Rogue Apps: Facilitating Theft from Developers and Consumers

October 10, 2018 2873 Views Sebastian Holst

That was the title of yesterday's congressional briefing organized by ACT | The App Association (in cooperation with the Congressional IP Caucus which is co-chaired by Rep. George Holding, Rep. Adam Smith, & Rep. Hakeem Jeffries).

As is often the case when presenting to different kind of audience (not software-centric), you’re forced to reorganize your thoughts – here are few that might be worth sharing.

Attendees were promised the following agenda:

Learn how rogue apps steal content;
Understand what access devices are enabling the piracy of content;
Learn about a range of app piracy methods used to exploit U.S. companies;
Gain insight into existing industry best practices and enforcement methods for combating IP piracy.

The panelists represented a nice cross-section of stakeholders.

Morgan Reed, President, ACT | The App Association (Moderator)
Tom Galvin, Executive Director, Digital Citizens Alliance
Greg Saphier, Senior Vice President, External Affairs, Motion Picture Association of America
Myself (Sebastian Holst, EVP & Chief Strategy Officer, PreEmptive Solutions)

First, I have to thank ACT (again) for their amazing work connecting software developers with their representatives (and vice versa) – and, more selfishly today, for inviting me to participate as a panelist (I always leave ACT events feeling maybe a little guilty hoping that I contributed at least as much as I took away).

Attendance

The bad news is that every representative is away campaigning in their districts – but that was actually the good news – this meant that their staff (who have heavy influence over their boss’ final positions) were free to attend – and we did indeed have a full house – with lots of questions that went beyond the scheduled time slot.

The following summary covers just two of the topics raised and my responses (I don’t want to presume to quote anyone else). I think that the fact that these topics are front of mind on Capital Hill and this audience is extremely important all by itself.

Question 1

As a developer of protection tools for software applications, can you tell us what your clients are experiencing in terms of piracy? (both consumer facing apps and enterprise software attacks)

My response: Consumer facing

There’s the obvious category of primary authors of games, reference, and “convenience” apps – apps whose algorithms or content can be readily repurposed.
We also see App development shops with specialties like (for example) consumer banking. They target smaller banks, savings & loans – these companies have a toolkit that lets them efficiently develop “custom” apps for each bank and their theft is a direct threat to their core business model.
Another category is the technology specialist that delivers niche libraries of – for example – graphics functionality – that other development organizations use. What’s interesting about these is that we see them include IP protection requirements in THEIR licensing terms to their clients, e.g. other development shops. It’s often their clients who need to work with us in order to meet their contractual obligations.

Enterprise facing

An interesting example that is uniquely enterprise is a compliance service provider that migrates massive volumes of archive files and email from any old format that a company might have used over the past 30 or 40 years. The “dictionary” of translation logic to clean up all that data is extremely valuable IP. While no one translation is all that valuable – the sum total in their library of all formats represents hundreds of person years of effort.
Any kind of simulator – automotive, flight, or any kind of “physics” engine
Illegal upgrades to equipment whose functionality is controlled by software – like cars and sophisticated measurement equipment is also an interesting piracy threat – it’s not the software but the equipment that is actually being pirated.

Question 2

So, pirates or hackers are not just ripping off content to redistribute it for a profit. Tell us more about why hackers are attacking your clients’ apps?

My response: We’ve seen a dramatic rise in hackers using apps as a means to get to the data that flows through those apps – examples include

Financial
Healthcare
General PII

As encryption has become more effectively deployed, hackers use developer tools like debuggers to access the data at the only time it isn’t encrypted – when it’s in use – in memory –

They use developer tools to see user data – but also tokens, passwords, and other sensitive data that can be used to elevate user privileges and execute unauthorized code as well.

In fact – from an engineering perspective – there is virtually no distinction between stealing content as a means to compromise systems, e.g. using a trusted brand to deliver a malicious payload versus compromising software or a device to steal valuable content like movies or games from a jailbroken Firestick.

