PreEmptive Thoughts from Build 2017

May 22, 2017 2440 Views Gabriel Torok

Like so many of us returning from Build 2017, we at PreEmptive are feeling both energized and highly motivated. Energized because of the truly impressive innovation coming out of both Microsoft and our larger ecosystem – and motivated because we can all see the expanding concern around application risk management and data security in this rapidly evolving world – and of course, that is where PreEmptive Solutions comes in.

Microsoft announced (and released) a broad range of software at Build: Improving Azure, Visual Studio, cross platform application development, and DevOps automation and efficiencies. You don’t have to hear about these from us – Microsoft published a nice Build wrap up here. I’m proud to say that PreEmptive Solutions were able to continue our 15+ year tradition of keeping pace with Microsoft’s remarkable cadence with a few announcements of our own.

At Build 2017, we announced

An update of our debug defense capabilities inside Dotfuscator to defend against native debuggers in addition to managed,
Enhancements of our Xamarin integration to significantly simplify and automate our protection there, and
Support for .NET Standard and Dotfuscator CE support for VSTS.

In other words, we also “announced (and released) a broad range software at Build improving Azure, Visual Studio, cross platform application development, and DevOps automation and efficiencies.” And you can see our Build 2017 announcement here.

I think my lasting impression of Build 2017 (and I’ve attended every Build so far) will be that the general awareness – even sophistication – around application risk management concepts and practices has never been higher. In fact, in the keynote (see image below) Microsoft noted that a specific key concern developers have is in making sure “their stuff” does not get hacked.

I see this jump in awareness as a direct consequence of the increasing importance of applications in all that we do. The higher the value of an application (and applications in general), the more it is worth protecting. And application developers attending Build certainly demonstrated the high value and impact of the work they’re doing. This is going to be an exciting year.

Free Trial

Request Quote

Request Demo

Five Evil Things a Hacker Does to Your App

Anyone developing software applications today can easily feel overwhelmed by the persistent security threats their products face from application counterfeiting and malware injection to theft of services and confidential information. This article discusses some of ways hackers go about their dirty deeds and how to achieve a balanced perspective on application risk and risk management allowing you to release applications with greater confidence. Gaining this confidence requires a deeper knowledge of the risks and potential remedies.

With our recent DashO releases, we’ve been working to make our Android support even easier to use. A great example of this is our evolved support for Crashlytics, which is an analytics framework that can provide detailed reports on application crashes from the field.

When applications have been obfuscated, the stack traces will contain obfuscated class and method names. To prevent this from complicating debugging, Crashlytics provides a utility to automatically deobfuscate stack traces, so that the reporting server shows the original class and method names. It does so by reading the map file, which is a file created by the obfuscation tool to pair the obfuscated class and method names with the original names. Crashlytics expects this map file to be in a ProGuard-compatible format, which differs from the DashO map file format.

If you were using Crashlytics with a version of DashO prior to our 8.5, this would likely have caused issues. You might have experienced an error during the Gradle build, from the Crashlytics plugin:

Applications are vulnerable. Eighty-six percent of web apps have access control and authentication issues, while 80 percent of mobile apps may unwittingly expose critical vulnerabilities. As noted by Dark Reading, even traditionally “safe” digital environments such as industrial control systems (ICS) are now at risk — more than 50 percent of ICS/SCADA applications available through reputable app stores contain serious authorization flaws.

The result? Companies are looking for new ways to defend web and mobile apps that go beyond standard testing practices and empower real-time response. Enter Runtime Application Self-Protection (RASP) which is designed to detect app attacks as they happen. Over the last few years, the market for this technology has diversified and evolved; recent data puts the RASP market on track for 50 percent CAGR over the next four years.

Over the past year, we have seen an influx of developers looking to replace existing ProGuard and DexGuard implementations with DashO. While the three products are conceptually similar, we have found that there are important differences between the products, and those differences can lead to unexpected migration issues. This article summarizes many of the tips and techniques our support team has been refining, to shorten your learning curve and simplify your migration.

This article:

Provides a logical mapping of features between the three products.
Recommends specific patterns to:
- Simplify and shorten your migration.
- Improve the strength and effectiveness of your application protection.
- Optimize and automate ongoing app protection to reduce the cost and complexity of maintaining protection.

5 Penetration Test Tips for Mobile Apps

Five Penetration Test Tips to Create Secure Mobile Apps

Just as businesses and consumers make the shift from desktop-driven digital change to mobile devices and applications, so are malicious actors. While traditional attack vectors still enjoy widespread success, increasing infosec knowledge about cybercriminal origins and threat profiles has pushed attackers down a new path: Mobile.

As noted by Threat Post, for example, advanced persistent threats (APTs) like RedDawn — which masquerades in app stores as “beta” versions of useful software — are now making the shift to mobile platforms. PC Authority, meanwhile, reports that fraudulent mobile transactions are up more than 600 percent from 2015, while Dark Reading points out that mobile users are now 18 times more likely to be targeted by phishing than traditional malware attack vectors.

What does all this movement mean for mobile app developers and owners? That just designing secure applications is not enough. Ongoing penetration testing and risk assessments are now critical to ensure that apps that were safe yesterday still hold up today — and won’t fall apart tomorrow.

PreEmptive Thoughts from Build 2017

Five Evil Things a Hacker Does to Your App

Protecting Android Applications That Use Crashlytics

RASP Deep Dive: Hype Versus Reality

Migrating from ProGuard or DexGuard to DashO

5 Penetration Test Tips for Mobile Apps

Five Penetration Test Tips to Create Secure Mobile Apps

Latest Blog Posts

Five Evil Things a Hacker Does to Your App

Protecting Android Applications That Use Crashlytics

RASP Deep Dive: Hype Versus Reality

Migrating from ProGuard or DexGuard to DashO

5 Penetration Test Tips for Mobile Apps

Latest News

Dotfuscator Adds Rooted Device Controls to Meet Exceptional Xamarin.Android Demand

Microsoft Build 2018

PreEmptive Solutions Launches GDPR Compliance Relief Program

Protecting Your Xamarin Apps with Dotfuscator

Third Major Dotfuscator Community Edition Release in 12 Months Expands Real-time Defense and Streamlines Xamarin Integration

Twitter

App Protection Blogs

PreEmptive Thoughts from Build 2017

Five Penetration Test Tips to Create Secure Mobile Apps

Latest Blog Posts

Latest News

Twitter