
Application Protection Rule #1: Why In-House App Obfuscation & Defense Doesn’t Measure Up

August 13, 2019 | Gabriel Torok


Organizations can’t afford to leave apps unprotected. Attackers are growing more sophisticated, leveraging targeted malware campaigns and advanced evasion tactics to compromise applications and cause long-term damage. And according to Forbes, even antivirus tools designed to protect devices and software can increase overall risk: recent research found that more than 28 million Android phones were subject to security vulnerabilities thanks to insecure virus protection apps.

As a result, many companies looking to boost application protection and security without breaking their budget or introducing unexpected risk are considering in-house builds of better defenses using a combination of IT talent and publicly available tools.

The challenge? Homegrown solutions introduce the potential for DIY disasters. Let’s dig in and discover why they can’t measure up.

Constructive Criticism

More than 30 percent of DIY projects fail — typically because they take longer and are more complex than initially predicted.

Consider what seems to be a simple job: installing a ceiling fan. Sounds easy — get a ladder, mark your location and attach the fan, right? Not so fast. First, you need to ensure there’s something above the drywall to support the weight; if there isn’t, you’ll need to open up and reinforce the ceiling. Does the fan have a light? If so, you need to deal with wiring an extra switch. Once installed you need to test it — what happens if the fan makes too much noise or won’t spin properly? How do you troubleshoot the problem?

Effective application protection is even more complex. While the desired outcome — reducing the risk of compromise — is straightforward, achieving this goal requires three layers of control:

  • Preventative — Solutions such as obfuscation and encryption are required to prevent malicious access and use of data. Obfuscation requires further specialization: defeating both human and machine inspection attacks takes a combination of variable and method renaming, control flow transformation and string encryption.
  • Detective — Attacks can come from multiple vectors including compromised runtimes via rooted devices, privileged utilities such as debuggers or more direct code tampering. Detective tools are essential to discover these attacks in their initial stages.
  • Responsive — To mitigate attack impact, organizations need app-specific responsive controls that can impede active exploits, modify app behavior appropriately, and report the suspicious activity.

Structurally Sound

Great app protection isn’t enough in isolation. If your DIY project requires complex implementation, impedes app functions, or hampers performance, you may create a solution that is worse than the problem you are trying to solve.

DIY work also comes with the potential of removing key structural elements necessary to meet regulatory and compliance demands. This is a common concern in DIY home renos — in their haste to make room for new plumbing or wiring, owners sometimes cut out pieces of ceiling or floor joists, creating a massive potential risk.

In app security, a similar thing happens when in-house teams attempt to simplify the problem by removing steps that are actually critical to meet evolving standards for protecting intellectual property & data, auditing, and reporting.

Ongoing Maintenance

Home-built app protection projects aren’t fire-and-forget. To ensure reliable defense they require ongoing maintenance, testing and updating. If you’re considering an in-house project, this means you need to tackle critical questions including:

  1. Who’s responsible for maintenance?

    Regular maintenance ensures reliable performance — but requires companies to allocate resources for this purpose. Will you handle this in-house or bring in outside contractors?

  2. How will it be updated?

    Hackers are developing new techniques and leveraging new vulnerabilities to break through app defenses. How often will you update your app to meet these new challenges? Will apps be exposed to risk during the update period?

  3. What if someone leaves?

    If the person or team responsible for your solution leaves the company or moves to another project, what happens to your tool?

  4. When will it be tested? How often?

    Testing — and testing, and testing — any defensive solution is key to success. When will your tool be tested? How? By whom? How often? What happens if you discover a flaw or vulnerability?

Breaking Budgets

Companies know they need great cybersecurity — but they’re also worried about keeping budgets on track. Recent survey data reports a rise of nearly 20 percent in cybersecurity spending this year, compared to 2018, as organizations look to stay ahead of security threats.

So it’s no surprise that cost savings are often top-of-mind for DIY projects; while best-in-class commercial app protection tools offer leading protection and support, they may require a larger initial infosec investment. The caveat? Consider our intrepid DIY homeowners — after failing to complete projects on their own, 63 percent spend on professional help to get the job done. But they’ve already paid out of pocket for materials and invested significant time on labor, leaving them with a substantial monetary loss.

The same applies to DIY app defense: If tools don’t perform as intended, can’t close critical security gaps, or aren’t finished quickly enough, businesses are forced to spend again on outside help.

(Don’t) Do-It-Yourself

Designing and building an in-app protection tool from scratch may seem like a great idea to save time, cut costs and reduce your total risk.

Better idea? Don’t.

From inherent complexity to app integrity, ongoing maintenance and potential budget overages, it’s better to leave app obfuscation, encryption, and shielding to the experts.

