and Technology (NIST) has published two data-security focused documents in as many months.

In June 2018, NIST published guidance on assessing requirements for securing unclassified information (NIST Special Publication 800-171A Assessing Security Requirements for Controlled Unclassified Information).

In July 2018, SPECIAL PUBLICATION 1800-1 Securing Electronic Health Records on Mobile Devices was published offering a practical guide to meeting the specialized security and privacy obligations that come with the management of health records on mobile devices.

JSON is a widely used format for sharing objects and data within an application. To protect .NET applications that serialize and deserialize JSON objects, you should be aware of some special considerations.

Consider a basic Employee class:

All apps are vulnerable. That’s the takeaway from a recent Trustwave report, which found that 100 percent of web applications could be compromised in a cyberattack. Combined with the uptick in mobile malware, account takeover fraud and blockchain-based attacks, companies spend most of their time fending off new attacks while trying to keep current apps up and running.

The result? It’s easy to assume that when applications aren’t directly under attack, they’re effectively safe. The truth? More code handling more data increases the risk of “leaky apps” — applications which unwittingly expose sensitive data to prying eyes.

Here’s how you plug the holes.

Microsoft Has Embraced GitHub. Can GitHub Embrace Obfuscation?

Are You Following These Top 10 App Protection Practices?

Announcing DashO v9.0

Java 9 and 10 support, including module support

Latest NIST Publications Reinforce the Importance of Application Hardening in Securing Data

Now is the time to seriously look at how you are protecting and securing your applications

Protecting .NET applications that use JSON objects

"Leaky Apps” Are Draining Your Data — Here’s How You Plug the Hole

Latest Blog Posts

Are You Following These Top 10 App Protection Practices?

Announcing DashO v9.0

Latest NIST Publications Reinforce the Importance of Application Hardening in Securing Data

Protecting .NET applications that use JSON objects

"Leaky Apps” Are Draining Your Data — Here’s How You Plug the Hole

Latest News

Dotfuscator Adds Rooted Device Controls to Meet Exceptional Xamarin.Android Demand

Microsoft Build 2018

PreEmptive Solutions Launches GDPR Compliance Relief Program

Protecting Your Xamarin Apps with Dotfuscator

Third Major Dotfuscator Community Edition Release in 12 Months Expands Real-time Defense and Streamlines Xamarin Integration

Twitter

App Protection Blogs

Microsoft Has Embraced GitHub. Can GitHub Embrace Obfuscation?

Java 9 and 10 support, including module support

Now is the time to seriously look at how you are protecting and securing your applications

Latest Blog Posts

Latest News

Twitter