Put the Protection in the App

July 2, 2019 465 Views Gabriel Torok

Untrusted Environments, Valuable Apps? Put the Protection in the App.

IT environments are evolving. Disappearing are the days of in-house, fixed-endpoint, limited access server stacks — replaced instead by a combination of private and public cloud solutions, mobile applications and IoT devices.

As noted by research firm IDC, public cloud spending now outpaces all other IT infrastructure with a growth rate topping 10 percent year-over-year, while Statista reports that users downloaded more than 178 billion apps in 2017 alone — and are on track to break 250 billion over the next few years.

What does this mean for organizations? That application environments are quickly moving beyond the purview of in-house IT, exposing both apps and network services to steadily growing risk. It creates a paradox: Companies can’t deny the benefits of third-party environments and application partnerships, but also can’t ignore the threat of app and data compromise or reverse-engineering and tampering.

Outside the comfort and control of in-house networks, apps must learn to fend for themselves: Here’s a crash-course in the art of software self-defense.

Clear and Present Danger

Application environments outside direct company control present significant risk. Consider a recent Wired piece, which notes that “hundreds of millions of records” containing unprotected Facebook user data were recently discovered on Amazon servers. Uploaded by Facebook app developers, this dangerous data trail showcases the speed of security risk: Information moved easily from Facebook itself to app developer networks to plaintext storage solutions.

Insecure app environments also pose physical risk: As reported by AutoBlog, after the Chicago Car2Go app was compromised approximately 100 cars were stolen, and some were used to commit crimes. This is the nature of mobile applications — accessibility trumps environmental security but opens software to the possibility of vulnerability exploitation or code modification.

Put simply? Applications — and their data — now exist across insecure environments as a matter of course but lack the internal security controls necessary to defend themselves.

Underlying Causes

The simplest explanation for rapidly increasing application security risk? Mobile app adoption. As noted above, hundreds of billions of apps are now downloaded each year by consumers and companies now recognize that apps are the key to staying competitive in a mobile-first world.

But the rush to develop and deploy apps naturally impacts security: According to recent survey data, most financial applications come with significant security flaws including insecure data storage, insufficient cryptography or the potential for code tampering. And in many cases, developers aren’t taking advantage of security options that already exist — as noted by Help Net Security, two-thirds of iOS applications don’t use App Transport Security (ATS) controls, which help ensure encrypted connections between apps and servers.

Also problematic? The decreasing efficacy of traditional defenses such as endpoint security tools. In fact, recent research found that 42 percent of all endpoints are unprotected at any given time, 70 percent of breaches originate at the endpoint and 100 percent of all endpoint security measures eventually fail. The result? Even supposedly “protected” environments aren’t foolproof — apps brought behind corporate failsafes and firewalls are never risk-free.

Wax On, Wax Off

In the Karate Kid, protagonist Daniel LaRusso spends a not-insignificant amount of time waxing his teachers’ car, frustrated that he’s not mastering the karate techniques he so desperately wants to learn. Spoiler alert: He’s been training the whole time, developing myriad skills — from patience and persistence to the physical movements necessary to ward off potential attackers.

Effective application protection across insecure environments demands a similar level of dedication and diversification to ensure apps are prepared to handle both everyday issues and master emerging challenges.

So what does this look like in practice?

First, organizations must recognize that any environment — including internal server stacks — is potentially hostile. What’s more, both application front- and back-ends are at risk, especially if apps aren’t just used on public networks but are also hosted in redundant data centers across multiple countries. Finally, companies must address the growing complexity, cost and confusion that surrounds emerging app compliance standards and regulations; traditional defenses no longer qualify as “due diligence” in a data-driven, mobile-first environment.

Giving apps the protection they need to self-defend means skipping the search for a catch-all, fire-and-forget solution and instead taking a layered approach using techniques such as:

Encryption — Even if attackers gain access, encrypted data reduces the potential of a large-scale data breach. Protect sensitive data when it’s stored, in-transit and in some cases, if possible in-use.
Passive App Protection and Obfuscation — Fake left, go right. Make it hard for hackers to find what they’re looking for in your code by removing and renaming human readable symbols, converting common instructions into less obvious but still valid constructs, altering logic to break decompliers, etc. This will frustrate hackers attempts to decompile and debug your application. Also, an application that is difficult to reverse engineer and probe is harder to attack, and it is more difficult to steal its intellectual property or create its evil app clone.
Active App Protection — Are attackers attempting to tamper with your code? Access it with a rooted device? Debug it? Run it in an emulator? Reverse engineer it? Applying In-App Active Protection can provide critical visibility into app behavior, allowing your team to investigate further, limit app access or terminate sessions altogether.

