Microsoft Has Embraced GitHub. Can GitHub Embrace Obfuscation?

June 8, 2018 2406 Views Sebastian Holst

In its recent GitHub $7.5B acquisition announcement, Microsoft promised to “bring its developer tools and services to new audiences.” “New audiences” in this context mean, quite literally, GitHub’s 28 million developer users. As the “largest open source community in the world,” GitHub audiences will most surely also mean new requirements, new priorities, and new expectations – but these will also come with old biases. And there is no better example of open source bias than code obfuscation.

For the typical open source developer, obfuscation is “like a pearl onion on a banana split” – it simply does not belong (with thanks and apologies to Philip Marlowe in Raymond Chandler’s The Long Goodbye).

The argument is simple enough – there is no reason to prevent the reverse engineering of open source applications because the source code is already public. It’s like picking an unlocked door.

In addition to the sheer lunacy of the act, the benefits of open source development (access to existing code and limitless engineering resources) far outweigh any advantage that might come from jealously hiding your own handiwork from the rest of the world.

The argument is compelling – if you only concern yourself with intellectual property (IP) issues and ignore user privacy and safety.

Privacy and security obligations trump IP policy and must drive DevOps practices

There is no praise or reward for unsafe software – no matter how efficiently or innovatively developed.

Runtime application self-protection (RASP), as defined by Gartner, is a security technology that is built or linked into an application or application runtime environment, and is capable of controlling application execution and detecting and preventing real-time attacks.

Examples of RASP attack “prevention and detection” include Android root detection, application tamper detection, and unauthorized debugger/emulator detection. These scenarios share the following important qualities:

Advanced techniques are required to evaluate and ultimately detect these runtime incidents,
Bad actors are actively upgrading their attack patterns to evade detection,
Evaluation and detection “techniques” must continuously evolve to stay ahead of evolving exploit patterns.

Increasing the time required for bad actors to dissect – and ultimately evade – RASP prevention and detection algorithms reduces the cost and complexity of effective RASP controls.

Reducing the requirement for all developers to keep up with these development patterns further reduces the cost of security and streamlines a development organization’s ability to respond quickly.

Including multiple RASP checks throughout an application with multiple detection and response layers can dramatically improve overall RASP effectiveness and extend the lifespan of RASP controls.

Privacy and safety controls typically also require audit records to demonstrate compliance. Unless carefully designed, privacy and safety compliance steps can also increase cost and reduce overall efficiency.

PreEmptive Solutions pioneered RASP before it had a name – in 2006, Dotfuscator first included Tamper detection and defense. Anti-debug, (Android) root detection, emulator detection, etc. have all followed.

What we have validated over the past 12+ years is that post-compile injection of RASP controls helps to meet each of these requirements.

Ensure advanced detection and evaluation algorithms
Minimizing development training and expertise to implement
Ensure controls can be distributed throughout systems without impeding core development schedules
Generating audit logs and other compliance evidence to meet regulatory and statutory obligations

…and what’s this got to do with obfuscation?

As mentioned above – slowing discovery (and impeding evasion) of RASP controls improves privacy and safety – while simultaneously lowering the cost and complexity of implementing those controls. The PCI Council recommends obfuscation to better secure rooted device detection, Google recommends obfuscation to impede hacks on SafetyNet, and the list goes on-and-on. Obscuring RASP controls via obfuscation is a recommended (and increasingly required) practice.

Post-compile injection lets you develop in open source – while injecting (and optionally obfuscating) your RASP controls post compile.

Is there a role for obfuscation to play in the open source community?

YES IF,

If RASP controls are required AND
Your RASP technology can be wholly injected post-compile (no logic or APIs are included in the app source code itself)

It’s the inverse of the IP scenario above. Putting your RASP control source inside your project for hackers to see would be “sheer lunacy” as the benefits of injection (improved safety and privacy for users and lower cost and complexity of security derived from injection) far outweigh any advantage that might come from dogmatically publishing source that actually has nothing to do with the application you’re building.

