Your apps may be getting hacked – Why should you care? What can you do?

July 25, 2016 4009 Views Gabriel Torok

Today more than ever, applications are mobile and can be run worldwide. And many useful apps access sensitive data and have value-added functionality within them (such as trade secrets). Because traditional firewall type attacks are much more difficult today, hackers are increasingly targeting both consumer and enterprise mobile and desktop apps as a newer attack vector. So, those apps may be at risk from theft of IP/underlying sensitive data, malware injection and more advanced targeted threats.

Is your application at risk? Answer these two questions first.

Does your app contain trade-secrets or intellectual property such as unique algorithms or monetizable value that could create revenue loss if successfully hacked?
Does your app process sensitive information that should be protected from unauthorized access to safeguard the privacy or security of an individual or organization?

If the answer to both is no, then you may be less at risk to hacking, theft and tampering. You can stop reading.

If the answer is yes to either, then you should strongly consider “hardening” your application by incorporating enhanced security state checking, code obfuscation and encryption before it is released. These steps will complicate the reverse-engineering, debugging and tampering process and increase resistance against compromise and exploitation. They will help move a DevOps process to a DevSecOps process.

Why is this necessary?

Because of free and easily available tools, reverse engineering of code has become a common practice for outsiders wanting to understand how to compromise an application, to bypass security checks and controls or get at underlying data. For some applications, unmanaged access to source code can also pose material risks including application vulnerability exposure, increased likelihood of system attack, theft of intellectual property, privacy violations, and revenue loss through circumvention of usage and other metering enforcements. Techniques such as obfuscation and encryption can make it materially harder to reverse engineer code by breaking the reverse engineering tools and/or making the output extremely hard for a human to follow.

In addition, applications can be made to be resistant to tampering. This might involve automatically inserting overlapping and redundant checks to determine if an application was modified in any way. Or detecting if an application is begin run in a jailbroken device that might compromise some of the safety guarantees. Exploitation of applications can take many forms. For example, by using a debugger on a production application, a hacker without any special privileges can:

Read data from your application
Insert and modify data inside your application
Interrupt the flow your application
Expose logic and flow of your application
Bypass application logic

The hacker could view encryption functions and the values of dynamic keys and observe when and how sensitive information is saved to file systems and databases. Or, they might modify and release a tampered version of an application to bypass controls (such as license checks), or inject malware code to collect and transmit data, etc.

An effective debugger detection, defense, and mitigation strategy might include:

Detection: Inject overlapping and hard-to-remove logic to detect unauthorized application execution within a debugger.
If true:

Process termination: immediately kill the app, or force it to run in a reduced capacity OR
Execute a custom method: invoke local code to intelligently and contextually defend and mitigate threats AND/OR
Transmit an alert message: deliver telemetry in real-time with a payload including application and runtime stats and any additional custom telemetry that you may require.

The same techniques could be applied to tampered apps, apps running on a jailbroken device and other conditions that could lead to an app’s integrity being compromised.

For sensitive or high value applications, organizations in virtually every industry are incorporating application hardening and obfuscation into their DevSecOps process. Because many of these techniques are applied at the binary level they can be difficult or error-prone to apply manually. Fortunately, an application hardening and obfuscation tool can easily be added to the end of your build process making your apps more resistant to reverse engineering and hacking.

What now?

If you are building with .NET, a free tool called Dotfuscator Community Edition is included in Visual Studio can get your team started today. https://msdn.microsoft.com/en-us/library/dd551423.aspx

If you are building with Java, a free tool called Proguard is available and can get your team started. https://sourceforge.net/projects/proguard/

If you are building for iOS, a free tool called PPiOS-Rename is available and can get your team started. https://github.com/preemptive/PPiOS-Rename

Of course, commercial full featured solutions are also available at https://www.preemptive.com/preemptive-protection

Protecting Java applications that use Spring Framework Core

DashO has support for protecting applications that use Spring Framework Core. Spring can be configured either by custom annotations or XML configuration files, and DashO has support for both. However, applications that use custom annotations require additional handling.

