PreEmptive
Create More Secure Applications – Don’t Hard Code Credentials; Instead, Use Application Hardening

September 18, 2018 | Gabriel Torok

Credentials are a problem for your app. Why? Because they are the gateway to everything behind it: an attacker holding a working username and password can do anything that user can, from taking over accounts to invoking privileged application functions.

It’s big business. SensorsTechForum reported 85 malicious apps on Google Play that harvested login credentials, and Verizon’s 2018 Data Breach Investigations Report found that 81 percent of hacking-related breaches involved weak or stolen passwords.

Part of the problem is users picking credentials that are easy to remember and therefore easy to guess. But applications have a problem of their own: hard-coded credentials. From smart city software to stock trading apps, embedding a credential in the code saves time up front and costs dearly in security later.

Don’t become an easy mark for hackers: Here are six ways to boost credential control and reduce total risk.

Cancel the Hard Code

Hard coding means embedding a fixed credential (a service account password, an API key, a signing or encryption key) in the application’s source or resources, so that it ships inside every copy of the binary. A close cousin is caching user credentials on the client so they only have to be typed once: the user enters them into a trusted service and the application takes care of the rest. Both are popular with developers because they are convenient.

They are also popular with attackers, because a credential stored in the client is a stationary target: it is the same in every installed copy, and anyone who can read the binary or the device’s storage can read it. Compromise one copy of the app and you may hold a credential that opens every user’s account, or the back-end service itself. This is especially bad when the stored password is not even encrypted: 10 of 80 stock trading apps tested by IOActive stored passwords on the client in plaintext. Encrypting it with a key that also ships in the app only moves the problem, since the attacker recovers the key the same way. Even more worrisome, TechCrunch reported that satellite communication systems around the world use hard-coded passwords for their control systems.

The takeaway we keep hammering on: never ship a hard-coded credential in, or store a long-lived password on, the client side of any application. Sure, it saves time. It is not worth the risk.
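Before relying on discipline alone, it helps to have a check that fails the build. The following is an added example, not PreEmptive’s code: a small static scan of the kind a pre-commit hook or CI job would run over source text. It flags secrets with a recognisable shape, assignments whose name says "password" or "secret", and long, high-entropy literals that look like keys. The sample source is constructed for this example, and the AWS key in it is the documented placeholder value rather than a live credential.

```python
"""Static check for hard-coded credentials in source text.

Added example, not PreEmptive's code. SAMPLE_SOURCE is constructed; the AWS
key in it is the documented example value, not a real credential.
"""
import math
import re

# Credentials that have a recognisable fixed shape.
SHAPE_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "basic_auth_in_url": re.compile(r"[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s:@]+@"),
}

# An assignment whose name suggests a secret and whose value is a literal.
SECRET_ASSIGNMENT = re.compile(
    r"(?i)\b(?P<name>[\w.]*(?:password|passwd|pwd|secret|token|api[_-]?key)[\w.]*)"
    r"\s*[:=]\s*[\"'](?P<value>[^\"']{4,})[\"']"
)

# Any quoted literal long enough to be a key and made only of key-like characters.
STRING_LITERAL = re.compile(r"[\"']([A-Za-z0-9+/=_\-]{20,})[\"']")


def shannon_entropy(s):
    """Bits per character: random keys score roughly 4 to 6, prose around 3 to 4."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_source(text, entropy_threshold=4.0):
    """Return (line_no, kind, detail) findings for the text of one source file."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SHAPE_PATTERNS.items():
            if pattern.search(line):
                findings.append((line_no, kind, line.strip()))
        m = SECRET_ASSIGNMENT.search(line)
        if m:
            findings.append((line_no, "secret_assignment", m.group("name")))
            continue
        # Unnamed but key-shaped literals: long and too random to be prose.
        for literal in STRING_LITERAL.findall(line):
            if shannon_entropy(literal) >= entropy_threshold:
                findings.append((line_no, "high_entropy_literal", literal))
    return findings


# Constructed sample: three lines that should never be committed, alongside
# three innocent ones the scan must leave alone.
SAMPLE_SOURCE = """\
DB_HOST = "db.internal"
DB_PASSWORD = "Sup3rS3cret!"
AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
session = connect(timeout=30)
welcome = "Welcome to the application dashboard"
SIGNING_KEY = "dGhpcyBpcyBub3QgYSByZWFsIGtleQ=="
"""

if __name__ == "__main__":
    for line_no, kind, detail in scan_source(SAMPLE_SOURCE):
        print(f"line {line_no}: {kind}: {detail}")
```

The AWS key is caught by shape and the signing key by entropy, which is why both routes are needed: a 20-character key ID is not random enough to clear the entropy bar, and a base64 secret has no fixed prefix to match. Tune the entropy threshold against your own code base and treat hits as review prompts, not verdicts.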

Opt for User Input

What’s the alternative to hard coding credentials? Have users provide them at runtime. If back-end services require credentials, make them user-specific rather than service-specific: authenticate the user, hand back a short-lived token scoped to that user, and hold it only in memory. That means writing code that never stores usernames or passwords and asks for them each time the user signs in. Also a good idea: double up with two-factor authentication. Adding one-time passcodes or hardware security keys sharply reduces the value of a stolen password.
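The flow just described, as an added example that is not PreEmptive’s code: the client ships no credential at all, the user types a password and a one-time code, and the back end checks both and returns a user-scoped token that expires in minutes and never touches disk. AuthServer, the user "alice" and her TOTP seed are constructed for this example; the one-time code routine follows RFC 6238 (HMAC-SHA1, 30-second steps), which is what authenticator apps implement.

```python
"""User credentials supplied at runtime and exchanged for a short-lived token.

Added example, not PreEmptive's code. AuthServer and the user record are
constructed; totp() follows RFC 6238.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time

PBKDF2_ROUNDS = 200_000


def totp(seed, at_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP over the time-step counter, as authenticator apps do."""
    counter = int(at_time) // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class AuthServer:
    """Back-end side. Stores salted PBKDF2 hashes and TOTP seeds, never passwords."""

    TOKEN_TTL = 300  # seconds; a stolen token is worth little for long

    def __init__(self):
        self._signing_key = secrets.token_bytes(32)  # never leaves the server
        self._users = {}

    def register(self, username, password, totp_seed):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self._users[username] = (salt, digest, totp_seed)

    def login(self, username, password, code, now=None):
        """Return a token on success, else None; every failure looks the same."""
        now = time.time() if now is None else now
        record = self._users.get(username)
        if record is None:
            return None
        salt, digest, totp_seed = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        if not hmac.compare_digest(candidate, digest):
            return None
        # Accept the current step and the previous one to absorb clock skew.
        if not any(hmac.compare_digest(code, totp(totp_seed, now - d)) for d in (0, 30)):
            return None
        return self._issue(username, int(now) + self.TOKEN_TTL)

    def _issue(self, username, expiry):
        payload = f"{username}:{expiry}".encode()
        tag = hmac.new(self._signing_key, payload, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(payload + b":" + tag).decode()

    def verify(self, token, now=None):
        """Return the username a token was issued to, or None if forged or expired."""
        now = time.time() if now is None else now
        if not isinstance(token, str):
            return None
        try:
            raw = base64.urlsafe_b64decode(token.encode())
            payload, tag = raw[:-33], raw[-32:]          # fixed-length tag at the end
            expected = hmac.new(self._signing_key, payload, hashlib.sha256).digest()
            if not hmac.compare_digest(tag, expected):
                return None
            username, expiry = payload.rsplit(b":", 1)
            if int(expiry) < now:
                return None
            return username.decode()
        except ValueError:                               # malformed token
            return None


def demo(now=1_700_000_000):
    """Register a constructed user, sign in with a fresh code, use the token."""
    server = AuthServer()
    seed = b"12345678901234567890"                       # constructed TOTP seed
    server.register("alice", "correct horse battery staple", seed)
    token = server.login("alice", "correct horse battery staple", totp(seed, now), now=now)
    return server.verify(token, now=now + 60)            # "alice"; None if anything failed
```

The client side of this is deliberately boring: it holds the password only long enough to send it, keeps the returned token in a variable, and re-prompts when the token expires. Nothing it holds is worth copying out of the binary.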

Disable Debugging

Debugging support helps developers confirm an app works as intended. But what happens when it is still there once the app ships? As Threatpost reported, a debug trace left in a driver shipped on HP laptops could log every keystroke, and an attacker facing an app built with debugging enabled can attach a debugger and read unencrypted data, including credentials the user just typed, straight out of memory. So strip debug information and debuggable flags from release builds, and then go further: harden the application with anti-debug protection that detects an attached debugger and refuses to continue. Even an app that hard codes nothing will hand over user data at runtime if an attacker can single-step through it.

Restrict Rooting

Rooted devices are risky for your application. Why? Because attackers root or jailbreak devices precisely so they can run toolsets that hook your app, dump its memory, or hunt for flaws in it. And because a rooted device can install from unapproved app stores and run anything with root privileges, even a legitimate user on a rooted phone can expose your app to a hidden keylogger or other malware.

The result? Use anti-root app hardening that detects the signs of a rooted or jailbroken device and stops the app from running, or limits what it will do. Treat the detection as a signal rather than a guarantee: root-hiding tools exist, so it should be one layer among several, not the only one.
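The anti-debug and anti-root checks from the two sections above, as one added example that is not PreEmptive’s code. The decision logic takes its inputs as arguments so it can be exercised on constructed data; on a Linux or Android host the live wrappers read /proc/self/status and the filesystem for real. The su paths and "test-keys" build tag are the usual Android indicators; SAMPLE_STATUS is a constructed excerpt.

```python
"""Runtime environment checks: attached debugger and root indicators.

Added example, not PreEmptive's code. ROOT_PATHS are common Android
indicators; SAMPLE_STATUS is constructed.
"""
import os
import sys

# Files that exist only on a rooted Android device (su binary, root managers).
ROOT_PATHS = (
    "/system/bin/su",
    "/system/xbin/su",
    "/sbin/su",
    "/system/app/Superuser.apk",
    "/data/adb/magisk",
)


def tracer_pid(proc_status_text):
    """Parse TracerPid from /proc/<pid>/status; non-zero means a ptrace tracer is attached."""
    for line in proc_status_text.splitlines():
        if line.startswith("TracerPid:"):
            return int(line.split(":", 1)[1].strip())
    return 0  # field absent (no Linux procfs): no evidence either way


def debugger_attached(proc_status_text=None):
    """True if a ptrace tracer is on this process or a Python trace hook is installed."""
    if sys.gettrace() is not None:        # pdb, debugpy and coverage all install one
        return True
    if proc_status_text is None:
        try:
            with open("/proc/self/status") as f:
                proc_status_text = f.read()
        except OSError:                   # no procfs here: cannot tell
            return False
    return tracer_pid(proc_status_text) != 0


def root_indicators(path_exists=os.path.exists, build_tags=""):
    """Return the list of root signals seen; an empty list means none.

    path_exists is injected so tests can simulate a device. build_tags is
    ro.build.tags (android.os.Build.TAGS), which reads "test-keys" on many
    custom ROMs and emulators and "release-keys" on stock builds.
    """
    reasons = [p for p in ROOT_PATHS if path_exists(p)]
    if "test-keys" in build_tags:
        reasons.append("build signed with test-keys")
    return reasons


def environment_is_hostile(proc_status_text=None, path_exists=os.path.exists, build_tags=""):
    """Policy: refuse to run, or degrade, when a debugger or root is detected.

    A positive is a signal, not proof: root-hiding tools and a debugger that
    detaches before this runs both defeat it, so pair it with anti-tamper and
    server-side checks instead of relying on it alone.
    """
    return debugger_attached(proc_status_text) or bool(root_indicators(path_exists, build_tags))


# Constructed /proc/self/status excerpt from a process being traced by pid 4242.
SAMPLE_STATUS = "Name:\tapp\nState:\tt (tracing stop)\nTracerPid:\t4242\nUid:\t10123\n"
```

In a shipped app the policy function runs early and repeatedly (not just once at start-up, which is the first thing an attacker patches out), and its result feeds the anti-tamper response rather than a single easily-found `if`.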

Manage Man-in-the-Middle Attacks

Attackers are always looking for ways to sit between your app and its back end, read what passes, and evade in-app protections: the man-in-the-middle attack. One version uses a certificate for your host that the attacker should not have, whether mis-issued, stolen, or minted by a root certificate the user was talked into installing (which is how interception proxies work). Because the device’s trust store accepts it as coming from a trusted CA, the TLS handshake succeeds and the attacker can read and alter every request, credentials included. Certificate pinning narrows that: the app associates each host with the specific public key (or keys) it expects, rather than accepting whatever any trusted CA will sign. Pin the key rather than the whole certificate, keep a backup pin for the next key, and plan rotation, because a pinned app that cannot reach its server is an outage you caused yourself.
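The check described above, as an added example that is not PreEmptive’s code and uses only the Python standard library. pin_for() produces the "sha256/<base64>" form used by OkHttp and HPKP; extract_spki() walks the DER encoding of an X.509 certificate to its SubjectPublicKeyInfo so the pin covers the key rather than the certificate, which changes at every renewal. SAMPLE_CERT_DER is a constructed, unsigned certificate-shaped structure for offline testing, not a real certificate, and connect_pinned() is the live form, which assumes a reachable host.

```python
"""Certificate pinning on the server's public key (SPKI), standard library only.

Added example, not PreEmptive's code. SAMPLE_CERT_DER is constructed and
would never validate; it exists only to exercise the parser offline.
"""
import base64
import hashlib
import socket
import ssl


def _read_tlv(buf, pos):
    """Decode the DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def extract_spki(cert_der):
    """Return the DER-encoded SubjectPublicKeyInfo of an X.509 certificate (RFC 5280)."""
    tag, pos, _ = _read_tlv(cert_der, 0)            # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("expected DER SEQUENCE")
    tag, pos, _ = _read_tlv(cert_der, pos)          # tbsCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("expected DER SEQUENCE")
    tag, _, end = _read_tlv(cert_der, pos)
    if tag == 0xA0:                                 # optional [0] EXPLICIT version
        pos = end
    for _ in range(5):                              # serial, signature, issuer, validity, subject
        _, _, pos = _read_tlv(cert_der, pos)
    tag, _, end = _read_tlv(cert_der, pos)          # subjectPublicKeyInfo ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("expected DER SEQUENCE")
    return cert_der[pos:end]                        # header included: that is what gets hashed


def pin_for(spki_der):
    """OkHttp/HPKP style pin string for one public key."""
    return "sha256/" + base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def pin_matches(cert_der, pins):
    """True if the certificate's key is in the pin set. Always ship a backup pin."""
    return pin_for(extract_spki(cert_der)) in set(pins)


def connect_pinned(host, pins, port=443, timeout=5):
    """Live form: normal chain validation first, then refuse any unpinned leaf key."""
    ctx = ssl.create_default_context()
    sock = ctx.wrap_socket(socket.create_connection((host, port), timeout), server_hostname=host)
    if not pin_matches(sock.getpeercert(binary_form=True), pins):
        sock.close()
        raise ssl.SSLError(f"pin validation failed for {host}")
    return sock


def _tlv(tag, body):
    """DER-encode one TLV; used only to build the constructed sample below."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + body


# Constructed sample: a P-256 SPKI shape with a dummy point, inside an unsigned
# certificate skeleton whose other fields are empty.
SAMPLE_SPKI = _tlv(0x30,
    _tlv(0x30, _tlv(0x06, bytes.fromhex("2a8648ce3d0201"))       # id-ecPublicKey
             + _tlv(0x06, bytes.fromhex("2a8648ce3d030107")))    # prime256v1
    + _tlv(0x03, b"\x00\x04" + b"\x11" * 64))                     # BIT STRING: uncompressed point
SAMPLE_CERT_DER = _tlv(0x30,
    _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02"))                    # [0] version v3
             + _tlv(0x02, b"\x01")                                # serialNumber
             + _tlv(0x30, b"") + _tlv(0x30, b"")                  # signature, issuer (empty here)
             + _tlv(0x30, b"") + _tlv(0x30, b"")                  # validity, subject (empty here)
             + SAMPLE_SPKI)
    + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))                      # signatureAlgorithm, signatureValue

# Current key plus a backup pin (placeholder value) so key rotation cannot lock users out.
PINS = {pin_for(SAMPLE_SPKI), "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="}
```

Note the order in connect_pinned(): the default context still validates the chain, hostname and expiry, and pinning only narrows which leaf keys are then acceptable. Hashing the SPKI rather than the certificate bytes is what lets the server renew its certificate on the same key without breaking installed apps.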

Attackers may also tamper with the application itself, adding or removing code that is not critical to daily operation but opens a side door to sensitive data, or simply patching out the protections above. Since tampering takes many forms depending on the attacker’s intent and the app’s function, deploy anti-tamper hardening that verifies the app’s own integrity at runtime and shuts it down, or deliberately crashes it, when a modification is detected.

Obfuscate Operations

If attackers can read your code, they can modify it. They are constantly looking for the location of sensitive logic and for the checks that protect it, so they can disable those first. The rise of open-source and third-party mobile libraries makes this easier: they let developers build and ship quickly, but a well-known library also gives an attacker a well-known map of your app, and may come with easily exploitable vulnerabilities of its own.

Here, the name of the game is obfuscation. Code obfuscation tools protect your application by renaming identifiers, encrypting string literals, inserting dummy code and introducing opaque conditionals, all of which frustrate an attacker hoping to find and manipulate critical data such as runtime user credentials. Keep the limits in mind: an encrypted string is decrypted in memory when it is used, so obfuscation raises the cost of reverse engineering but does not make a shipped secret safe. It belongs on top of removing hard-coded credentials, not in place of it.
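String encryption, one of the transforms listed above, as an added example that is not PreEmptive’s or any product’s code. A literal such as a back-end hostname is replaced in the source by an encrypted blob plus a call to a small decoder, so the plaintext is absent from the shipped image and exists only in memory while in use. The cipher here (a random per-string key, XOR with a SHA-256 counter keystream) is a deterrent and not cryptographic protection: the key ships inside the blob, which is exactly the limit described above. SAMPLE_SOURCE and the decoder name S are constructed.

```python
"""Build-time string encryption, one of the transforms an obfuscator applies.

Added example, not PreEmptive's code. SAMPLE_SOURCE and the decoder S are
constructed; the cipher is obfuscation grade, not a secrecy guarantee.
"""
import hashlib
import re
import secrets


def _keystream(key, n):
    """Expand a short key into n bytes of SHA-256 counter output (obfuscation grade)."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def encrypt_literal(text):
    """Build step: the blob that replaces one string literal in the source."""
    key = secrets.token_bytes(8)          # fresh per string: identical literals give different blobs
    data = text.encode("utf-8")
    body = bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))
    return key + body


def S(blob):
    """Runtime step: the short decoder an obfuscator injects next to every use."""
    key, body = blob[:8], blob[8:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, len(body)))).decode("utf-8")


def rewrite_source(source):
    """Replace every double-quoted literal in a source text with S(<blob>)."""
    def replace(match):
        return "S(" + repr(encrypt_literal(match.group(1))) + ")"
    return re.sub(r'"([^"\\]*)"', replace, source)


def visible_strings(image, min_len=6):
    """What the `strings` tool would show: runs of printable bytes in an image."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, image)


# Constructed one-line program containing a hostname an attacker would look for.
SAMPLE_SOURCE = 'ENDPOINT = "https://api.example.test/v1/login"\n'


def demo():
    """Is the hostname visible in the shipped text before and after rewriting?"""
    before = SAMPLE_SOURCE.encode()
    after = rewrite_source(SAMPLE_SOURCE).encode()

    def leaks(image):
        return any(b"api.example.test" in run for run in visible_strings(image))

    return leaks(before), leaks(after)    # (True, False)
```

The rewritten program still evaluates to the same ENDPOINT value at runtime, which is the point: a `strings` pass over the binary no longer finds the hostname, but a debugger stopped after the S() call does, so this transform pairs with anti-debug rather than replacing it.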

Harden Your App, Protect its Credentials

Harden your application to make it a difficult target: eliminate hard-coded credentials and rely on user-provided credentials at runtime. Add anti-debug, anti-tamper and anti-root protection to any app that runs in an untrusted environment (mobile, desktop client, or public server). Pin certificates to manage man-in-the-middle attacks, and obfuscate the code to frustrate whatever the attacker tries next.

