Keeping Secrets: The Evolving Expectation of App Defense

July 10, 2017 885 Views Gabriel Torok

Applications drive corporate success. As noted by Business 2 Community, the average American smartphone owner uses more than 10 apps per day and spends over three hours per day connected to the Internet via their mobile device. The problem? Rapidly-expanding app markets combined with easy-to-find hacker kits make the current environment a cybercriminal’s paradise — according to recent Ponemon data, the average cost of a data breach is around $3.62 million and the size of breaches is trending up. It gets worse: According to Gartner, 99 percent of app vulnerabilities exploited won’t rely on new, sophisticated attack vectors, but existing vulnerabilities that infosec pros have seen in the wild for at least a year.

And according to Alex Urbelis, a partner at the Blackstone Law Group who has also been part of the information security community for more than 20 years, it’s not just technology shortcomings that should worry enterprise decision-makers. New laws such as the Defend Trade Secrets Act create legal challenges — while companies now have a private right of action to make claim for damages in federal court if trade secrets are misappropriated, insufficient (or absent) app protection could render this claim null and void.

Here’s a look at the top enterprise app threats and how companies can start better keeping secrets and better protect their intellectual property.

Statistically Speaking

Data and application breaches have become so common that data about their impact is readily available. While this offers a great jumping-off point it’s also a sobering reminder that breaches are now the rule rather than the exception and that no company can afford to ignore the risks associated with their apps (whether mobile, desktop, cloud, web or IOT.)

We conducted an Application Risk Management survey in June of 2017; and you can look for details soon in an upcoming blog. The survey gathered information about their development organizations’ risk management priorities and mitigation strategies.

The survey results indicated that the top 6 application development vulnerabilities were:

Data loss or corruption
Intellectual Property theft
Liability or reputational damage
Operational disruption
Regulatory or compliance violations
Software piracy

Financial factors pertaining to addressing risks are identified in the Cisco 2017 Annual Cybersecurity Report, showing that 35% of security professionals believe budget is the biggest obstacle to adopting advance security processes and technology. Meanwhile, 20 percent of organizations say they lose customers after a breach and 30 percent lose revenue, even as 27 percent of all new, third-party cloud application introduced into corporate ecosystems pose “high security risk”. As a result of the pressures, it’s no surprise that cyber-insurance premiums are now a must-have for enterprises, with premiums set to triple over the next three years.

Simply put? The statistics paint a clear (if bleak) picture: Enterprises want better application security. It’s not always an easy transition, but the longer companies procrastinate the greater the risk.

Pokemon No

While it’s tempting to imagine that all application threats come from highly-focused groups looking to breach valuable targets, according to hacker Robert Barat of infosec radio show Off The Hook, many basic hacking tools “are open source and hosted on GitHub”. This allows users with minimal skill and moderate interest to compromise applications for their own purposes.

Consider last summer’s wildly popular mobile game Pokemon Go. As noted by Barat, developer Niantic was in a rush to get the game out the door, “didn’t implement basic debugger detection software and sent a lot of data unencrypted.” Leveraging simple and freely-available tools users reverse-engineered the product and accessed for-pay in-game services for free. But that’s the just start — lost revenue meant potential job loss and unencrypted data transmission put personally identifiable information (PII) at risk, opening the door for a lawsuit.

Unhealthy Obsession?

And beyond PII data loss there’s also the risk of serious financial harm. As noted by Urbelis, that’s what happened to medical device manufacturer St. Jude Medical, which created an in-home device to connect with patient pacemakers. A company called MedSec reverse engineered the product and discovered how to remotely drain the battery, in turn putting users in potentially life-threatening danger. Then, MedSec sold this information to a stock shorting firm and released the data publicly, earning a huge windfall and causing a freefall for St. Jude stock.

Even more worrisome? The SEC isn’t coming down on companies for this kind of market manipulation, meaning that vulnerable apps and devices could lead to massive financial frustration.

Keeping Secrets

Recent survey data shows that companies recognize a common list of application development vulnerabilities including data loss and corruption, intellectual property theft, operational disruption and liability damage. And yet just 16 percent of enterprises have app controls established in a formal organizational framework — more than 40 percent opt for ad-hoc and reactive defenses.

So how do organizations effectively keep secrets and reduce the risk of application breaches? From a technology standpoint, companies need smart app protection that hardens applications, obfuscates data and offers “nuclear” options against particularly virulent attacks. This type of defense also provides the “reasonable means” necessary to secure trade secrets under the Defend Trade Secrets Act, allowing companies to both satisfy the demands of an increasingly tech-savvy public willing to share PII via mobile devices and pursue malicious actors if they attempt to misuse or misappropriate critical source code, application data or intellectual property.

Bottom line? Applications are critical to compete on a global scale; fiscal and legal security depend on effective and adaptable app protection and defense.

Dotfuscator Professional 4.31 is Available Now

We have just released Dotfuscator Professional 4.31 and it’s available for immediate download (both for clients and as a free evaluation).

Dotfuscator Professional 4.31

Extends its application protection to new development communities for the very first time.

Support is now available for:

.NET Core 2.0 (released last week by Microsoft) and
The Unity game engine. Supported app platforms include PC, Mac, Linux Standalone, Android, and Windows Store (UWP). Supported scripting back-ends include.NET and Mono.

Garbage in, garbage out is shorthand for “incorrect or poor quality data will always produce faulty results.”

The “garbage data” vulnerability is especially gnarly in that there is actually no fix – no cure.

The only viable development strategy is one of avoidance.

DashO Root Detection & Defense is one Check that will not bounce!

I’m delighted to report that PreEmptive Solutions released DashO 8.2 for Java and Android earlier this week. Like most of our releases, it has a lot packed into it including:

Android-O support,
Kotlin support,
Improvements to our Android Wizard, and
Build performance improvements.

BUT the feature I’m most excited about is the addition of our latest Check Type, Android Root Detection.

The Six Degrees of Application Risk

Cyber-attacks, evolving privacy and intellectual property legislation, and ever-increasing regulatory obligations are now simply “the new normal” – and the implications for development organizations are unavoidable; application risk management principles must be incorporated into every phase of the development lifecycle.

Organizations want to work smart – not be naïve – or paranoid. Application risk management is about getting this balance right. How much security is enough? Are you even protecting the right things?