
Put the Protection in the App

July 2, 2019 | Gabriel Torok


Untrusted Environments, Valuable Apps? Put the Protection in the App.

IT environments are evolving. Disappearing are the days of in-house, fixed-endpoint, limited access server stacks — replaced instead by a combination of private and public cloud solutions, mobile applications and IoT devices.

As noted by research firm IDC, public cloud spending now outpaces all other IT infrastructure with a growth rate topping 10 percent year-over-year, while Statista reports that users downloaded more than 178 billion apps in 2017 alone — and are on track to break 250 billion over the next few years.

What does this mean for organizations? That application environments are quickly moving beyond the purview of in-house IT, exposing both apps and network services to steadily growing risk. It creates a paradox: Companies can’t deny the benefits of third-party environments and application partnerships, but also can’t ignore the threat of app and data compromise or reverse-engineering and tampering.

Outside the comfort and control of in-house networks, apps must learn to fend for themselves: Here’s a crash-course in the art of software self-defense.

Clear and Present Danger

Application environments outside direct company control present significant risk. Consider a recent Wired piece, which notes that “hundreds of millions of records” containing unprotected Facebook user data were recently discovered on Amazon servers. Uploaded by Facebook app developers, this dangerous data trail showcases the speed of security risk: Information moved easily from Facebook itself to app developer networks to plaintext storage solutions.

Insecure app environments also pose physical risk: As reported by AutoBlog, after the Chicago Car2Go app was compromised, approximately 100 cars were stolen, and some were used to commit crimes. This is the nature of mobile applications — accessibility trumps environmental security but opens software to the possibility of vulnerability exploitation or code modification.

Put simply? Applications — and their data — now exist across insecure environments as a matter of course but lack the internal security controls necessary to defend themselves.

Underlying Causes

The simplest explanation for rapidly increasing application security risk? Mobile app adoption. As noted above, hundreds of billions of apps are now downloaded each year by consumers, and companies now recognize that apps are the key to staying competitive in a mobile-first world.

But the rush to develop and deploy apps naturally impacts security: According to recent survey data, most financial applications come with significant security flaws including insecure data storage, insufficient cryptography or the potential for code tampering. And in many cases, developers aren’t taking advantage of security options that already exist — as noted by Help Net Security, two-thirds of iOS applications don’t use App Transport Security (ATS) controls, which help ensure encrypted connections between apps and servers.

Also problematic? The decreasing efficacy of traditional defenses such as endpoint security tools. In fact, recent research found that 42 percent of all endpoints are unprotected at any given time, 70 percent of breaches originate at the endpoint and 100 percent of all endpoint security measures eventually fail. The result? Even supposedly “protected” environments aren’t foolproof — apps brought behind corporate failsafes and firewalls are never risk-free.

Wax On, Wax Off

In The Karate Kid, protagonist Daniel LaRusso spends a not-insignificant amount of time waxing his teacher’s car, frustrated that he’s not mastering the karate techniques he so desperately wants to learn. Spoiler alert: He’s been training the whole time, developing myriad skills — from patience and persistence to the physical movements necessary to ward off potential attackers.

Effective application protection across insecure environments demands a similar level of dedication and diversification to ensure apps are prepared to handle both everyday issues and master emerging challenges.

So what does this look like in practice?

First, organizations must recognize that any environment — including internal server stacks — is potentially hostile. What’s more, both application front- and back-ends are at risk, especially if apps aren’t just used on public networks but are also hosted in redundant data centers across multiple countries. Finally, companies must address the growing complexity, cost and confusion that surrounds emerging app compliance standards and regulations; traditional defenses no longer qualify as “due diligence” in a data-driven, mobile-first environment.

Giving apps the protection they need to self-defend means skipping the search for a catch-all, fire-and-forget solution and instead taking a layered approach using techniques such as:

  • Encryption — Even if attackers gain access, encrypted data reduces the potential of a large-scale data breach. Protect sensitive data when it’s stored, in transit and, where possible, in use.
  • Passive App Protection and Obfuscation — Fake left, go right. Make it hard for hackers to find what they’re looking for in your code by removing and renaming human-readable symbols, converting common instructions into less obvious but still valid constructs, altering logic to break decompilers, etc. This will frustrate hackers’ attempts to decompile and debug your application. An application that is difficult to reverse engineer and probe is also harder to attack, and it is more difficult to steal its intellectual property or create an evil clone of it.
  • Active App Protection — Are attackers attempting to tamper with your code? Access it with a rooted device? Debug it? Run it in an emulator? Reverse engineer it? Applying In-App Active Protection can provide critical visibility into app behavior, allowing your team to investigate further, limit app access or terminate sessions altogether.
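
A small illustration of the active-protection idea above, added here as an example and not taken from the original post or from any PreEmptive product: the build step hashes each protected module and signs the manifest, and the running app verifies both before choosing a response. The module names, manifest layout and the allow/limit/terminate labels are assumptions made for the example.

```javascript
// Added example: runtime tamper check with a graded response (all names hypothetical).
const crypto = require('crypto');

const sha256 = (buf) => crypto.createHash('sha256').update(buf).digest('hex');

// Build step: hash every protected module and sign the resulting manifest.
function buildManifest(modules, privateKey) {
  const hashes = {};
  for (const name of Object.keys(modules).sort()) hashes[name] = sha256(modules[name]);
  const body = JSON.stringify(hashes);
  return { body, sig: crypto.sign(null, Buffer.from(body), privateKey).toString('base64') };
}

// Runtime step: verify the signature first, then compare each module hash.
function checkIntegrity(modules, manifest, publicKey) {
  const sigOk = crypto.verify(null, Buffer.from(manifest.body), publicKey,
    Buffer.from(manifest.sig, 'base64'));
  if (!sigOk) return { action: 'terminate', findings: ['manifest signature invalid'] };
  const expected = JSON.parse(manifest.body);
  const findings = [];
  for (const [name, hash] of Object.entries(expected)) {
    if (!(name in modules)) findings.push(`missing: ${name}`);
    else if (sha256(modules[name]) !== hash) findings.push(`modified: ${name}`);
  }
  for (const name of Object.keys(modules)) {
    if (!(name in expected)) findings.push(`unexpected: ${name}`);
  }
  // Response policy mirrors the options in the text: allow, limit access, end the session.
  const action = findings.length === 0 ? 'allow'
    : findings.some((f) => f.startsWith('modified')) ? 'terminate' : 'limit';
  return { action, findings };
}

// Constructed sample input: two in-memory "modules" and a throwaway Ed25519 key pair.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
const shipped = { 'auth.js': Buffer.from('checkLicense()'), 'pay.js': Buffer.from('charge()') };
const manifest = buildManifest(shipped, privateKey);
const patched = { ...shipped, 'auth.js': Buffer.from('return true') };

console.log(checkIntegrity(shipped, manifest, publicKey));
console.log(checkIntegrity(patched, manifest, publicKey));
```

Only the public key ships with the app; the signing key stays in the build pipeline. Sending the findings to a server you control keeps the final decision off the device and gives the team the visibility the bullet describes.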

The Best Defense

The sheer volume and variety of applications makes it clear: Companies must assume every environment is untrusted. This isn’t an academic exercise — application breaches present serious risks to growth models and bottom lines across both technology and physical resource stacks.

Bottom line? Don’t rely on application environments to protect and secure your app. Instead, preemptively build the protection directly into the app, allowing it to secure itself wherever and whenever it runs, with both passive and active self-defense.


Copyright © 2020 PreEmptive