Like most everyone – we at PreEmptive are energized by Microsoft’s acquisition of GitHub – and we look forward to helping new audiences effectively and efficiently protect their apps and the data they process.

Tools don’t hack apps, hackers do: Securing Android apps against Frida

Search for lockpicking and you’ll see that there’s no shortage of suppliers ready to serve locksmiths and hobbyists, each community having a perfectly legitimate need. Is there any reason to believe that burglars don’t shop the same sites?

Hackers are developers and they have a long history of enthusiastically embracing and adapting development (and DevOps) innovations to speed their work, extend their reach, and ship software – the only difference is that they’re more likely to use those development tools and platforms on YOUR software rather than on their own. Static code analysis tools, debuggers, and even public bug tracking databases are all go-to hacker resources.

Can you tell the difference? Exception or the norm?

Of course, everyone is “for security” in principle. The hard question that each organization has to answer for themselves is “how much is enough?” Over-engineering is (by definition) excessive, and over-engineering application security can, in fact, be devastating as overly-complex algorithms, architectures and processes can compromise user experience, degrade performance and slow development velocity. On the other hand, punishment is swift for organizations that cut corners and do not effectively secure their applications, their data and, most importantly their users and business stakeholders. Finding and maintaining that balance can be time consuming and, because you can never be sure you’ve gotten it exactly right, it can also be a thankless job.

JavaScript is everywhere. It’s currently the world’s most popular programming language; as noted by GitHub, JavaScript has the highest number of contributors and repositories, handily outpacing other alternatives such as Python, PHP and Ruby.

The problem with all this popularity? Massive amounts of great open-source code create opportunities for both in-house development teams and malicious actors. The sheer volume of JavaScript-based services means it’s not enough just design apps with security in mind — businesses must actively mitigate emerging threats by obfuscating critical code to frustrate hacker efforts.

Not sure where to start? Here’s what you need to know about the brewing storm of JavaScript attacks and the simplest ways to reduce your total risk.

Over a year ago we wrote instructions for migrating from ProGuard or DexGuard to DashO. Since that time, Google introduced R8, fundamentally changing the Android build process. Now, we have released PreEmptive Protection DashO for Android & Java, version 10.0 with a new Android Mode that is designed to work with R8. With this release, migrating from ProGuard or DexGuard to DashO is so simple that it almost doesn't need instructions - so we're posting new instructions to make that clear!

Welcome to our new instructions!

Before we begin, let's make sure we're all on the same page. We assume you are currently:

We are proud to announce the public release of PreEmptive Protection DashO for Android & Java v10.0, the next major version of DashO, our powerful Android & Java obfuscation and app protection product.

This release has major changes to our Android support. We've blogged about R8 and Google's build architecture changes before, and this new version of DashO works together with R8 to protect Android apps and libraries. R8 does what it is best at: minification (renaming & removal) and performance (build and runtime), while DashO provides strong protection: Control Flow, String Encryption, and runtime Checks for Tamper, Debug, Root, Emulators, and more. Together you get the best of both worlds.

To accomplish this new integration, we rethought DashO from the ground up, creating a brand new Android Mode with big changes to UI, build-time behaviors, and the way DashO integrates into a Gradle build. It's DashO unlike you've ever known it: even easier to integrate, easier to understand and configure, and easier to keep up to date as your code and Android evolve.

Microsoft Has Embraced GitHub. Can GitHub Embrace Obfuscation?

Tools don’t hack apps, hackers do: Securing Android apps against Frida

Trusted Computing: Panacea or Magical Thinking?

Can you tell the difference? Exception or the norm?

No Beans About It: Why You Need JavaScript Obfuscation

Migrating from ProGuard or DexGuard to DashO - Updated!

DashO 10: Android support, rebuilt from the ground up

Latest Blog Posts

Tools don’t hack apps, hackers do: Securing Android apps against Frida

Trusted Computing: Panacea or Magical Thinking?

No Beans About It: Why You Need JavaScript Obfuscation

Migrating from ProGuard or DexGuard to DashO - Updated!

DashO 10: Android support, rebuilt from the ground up

Twitter