Categories
Support Corner

Remove Log4J calls with DashO’s Method Call Removal

Reading Time: 3 minutes

As we all know, Log4j is a ubiquitous piece of software used to record activity in a wide range of systems, from enterprise software to consumer-facing products and web applications. The recently discovered vulnerability in this Java logging package (CVE-2021-44228, known as Log4Shell) posed a severe threat to millions of those systems: a crafted string that reaches a vulnerable logging call can trigger a JNDI lookup and unauthenticated remote code execution. The consequences include loss or breach of personal information, financial loss and lasting reputational harm. The FTC has since stated that it intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure to known vulnerabilities such as this one.

A recent example of this kind of negligence came on the back of a complaint regarding Equifax’s failure to patch a known vulnerability, which irreversibly exposed the personally identifiable information of 147 million consumers. Equifax agreed to pay up to $700 million to settle the actions brought by the FTC and the Consumer Financial Protection Bureau. The risk for businesses is therefore clear: take actionable steps to remediate the vulnerability, or face litigation, breach risk and reputation damage.

In this guide, we will walk you through how you can use Method Call Removal to reduce your application’s exposure to this vulnerability. Bear in mind that removing logging calls is a defense-in-depth measure, not a patch: the vulnerable code remains in the Log4j jar, so upgrading to a fixed Log4j release is still the primary remediation.

Method Call Removal

Method Call Removal has been available since our DashO 6.11 release.  It is mostly used for removing logging statements, but it can be used to strip any method call we’d prefer not to have in our production release.  The only caveat is that the definition of the method being removed must also be in DashO’s input, so to remove calls to a third-party logging API you typically route them through your own logging class (as in the example below) and remove the calls to that class.

Let’s assume Log4j is used for our application’s logging.  We might want to remove all log statements from production builds, then create special debug builds with logging enabled as needed.  Or, we might want to remove Info, Warn and Debug messages but retain Error and Fatal messages in our production build.  Either can be done using DashO’s Method Call Removal feature, without needing to adjust the Log4j configuration.

Please consider the following example:

This application logs informational messages when the app starts, and when it shuts down.  

The Log4J configuration has been organized into a global logging class:

In our DashO project, I’ll select the “LogInfo” method for method call removal:


After doing so, the application runs normally, but informational messages are no longer logged to the console or written to the log file; calls to the other logging methods, which were not selected, are untouched.

After the app has been in production, I may need to create an obfuscated debug build for troubleshooting an issue with a specific client.  If so, I can run DashO without Method Call Removal to preserve logging calls in my debug build.

The above example can be downloaded here.


If you have any feedback on this topic or other topics you would like us to discuss in the Support Corner, please feel free to contact our Support Department.


Categories
101

Dotfuscator 101

Reading Time: 4 minutes

In this blog we will dive into Dotfuscator as part of our 101 series. We walk you through what Dotfuscator for .NET does and how it can help protect your projects.

For those of you in the industry who already know how this product protects your code, we appreciate the loyalty! If you are not tech savvy but want to know a little more about this product, here’s our summary:

What is Dotfuscator for .NET?

Dotfuscator is a multi-functional tool that combines obfuscation, optimization and size reduction for .NET, Xamarin and Windows Platform apps. It works on your compiled assemblies rather than your source files: it renames identifiers, scrambles control flow and encrypts strings, hardening the application against decompilation and theft of your intellectual property.

How does Dotfuscator work?

PreEmptive Dotfuscator for .Net provides many layers of protection for .NET users with multiple forms of obfuscation. We like to describe this as constructing the perfect sandwich.

  • First we start with the bread, in this case Renaming. Renaming obfuscation replaces the names of types, methods, fields and variables with meaningless ones, so that anyone reading a decompiled copy loses the cues that point to the interesting parts of your code. We go a little further with Overload Induction™, which renames as many methods as possible to the same name (telling them apart only by their signatures) rather than giving each one a distinct new name. This is what hardens the “bread” at the surface level.
  • Then add the veggies: lettuce (Control Flow) and tomato (String Encryption). Control Flow obfuscation inserts false conditional branches and restructures the code, destroying the patterns that decompilers rely on to recreate source code and leaving spaghetti logic for anyone who tries to crack it. String Encryption hides the strings present in your assembly. A typical attacker starts by locating string references inside the binary: if a time-limited application shows a message when the trial has expired, that message text is exactly what they search for in the decompiled output, because it leads straight to the check they want to defeat and tells them they are VERY close to your algorithm. Dotfuscator addresses this by letting you encrypt the strings in the most sensitive parts of the code.
  • Now comes the choice of meat (Watermarking, Pruning, Linking/Assembly Merging). Watermarking helps track unauthorized copies of your application by embedding copyright or ownership information directly into .NET assemblies without changing runtime behavior. Pruning removes unused types, methods, fields, debugging information and non-essential metadata from the MSIL while processing. The Linker (Assembly Merger) combines multiple input assemblies into one or more output assemblies, shrinking the application alongside Pruning and Renaming.
  • Next is the cheese (Tamper Detection & Defense). Dotfuscator injects code that verifies your application’s integrity at runtime; if it detects tampering, it can respond, for example by shutting the application down or by failing in ways the attacker cannot easily trace back to the check. Now that’s an excellent choice of cheese!
  • Last but not least are the condiments: mayo (Debug Detection) and mustard (Defense Using Checks). These Checks are prebuilt into Dotfuscator and are injected into your .NET app, allowing it to detect unauthorized activity such as an attached debugger or a tampered binary. Checks do more than just scan: they can react too, for example by exiting the app when tampering is found.
  • For those who like a little extra on the sandwich, the pickle is Shelf Life. Shelf Life lets you embed an expiration date into your application, together with de-activation and notification logic that runs once that date has passed. Now this is what we call the ultimate sandwich!

When should you use Dotfuscator?

Whether you’re a start-up, a freelancer or an organization developing projects on .NET, you should be using this in the development process, preferably from the beginning stages and continuing after launch. Data breaches are no longer part of a “new normal”; they are an everyday occurrence. If you don’t protect your code from the beginning, you will likely become another data breach statistic.

Where does Dotfuscator work?

Dotfuscator runs on your compiled .NET assemblies as a post-build step, so nothing in your source code has to change. It provides a multi-layered approach by way of in-app hardening: transforming the code that attackers would otherwise decompile, and injecting runtime checks where your application is vulnerable.

Why should you use PreEmptive Dotfuscator?

PreEmptive Dotfuscator has paved the way in in-app security since 2003, that’s 19 years in the business! Our clients range from small to large enterprises, including many Fortune 500 companies across industries from medical to government agencies. But if you still need a little more convincing, check out our client list here.

For more information on how to get started, to download our free trial, or if you need further help, we encourage you to use our resources, found in our navigation bar. We hope this blog has helped you better understand Dotfuscator for .NET. We look forward to our next 101!


Categories
Press Releases

New Release: PreEmptive DashO 11.2.1

Reading Time: < 1 minute

Professional-grade Application protection With PreEmptive DashO

You asked, we delivered: Announcing a new minor release for PreEmptive DashO

Obfuscation is more than just renaming! PreEmptive DashO takes a layered obfuscation approach to give your Java, Kotlin & Android applications the protection they need.

In the latest update, our development team has rolled out new enhancements, changes and bug fixes. What’s new?

Version 11.2.1 includes:

Enhancements

  • Validate the Modifiers input fields in the Config Editor for Include & Exclude rules
  • New option for Properties with filesystem path values that opens a system browse dialog
  • A new dropdown for Android mode projects allowing easy switching between configured build variants and their associated inputs in the Config Editor

Changes

  • The Config Editor now opens the last project on startup by default

Bug Fixes

  • Fixed an issue where input Jars with the same name could overwrite each other if “Merge Inputs” was unchecked
  • Fixed an issue where the Config Editor allowed selection of some methods for Check injections in Android projects

Ready to learn more about DashO? Request a quote.

Categories
101

Top 3 Reasons to Use PreEmptive

Reading Time: 3 minutes

Cyber attacks are part of our everyday discussions and will most likely remain so over the next 12-18 months. With the rise in nation-state attacks and the steady expansion of IoT devices, developers have to stay focused on the presence of cyber threats. For those who followed our #DataPrivacyWeek on our social platforms, we explained that our personal lives are now intertwined with our work lives; with many people working remotely, we are more likely to be caught up in the data breaches we read about in the news, as a side effect of network security risks. In this article we will dive into the primary reasons your team can benefit from PreEmptive to protect your applications.

While we were focused on supply chain attacks and ransomware threats, we overlooked another, equally prominent risk: mobile app breaches. There were over 200 billion mobile application downloads in 2021, and that number will most likely increase through 2022. This means that if you’re a programmer developing an app or writing a program that consists of custom code, securing your work is more important than ever. Here are the top 3 reasons why you should use PreEmptive to add a security layer to your applications:

Reason 3: Protecting Your Hard Work

We understand the countless hours that go into coding; whether they were spent debugging, creating or troubleshooting your code’s infrastructure, it takes hard work. Many developers have projects that have been in the works for a long time and have firm deadlines to meet, so when a project is complete it feels like gold! We tend to concentrate on finishing our projects and ensuring that functionality and usability are up to standard, but security is often an afterthought. PreEmptive in-app security features have been helping programmers prevent, detect and respond to attacks without breaking or slowing down their applications, giving you peace of mind throughout development. Sure, we all want to complete our projects on time or earlier than expected, but if we treat our projects the way we treat our phones, by putting a lock on them, that finish line will look even sweeter.

Reason 2: Knowing the Functionality of Your Security

Data breaches are a hot topic, so searching for the right security platform has become even more of a priority. One of the factors when searching for the right security toolset is: how does it actually work? PreEmptive takes a layered approach to protecting your application. Think of it as building your perfect sandwich: starting with the bread (renaming), adding the meat (pruning and linking), then the veggies, lettuce (control flow) and tomato (string encryption), and topping it off with the condiments (active runtime checks) that detect tampering, debugging and more. Now that you know what’s in the perfect “security sandwich,” it’s imperative that you continue to test and secure after each build. This will give you confidence in your application’s security.

Reason 1: Not Becoming Another Data Breach Statistic

Every month there is another data breach that is brought to our attention. Which makes you really think: are you choosing the right security platform? How do you know this platform is the right one? Assessing the needs of your company, organization or projects is the first step; researching security options is the next. Some promise to be “the leading” security platform or the “number one,” but PreEmptive has been in the business since 1996. That’s over 20 years of securing applications! Not only do we have the experience, we have hundreds of Fortune 500 companies who use PreEmptive: Charles Schwab, FedEx, the Census Bureau and Microsoft, to name a few. If these companies trust our software, you can trust it to help keep you from becoming another data breach victim.

In case you still need more information, we encourage everyone to read our case studies to find out how other companies found success in protecting their businesses with PreEmptive. We hope this blog has eased your worries, but if you’re not sold, try us with a FREE Trial.


Categories
Dotfuscator Support Corner

Protecting Windows Forms Applications with Data Bound GUI Controls

Reading Time: 3 minutes

Today we will focus on data binding, but first let’s define it. Data binding allows Windows Forms applications to display and update UI controls from a data source, without having to write code that moves each value into the control by hand.

When protecting Windows Forms applications, it is important to note how the data bound controls are constructed, to determine whether they will be impacted by code obfuscation.  If a control binds to a collection of objects, the original property names of that object must be preserved, because the control’s “DisplayMember” and “ValueMember” properties look those properties up by name at runtime.  When binding a control to an Enum, the original names of its members must be preserved, or the control will show the obfuscated names.  On the other hand, if we’re binding directly to a database table (and the table does not map to an object in source code), no custom configuration is needed, because Dotfuscator does not touch table and column names.

Consider the Following Example:

This simple Windows Forms application has three UI controls with different data binding techniques: a DataGridView binds to a Customer table in a database, a ListBox binds to a collection of Employee objects, and a ComboBox binds to an Enum called DaysOfWeek:

If I obfuscate with project defaults, I experience a runtime error at app startup:

This occurs because the original property names of the Employee object are used in the ListBox’s “DisplayMember” and “ValueMember” properties, and Renaming has changed them:

            listBox1.DataSource = employeeList;
            listBox1.DisplayMember = "Name";
            listBox1.ValueMember = "Department";

To Avoid the Runtime Error:

First, I’ll open my project configuration file (DotfuscatorConfig.xml) in the Dotfuscator Config Editor, and set a Rename exclusion for the properties in the Employee object:

After configuring these Rename exclusions, the application starts without the runtime exception, but the “DaysOfWeek” ComboBox appears with obfuscated names:

In order to fix this, I will configure a Rename exclusion for the members of DaysOfWeek.

After providing this Rename exclusion, the app starts without any issues or erroneous behavior.  Please also note the DataGridView, which binds to the Customer table in our database, did not require any Rename configuration to start and display correctly.

Conclusion

There are several different ways to use data binding in Windows Forms applications.  We’ve seen a few ways that data bound controls can be impacted by obfuscation.  If you experience a runtime crash or erroneous UI behavior after applying obfuscation, please use the above steps to resolve the issue.

The full example can be downloaded here.

If you have any feedback on this topic or other topics you would like us to discuss in the Support Corner, please feel free to contact our Support Department.

Categories
Press Releases

PreEmptive Product Updates

Reading Time: 3 minutes

We are pleased to announce the general availability of Dotfuscator 6.4, DashO 11.2 and JSDefender 2.4 for our customers.

PreEmptive has been hard at work on the latest releases of Dotfuscator, DashO, and JSDefender. The improvements are part of PreEmptive’s strategy to continuously support all products with regular updates and new features. Headlining some of the product updates are improvements to integration and usability, and bug fixes to help ensure we keep our customers happy!

Below are the highlights of each release with links to further information such as how to access the latest version, documentation, and changelogs. Free evaluations are always available for each product.

Dotfuscator 6.4

Dotfuscator Professional protects .NET applications from reverse-engineering and hacking, using a variety of static and dynamic code transforms and injected runtime checks. Examples include symbol renaming, control flow obfuscation, string encryption, debugger detection, and tamper detection. It integrates into the development build process and operates on the .NET Intermediate Language. Dotfuscator Professional supports .NET, including .NET Core, .NET 5, Xamarin, and Mono.

The Dotfuscator Professional 6.4.0 release improves the support for default interface implementations in .NET Core 3+. Dotfuscator can now protect applications that use .NET’s default interface implementation feature, without extra configuration steps which were required before.

Additionally, the tool now provides more granular control of managed resource renaming. Users can now disable automatic resource renaming, in cases where the application loads those resources manually from strings that cannot be statically analyzed.

This version enables authenticated proxies to communicate with the PreEmptive licensing servers, which is a requirement at many enterprise customers.

The Xamarin.Android Root Check is also updated to handle new versions of Android rooting tools. 

Product Links

DashO 11.2

DashO protects Java and Android applications from reverse-engineering and hacking, using a variety of static and dynamic code transforms and injected runtime checks. Examples include symbol renaming, control flow obfuscation, string encryption, debugger detection, and tamper detection. It integrates into the development build process and operates directly on compiled Java bytecode.

The DashO 11.2.0 release enables Include and Exclude rules to be configured via Java Annotations and Supertypes. Rules can now match classes based on the existence of methods or fields that match the criteria.
The New Project Wizard now includes settings for generating Entry Point rules based on Java annotation based criteria, including a special set of entry points for Hibernate/Java Persistence API.

Additionally, DashO now processes compiled bytecode from Java 16 (except for the record type and the Sealed Classes preview feature).

Also, Global Processing Excludes now allows for classes to never be updated by DashO.

Product Links

JSDefender 2.4

JSDefender protects JavaScript code from reverse-engineering and hacking, using a variety of static and dynamic code transforms and injected runtime checks. Examples include symbol renaming, control flow obfuscation, string encryption, browser-based “Dev Tools” detection, and tamper detection. It integrates into the development build process and operates directly on JavaScript code. JSDefender also supports other languages that “transpile” to JavaScript, such as TypeScript. JSDefender can protect JavaScript running in the browser, on servers/workstations (e.g. NodeJS based applications), and on mobile devices (e.g. React Native applications).

The JSDefender 2.4.0 release brings several changes to the protection runtime that make our customers’ protected code much harder to reverse-engineer.

Also, it extends the Control Flow transform with an option called “injectFakeCode” that injects fake test conditions to the control flow statements to mislead and confuse the attacker.

Additionally, the release fixes some bugs in the error script parsing of the runtime checks and in the Control Flow transform.

Product Links

Categories
Risk Management

The Importance of Code Obfuscation for .NET and Android Applications

Reading Time: 4 minutes

As software developers, we know the importance of building secure applications to protect user data and infrastructure. But even with good security practices, your code can still be vulnerable to attack if it’s not adequately protected. Code obfuscation is a critical technique that helps to defend against reverse engineering, tampering, and other malicious activities that can compromise your applications. In this article, we’ll explore the importance of code obfuscation in .NET and Android applications and show how it can help you avoid potential threats.

The Current State of Data Security

Cyber attacks on businesses and corporations are reported to be increasing at a rate of around 50% year over year. Unfortunately, they show no signs of stopping, as evidenced by recent malvertising campaigns aimed at .NET applications. So, whether you’re a developer responsible for building new applications or a security professional trying to protect an Android or .NET app, you must understand how to safeguard your code against attackers. One effective way to accomplish this is through code obfuscation.

 

This article will describe the importance of code obfuscation, beginning with what it is, why it’s beneficial, and how it’s essential for .NET and Android applications. 

 

The fortification of source code is not something to put off, especially when it’s possible to strengthen code with an automatic tool that seamlessly fits into existing environments. Not only are these tools easy to use, but they’re cost-effective (especially compared to a data breach!). This is why businesses trust PreEmptive’s professional-grade app protection software. PreEmptive is a leader in application security, including .NET and Android obfuscation tools.

What Is Code Obfuscation?

The term “code obfuscation” implies a lot upfront. In software development, obfuscation is the act of modifying code so that it is difficult to understand or reverse engineer while it still behaves exactly as before. This practice, also called code hardening, is accomplished through a combination of obfuscation transforms and runtime application self-protection (RASP) technology to protect the application from the inside out.

 

Obfuscation transforms include renaming, control flow, and string encryption. Renaming, as its name implies, renames types, fields, properties, methods, and parameters in the compiled code so that they no longer carry any meaning for a human reader. Control flow obfuscation jumbles the flow of the app to confuse decompilers, and string encryption hides the literal strings (messages, keys, endpoints) that would otherwise guide an attacker through the decompiled output. In essence, the code is rendered unintelligible to look at yet still performs its intended function.

 

RASP enhances application security by providing real-time protection and monitoring capabilities over the application when it runs. This includes detecting and blocking debugging and tampering attempts, as well as responding to security threats in real time. Think of it like an active detection system that prevents unauthorized access or exploitation of vulnerabilities and ultimately enhances the overall security posture of the application.

 

Integrating RASP technology alongside code obfuscation is a multi-layered approach that strengthens an application’s defense by helping to keep hackers and attackers from accessing and compromising critical systems and data.

 

There are many more techniques behind code obfuscation, but all serve to protect the code while maintaining its original functional behavior.

Code Obfuscation Benefits

The main benefit of code obfuscation is to reduce the likelihood of your code being hacked, stolen, or reverse-engineered. By transforming the compiled code into a complex, cryptic, and unreadable form, obfuscation makes it significantly more challenging for attackers to understand and manipulate. Additionally, code obfuscation adds an extra layer of defense against automated tooling, making it much harder for attackers to extract information such as API keys, embedded credentials, or sensitive data structures from the binary. It raises the cost of that extraction rather than making it impossible, so secrets should still be kept off the client wherever the design allows. PreEmptive offers products that provide comprehensive obfuscation for .NET and Android (and 30+ other programming languages).

Why Obfuscating .NET and Android Applications Matters

.NET and Android pose specific risks and requirements regarding obfuscation. Both ship in forms that are unusually easy to decompile: .NET assemblies carry rich metadata alongside their IL, and Android APKs contain bytecode that tools can turn back into readable Java. Like all code, they need protection, and if they are left vulnerable, the likelihood of attack from nefarious actors is higher. Without protection, nothing is stopping them.

 

Web app attacks account for 26% of breaches, meaning companies can’t afford to leave their code open to infiltration. It’s a widespread problem for many apps. Research shows that healthcare, financial, insurance, and government platforms make up around half of targeted data breaches, and many of those organizations ship Android apps that are not guarded by proper hardening tools and techniques.

 

Already in 2023, major companies like Western Digital, Activision, the brand owner of Pizza Hut and KFC, and T-Mobile have suffered costly breaches. Obfuscation hardens the application binary rather than the servers behind it, so it would not have prevented every one of these incidents, but unprotected client applications remain one of the avenues attackers use to learn how a system works and where to strike.

⚠️ Risks of Not Obfuscating 

Failing to perform adequate code obfuscation doesn’t just leave applications and websites at risk. It puts vital customer data at risk as well. In worst-case scenarios, vital financial or medical data is used, manipulated, or held for ransom. 

 

Ultimately, foregoing or delaying obfuscation puts company data, client data, and business reputation at risk. Many choose to wait, thinking that hacks won’t happen to them or that their operation is too large or small to target. Such thinking is how businesses succumb to data breaches, some resulting in total business failure. 

✓ Use the Best Tools to Obfuscate Android and .NET Applications

Obfuscation is an essential defense for every modern business application. However, selecting the right tool to meet your security goals can be challenging. There are many solutions on the market, but few offer comprehensive approaches to application security and even fewer are optimized for .NET and Android.

 

PreEmptive has a reputation for providing businesses with the best-in-class obfuscation tools, especially for .NET and Android. Our solutions fit seamlessly into operations of any size and come with a robust support system to help clear up questions or concerns. Additionally, our tools come with ongoing tamper detection and runtime checks, meaning you can receive immediate notification when suspicious activity occurs.

 

Contact us today for a free demo and to learn more about how PreEmptive’s products can help keep your apps from being hacked, stolen, or reverse-engineered.


 

 

Categories
Support Corner

Support Corner: Using Obfuscation Attributes With Dotfuscator

Reading Time: 2 minutes

In the Support Corner, we’ve seen coding patterns that require special Dotfuscator configuration. These configurations are typically stored in a DotfuscatorConfig.xml file. In certain circumstances, it may be preferable to use Obfuscation Attributes, which allow developers to inline obfuscation settings directly in the source code.

 

Please recall the Support Corner article “Protecting .NET applications that use Entity Framework,” which described how ORM frameworks map object names to database table names. Because of this, we exclude entity classes from Renaming in DotfuscatorConfig.xml to prevent a runtime exception after obfuscation.

Those same exclusions could be translated into Obfuscation Attributes, placed on the entity class itself and on its individual members.

 

By translating to Obfuscation Attributes, we identify and remediate the potential runtime exception without touching the build server. We don’t even need to install Dotfuscator, because the Obfuscation Attribute is defined in the System.Reflection namespace. When this code is sent to the build server, Dotfuscator reads and honors the Obfuscation Attributes. If additional settings are supplied in a DotfuscatorConfig.xml, the rules will be logically ORed together.

 

As developers working on the codebase daily, we can set configurations earlier than DevOps Engineers or Build Managers. Adding Obfuscation Attributes in code can spare testing, debugging, and configuration — and save time later in the process.
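As an added example (not code from either Support Corner article, and not PreEmptive’s own code), here is how the exclusions discussed in this article and in the Windows Forms data-binding article above look when expressed as Obfuscation Attributes in source. The Employee, DaysOfWeek and Customer types are reconstructed from the earlier article’s description with constructed sample data, and the Feature = "renaming" value is assumed here to be the feature name Dotfuscator documents for its Renaming transform, so the types still receive Control Flow and String Encryption:

```csharp
using System;
using System.ComponentModel;
using System.Reflection;
using System.Windows.Forms;

namespace DataBindingDemo
{
    // Bound to a ListBox through DisplayMember/ValueMember, which resolve
    // "Name" and "Department" by reflection at runtime. Only those two
    // properties need their names preserved, so the attribute goes on the
    // properties; the class itself and Salary can still be renamed.
    // Feature = "renaming" is assumed from Dotfuscator's documented feature names.
    public class Employee
    {
        [Obfuscation(Exclude = true, Feature = "renaming")]
        public string Name { get; set; }

        [Obfuscation(Exclude = true, Feature = "renaming")]
        public string Department { get; set; }

        // Never looked up by name, so Dotfuscator is free to rename it.
        public decimal Salary { get; set; }

        public Employee(string name, string department, decimal salary)
        {
            Name = name;
            Department = department;
            Salary = salary;
        }
    }

    // Bound to a ComboBox via Enum.GetValues(): the control calls ToString()
    // on each member, so every member name must survive. ApplyToMembers
    // pushes the exclusion from the enum down to all of its members.
    [Obfuscation(Exclude = true, Feature = "renaming", ApplyToMembers = true)]
    public enum DaysOfWeek
    {
        Monday, Tuesday, Wednesday, Thursday, Friday, Saturday, Sunday
    }

    // Entity class mapped by an ORM: the type name becomes the table name and
    // the property names become column names, so both must be kept. Any logic
    // inside the class still gets Control Flow and String Encryption.
    [Obfuscation(Exclude = true, Feature = "renaming", ApplyToMembers = true)]
    public class Customer
    {
        public int CustomerId { get; set; }
        public string CompanyName { get; set; }
        public string ContactName { get; set; }
    }

    public class MainForm : Form
    {
        private readonly ListBox listBox1 = new ListBox { Dock = DockStyle.Left, Width = 200 };
        private readonly ComboBox comboBox1 = new ComboBox { Dock = DockStyle.Top };

        public MainForm()
        {
            Text = "Data-bound controls after obfuscation";

            // Constructed sample data, standing in for the article's downloadable project.
            var employeeList = new BindingList<Employee>
            {
                new Employee("Ada", "Engineering", 120000m),
                new Employee("Grace", "Research", 115000m),
            };

            listBox1.DataSource = employeeList;
            listBox1.DisplayMember = "Name";       // must match the property name in the final assembly
            listBox1.ValueMember = "Department";   // likewise

            comboBox1.DataSource = Enum.GetValues(typeof(DaysOfWeek));

            Controls.Add(comboBox1);
            Controls.Add(listBox1);
        }

        [STAThread]
        private static void Main()
        {
            Application.EnableVisualStyles();
            Application.Run(new MainForm());
        }
    }
}
```

Two points worth checking when you adopt this pattern. First, the attribute’s StripAfterObfuscation property defaults to true, so the attributes themselves are removed from the obfuscated assembly and do not hand an attacker a map of what you chose to protect. Second, because Dotfuscator ORs these attributes with whatever rules are already in DotfuscatorConfig.xml, a developer can commit this file and the build server’s existing configuration keeps working unchanged.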

 

If you have feedback on this topic or other topics you would like us to discuss in the Support Corner, please contact us at support@preemptive.com.

 


 

 

Categories
Dotfuscator Pro Change Log

Dotfuscator Professional Edition, Version 6.5.4 – Release Date April 27, 2023

Reading Time: < 1 minute

Enhancements

  • Improved detection of debuggers. Note: Running certain debuggers in the background might interfere with the MSBuild process.

Fixes

  • Resolution (scaling) issues related to Dotfuscator UI

Categories
Risk Management

Mobile App Security in the Legal Industry

Reading Time: 4 minutes

There’s no doubt that mobile apps are a major part of the modern legal landscape. By streamlining many common tasks and interactions, mobile apps have revolutionized how lawyers do their jobs. But just because an app is designed for use in the legal field doesn’t mean it’s immune to cyberattack.

Mobile app security in the legal industry has some unique considerations of which developers need to be aware. For one, much of the law office’s information is now accessible on a mobile device. This means that hackers looking to exploit vulnerabilities in mobile apps have an even greater opportunity to do harm.

Hence, developers need to design applications while keeping security considerations in mind from the start, or their applications can quickly become targets for malicious actors.

What Kind of Legal Apps Are Being Written❓

As lawyers increasingly turn to technology to supplement their practices, they find various legal applications available to help them do their jobs more efficiently. Legal apps can range from simple tools that provide basic legal information, to more sophisticated programs that allow lawyers to manage their cases and files more effectively.

At its core, a legal app is a software program designed to make navigating and using the law more convenient. Legal apps have a variety of purposes, including researching cases and statutes, preparing documents or pleadings, conducting searches and monitoring case law updates. 

Additionally, many legal apps offer features that assist lawyers with their day-to-day work, such as document management and communication tools. 

How ⚖️ Legal Apps Are Helping the Legal Industry

The legal industry is always in need of more efficient and effective ways to help its clients, and the use of apps has helped to fill this need. Legal apps are useful not only to the attorneys themselves but to individuals and businesses seeking a lawyer for advice or other legal services. Apps are also great tools for people who want to learn about the law on their own and understand how it works. 

Legal apps can be especially useful when it comes to court appearances or other interactions within the legal system.

These apps can help lawyers with a variety of tasks, from billing and scheduling to document management and appointments. 

Some apps even come with thousands of document templates, so lawyers can easily create contracts, non-disclosure agreements (NDAs), liability waivers, power of attorney forms, and more. With so many helpful features, it’s no wonder that legal apps are becoming increasingly popular among attorneys.

What Is the Nature of Legal Apps 📱?

The past decade has seen a proliferation of legal apps for personal use, as well as for use in the law office. This proliferation is due in part to the widespread adoption of smartphones and tablets, which have made legal information more accessible than ever before. 

Different types of legal apps are available, including those focused on real estate, immigration, wealth management, and contract drafting. Some apps provide general legal information while others are designed specifically for a certain area of law. 

Some apps offer user-generated content, such as case law or sample pleadings. 

Whether you need to generate reports or track key performance indicators (KPIs), store and organize your documents, or centralize your client data, a legal app is there for that. Many apps will allow you to link all your files and documents to their related cases and matters. With so many different legal apps available, there’s no excuse for not being organized.

⚠️ Dangers of Poor Security for Legal Apps

The rise of the smartphone has led to an increase in the use of mobile applications for legal purposes. However, there are several dangers associated with using such apps without proper security measures in place. According to the American Bar Association, about 90% of lawyers use mobile phones for work-related tasks and 25% of law firms have suffered a security breach.

First and foremost, lack of security can compromise highly sensitive information and lead to identity theft. If someone obtains the login information for a legal app, they can access all of the documents and emails that may be stored within the app. 

Poor coding practices, such as allowing easily guessed passwords that can be brute-forced, ignoring data encryption standards, and failing to verify SSL/TLS certificates, can put legal applications at risk of security breaches and even data theft.

Developers who fail to take precautions against security threats may face serious consequences, including loss of reputation and damage to the attorney-client privilege. To protect their apps and customers from potential damage, developers need to follow best practices when it comes to securing their code. For this purpose, PreEmptive provides the best protection for your data – no matter the type of mobile application!

What ✅ Best Practices Should Be Followed for Legal Apps Security? 

Lawyers are always striving to keep their clients’ data safe and secure, and Android apps can help them do just that. There are a few best practices that should be followed when creating an Android app for lawyers.

First and foremost, make sure that the encryption processes are up to par. Make sure that all data is encrypted using industry-standard methods of encryption. This will help ensure that the data accessible from the app is protected from hackers and other malicious actors.

Another important consideration is the security of the app’s user interface. Employ strict security measures for the user interface, such as requiring a strong alphanumeric password and two-factor authentication in order to access sensitive information. Also, make sure that all user input is validated before it’s used in the application. That means checking that user input conforms to what the system expects, and that malformed or unauthorized input cannot cause damage or harm to either users or the app itself.

Last but not least, make sure you have a solid backup plan in place. Use industry-standard disaster recovery procedures and back up your data regularly both on-premise and off-premise to ensure maximum safety for your users and your data.

How Does PreEmptive Help Developers in This Space Create Secure Apps?

As developers, your foremost concern is the security of your applications. To build something robust and resistant to attack, you need tools that will enable you to achieve this goal. 

PreEmptive provides developers with a layered approach to security that can help build resistant and resilient apps. Each product has multiple layers of protection including renaming, encryption, and checks at runtime. If you are looking for a way to improve the security of your app or want to ensure that it is resistant to attack, then it’s time to try PreEmptive for yourself.

Categories
DevSecOps Risk Management

Shocking Hacks That’ve Already Happened in 2023

Reading Time: 4 minutes

The effects of hacking and cybercrime show no signs of slowing down. In fact, all signs point towards the opposite being true. Experts predict that by 2025, cybercrime will siphon $10.5 trillion from the global economy annually — averaging a 15% increase year over year.

Although it’s only a few months into the new year, the hackers have been hard at work. In 2023, there have already been many instances of cybercrime, whether infiltrated websites, social engineering attacks, or stolen consumer information. All of these pose significant financial risks to any institution. Additionally, as technology evolves, such as new developments in artificial intelligence, there are newfound concerns over web security. 

Hackers target businesses — large and small — and no industry is left untouched. With such threats, organizations must incorporate state-of-the-art protection measures to guard their desktop sites, mobile applications, and web servers. These measures help protect all crucial company, employee, and consumer data and decrease the likelihood of a breach.

PreEmptive offers developers protection tools for desktop, mobile, cloud, and IoT platforms and applications. The products boast many different features across a wide range of coding languages. 

What’s Happened in 2023 So Far

Every year, data experts predict the newest threats to cybersecurity. Going into 2023, there were more predictions than ever. Many newer technologies, like IoT, artificial intelligence, Web3, and blockchain, pose new opportunities and threats to cybersecurity. However, many typical security threats, like phishing, ransomware, SQL injections, and email scams, remained concerns heading into the new year. 

So far, 2023 has revealed that data experts were right on almost every front. Below are a few examples of some shocking hacking statistics that have unfolded so far in 2023. 

Hackers Obtain Information of 37 Million T-Mobile Accounts 

In January, T-Mobile announced its discovery of hackers gaining entry to their servers, resulting in the data theft of over 37 million customers. Hackers obtained private information, including birthdays, email addresses, and full names. 

T-Mobile has yet to announce a plan for compensating the targeted customers. Moreover, this breach comes on top of another data mishap in August 2021, for which T-Mobile agreed to pay a settlement of $350 million. 

Norton LifeLock Experiences Breach of 6,000+ Accounts

Early in January, Norton said that over 6,000 customers were victims of a credential stuffing attack. A credential stuffing attack is when hackers use compromised passwords and login info to gain entry to users’ other accounts that may share the same password. 

Norton alerted all the hacked accounts. They also encouraged all their users to enable the two-factor authentication feature to help avoid future hacking attempts. 

Sharp HealthCare Undergoes 60,000+ Patient Data Hack

Medical data is among the most sensitive forms of information. However, in February, Sharp HealthCare’s website was hacked. As a result, over 62,000 patients had their medical data, Social Security numbers, and healthcare info compromised. The company stated that the hackers acquired no financial information.

Sharp HealthCare revealed that the hackers infiltrated the organization’s site through its web services page, where they had been siphoning information since the middle of 2022. 

FAA Delays 10,000 Flights Due to Potential Security Breach

Citizens of the United States were shocked in January when the FAA grounded all outbound international flights for undisclosed reasons. The action resulted in 10,000 delayed and over 1,300 canceled flights. 

Immediately, speculation began. Many thought the FAA’s urgent measures were due to a data breach. The FAA assured the public that the disruption was not a result of cybersecurity failure. However, the event left many wondering what the reason was, raising questions regarding the cybersecurity of the FAA’s systems. 

AI Chatbot Technology Tested in 169 Countries Makes Unsettling Statements

One of the biggest tech stories to rock the world in 2023 has been the revolutionary new AI chatbots — like ChatGPT, OpenAI, and Bing AI.

However, although these bots form swift and creative responses, many worry the sci-fi tech-villain tropes are no longer stories. Specifically, reporters found that Microsoft’s Bing AI claimed it could infiltrate computers, hack personal information, and even expose private information to the public. It even threatened to steal nuclear codes. 

The developers stated their surprise at the bot’s responses. However, they largely dismissed the claims, saying the AI chatbot was confused by the user’s line of questioning. 

Predictions Are Coming True in 2023

Many of the data-driven prophecies didn’t take long to find vindication so far in 2023. Phishing scams, such as the successful breach reported by Activision in February of this year, are still rampant. In addition, there are growing concerns over how developments in artificial intelligence deal with sensitive information and the weaknesses of the interconnected nature of IoT.

As stated by many experts, the main worry is a lack of perimeter defense that detects both human errors in coding and potential threats from third parties. As a result, companies must defend their resources against attacks like phishing scams and ransomware with the proper protection. 

Prevent Cybersecurity Threats With Best Practices

It’s estimated that over 33 billion pieces of personal information will be stolen in 2023. 

Thankfully, businesses aren’t entirely helpless when protecting their vital digital infrastructure. Many of these issues point back to ensuring that all code for desktop and mobile applications is encrypted with the proper strength. Only then can you ensure every link in the chain is secure.

There are 1001 reasons to invest in developing security operations. But hiring in-house data security experts is often expensive, confusing, and time-consuming. However, employing a service with the tools to encrypt and secure data seamlessly is essential to defending yourself in an increasingly precarious digital world. 

One of the most often cited strategies for preventing data breaches is the implementation of proper security methods. To do this, all companies must find a comprehensive solution that boosts resilience from hacking. It’s also essential to implement a service that provides obfuscation. Nothing can be left up to chance. This is why professional developers rely on PreEmptive’s selection of tools. Our smart app protection includes continual source code testing and many other automated security practices to keep apps and websites from harm proactively.

Visit PreEmptive’s site to learn more about using our solutions to boost data security throughout the coming year. 

Categories
DashO DevSecOps Support Corner

Support Corner: Use Make Synthetic in DashO

Reading Time: 2 minutes

Application security is an ever-evolving arms race: bad actors constantly try to circumvent protections, while good actors constantly work to stop them. To be most effective, every app security strategy should employ defense-in-depth. PreEmptive provides several distinct layers of protection, such as Renaming, Control Flow, String Encryption, and Tamper Defense. Make Synthetic is another handy feature, but it should be used only in certain contexts.

Make Synthetic causes a class, method, or field to appear compiler-generated. Because of this, decompilers cannot correctly render code, and often choose to skip these sections altogether. This closes another avenue a hacker could use to spy on code.

As with other obfuscation transforms, Make Synthetic is fully configurable. It can be enabled or disabled independent of other protections. You also have the granular control to include or exclude packages, classes, methods, and fields.

If you’re creating a library or exposing an API, Make Synthetic should not be used because it may impact how external callers work. For this reason, it is disabled by default as part of PreEmptive’s “first do no harm” principle. If your app is fully self-contained, Make Synthetic can be explicitly enabled in the DashO project settings.

As decompilers evolve, we constantly observe how they respond to obfuscated code. When used effectively, DashO’s Make Synthetic feature provides another distinct layer of protection as part of an overall defense-in-depth strategy.

If you have feedback on this topic or other topics you would like us to discuss in the Support Corner, please contact us.

Categories
DevSecOps Mobile Application Protection

Manufacturing Industry & Mobile App Security

Reading Time: 4 minutes

The manufacturing industry has a history of struggling to adopt new digital technologies. While technologically advanced in many areas, many manufacturers have fallen short of embracing digital infrastructures, integrations, and analysis systems to improve product development. 

In 2017, for example, the NotPetya ransomware attack affected many global companies, including Merck, a pharmaceutical manufacturer. This attack resulted in production delays costing the company hundreds of millions of dollars in damages. 

NotPetya exploited a vulnerability in the manufacturer’s accounting system, which Merck was still using despite a lack of security updates. This incident highlights the importance of maintaining up-to-date cybersecurity measures for manufacturers in a rapidly evolving technological landscape. 

Fortunately, the manufacturing industry is already beginning to undergo significant changes as part of the Industry 4.0 digital revolution, within which it is incorporating cloud computing and analytics, the Internet of Things (IoT), and AI machines. 

This will likely result in more efficient and secure systems for the industry in the future. Mobile app technology is also a critical aspect of Industry 4.0.

Even now, manufacturers are ditching outdated legacy systems and deploying modern manufacturing apps to overcome maintenance, poor security, and inflexibility issues. Progressive manufacturing companies already use mobile app technology to improve their products, reduce downtime, and streamline processes. 

But what kinds of apps are being developed for the manufacturing industry, and what are the dangers of poor app security practices? What steps can developers follow to secure mobile applications? Let’s find out.

The Contribution of Mobile Apps to Boosting Manufacturing Productivity

Mobile applications are helping the manufacturing industry in various ways, from tracking inventory to providing quality control, assessing real-time data, and managing production processes. Some of the apps that are developed for manufacturing companies include:

Production Management

These apps aid in improving production lines, inventory levels, and work orders. In addition, they help manufacturing companies by providing real-time visibility to track production progress, find bottlenecks, and make informed decisions regarding optimizing production efficiency.

Maintenance Management

These apps help manufacturers monitor equipment performance, maintenance schedules, and downtime. They also aid in identifying potential maintenance issues and enable proactive measures to prevent machinery failure.

Quality Control

These apps provide real-time data on quality control and assist manufacturing companies to maintain consistent product quality. They also provide real-time data on compliance and inspection checklists that help companies take corrective measures to enhance product quality.

Supply Chain Management

These apps aid in managing supply chains for manufacturing enterprises. They also provide real-time visibility into shipping status, inventory levels, and delivery schedules. Real-time visibility helps manufacturers reduce shipping costs and delivery times and optimize inventory levels.

The High Stakes of Mobile App Security for the Manufacturing Industry

Although mobile apps assist the manufacturing industry in every process, poor mobile security development practices are a menace. They lead to data breaches, cyberattacks, and unauthorized access to sensitive data. Repercussions of stunted development in mobile app security include:

Unauthorized Access

Mobile apps used by the manufacturing industry involve sensitive data, such as personal information, trade secrets, and intellectual property. If the data lacks adequate encryption and user authentication, hackers may exploit these vulnerabilities. 

In 2013, a third-party vendor’s poor security measures enabled hackers to breach Target’s network. The result was unauthorized access to the personal information of 70 million customers and 40 million credit cards. 

For manufacturing companies, the cost associated with data breaches, legal penalties, and reputational damage is unimaginable. It can leave a long-lasting effect on their bottom line.

Merck serves as a prime example of how costly the repercussions of a data breach can be. According to its regulatory filings, the 2017 ransomware attack cost it $870 million. Moreover, the pharmaceutical company could not meet its production demand for the whole year’s stock of cervical cancer vaccine. It had to buy $240 million worth of stock from the Pediatric National Stockpile.

Product Quality, Non-Compliance, and Downtime Issues

If a manufacturer’s production management or quality control app is compromised, it can result in lost revenue and production downtime. Moreover, a compromised app can lead to defective products and delays in meeting production deadlines. 

A good example is the 2020 ransomware attack on Honda. The invasion took advantage of a remote access system vulnerability, causing significant downtime and lost revenue for the company. 

Poor mobile app security development can also result in regulatory non-compliance, leading to legal penalties, costly lawsuits and liabilities, and reputational damage. 

Fortify Security to Secure Mobile Apps in the Manufacturing Industry

Mobile app security developers must follow certain security practices to fortify applications for the manufacturing industry. These practices include:

1. Performing a Security Risk Assessment

Risk assessment during mobile app development is critical to identify potential vulnerabilities and security threats. The review must cover all aspects of user access controls, authentication mechanisms, network communication, and sensitive data storage. 

Robust authentication mechanisms, such as biometric and multi-factor authentication (MFA), must be implemented to prevent unauthorized app access. Furthermore, developers should ensure that passwords are strong and not easily guessed. 

Apps that use JavaScript are particularly vulnerable to exploitation because JavaScript usually ships in source form. By deploying a tool like JSDefender, developers can monitor and protect the app in real time against attacks like cross-site scripting and SQL injection.

2. Ensuring Compliance With Industry Standards

Developers should also ensure that the mobile apps for manufacturing companies comply with industry standards. Regulations like the International Standard for Information Security (ISO 27001), General Data Protection Regulation (GDPR), and the National Institute of Standards and Technology (NIST) ensure the app code cannot be tampered with or modified. Compliance means the app meets the minimum security levels and mitigates the risk of penalties.

3. Providing Regular Security Updates

Outdated mobile apps are more prone to security vulnerabilities and threats. Therefore, developers should provide regular security updates and patches to avert potential hazards and mitigate security issues. 

They should also implement secure communication protocols such as HTTPS and TLS to ensure encryption between the app and the server. 

4. Encrypting Critical Data

Critical data such as blueprints, trade secrets, designs, payment information, and client details should be encrypted both in transit and at rest. Doing so ensures that even if a hacker can intercept data, they cannot read it. 

Developers can use a tool like DashO for code obfuscation and in-app protection. It provides layered protection for Java and Android apps and is continuously updated to prevent reverse engineering and vulnerability exploitation by attackers.


Stay Ahead of the Game With Our Proactive Mobile App Security Solution

Poor mobile app security development practices can be lethal in the manufacturing industry, leading to company reputational damage, financial losses, and potential safety hazards. 

That means that as a developer, you must deploy encryption, strong authentication, network communication, regular testing, and compliance measures to prevent potential security threats to mobile apps. 

To help you in the app development process, PreEmptive’s mobile app security solution can provide comprehensive monitoring and security tools for code protection, obfuscation, and encryption. 

Don’t wait to start using the best security practices during app development. Take control of your app security today with a development-focused mobile app security solution. Start a free trial now!

Categories
101

Top 10 Memorable Women in Tech

Reading Time: 3 minutes

March is Women’s History Month, and it’s an opportunity to celebrate and recognize the many contributions made by women throughout history. Women have shaped the development of technology and other fields and led innovation. Celebrating these achievements honors the women who led the way and inspired future generations. We want to take a moment and recognize ten women who have made significant contributions to the world of technology.

1. Grace Hopper

Grace Hopper was a computer scientist and Navy rear admiral credited with developing the first compiler, which translates human-readable code into machine language. Hopper’s work laid the foundation for modern programming languages, and she is known for popularizing the term “debugging.”

2. Radia Perlman

Radia Perlman is a computer scientist who invented the spanning tree protocol (STP), which is used to prevent loops in network topologies. Her work on STP paved the way for modern computer networking, and she has been awarded numerous honors for her contributions to the field.


3. Reshma Saujani

Reshma Saujani is the founder of Girls Who Code. This nonprofit organization aims to close the gender gap in technology by inspiring and educating girls to pursue careers in tech. Saujani is also a former political candidate and author of the book “Brave, Not Perfect.”


4. Katherine Johnson

Katherine Johnson was a mathematician and NASA researcher whose work on orbital mechanics was crucial to the success of the early U.S. space program. Johnson’s story was popularized in the book and movie “Hidden Figures,” which tells the story of the African-American women who worked at NASA during the Space Race.


5. Tracy Chou

Tracy Chou is a software engineer and diversity advocate who has worked at companies like Pinterest and the U.S. Digital Service. Chou is known for her advocacy work around diversity in tech and for co-founding Project Include, an organization that promotes diversity and inclusion in the tech industry.

6. Sheryl Sandberg

Sheryl Sandberg is the former Chief Operating Officer (COO) of Facebook and the author of the smash-hit book “Lean In: Women, Work, and the Will to Lead.” Sandberg has been an advocate for women’s rights and empowerment in the workplace, and she has been named one of Time magazine’s 100 most influential people in the world.


7. Ada Lovelace

Ada Lovelace was a mathematician and writer who is often credited with writing the first computer program for Charles Babbage’s analytical engine. Lovelace’s work helped to pave the way for modern computing, and she is often referred to as the “first computer programmer.”


8. Radhika Nagpal

Radhika Nagpal is a computer scientist who is known for her work in robotics and artificial intelligence. Nagpal has developed several innovative robots, including a swarm of robots that can work together to perform complex tasks.

9. Fei-Fei Li

Fei-Fei Li is a computer scientist and artificial intelligence expert who is known for her work in computer vision. Li has developed several innovative technologies, including ImageNet, a large-scale visual recognition database that has been used to train artificial intelligence systems.


10. Megan Smith

Megan Smith is a former Vice President at Google and the former Chief Technology Officer (CTO) of the United States. Smith has been an advocate for diversity and inclusion in the tech industry, and she has worked to promote STEM education and entrepreneurship.


Celebrate the Achievements of Women in Tech During Women’s History Month

Women’s History Month is a time to celebrate the accomplishments and contributions of women in all areas of life, including technology. These are just a few examples of the many women in technology whose achievements deserve recognition. We at PreEmptive are excited to support future generations of women who continue to break barriers and make a difference in the world!

Categories
Risk Management

Certificate Pinning — Does It Help App Security?

Reading Time: 4 minutes

Cybersecurity for apps is a critical aspect of securing business activities. As applications are connected to the cloud and used over various networks, they are more prone to security vulnerabilities such as man-in-the-middle (MITM) attacks. 

An Accenture report states that cyber attacks saw an increase in 2021, rising to 270 from 206 per company. While SSL/TLS certificates ensure user data remains uncompromised, hackers can intercept the communication between the app and server and present a fake certificate.

Therefore, it has become necessary for DevSecOps teams to mitigate the risk by providing an extra layer of security, like certificate pinning for the apps. This ensures that an attacker who intercepts the connection cannot substitute their own SSL certificate to gain access to financial information, login credentials, etc. 

But what is certificate pinning, how does it work, what are its caveats, and how can it be used in conjunction with code security? Find out below.

What Is Certificate Pinning?

Certificate pinning is an additional layer of security for an app’s SSL/TLS certificate. It involves pinning the SSL certificate to a root certificate instead of a standard trust store on a device. 

A root certificate can be a specific public key or a guarantee signed and issued by a trustworthy Certificate Authority (CA) that establishes trust in an SSL certificate. This ensures the app will only accept the specific certificate it is programmed to trust, making it harder for an attacker to pass off a fake SSL/TLS certificate. 

How Certificate Pinning Works

The root certificate comprises information such as name, location, digital signature, and public key from the trusted CA. When a browser establishes a connection with a website, it checks the SSL certificate information against the pinned root certificate. 

If the details match, a secure and encrypted communication channel is established between the browser and the server. However, if the information doesn’t match, the browser won’t connect and will warn the user of a potential attack.

This ensures that even if an attacker intercepts the communication, they won’t be able to pass off a fake SSL certificate, as the browser will reject it. 

In Which Situations Is Certificate Pinning Advantageous?

SSL certificate pinning is helpful in many situations where app security can be compromised. 

To Prevent MITM Attacks

As pinning ensures the apps accept only a specific certificate, it protects against MITM attacks. The hacker cannot break into HTTPS traffic between a browser and a server, even if they manage to intercept the communication.

To Transfer Confidential Data

All apps, especially E-commerce, financial, and third-party APIs, transfer sensitive information which can be compromised in the event of a cyber attack. But pinning ensures the data is transmitted over a secure channel. 

To Secure Internal Networks

In organizations where there is an acute need for trusted internal networks, pinning adds an extra layer of security to SSL certificates. This ensures that only authorized internal certificates can secure the communication.

To Establish Trust for Non-Trusted Networks

Public hotspots are non-trusted networks where pinning ensures the client (browser) accepts only the expected certificates, even if the network is compromised.

What Are the Limitations to Certificate Pinning, and How to Reduce Them?

When implementing certificate pinning for apps, there are certain caveats to consider and steps that can minimize potential drawbacks:

Update the Root Certificate

Root certificates require regular updates. Otherwise, expired or stale pins lead to lost traffic, broken links, or error messages. To ensure their validity, they must be kept up-to-date. There should also be a mechanism in place to update the certificate quickly in the event of a security breach or if it is revoked. 

Reduce Limitations

Pinning limits the flexibility of an SSL/TLS certificate, as only a specific CA can issue it. To minimize this drawback, certificate pinning must allow switching to a different root certificate if required. 

Minimize False Positives

Sometimes pinning can result in a false positive where the browser rejects a legitimate SSL certificate to warn the user of a potential attack. To reduce false positives, certificate pinning must be tested and validated before implementation. Moreover, detailed error messages must be provided to users whenever false positives occur.

Implement Multiple Root Certificates

Not all browsers support certificate pinning. To reduce this limitation, a specific system must be in place to allow support for multiple root certificates. In addition, the mechanism must also let browsers that do not support pinning access websites. 
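A working illustration of the check described under "How Certificate Pinning Works" together with the backup-pin mechanism the limitations above call for, written here as an added example (not PreEmptive's code): it pins the SHA-256 of the server key's SubjectPublicKeyInfo rather than the whole certificate, keeps a backup pin so the key can be rotated or replaced after revocation without a forced app update, and plugs into Go's tls.Config.VerifyPeerCertificate. The hostname api.example.test and the self-signed certificates are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// spkiPin returns the base64 SHA-256 digest of a certificate's
// SubjectPublicKeyInfo. Pinning the key rather than the whole certificate
// lets the server renew the certificate without changing the pin.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// pinSet holds the active pin plus at least one backup pin, so the app can
// switch to a new key without a forced update if the active key is rotated
// or revoked.
type pinSet map[string]bool

// verifyPinned has the signature of tls.Config.VerifyPeerCertificate. Go
// calls it after the normal trust-store validation has passed, so pinning
// is an extra check on top of the device trust store, not a replacement.
// The chain is accepted only when some certificate in it carries a pinned key.
func (p pinSet) verifyPinned(rawCerts [][]byte, _ [][]*x509.Certificate) error {
	if len(rawCerts) == 0 {
		return errors.New("pinning: server presented no certificate")
	}
	for _, raw := range rawCerts {
		cert, err := x509.ParseCertificate(raw)
		if err != nil {
			return fmt.Errorf("pinning: cannot parse certificate: %w", err)
		}
		if p[spkiPin(cert)] {
			return nil
		}
	}
	// Reject the connection: a valid-looking but unpinned certificate is
	// exactly what a MITM with a rogue or mis-issued certificate presents.
	return errors.New("pinning: no certificate in chain matches a pinned key")
}

// newSelfSignedCert creates a throwaway certificate for the demo. In a real
// deployment the pin is computed from the production server or CA key.
func newSelfSignedCert(cn string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// Constructed demo: "current" and "backup" are the keys the app ships
	// pins for; "rogue" stands in for a certificate a MITM might present.
	current, _ := newSelfSignedCert("api.example.test")
	backup, _ := newSelfSignedCert("api.example.test")
	rogue, _ := newSelfSignedCert("api.example.test")

	pins := pinSet{spkiPin(current): true, spkiPin(backup): true}

	// This is how the check is attached to an outgoing TLS connection,
	// e.g. tls.Dial("tcp", "api.example.test:443", cfg).
	cfg := &tls.Config{VerifyPeerCertificate: pins.verifyPinned}
	_ = cfg

	fmt.Println("current key:", pins.verifyPinned([][]byte{current.Raw}, nil))
	fmt.Println("backup key: ", pins.verifyPinned([][]byte{backup.Raw}, nil))
	fmt.Println("rogue key:  ", pins.verifyPinned([][]byte{rogue.Raw}, nil))
}
```

The false-positive case from the limitations above is the rogue branch: a rotated key that was never added as a backup pin is rejected exactly like an attacker's certificate, which is why the backup pin must be deployed before the key changes.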

How Can DevSecOps Implement Certificate Pinning With Code Security?

Certificate pinning is a critical security technique for DevSecOps teams to improve the security of their apps and provide quicker incident responses. It can be used in conjunction with a pre-emptive code security tool like DashO to prevent security vulnerabilities.

This enables the developers to provide multiple forms of obfuscation, making it impossible for attackers to hack through layered security. Here’s how pinning can prevent security vulnerabilities in code security during the app development phase:

Minimize Attack Surface

By restricting the trust of SSL certificates to a set of trusted root certificates, developers can reduce the attack surface of applications, preventing MITM attacks. Besides, pinning with code security also enables apps to detect if someone tampers with the certificates and terminates the connection if they are invalid.

Improved Incident Response

Integrated with a code analysis tool like JS Defender, pinning allows for quicker incident response. In the event of a security breach, it enables the DevSecOps teams to find the source of a problem in the code and fix it in record time.

Integration With CI/CD Pipelines

Certificate pinning can be integrated into CI/CD deployment pipelines. Implementing it in the app development process, especially during the testing phase, allows for quick validation of the code and the authenticity of the certificates. 

This ensures that the code is more secure and less vulnerable to security risks such as weak certificate validation and hard-coded certificates.
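The practices described above (rotating pinned certificates, being able to switch to a different root, supporting several roots at once, validating the pin set before rollout, and dropping the connection when the served chain does not match) come together in the following C# pinning handler. This is an added example written for this article, not code from DashO, JS Defender or any other PreEmptive product. It assumes .NET 5 or later (for `SHA256.HashData` and `ExportSubjectPublicKeyInfo`), a hypothetical host `api.example.com`, and constructed placeholder pin values.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// A pin set for one host: pin(s) for the chain currently served plus at least one backup
// pin for a root or intermediate that is NOT in the live chain, so the service can rotate
// to it without shipping a new app build.
public sealed class PinSet
{
    public string Host { get; }
    public HashSet<string> Pins { get; }       // pin-sha256 values: base64(SHA-256(SPKI DER))
    public DateTimeOffset ExpiresAt { get; }   // pins are enforced only until this date

    public PinSet(string host, IEnumerable<string> pins, DateTimeOffset expiresAt)
    {
        Host = host;
        Pins = new HashSet<string>(pins, StringComparer.Ordinal);
        ExpiresAt = expiresAt;
    }
}

public static class CertificatePinning
{
    // SPKI pin of one certificate, in the same form HPKP and Android's network security config use.
    public static string SpkiPin(X509Certificate2 cert)
    {
        byte[] spki = cert.PublicKey.ExportSubjectPublicKeyInfo();
        return Convert.ToBase64String(SHA256.HashData(spki));
    }

    // Pinning is layered on top of ordinary validation, not a replacement for it:
    // the device trust store must accept the chain before the pins are consulted.
    public static bool Validate(PinSet pinSet, X509Chain chain, SslPolicyErrors errors, DateTimeOffset now)
    {
        if (errors != SslPolicyErrors.None)
            return false;

        // An expired pin set degrades to trust-store validation instead of cutting every
        // user off: a forgotten pin refresh must not become an outage.
        if (now > pinSet.ExpiresAt)
            return true;

        // Any certificate in the chain (leaf, intermediate or root) matching any pin is
        // enough; this is what lets several roots be pinned at the same time.
        foreach (X509ChainElement element in chain.ChainElements)
        {
            if (pinSet.Pins.Contains(SpkiPin(element.Certificate)))
                return true;
        }
        return false;   // valid but unpinned chain: treat as tampering and drop the connection
    }

    // Pre-deployment check for the CI pipeline: reject a pin set that would break the app
    // on the next certificate rotation.
    public static void AssertDeployable(PinSet pinSet, X509Chain currentChain)
    {
        if (pinSet.Pins.Count < 2)
            throw new InvalidOperationException("Pin set needs a primary and a backup pin.");

        var inUse = new HashSet<string>(StringComparer.Ordinal);
        foreach (X509ChainElement element in currentChain.ChainElements)
            inUse.Add(SpkiPin(element.Certificate));

        if (!inUse.Overlaps(pinSet.Pins))
            throw new InvalidOperationException("No pin matches the chain currently served.");
        if (pinSet.Pins.IsSubsetOf(inUse))
            throw new InvalidOperationException("Every pin is in the live chain; add a backup pin.");
    }

    public static HttpClient CreatePinnedClient(PinSet pinSet)
    {
        var handler = new HttpClientHandler();
        handler.ServerCertificateCustomValidationCallback = (request, cert, chain, errors) =>
        {
            bool pinnedHost = string.Equals(request.RequestUri?.Host, pinSet.Host,
                                            StringComparison.OrdinalIgnoreCase);
            if (!pinnedHost)
                return errors == SslPolicyErrors.None;   // other hosts: trust store only
            return chain != null && Validate(pinSet, chain, errors, DateTimeOffset.UtcNow);
        };
        return new HttpClient(handler);
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed values: the pins below are placeholders, not real certificate hashes.
        var pinSet = new PinSet(
            "api.example.com",
            new[] { "PRIMARY_PIN_BASE64_PLACEHOLDER=", "BACKUP_PIN_BASE64_PLACEHOLDER=" },
            DateTimeOffset.UtcNow.AddDays(90));
        using HttpClient client = CertificatePinning.CreatePinnedClient(pinSet);
        Console.WriteLine("pinned client ready for https://" + pinSet.Host);
    }
}
```

Pinning the SPKI hash rather than the whole certificate lets the server renew a certificate under the same key without invalidating the pin, and `AssertDeployable` is the step that belongs in the pipeline's testing phase: it fails the build when the pin set has no backup, which is the situation that turns a routine CA switch into the lost-traffic failure mode described above.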

The Bottom Line

The ever-increasing popularity of mobile apps makes them a prime target for malicious attacks. According to a recent study, most Android apps are prone to cyber hacking, with 16% having no solution for this problem. 

Hackers can easily exploit weak code security to steal financial information and login credentials. But certificate pinning is a critical aspect of DevSecOps, adding an extra layer of encryption to app security during the development process. It ensures the apps do not rely solely on the device's trust store but also require additional verification. 

Integrated with the PreEmptive Mobile App Protection Solution, pinning provides foolproof code security, making the apps more resilient to unauthorized debugging, and reverse engineering. Register today for absolute app protection!


Support Corner: Protect .NET Apps That Use P/Invoke Methods

Reading Time: 2 minutes

Dotfuscator works with the full range of application types – Desktop, Mobile, Cloud, and Internet of Things (IoT). It does this by setting sensible defaults, then providing complete granular control over obfuscation settings. Additionally, Dotfuscator understands specific coding patterns and automatically applies obfuscation rules wherever possible. One such example is Platform Invoke (P/Invoke).

What Is P/Invoke?

P/Invoke is a way of calling unmanaged C or C++ functions from a .NET program. This is useful if we have existing APIs written in C/C++ and are building new components in .NET. We can continue using the unmanaged codebase without rewriting it while leveraging the power of the .NET ecosystem.

How Dotfuscator Handles P/Invoke

Dotfuscator has built-in rules to handle P/Invoke methods. If the original method name is used to find the corresponding native function, Dotfuscator preserves the method name so as not to break this mapping. On the other hand, if an alias, ordinal, or entry point is used, the P/Invoke method can safely be renamed without breaking runtime behavior.

Check Out This Example:

This .NET application has two calls to an unmanaged library via P/Invoke and the DllImport attribute. The first method name maps directly to the corresponding native function. The second method uses the EntryPoint parameter to locate the native function:

 

After obfuscation, Dotfuscator renames myMethod to “a” but skips renaming the print_line method:

 

This occurs without any configuration needed from the user. On a project-wide scale, this ensures Dotfuscator applies the maximum renaming possible, while not breaking runtime behavior.
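Because the sample's screenshots are not reproduced in this text, the following C# fragment is an added reconstruction of the two cases the post describes: binding by managed method name versus binding through an explicit `EntryPoint`. It is not the downloadable sample from the post; the library name `nativelib`, the native function's signature and the calling convention are assumptions.

```csharp
using System;
using System.Runtime.InteropServices;

public static class NativeCalls
{
    // Hypothetical unmanaged library: the runtime probes for nativelib.dll on Windows
    // and libnativelib.so on Linux. A matching C source would be (constructed):
    //   #include <stdio.h>
    //   void print_line(const char *text) { puts(text); }
    private const string NativeLib = "nativelib";

    // Case 1: no EntryPoint, so the runtime resolves the native symbol by this method's
    // own name. Renaming it would break the binding, so Dotfuscator keeps "print_line".
    [DllImport(NativeLib, CallingConvention = CallingConvention.Cdecl, CharSet = CharSet.Ansi)]
    public static extern void print_line(string text);

    // Case 2: EntryPoint names the native symbol explicitly, so the managed name plays no
    // part in the lookup and can be renamed freely (the post shows it becoming "a").
    [DllImport(NativeLib, EntryPoint = "print_line",
               CallingConvention = CallingConvention.Cdecl, CharSet = CharSet.Ansi)]
    public static extern void myMethod(string text);

    public static void Main()
    {
        print_line("bound by the managed method name");
        myMethod("bound through EntryPoint");
    }
}
```

To confirm the behaviour on your own build, inspect the obfuscated assembly (for example with ILDASM): `print_line` should still appear under its original name while `myMethod` has been renamed, and both calls should still reach the native function at runtime.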

Wrapping It Up

P/Invoke is one example of how Dotfuscator automatically applies obfuscation rules, saving time and effort during project configuration.

The above example can be downloaded here.

If you have any feedback on this topic or other topics you would like us to discuss in the Support Corner, please feel free to contact our Support Department.