Encryption’s unfortunate, unavoidable, and unfix-able gap - and how to fill it

January 25, 2018 | Sebastian Holst

When perimeters are breached, identities stolen and malware launched, encryption stands as information’s last line of defense. Without effective encryption policies, you will first be victimized and then held liable (punished) by every information stakeholder (customers, partners, investors, regulators, the courts, etc.).

Just this week, Wired led with the headline “Tinder’s Lack of Encryption Lets Strangers Spy on Your Swipes,” where they wrote in part:

“In 2018, you'd be forgiven for assuming that any sensitive app encrypts its connection from your phone to the cloud, … But if you assumed that basic privacy protection for the world's most popular dating app, you'd be mistaken.”

Whether or not Tinder faces any legal or regulatory jeopardy, the press coverage in Fortune Magazine, Wired, and even my local morning news shows cannot be doing their market share or brand any good.

For a longer treatment of another encryption catastrophe that resulted in $300M in fines and other expenses, see the sidebar “Punishing the Victim: Anthem data breach” inside The Six Degrees of Application Risk.

The hard truth is that when data is stored in the clear (unencrypted), that data cannot be secured – and every information stakeholder knows this to be true (including bad actors). That is why, even though it is too early to predict what civil, criminal or market penalties Tinder will face, the reporter’s incredulity is so pronounced.

Best practices dictate that sensitive data be encrypted whenever and wherever possible:

  • When data is at rest (in files and databases – and especially on portable media), and
  • When data is in motion (transmitted between applications, services, and networks – and especially over public networks, as with the Tinder example above).

There is, however, one unfortunate, unavoidable and unfix-able hole in the encryption story. When data is in use (being processed by an application rather than sitting on a disk or flying across a wire), that data must be processed in the clear.

In fact, as encryption policies become increasingly effective, hackers are inexorably drawn to the next best thing: application hacking becomes the attack vector of choice.

THE UNFORTUNATE, UNAVOIDABLE, UNFIX-ABLE ENCRYPTION GAP

Fortunately, even though data-in-use must be processed in the clear, that data typically exists only in application memory; reading memory requires specialized utilities, and access to those tools can be limited. Debuggers are the hacker’s favorite because, in addition to exposing unauthorized data, they can also modify a running application to circumvent identity verification, authorization, and other critical controls.

…and every stakeholder – especially hackers, regulators and the courts – knows this to be true too.

Mitigating the encryption gap

Since data in use can’t be encrypted, the next best strategy is to restrict unauthorized use of debuggers, rooted mobile devices, emulators and other tools that hackers rely upon to access and modify application-resident data. Preventative, detective, and responsive controls combine to secure your applications and – by extension – the data that flows through them.

PREVENTION: Where possible, use OS and compile-time configuration settings to disable debugging and prevent remote code execution. Mobile platforms, web app servers, build settings, etc. include options to prevent precisely these kinds of exploits.

While effective as a first line of defense, these settings can be overridden, bypassed, and/or modified (assuming they are set properly in the first place). To effectively secure sensitive data-in-use, additional controls are required to detect and respond when hackers attach debuggers or tamper with an app.

DETECT & RESPOND: At a minimum, the following three progressively material scenarios must be addressed:

  1. Configuration values prohibiting debugging and preventing remote execution are NOT properly set (making it especially easy to execute this kind of exploit).
  2. A debugger is attached to a running app that is processing sensitive data (indicating that an attack is in progress or, at a minimum, that unauthorized probing is underway).
  3. An app has been modified or tampered with post-build (suggesting that there has been a successful hack and the resulting compromised version is executing).
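The three scenarios above, expressed as runtime self-checks for a .NET assembly. This is an added example and not Dotfuscator's injected code; the class name `DataInUseGuard` and the `expectedSha256Hex` value (which the build pipeline would record outside the hashed file) are assumptions for illustration.

```csharp
using System;
using System.Diagnostics;
using System.IO;
using System.Reflection;
using System.Security.Cryptography;

// Hypothetical self-checks covering the three DETECT & RESPOND scenarios.
public static class DataInUseGuard
{
    // Scenario 1: the build itself must not be debuggable. A release build
    // does not carry a DebuggableAttribute that disables JIT optimizations.
    public static bool IsBuildDebuggable(Assembly asm)
    {
        var attr = asm.GetCustomAttribute<DebuggableAttribute>();
        return attr != null && attr.IsJITOptimizerDisabled;
    }

    // Scenario 2: a debugger is attached to (or logging from) this process.
    public static bool IsDebuggerPresent()
    {
        return Debugger.IsAttached || Debugger.IsLogging();
    }

    // Scenario 3: the on-disk assembly no longer matches the SHA-256 recorded
    // at build time. The expected hash must live outside the hashed file
    // (for example in a separately signed manifest), or it would hash itself.
    public static bool IsTampered(Assembly asm, string expectedSha256Hex)
    {
        using (var sha = SHA256.Create())
        using (var stream = File.OpenRead(asm.Location))
        {
            var actual = BitConverter.ToString(sha.ComputeHash(stream)).Replace("-", "");
            return !actual.Equals(expectedSha256Hex, StringComparison.OrdinalIgnoreCase);
        }
    }

    // Response: refuse to handle sensitive data when any check fails.
    // Call this before decrypting or processing data-in-use.
    public static void RequireCleanEnvironment(string expectedSha256Hex)
    {
        var self = Assembly.GetExecutingAssembly();
        if (IsBuildDebuggable(self))
            throw new InvalidOperationException("Debuggable build: refusing to process sensitive data.");
        if (IsDebuggerPresent())
            throw new InvalidOperationException("Debugger attached: refusing to process sensitive data.");
        if (IsTampered(self, expectedSha256Hex))
            throw new InvalidOperationException("Assembly hash mismatch: binary was modified post-build.");
    }
}
```

Note that `Assembly.Location` is empty for single-file deployments, in which case the file-hash check needs a different integrity source such as strong-name or Authenticode verification.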

Securing apps and the data that flows through them

Writing code to enforce these policies is time consuming, requires new development skills, must be coordinated across development teams, and potentially introduces additional runtime risks.

There is a better way - post-compile injection.

As offered by PreEmptive Solutions’ Dotfuscator for .NET and DashO for Android and Java, post-compile injection of anti-root and anti-tamper controls, along with a variety of related runtime controls, offers a compelling alternative to hand-written code.

Dotfuscator and DashO injection advantages include:

  • As a post-compile step, anti-debug and anti-tamper functionality can be
    • included in a DevOps tool chain, simplifying development’s tasks, and
    • injected into existing executables and libraries by rebuilding rather than coding.
  • Little or no additional development effort is required.
  • Root detection and other evolving algorithms are continuously updated to keep up with new platforms and new attack strategies.
  • While most of the injected functionality can be considered “turnkey”, there are also – by design – straightforward extensibility points to support the inclusion of proprietary defenses and reporting capabilities.
  • The configuration file that dictates how and where controls are injected does double duty by serving as an audit trail as you harden your code.

Application development compliance and the law

Security standards bodies, regulators, legislators, and the courts recognize the necessity to secure data in use. In addition to increasing your risk of a data-related breach, failure to implement appropriate, well-understood and accepted security controls will almost certainly result in increased liability, fines, and dissatisfaction.

For illustration, consider the following excerpts from regulatory, legal and standards bodies that demonstrate the general acceptance of these principles.

Financial Compliance

PCI Mobile Payment Acceptance Security Guidelines for Developers • September 2017

4.3 Prevent escalation of privileges. (Emphasis added)

Controls should exist to prevent the escalation of privileges on the device (e.g., root or group privileges). Bypassing permissions can allow untrusted security decisions to be made, thus increasing the number of possible attack vectors. Therefore, the device should be monitored for activities that defeat operating system security controls—e.g., jailbreaking or rooting—and, when detected, the device should be quarantined by a solution that removes it from the network, removes the payment-acceptance application from the device, or disables the payment application. Offline jailbreak and root detection and auto quarantine are key since some attackers may attempt to put the device in an offline state to further circumvent detection.

Hardening of the application is a method that may help prevent escalation of privileges in a mobile device.

Controls should include, but are not limited to, providing the capability for the device to produce an alarm or warning if there is an attempt to root or jailbreak the device.

Privacy Legislation

General Data Protection Regulation (GDPR)

Recital 83 Security of processing (Emphasis added)

“In order to maintain security and to prevent processing in infringement of this Regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption. Those measures should ensure an appropriate level of security, including confidentiality, taking into account the state of the art… In assessing data security risk, consideration should be given to the risks that are presented by personal data processing, such as … unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed…”

Application Security Standards

Open Web Application Security Project (OWASP)

OWASP Mobile Application Security Verification Standard v1.0

V8: RESILIENCE REQUIREMENTS: Control objective: Impede Dynamic Analysis and Tampering

8.1 The app detects, and responds to, the presence of a rooted or jailbroken device either by alerting the user or terminating the app.

8.7 The app implements multiple mechanisms in each defense category.

8.8 The detection mechanisms trigger responses of different types, including delayed and stealthy responses.

You don’t need to be the fastest, but you cannot afford to be the slowest when running from the bear

If you care about data-at-rest and data-in-motion, then you need to care about data-in-use – it’s the same data and it brings with it the same responsibilities, risks and liabilities.

If your organization develops software, you need to ensure that you have implemented appropriate data-in-use controls throughout your application and DevOps lifecycles.

You will also want to update your supplier risk management checklist to ensure that suppliers are taking equivalent steps to secure your “data in use” inside their applications and services.

Do not be the slowest running from the bear – vulnerabilities stemming from “data-in-use” exploits are a real and present threat.

For .NET developers that want to get into implementation detail, here’s a terrific article from November’s MSDN Magazine that includes links to sample code.

(Java and/or Android developers, contact me for some platform specific instruction options)

For continuing updates on topics related to development and compliance, consider registering for one of PreEmptive's ongoing webinars.