So... the hacking breakthroughs for one criminal pattern (like watching illegal movies) can be equally useful to a multitude of other criminal activities – and – as such – are widely shared and valued by other classes of pirates, cyber-criminals, and nation-state actors.

There were many more questions (and answers) of course - if you’d like to learn more about this briefing and others like it - visit www.actonline.org and introduce yourself – if you have any comments or questions on the topics raised here – (or would like to learn about how PreEmptive Solutions is helping others), please do not hesitate to contact me directly.

Latest Blog Posts

Integrating DashO into a Maven Build

Maven is perhaps the most widely-used project management tool for Java. Based on the Project Object Model (POM), it is used not only for compilation of source code, but also dependency management, documentation, running tests, packaging, deployment, and more. We are frequently asked if we have a Maven plugin for running DashO. Though we do not offer a specific Maven plugin, adding DashO to your Maven-based project is surprisingly easy by leveraging Ant.

In an already digital world, the Covid-19 pandemic forced society and businesses to adopt additional modes of technology and press on for more advanced application development. Business’ focus shifted to increased remote work collaboration, streamlined contact tracing work, and enhanced consumer e-commerce connections. With little knowledge on how much longer social distancing measures will be in place, more on-demand application development options are needed to successfully maintain workplace functionality.

Gabriel Torok, Founder and CEO of PreEmptive, recently authored an article as part of the Forbes Technology Council. In it, he describes four application trends that help predict emerging expectations for the future of enterprise.

Customers occasionally ask us about adding DashO, Dotfuscator, or JSDefender to their Docker-based build processes. We do not provide pre-built Docker containers for our products, but it is relatively straightforward to create your own containers with the distributions we do provide. Historically, setting up licensing for these containers could be a challenge, but with the recent addition of Floating license support to DashO, Dotfuscator, and JSDefender, even the licensing part is straightforward.

This blog provides example Dockerfiles for each product, as a starting point for building your own containers. You will need to replace {x.y[.z]} with the appropriate major.minor[.patch] version.

Read more

Navigating the Choice Between Security and Customer Experience

Navigating the Choice Between Security and Customer Experience

Chances are, if you’ve used a mobile banking app, or bought something online, your purchase was facilitated in part by a Fiserv product. Fiserv is a global provider of financial services technology. Clients include banks, credit unions, financial companies and retailers. As a Fintech company, Fiserv provides payment and commerce enabling technology to clients in more than 100 countries, serving as an “industry standard” across the world.

In a recent article “2020 Trends in Fraud and Financial Crime Risk Management” Andrew Davies – Fiserv’s VP of Global Market Strategy writes “Criminals are even more on the offensive, constantly researching new vulnerabilities and developing fresh attack vectors. For financial institutions, that's spurred growth in both process and technology investments to keep pace.” The question that Fiserv and many other financial institutions are asking: “How do you accurately manage detecting financial crime without inhibiting the customer experience?”

“Better licensing means more flexibility,” said CTO Bill Leach during a recent presentation on the release of DashO 11 - PreEmptive’s Android and Java Protection Product. “The new floating license and product activation features allow users to provision DashO on the fly – for example, on cloud hosted build agents that don’t already have DashO preinstalled. By specifying the license key at run time, development teams can more easily automate their builds, no matter where they run.”

Revamped licensing and activation are not the only updates in this latest version—other highlights include:

Rogue Apps: Facilitating Theft from Developers and Consumers

Attendance

Question 1

Question 2

Integrating DashO into a Maven Build

Post Covid-19: 4 Application Trends You Need to Know

Dockerize PreEmptive's Products using Floating License

Navigating the Choice Between Security and Customer Experience

DashO 11 Release: Licensing, Bug Fixes, and Improved Functionality

Latest Blog Posts

GlobalMed Finds Success by Switching to JSDefender

Integrating DashO into a Maven Build

Post Covid-19: 4 Application Trends You Need to Know

Dockerize PreEmptive's Products using Floating License

Navigating the Choice Between Security and Customer Experience

Twitter