
Rogue Apps: Facilitating Theft from Developers and Consumers

That was the title of yesterday’s congressional briefing organized by ACT | The App Association (in cooperation with the Congressional IP Caucus co-chaired by Rep. George Holding, Rep. Adam Smith, & Rep. Hakeem Jeffries).

As is often the case when presenting to different kinds of audiences (not software-centric), you’re forced to reorganize your thoughts. Here are a few that might be worth sharing.

Attendees were promised the following agenda:

  • Learn how rogue apps steal content;
  • Understand what access devices are enabling the piracy of content;
  • Learn about a range of app piracy methods used to exploit U.S. companies;
  • Gain insight into industry best practices and enforcement methods for combating IP piracy.

The panelists represented a nice cross-section of stakeholders.

First, I have to thank ACT (again) for their amazing work connecting software developers with their representatives (and vice versa)—and, more selfishly today, for inviting me to participate as a panelist (I always leave ACT events feeling maybe a little guilty hoping that I contributed at least as much as I took away).

Attendance

The bad news was that every representative was away campaigning in their districts. The good news was that this meant their staff (who have heavy influence over their bosses’ final positions) were free to attend, and we did indeed have a full house, with lots of questions that went beyond the scheduled time slot.

The following summary covers just two topics raised and my responses (I don’t want to presume to quote anyone else). I think it’s extremely important that these topics are front of mind on Capitol Hill and in this audience.

Question 1

As a developer of protection tools for software applications, can you tell us what your clients are experiencing in terms of piracy? (both consumer-facing apps and enterprise software attacks)

My response: Consumer-facing

  • There’s the obvious category of primary authors of games, references, and “convenience” apps – apps whose algorithms or content can be readily repurposed.
  • We also see app development shops with specialties like (for example) consumer banking. They target smaller banks and savings & loans. These companies have a toolkit that lets them efficiently develop “custom” apps for each bank, and its theft directly threatens their core business model.
  • Another category is the technology specialist that delivers niche libraries of—for example—graphics functionality that other development organizations use. What’s interesting about these is that we see them include IP protection requirements in their licensing terms to their clients, e.g., other development shops. Often their clients need to work with us to meet their contractual obligations.

Enterprise facing

  • An interesting example of an enterprise is a compliance service provider that migrates massive volumes of archive files and emails from any old format a company might have used over the past 30 or 40 years. The “dictionary” of translation logic to clean up all that data is extremely valuable IP. While no one translation is all that valuable—the total in their library of all formats represents hundreds of person-years of effort.
  • Any kind of simulator—automotive, flight, or any kind of “physics” engine
  • Illegal upgrades to equipment whose functionality is controlled by software, such as cars and sophisticated measurement equipment, are also an interesting piracy threat—it’s not the software but the equipment that is actually being pirated.

Question 2

So, pirates or hackers are not just ripping off content to redistribute it for a profit. Tell us more about why hackers are attacking your clients’ apps.

My response: We’ve seen a dramatic rise in hackers using apps as a means to get to the data that flows through those apps—examples include:

  • Financial
  • Healthcare
  • General PII

As encryption has become more effectively deployed, hackers use developer tools like debuggers to access the data in memory, at the only time it isn’t encrypted.

They use developer tools to see user data, tokens, passwords, and other sensitive data that can be used to elevate user privileges and execute unauthorized code.

In fact, from an engineering perspective, there is virtually no distinction between stealing content as a means to compromise systems (e.g., using a trusted brand to deliver a malicious payload) and compromising software or a device to steal valuable content, like movies or games from a jailbroken Firestick.

So, hacking breakthroughs for one criminal pattern (like watching illegal movies) can be equally useful to a multitude of other criminal activities—and, as such, are widely shared and valued by other classes of pirates, cyber criminals, and nation-state actors.

There were many more questions (and answers). Visit www.actonline.org and introduce yourself. If you have any comments or questions on the topics raised here (or would like to learn how PreEmptive Solutions is helping others), please do not hesitate to contact me directly.