The Best Defense

The sheer volume and variety of applications makes it clear: Companies must assume every environment is untrusted. This isn’t an academic exercise — application breaches present serious risks to growth models and bottom lines across both technology and physical resource stacks.

Bottom line? Don’t rely on application environments to protect and secure your app. Instead, preemptively apply the protection directly into the app allowing it to secure itself wherever, whenever with both passive and active self-defense.

DashO 10: Android support, rebuilt from the ground up

We are proud to announce the public release of PreEmptive Protection DashO for Android & Java v10.0, the next major version of DashO, our powerful Android & Java obfuscation and app protection product.

This release has major changes to our Android support. We've blogged about R8 and Google's build architecture changes before, and this new version of DashO works together with R8 to protect Android apps and libraries. R8 does what it is best at: minification (renaming & removal) and performance (build and runtime), while DashO provides strong protection: Control Flow, String Encryption, and runtime Checks for Tamper, Debug, Root, Emulators, and more. Together you get the best of both worlds.

To accomplish this new integration, we rethought DashO from the ground up, creating a brand new Android Mode with big changes to UI, build-time behaviors, and the way DashO integrates into a Gradle build. It's DashO unlike you've ever known it: even easier to integrate, easier to understand and configure, and easier to keep up to date as your code and Android evolve.

Organizations can’t afford to leave apps unprotected. Attackers are growing more sophisticated, leveraging targeted malware campaigns and advanced evasion tactics to compromise applications and cause long-term damage. And according to Forbes, even antivirus tools designed to protect devices and software can increase overall risk: recent research found that more than 28 million Android phones were subject to security vulnerabilities thanks to insecure virus protection apps.

As a result, many companies looking to boost application protection and security without breaking their budget or introducing unexpected risk are considering in-house builds of better defenses using a combination of IT talent and publicly available tools.

The challenge? Homegrown solutions introduce the potential for DIY disasters. Let’s dig in and discover why they can’t measure up.

Currently charging up the hype cycle slope? The rush to become a “technology-forward” organization.

But delivering on digital transformation potential demands more than buzzwords — along with C-suite support, end-user buy in and robust data defense, companies must develop “protection-forward” strategies to secure the IT front line: Applications.

Tech-Forward Trends

What is a technology-forward organization? One that prioritizes digital transformation — the ongoing shift away from cumbersome physical processes and outdated IT solutions to always-connected, digitally-enabled services that empower user access and data analytics to drive long-term ROI.

When properly implemented, tech-forward strategies pay big dividends: As noted by Forbes, businesses like Target and Best Buy — both at risk of going under just a few years ago — have substantially improved both performance and revenue by leaning into digital solutions. According to Tech Republic, 66 percent of business leaders now plan to implement digital transformation strategies and expect them to drive 17 percent ROI over the next year.

Earlier this month, I had come across Scott Hanselman’s excellent blog post, What's better than ILDasm? ILSpy and dnSpy are tools to Decompile .NET Code where he had shared his insights on the strengths and limitations of a laundry list of reverse engineering and debugging tools. In the comments that followed, someone had asked for an obfuscation recommendation for those times when a developer wants to protect their code against reverse-engineering (a reasonable question to be sure).

Unfortunately, comments had been disabled by that point, and so I had sent an email to Scott that mapped Dotfuscator’s anti reverse-engineering/tamper/debugging capabilities to the collection of developer tools that he had covered.

Before I start, I would like to thank PreEmptive for inviting me to write a guest post.

I would like to start my blog with a discussion about the growing cyber threats all over the world. I assume readers are well aware of cyber threats and how they are addressed by people, process, and technology. The continuous planning and advancement of security in the cyber world including but not limited to applications is an interesting read. Here, in my blog, I would like to discuss how companies can support mobile application security for better and safer use of stored data.

Put the Protection in the App

Untrusted Environments, Valuable Apps? Put the Protection in the App.

Clear and Present Danger

Underlying Causes

Wax On, Wax Off

The Best Defense

DashO 10: Android support, rebuilt from the ground up

Application Protection Rule #1: Why In-House App Obfuscation & Defense Doesn’t Measure Up

Deliver on Digital Transformation Potential with App Protection-Forward Strategies

Tech-Forward Trends

Reverse-Engineering Tools Are Awesome; Except When You Don’t Want Them To Be

Is your Mobile App GDPR Compliant? Learn how to secure your App

Latest Blog Posts

DashO 10: Android support, rebuilt from the ground up

Application Protection Rule #1: Why In-House App Obfuscation & Defense Doesn’t Measure Up

Deliver on Digital Transformation Potential with App Protection-Forward Strategies

Reverse-Engineering Tools Are Awesome; Except When You Don’t Want Them To Be

Is your Mobile App GDPR Compliant? Learn how to secure your App

Twitter