Q&A with PreEmptive CEO Gabriel Torok

Gabriel, you have been in the security industry for over two decades and have seen many different tools and services. Why create a company around something as specific as obfuscation and in-app protection? 

Our customers build innovative apps that enable their users and customers to do new and cool things. These apps frequently run on untrusted client computers/devices, and they control access to customers’ sensitive data or critical devices.

After all the effort they put into designing, building, debugging, and deploying their applications, the last thing they want is for an attacker to steal their work or use it to find vulnerabilities to break into their system.

Long ago, we built a Java code optimizer, but it became clear to us that our customers cared more about the optimization’s obfuscation effects than the actual performance improvement. That is when we really began to focus on app protection—first with Java, then .NET, Android, Xamarin, JavaScript, etc.

How does obfuscation work?

Code obfuscation is the process of modifying an executable so that it is no longer useful to a hacker but remains fully functional. While the process may modify actual method instructions or metadata, it does not alter the output of the program. To be clear, with enough skills, time, and effort, almost all code can be reverse-engineered. However, on some platforms (such as Java, Android, iOS and .NET) free decompilers can easily reverse-engineer source code from an executable or library in virtually no time and with no effort. Automated code obfuscation makes reverse-engineering a program difficult and economically unfeasible at scale.

Why is it important for a company to protect their application?

Because of free and easily available tools, reverse engineering and probing of code have become a common practice for outsiders wanting to steal IP. They understand how to compromise an application, how to bypass security checks and ultimately how to gain control of data. For some applications, unmanaged access to source code can also pose material risks, including application vulnerability exposure, increased likelihood of system attack, theft of intellectual property, privacy violations, and revenue loss through circumvention of usage and other metering enforcements. Techniques such as obfuscation and encryption can make it materially harder to reverse engineer code by breaking the reverse engineering tools and/or making the output extremely hard for a human to follow.

Do PreEmptive Protection tools only obfuscate?

Yes. Obfuscation is only a part of what our tools do. PreEmptive Protection also implements encryption transforms and injects active runtime checks to make applications resistant to tampering, debugging, running on compromised devices, emulators, etc. This might involve automatically inserting overlapping and redundant checks to determine if an application was modified or detecting if an application is running on a jailbroken or rooted device that might compromise some of the safety guarantees. Application exploitation can take many forms, so our protection techniques must also.

What type of apps does PreEmptive Protection support?

Desktop, mobile, IoT, and server applications.

Many people are familiar with desktop and mobile app protection but for servers? Aren’t servers inherently running in a protected environment?

If you are running an application on a local server fully under your control (and assume no one will ever break in), you might be perfectly fine not protecting it. But now, imagine you are asked to run that same application in a foreign country or on servers controlled by a client or partner. Now, it might be running in an untrusted environment, and you might choose to protect it.

Why should someone buy PreEmptive Protection vs. a competitor’s product?

The first is obvious—our solutions provide solid protection that is battle-hardened and always evolving to keep up with the latest threats. With 4–6 updates per year, we stay on top of the necessary maintenance required to keep our customers’ applications protected.

The second differentiator is integration. Our customers appreciate our configuration flexibility, automation, set-up Wizard, and the ability to scale. If an app hardening solution is too complex to reliably implement, requires too much manual intervention, or cannot integrate into your deployment toolchain—then the cost of development will either increase to an unacceptable amount or your service levels will plummet. It is a complex and expensive undertaking to ensure that we seamlessly fit into the rapidly expanding flavors of DevOps. Still, we invest in it so our customers don’t have to bear that cost alone.

The third reason that sets our products apart is that we approach obfuscation from a “do no harm” perspective. Through this principle, we provide a professional-grade quality tool without slowing down or compromising the application. Our technologies are invasive—and we meticulously design and implement app hardening to NOT cause performance, stability, or even verification problems. We verify all of the above against OS versions, development frameworks, etc. Our customers love that our PreEmptive products do not require third-party consultants or the need to send their source code away for implementation. 

What do you say to people who say a free tool is good enough?

It depends. A company needs to determine the value of their application and the risks they are willing to take with the protection they choose to implement. A free tool may be a good choice if there is a history of many quality devs working on it and consistently maintaining it. Free tools do not offer live support and typically offer little help with implementation. Unfortunately, many free tools may have only one key person and, with some luck, a few infrequent contributors. When they lose interest or become overwhelmed with tedious edge case bugs, the security is compromised. A recent example is JavaScript-Obfuscator, which has hundreds of bugs and has not been maintained for the last two years.

Another important thing to our customers, but not usually found in free tools, is the ease of integration. Many times, free tools have a high implementation cost, and you need to factor that in.

What is the essence of the business problem you help solve? 

We harden and shield applications to make them more resistant to hacking and tampering, protecting a company’s brand, intellectual property, data, and revenue.

What’s the value to your customers in making their application resistant to hacking?

The value of in-app protection is connected to:

  • Value of a customer’s IP (how much did it cost to build the software, is there anything unique or novel about it, would they want their competitors to have their source code?)
  • Value of their software or the gated functionality it offers (what is the revenue loss if license or authentication checks are broken or bypassed).
  • Cost of a data breach (what is the potential revenue hit and reputational damage if an application is used as an attack vector to access sensitive data).

Who are your customers? 

We have a wide range of clients, big and small. All of them are building really neat things that are worth protecting. 

We are proud that we have had some corporate clients for decades and equally excited when an entrepreneur comes to us with a good idea. Our clients include government agencies, financial institutions, leading manufacturers, healthcare and medical device manufacturers, aerospace, and, in fact, every other mission-critical industry segment. 

Can you sum it up?

We provide a great time-to-value for organizations serious about enhancing secure development with in-app protection. 

We are easy to work with, and we have simple-to-understand pricing.

We offer a free trial and are ready to help you protect your apps running in zero-trust environments today.
