Q&A with PreEmptive CEO Gabriel Torok

Gabriel, you have been in the security industry for over 2 decades. You have seen many different tools and services. Why create a company around something as specific as obfuscation and in-app protection? 

Our customers build a lot of really innovative apps that enable their users and customers to do new and cool things. These apps frequently run on untrusted client computers/devices and they control access to customer’s sensitive data or critical devices.

And after all the effort of designing, building, debugging, and deploying their applications, the last thing they want is for an attacker to steal their work or use it to look for vulnerabilities to break into their system.

Long ago, we built a Java code optimizer, but it became clear to us that our customer cared more about the obfuscation effects of the optimization than the actual performance improvement. That is when we really began to focus on app protection. First with Java, then .NET, Android, iOS, Xamarin, JavaScript, etc.

How does obfuscation work?

Code obfuscation is the process of modifying an executable so that it is no longer useful to a hacker but remains fully functional. While the process may modify actual method instructions or metadata, it does not alter the output of the program. To be clear, with enough skills, time and effort, almost all code can be reverse engineered. However, on some platforms (such as Java, Android, iOS and .NET) free decompilers can easily reverse-engineer source code from an executable or library in virtually no time and with no effort. Automated code obfuscation makes reverse-engineering a program difficult and economically unfeasible at scale.

Why is it important for a company to protect their application?

Because of free and easily available tools, reverse engineering and probing of code has become a common practice for outsiders wanting to steal IP. They understand how to compromise an application, how to bypass security checks and ultimately how to gain control of data. For some applications, unmanaged access to source code can also pose material risks including application vulnerability exposure, increased likelihood of system attack, theft of intellectual property, privacy violations, and revenue loss through circumvention of usage and other metering enforcements. Techniques such as obfuscation and encryption can make it materially harder to reverse engineer code by breaking the reverse engineering tools and/or making the output extremely hard for a human to follow.

Do PreEmptive Protection tools – Dotfuscator, DashO and JSDefender – do anything besides obfuscation?

Yes. Obfuscation is only a part of what our tools do. PreEmptive Protection also implements encryption transforms and injects active runtime checks to make applications resistant to tampering, debugging, running on compromised devices, running in emulators, etc. This might involve automatically inserting overlapping and redundant checks to determine if an application was modified in any way. Or detecting if an application is running in a jailbroken or rooted device that might compromise some of the safety guarantees. Exploitation of applications can take many forms, so our protection techniques must as well.

What type of Apps does PreEmptive Protection support?

Desktop, mobile, IoT and server applications.

Many people are familiar with desktop and mobile app protection, but for servers? Aren’t servers inherently running in a protected environment?

If you are running an application on a local server fully under your control (and you assume no one will ever break in), you might be perfectly fine not protecting it. But, now imagine you are asked to run that same server application in a foreign country or on servers controlled by a client or partner. Now, it might be running in an untrusted environment and you might choose to protect it.

Why should someone buy PreEmptive Protection vs. a competitor’s product?

The first is obvious – our solutions provide solid protection that is battle hardened and always evolving to keep up with the latest threats. With 4-6 updates per year, we stay on top of the necessary maintenance required to keep our customer’s applications protected.

The second differentiator is integration. Our customers appreciate our configuration flexibility, automation, set-up Wizard and the ability to scale. If an app hardening solution is too complex to reliably implement, requires too much manual intervention, or cannot integrate into your deployment tool chain – then the cost of development will either increase to an unacceptable amount or your service levels will plummet. It is a complex and expensive undertaking to ensure that we seamlessly fit into the rapidly expanding flavors of DevOps, but we invest in it, so our customers don’t have to bear that cost alone.

The third reason that sets are products apart is that we approach obfuscation from a “do no harm” perspective. Through this principle, we provide a professional-grade quality tool, without slowing down or compromising the application. Our technologies are invasive – and we meticulously design and implement app hardening to NOT cause performance, stability or even verification problems. We verify all of the above against OS versions, development frameworks, etc. Our customers love that our PreEmptive products do not require 3rd party consultants, or the need to send their source code away for implementation. 

What do you say to people who say a free tool is good enough?

It depends. A company needs to determine the value of their application, and the risks they are willing to take with the protection they choose to implement. A free tool may be a good choice if there is a history of a lot of quality devs working on it and consistently maintaining it. Free tools do not offer live support, and typically offer very little in terms of help with implementation. Unfortunately, many free tools may have only one key person, and with some luck, a few infrequent contributors. When they lose interest or become overwhelmed with tedious edge case bugs, the security is compromised. A recent example is JavaScript-Obfuscator, which has hundreds of bugs and has not really been maintained for the last two years.

Another thing very important to our customers, but not usually found in free tools, is ease of integration. Many times free tools have a high cost of implementation and you need to factor that in.

What is the essence of the business problem you help solve? 

We harden and shield applications to make them more resistant and resilient to hacking and tampering – protecting a company’s brand, intellectual property, data and revenue.

What’s the value to your customers of making their application resistant to hacking?

The value of in-app protection is connected to the

  • Value of a customers’ IP (how much did it cost to build the software, is there anything unique or novel about it, would they want their competitors to have their source code?)
  • Value of their software or the gated functionality it offers (what is the revenue loss if license or authentication checks are broken or bypassed) 
  • Cost of a data breach (what is the potential revenue hit and reputational damage if an application is used as an attack vector to access sensitive data)

Who are your customers? 

We really have a range of clients. Big and small. All of them are building really neat things that are worth protecting. 

We are proud that we have had some corporate clients for decades, and equally excited when an entrepreneur comes to us with a good idea. Our clients include government agencies, financial institutions, leading manufacturers, healthcare and medical device manufacturers, aerospace, and, in fact, every other mission critical industry segment. 

Can you sum it up?

We provide a great time-to-value for organizations serious about enhancing secure development with in-app protection. 

We are easy to work with and we have simple-to-understand pricing.

We have a free trial and are ready to help you protect your apps running in zero trust environments today.