There’s big money in artificial intelligence (AI) — reaching almost $12 billion over the next six years. As noted by research firm McKinsey & Company, companies are now in the process of building out the technology foundation they need for AI deployment, with 45 percent of executives already worried about not investing enough in AI to keep up with the competition. It’s not a baseless fear: The McKinsey research also suggests that AI adoption is following a standard “S-Curve” model, which starts with slow adoption by a limited number of businesses followed by rapid mass adoption as market opportunities increase and then slows again as stragglers are left behind.

Given the wide range of potential applications for AI and the evolution of core intelligence technologies, increased business interest is no surprise. What companies may not be prepared for, however, is the uptick in hacker usage of AI tools and solutions — what happens when attackers flip the AI script?

That was the title of yesterday's congressional briefing organized by ACT | The App Association (in cooperation with the Congressional IP Caucus which is co-chaired by Rep. George Holding, Rep. Adam Smith, & Rep. Hakeem Jeffries).

As is often the case when presenting to different kind of audience (not software-centric), you’re forced to reorganize your thoughts – here are few that might be worth sharing.

Attendees were promised the following agenda:

Learn how rogue apps steal content;
Understand what access devices are enabling the piracy of content;
Learn about a range of app piracy methods used to exploit U.S. companies;
Gain insight into existing industry best practices and enforcement methods for combating IP piracy.

App development now happens at breakneck speeds as companies recognize the need for first-to-market applications that exceed consumer expectations for usability and performance. The root of this rapid release cycle? DevOps — the combination of development and operations teams to deliver best-in-class applications ASAP.

But more apps on the market more quickly means more chances for security issues — as noted by Bank Info Security, 60 percent of all breaches over the last two years started with known software vulnerabilities. Bottom line? DevOps is getting apps out of development, but lack of security is putting them in harm’s way. There are no second chances when it comes to first impressions; users won’t come back if applications expose personal data or become malware distribution drones.

The solution? DevSecOps: Security as a fundamental aspect of application development. Here’s what you need to know.

Model–View–ViewModel (MVVM) is a common pattern used in WPF, Xamarin, and other types of .NET applications. There are different ways to apply the MVVM pattern, but they all share a few underlying concepts. I’d like to discuss these concepts, and how to successfully configure protection with Dotfuscator for MVVM-based apps.

Your apps may be getting hacked – Why should you care? What can you do?

Is your application at risk? Answer these two questions first.

Why is this necessary?

What now?

Protecting Java applications that use Spring Framework Core

Artificial Intelligence, Real Threats: Can Attackers Flip the AI Script?

Rogue Apps: Facilitating Theft from Developers and Consumers

No Second Chances: App Shielding and the Emerging Need for DevSecOps

Protecting .NET applications that use the MVVM pattern

Latest Blog Posts

Protecting Java applications that use Spring Framework Core

Artificial Intelligence, Real Threats: Can Attackers Flip the AI Script?

Rogue Apps: Facilitating Theft from Developers and Consumers

No Second Chances: App Shielding and the Emerging Need for DevSecOps

Protecting .NET applications that use the MVVM pattern

Latest News

Dotfuscator Adds Rooted Device Controls to Meet Exceptional Xamarin.Android Demand

Microsoft Build 2018

PreEmptive Solutions Launches GDPR Compliance Relief Program

Protecting Your Xamarin Apps with Dotfuscator

Third Major Dotfuscator Community Edition Release in 12 Months Expands Real-time Defense and Streamlines Xamarin Integration

Twitter

App Protection Blogs

Your apps may be getting hacked – Why should you care? What can you do?

Is your application at risk? Answer these two questions first.

Why is this necessary?

What now?

Latest Blog Posts

Latest News

Twitter