Categories
Support Corner

Remove Log4J calls with DashO’s Method Call Removal

Reading Time: 3 minutes

As we all know, Log4j is a ubiquitous piece of software used to record activity in a wide range of systems found in consumer-facing products and services. The recently discovered vulnerability in this Java logging package (CVE-2021-44228) poses a severe threat to millions of products, from enterprise software to web applications. It presents a risk of loss or breach of personal information, financial loss, and irreversible reputational harm. The FTC is now taking action to require organizations to remediate the risk caused by the known vulnerabilities, and has stated that it will use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure.

A recent example of this negligence came on the back of a complaint regarding Equifax’s failure to patch a known vulnerability, which irreversibly exposed the personally identifiable information of 147 million consumers. This resulted in Equifax paying $700 million to settle the actions taken by the FTC and the Consumer Financial Protection Bureau. The risk for businesses is therefore clear: take actionable steps to remediate the vulnerability, or face litigation, breach risk and reputation damage.

In this guide, we will walk you through how you can use Method Call Removal to mitigate this vulnerability.

Method Call Removal

Method Call Removal has been available since our DashO 6.11 release.  It is mostly used for removing logging statements, but it can be used to strip any method calls we’d prefer not to have in our production release.  The only caveat is that the method definition must also be in DashO’s input.

Let’s assume Log4j is used for our application’s logging.  We might want to remove all log statements from production builds, then create special debug builds with logging enabled as needed.  Or, we might want to remove Info, Warn, and Debug messages, but retain Error or Fatal messages in our production build.  This can be done using DashO’s Method Call Removal feature, without needing to adjust the Log4j configuration.

Please consider the following example:

This application logs informational messages when the app starts, and when it shuts down.  

The Log4J configuration has been organized into a global logging class:
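The following is an added example of such a global logging class, written against the Log4j 2 API; it is not the post’s downloadable project, and the package name, the class names Main and AppLog, the doWork method and the message strings are assumptions. Routing every log call through methods defined in our own code is what makes Method Call Removal applicable here: the caveat above requires the removed method’s definition to be in DashO’s input, and Logger.info is defined in the Log4j jar, not in our code.

```java
// Added example, not code from the original post. Assumes log4j-api 2.x and
// log4j-core 2.x on the classpath plus a log4j2.xml that configures a console
// appender and a file appender. Package, class and method names are hypothetical.
package com.example.app;

import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

public class Main {

    public static void main(String[] args) {
        // Informational messages at startup and shutdown. These AppLog.logInfo
        // calls are the ones selected for Method Call Removal in the DashO
        // project, so they disappear from the production build.
        AppLog.logInfo("Application starting");
        try {
            doWork();
        } catch (RuntimeException e) {
            // Error logging is deliberately kept in production builds.
            AppLog.logError("Unhandled failure during work", e);
        }
        AppLog.logInfo("Application shutting down");
    }

    private static void doWork() {
        AppLog.logDebug("doWork entered");
        // application logic goes here
    }
}

// Global logging class. All Log4j access goes through here, so the methods
// DashO strips (logInfo, logDebug) are defined in DashO's own input.
// Calling LOG.info(...) directly from Main would not satisfy the caveat,
// because Logger.info lives in the Log4j jar rather than in our input
// (unless that jar were itself added as a DashO input).
final class AppLog {
    private static final Logger LOG = LogManager.getLogger("app");

    private AppLog() { }

    // Selected for Method Call Removal in release builds (the post's "LogInfo").
    static void logInfo(String message) {
        LOG.info(message);
    }

    // Also a candidate for removal in release builds.
    static void logDebug(String message) {
        LOG.debug(message);
    }

    // Retained in release builds: failures should still reach the console and log file.
    static void logError(String message, Throwable cause) {
        LOG.error(message, cause);
    }
}
```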

In our DashO project, I’ll select the “LogInfo” method for method call removal:


After doing so, the application runs normally, but informational messages are no longer logged to the console or written to the log file.

After the app has been in production, I may need to create an obfuscated debug build for troubleshooting an issue with a specific client.  If so, I can run DashO without Method Call Removal to preserve logging calls in my debug build.

The above example can be downloaded here.


If you have any feedback on this topic or other topics you would like us to discuss in the Support Corner, please feel free to contact our Support Department.


Categories
101

Dotfuscator 101

Reading Time: 4 minutes

In this blog we will dive into Dotfuscator as part of our 101 series: we walk you through what Dotfuscator for .NET does and how it can help protect your projects.

For those of you who are in the industry and know how this product protects your code, we appreciate the loyalty! If you are not tech savvy, but want to know a little bit more about this product, here’s our summary:

What is Dotfuscator for .NET?

Dotfuscator, by definition, is a multi-functional tool that combines obfuscation and optimization while shrinking your code, for .NET, Xamarin and Windows Platform Apps. Basically, it jumbles and encrypts your code, hardening it to prevent theft.

How does Dotfuscator work?

PreEmptive Dotfuscator for .NET provides many layers of protection for .NET users with multiple forms of obfuscation. We like to describe this as constructing the perfect sandwich.

  • First we start with the bread, in this case we will call it Renaming. Renaming obfuscation alters the names of variables and methods, making it difficult to read or scan the code to find particular parts of your program. However, we go a little further by making things extra difficult for the typical hacker by utilizing Overload Induction™. This renames as many methods as possible to the same name instead of changing variables one by one. To say the least, this is what hardens the “bread” at surface level.
  • Then add the veggies: lettuce (Control Flow) and tomato (String Encryption). Control Flow uses advanced obfuscation by falsifying conditional statements. Basically, it destroys the code patterns that decompilers use to recreate source code, resulting in spaghetti logic that confuses anyone who tries to crack the code. Adding the tomato (String Encryption) hides all the strings present in the user’s assembly. To better explain: the typical hacker will locate string references inside the binary. If the application is time sensitive, a message usually pops up when the time has expired, and this is exactly what hackers search for in the decompiled output, as it indicates they are VERY close to stealing your algorithm. Dotfuscator directly addresses this issue by allowing the user to encrypt strings in the most vulnerable parts of the code.
  • Now comes the choice of meat (Watermarking, Pruning, Linking/Assembly Merging). Watermarking helps track unauthorized copies of the user’s project by embedding copyright information directly into .NET applications without jeopardizing runtime behavior. Pruning takes the work out for you by removing unused types, methods, fields, debugging information and non-essential metadata from an MSIL file during processing. Dotfuscator’s Linking/Assembly Merger combines multiple input assemblies into one or more output assemblies, meaning it shrinks your application alongside pruning and renaming.
  • Next is the cheese (Tamper Detection & Defense). Dotfuscator injects code that verifies your application’s integrity at runtime, and if it detects tampering, it will shut down the application, invoking random crashes. Now that’s an excellent choice of cheese!
  • Last but not least are the condiments: mayo (Debug Detection) and mustard (Defense Using Checks). These two are prebuilt into Dotfuscator and can be injected into .NET apps, allowing your app to detect unauthorized uses such as debugging or tampering of any sort. Don’t be fooled: checks can do more than just the average scanning, they can react too, for example by exiting the app when tampering is found.
  • For those who like a little extra on the sandwich, Shelf Life is the pickle! Shelf Life is an inventory management function that allows you to embed expiration date, deactivation, and notification logic in your code! Now this is what we call the ultimate sandwich!

When should you use Dotfuscator?

Whether you’re a start-up company, a freelancer or an organization developing projects using .NET software, you should be using Dotfuscator in the development process, preferably from the beginning stages and continuing after launch. Data breaches are no longer part of the “new normal”; they are part of everyday life. If you don’t protect your code from the beginning, you will likely become another data breach statistic.

Where does Dotfuscator work?

Dotfuscator is injected directly into your source code, providing a multi-layered approach by way of in-app hardening; assessing and securing where your code is vulnerable.  

Why should you use PreEmptive Dotfuscator?

PreEmptive Dotfuscator has paved the way in in-app security since 2003; that’s 19 years in the biz! Our clients range from small to large enterprises, including many Fortune 500 companies across industries from medical to government agencies. But if you still need a little more convincing, check out our client list here.

For more information on how to get started, to download our free trial, or if you need further help, we encourage you to use our resources, found in our navigation bar. We hope this blog has helped you better understand Dotfuscator for .NET. We look forward to our next 101!


Categories
Press Releases

New Release: PreEmptive DashO 11.2.1

Reading Time: < 1 minute

Professional-grade Application protection With PreEmptive DashO

You asked, we delivered: Announcing a new minor release for PreEmptive DashO

Obfuscation is more than just renaming! PreEmptive DashO is a layered obfuscation approach to provide your Java, Kotlin & Android applications with the security protection you need.

In the latest update, our development team has rolled out some new enhancements, changes and bug fixes.

What’s New?

Version 11.2.1 includes:

Enhancements
  • Validate the Modifiers input fields in the Config Editor for Include & Exclude rules
  • New option for Properties with filesystem path values that opens a system browse dialog
  • A new dropdown for Android mode projects allowing easy switching between configured build variants and their associated inputs in the Config Editor

Changes
  • The Config Editor now opens the last project on startup by default

Bug Fixes
  • Fixed an issue where input Jars with the same name could overwrite each other if “Merge Inputs” was unchecked
  • Fixed an issue where the Config Editor allowed selection of some methods for Check injections in Android projects

Ready to learn more about DashO? Request a quote: Request a Quote

Categories
101

Top 3 Reasons to Use PreEmptive

Reading Time: 3 minutes

Cyber attacks are part of our everyday discussions and will most likely continue to be throughout the next 12-18 months. With the rise in nation-state attacks and the constant expansion of IoT tools, developers have to stay focused on the presence of cyber threats. For those who followed our #DataPrivacyWeek on our social platforms, we explained that our personal lives are very much intertwined with our work lives; with many folks working remotely, we are more likely to be part of the data breaches we read about in the news, as a side effect of network security risks. In this article we will dive into the primary reasons your team can benefit from PreEmptive to protect your applications.

While we were focused on supply chain attacks and ransomware threats, we overlooked another, equally prominent risk: mobile app breaches. There were over 200 BILLION mobile application downloads in 2021, and that number will most likely increase as we progress through 2022. This means that if you’re a programmer developing an app or creating a program that consists of custom code, securing your work is more important than ever. Here are the top 3 reasons why you should use PreEmptive to add a security layer to your applications:

Reason 3: Protecting Your Hard Work

We understand the countless hours that go into coding; whether they were spent debugging, creating or troubleshooting your code’s infrastructure, it takes hard work. Many developers have projects that have been in the works for long stretches and have firm deadlines to meet, so when a project is complete it feels like gold! We tend to concentrate on completing our projects and ensuring that functionality and usability are up to standard, but security is often an afterthought. PreEmptive’s in-app security features have been helping programmers prevent, detect, and respond to attacks without breaking or slowing down their applications, giving you peace of mind throughout development. Sure, we all want to complete our projects on time or earlier than expected, but if we treat our projects like we treat our phones, by putting a lock on them, then that finish line will look even sweeter.

Reason 2: Knowing the Functionality of Your Security

Data breaches are a hot topic, so searching for the right security platform has become even more of a priority. One of the factors when searching for the right security toolset is: how does it actually work? PreEmptive takes a layered approach to protecting your data. Think of it as building your perfect sandwich: start with the bread (obfuscation), add the meat (renaming code), then the veggies, lettuce (string encryption) and tomato (control flow) and more, and top it off with the condiments (active runtime checks) that monitor for tampering, debugging, and more. Now that you know what’s in the perfect “security sandwich,” it’s imperative that you continue to test and secure after each build. This will give you confidence in the security of your application.

Reason 1: Becoming another Data Breach Statistic

Every month there is another data breach brought to our attention, which really makes you think: are you choosing the right security platform? How do you know this platform is the right one? Assessing the needs of your company, organization or projects is the first step; next comes researching security options. Some promise to be “the leading” security platform or the “number one,” but PreEmptive has been in the biz since 1996. That’s over 20 years of securing your applications! Not only do we have the experience, we have hundreds of Fortune 500 companies who use PreEmptive: Charles Schwab, FedEx, the Census Bureau and Microsoft, to name a few. If these companies trust our software, we guarantee that by using us, you won’t become another data breach victim.

In case you still need more information, we encourage everyone to read our case studies to find out how other companies found success in protecting their businesses with PreEmptive. We hope this blog has eased your worries, but if you’re not sold, try us with a FREE Trial.


Categories
Dotfuscator Support Corner

Protecting Windows Forms Applications with Data Bound GUI Controls

Reading Time: 3 minutes

Today we will focus on data binding, but first let’s define this. Data binding allows Windows Forms applications to display and update UI controls from a data source, without having to modify source code for the control itself. 

When protecting Windows Forms applications, it is important to note how the data bound controls are constructed to determine if they will be impacted by code obfuscation.  If the controls bind to a collection of objects, original property names of that object must be preserved to correctly populate “DisplayMember” and “ValueMember” properties of the control.  When binding controls to an Enum, the original names of its members must be preserved, or the GUI control might show obfuscated names.  On the other hand, if we’re binding directly to a database table (and the table does not map to an object in source code), we don’t need any custom configurations because Dotfuscator does not mangle table and column names.

Consider the Following Example:

This simple Windows Forms application has three UI controls with different data binding techniques: a DataGridView binds to a Customer table in a database, a ListBox binds to a collection of Employee objects, and a ComboBox binds to an Enum called DaysOfWeek:

If I obfuscate with project defaults, I experience a runtime error at app startup:

This occurs because original property names of the Employee object are used in “DisplayMember” and “ValueMember” ListBox properties:

    listBox1.DataSource = employeeList;
    // Both property names are looked up on Employee by name at runtime,
    // so they must survive renaming.
    listBox1.DisplayMember = "Name";
    listBox1.ValueMember = "Department";

To Avoid the Runtime Error:

First, I’ll open my project configuration file (DotfuscatorConfig.xml) in the Dotfuscator Config Editor, and set a Rename exclusion for the properties in the Employee object:

After configuring these Rename exclusions, the application starts without the runtime exception, but the “DaysOfWeek” ComboBox appears with obfuscated names:

In order to fix this, I will configure a Rename exclusion for the members of DaysOfWeek.

After providing this Rename exclusion, the app starts without any issues or erroneous behavior.  Please also note the DataGridView, which binds to the Customer table in our database, did not require any Rename configuration to start and display correctly.

Conclusion

There are several different ways to use data binding in Windows Forms applications.  We’ve seen a few ways that data bound controls can be impacted by obfuscation.  If you experience a runtime crash or erroneous UI behavior after applying obfuscation, please use the above steps to resolve the issue.

The full example can be downloaded here.

If you have any feedback on this topic or other topics you would like us to discuss in the Support Corner, please feel free to contact our Support Department.

Categories
Press Releases

PreEmptive Product Updates

Reading Time: 3 minutes

We are pleased to announce the general availability of Dotfuscator 6.4, DashO 11.2 and JSDefender 2.4 for our customers.

PreEmptive has been hard at work on the latest releases of Dotfuscator, DashO, and JSDefender. The improvements are part of PreEmptive’s strategy to continuously support all products with regular updates and new features. Headlining some of the product updates are improvements to integration and usability, and bug fixes to help ensure we keep our customers happy!

Below are the highlights of each release with links to further information such as how to access the latest version, documentation, and changelogs. Free evaluations are always available for each product.

Dotfuscator 6.4

Dotfuscator Professional protects .NET applications from reverse-engineering and hacking, using a variety of static and dynamic code transforms and injected runtime checks. Examples include symbol renaming, control flow obfuscation, string encryption, debugger detection, and tamper detection. It integrates into the development build process and operates on the .NET Intermediate Language. Dotfuscator Professional supports .NET, including .NET Core, .NET 5, Xamarin, and Mono.

The Dotfuscator Professional 6.4.0 release improves the support for default interface implementations in .NET Core 3+. Dotfuscator can now protect applications that use .NET’s default interface implementation feature, without extra configuration steps which were required before.

Additionally, the tool now provides more granular control of managed resource renaming. Users can now disable automatic resource renaming, in cases where the application loads those resources manually from strings that cannot be statically analyzed.

This version enables authenticated proxies to communicate with the PreEmptive licensing servers, which is a requirement at many enterprise customers.

The Xamarin.Android Root Check is also updated to handle new versions of Android rooting tools. 

Product Links

DashO 11.2

DashO protects Java and Android applications from reverse-engineering and hacking, using a variety of static and dynamic code transforms and injected runtime checks. Examples include symbol renaming, control flow obfuscation, string encryption, debugger detection, and tamper detection. It integrates into the development build process and operates directly on compiled Java bytecode.

The DashO 11.2.0 release enables Include and Exclude rules to be configured via Java Annotations and Supertypes. Rules can now match classes based on the existence of methods or fields that match the criteria.
The New Project Wizard now includes settings for generating Entry Point rules based on Java annotation based criteria, including a special set of entry points for Hibernate/Java Persistence API.

Additionally, DashO now processes compiled bytecode from Java 16 (except for the record type and the Sealed Classes preview feature).

Also, Global Processing Excludes now allows for classes to never be updated by DashO.

Product Links

JSDefender 2.4

JSDefender protects JavaScript code from reverse-engineering and hacking, using a variety of static and dynamic code transforms and injected runtime checks. Examples include symbol renaming, control flow obfuscation, string encryption, browser-based “Dev Tools” detection, and tamper detection. It integrates into the development build process and operates directly on JavaScript code. JSDefender also supports other languages that “transpile” to JavaScript, such as TypeScript. JSDefender can protect JavaScript running in the browser, on servers/workstations (e.g. NodeJS based applications), and on mobile devices (e.g. React Native applications).

The JSDefender 2.4.0 release brought several changes to the protection runtime that make our customers’ protected code much harder to reverse-engineer.

Also, it extends the Control Flow transform with an option called “injectFakeCode” that injects fake test conditions to the control flow statements to mislead and confuse the attacker.

Additionally, the release fixes some bugs in the error script parsing of the runtime checks and in the Control Flow transform.

Product Links

Categories
Risk Management

Data Protection in Android Apps: Safeguarding Sensitive Information

Reading Time: 3 minutes 

Android is by far the most popular OS on Earth. Android powers over 75% of tablets and smartphones for over 2.5 billion users. But Android’s popularity means users face a greater level of threat. Some 87% of Android devices have serious security vulnerabilities. 

To combat security threats, developers must incorporate ample security into their Android apps. Below, we’ll explain some methods to secure Android-powered apps. But first a pro tip: 

One of the most secure and efficient ways to reduce vulnerabilities is using a smart app protection solution. PreEmptive’s seamless tools harden and shield apps, preventing the likelihood of data breaches and cyber threats. 

Understanding Data Security Risks in Android Apps

Why are cyber criminals drawn to Android applications? Popularity is one reason. The more popular an OS is, the more it’s targeted. Also, specific weaknesses allow hackers and malware to enter Google Play Store apps more easily. So, users who forget to update their OS are more vulnerable to bad actors.

Data Encryption Techniques for Android Apps

Hacking, malware, ransomware, and data breaches are rising, making it a nonnegotiable for developers to implement data encryption and secure coding practices in Android apps. Even basic security measures significantly reduce the likelihood of succumbing to such nefarious behavior as an SQL injection.

Developers must familiarize themselves with obfuscation, encryption, and security techniques, and incorporate them into their Android apps. This way, they can rest easy after releasing their Android apps.

🔐 Secure Data Storage on Android Devices

Safe storage is essential for any Android application. Developers need easy paths with intuitive access controls to navigate private third-party libraries and security tools for storing sensitive files. Additionally, developers must design apps to prevent private information storage on public databases. 

Don’t assume the onus falls on users. Developers must incorporate security methods that prevent other apps or parties from accessing sensitive data. The Android Application Sandbox feature is critical. This feature allows developers to isolate and regulate apps that store sensitive information, limiting file-sharing access and significantly decreasing the likelihood of unauthorized entry into sensitive files. 

🌐 Securing Network Communication

Haphazard network communication is a recipe for disaster, especially for Android apps. Apps must be built on a secure network protocol, like TLS (the successor to SSL), which reduces the amount of personal data exposed on public networks.

👥 User Authentication and Authorization

Basic steps, like using the Android Keystore system, greatly enhance authorization protection. Once Android securable objects are placed within the Keystore, developers can layer in restrictions. This helps authenticate legitimate users and deny any unauthorized accounts.

Using tools for runtime memory data protection also greatly helps by constantly analyzing code integrity in real time and avoiding instances of tampering and SQL injection.

⚠️ Data Minimization and Privacy Concerns

Reducing the amounts of stored data, or data minimization, helps eliminate user fears of privacy overreaches. It also creates less work for DevOps teams, eliminating the number of redundancies and backups, and allows developers to focus only on real security issues.

🖥 Secure Data Transmission to Backend Servers

Hackers are always looking to exploit data in transit. This is where encryption protocols, like HTTPS or SSH, come to the rescue by creating a protected tunnel as data moves from one device to another. 

☁️ Secure Cloud Data Storage and Backup

Data at rest is just as much in need of protection as data in transit. To secure data at rest, whether within the cloud or on physical servers, developers must emphasize strict classification according to the data’s sensitivity. This includes strict encryption and tokenization techniques.

✅ Compliance With Data Protection Regulations

Another vital element in securing Android apps is ensuring compliance with data storage, privacy, and protection measures, including:

  • Data Privacy Regulations: GDPR, CCPA
  • Data Security: PCI DSS
  • Accessibility: WCAG, ADA

The Importance of Continuous Data Protection in Android Apps

Android is a wildly popular OS with unique vulnerabilities that app developers must understand to defend their code and diminish threats. Reliable, quick, and robust app security for your Android or Java applications is crucial — and that’s what DashO is all about. Developers around the world depend on it for advanced obfuscation and active run-time checks that keep hackers out of the source code. Want to secure your vital apps and avoid data breaches? Start a free trial today.

Categories
DashO Change Log

DashO Java Obfuscator Change Log V 12.2 Build 0 – Release Date September 14, 2023

Reading Time: < 1 minute

Enhancements

  • Java 9 Modules (JPMS) support with UI appropriate changes to run on/off functionality

Categories
DevSecOps Risk Management

DevOps in Financial Services: Unlocking Efficiency and Security

Reading Time: 4 minutes 

The financial industry faces immense constraints concerning regulation, compliance, and governance. These factors make speedy financial technology integration difficult.

However, with a competitive technological market and the rise of security threats, financial services can’t afford not to adopt the right security services and tools. Financial professionals understand the grave implications. Because of this, despite the constraints, the financial sector has adopted DevOps across projects faster than any other sector.

Modern DevOps practices are transformational for any industry but are perhaps most pressing in finance. When incorporated correctly, they can create more efficient operations, enhance security measures, and lead to quicker delivery of products and services. For this reason, many financial companies partner with third-party DevOps services, like PreEmptive, to quickly onboard features and tools that construct effective approaches for managing apps and services.

Why Is DevOps So Popular?

There’s a reason businesses invested in DevSecOps to the tune of $4.4 billion in 2022. This number is expected to balloon by 22% between 2023 and 2032. 

So why are companies dumping so much cash into DevOps? There’s no single reason. But the underlying draw to DevOps investment is that it increases connectivity and collaboration, allowing businesses to run efficiently and with heightened security for less cost. 

As businesses increasingly rely on software and IT for a smooth, profitable workflow, investing in DevOps has become a no-brainer, as it provides massive returns and helps cut costs out of the gate. 

These benefits are especially appealing for the financial sector. With digital banking as the new norm, customers expect online services and products that work quickly and securely. 

Benefits of DevOps in Financial Services

The financial services industry is no stranger to the demanding, fast-paced nature of the tech market and tech users. Digitalization redefined customer expectations, and traditional banking institutions and fintech startups now must rush to incorporate DevOps principles to restructure operations and make them more secure and agile.

Mobile apps, digital wallets, and cloud data hosting are all needed for financial services to survive in the modern world. 

DevOps emphasizes collaboration between development and operations to ensure these systems run at their best. Overall, it aims to integrate these services under one protocol and network. It’s a large project, no doubt. But the investment in DevOps comes with numerous benefits. 

🚀 Faster Time to Market

Integrating DevOps practices accelerates the ability of financial organizations to bring new products and features to market. The reason: automation.

With DevOps tools, financial services can automate routine development, deployment, testing, and maintenance processes. This allows institutions to remain competitive in the dynamic financial landscape, especially when updating mobile app services. It also helps identify security threats as the product is built, reducing the time spent scouring programs and source code for errors, bugs, or glitches.

✅ Enhanced Security Measures

One-off security assessments are the way of the past. With DevOps, security is genuinely continuous and immediate. 

DevOps practices prioritize security throughout the development process, mitigating risks and analyzing every batch of new code before it’s sent out. Then, organizations can address potential threats proactively by integrating security protocols from the outset. 

Additionally, financial institutions can ensure compliance with stringent regulatory requirements. For example, with CI/CD structures, companies can build automated pipelines, reducing the likelihood of human error that results in non-compliance. 

🏦 Operational Efficiency in Banking

It’d be impossible to track all the time wasted on daily maintenance tasks. Worse yet, the process becomes further bogged down as departments struggle to communicate. And don’t even start on the communication lapses resulting from remote workforces. Bid wasted hours goodbye with DevOps.

DevOps promotes collaboration and breaks apart siloes. Ultimately, it instills a culture of transparency and communication. Once it’s initiated, operational efficiency improves, reducing manual interventions, minimizing errors, and enhancing customer experiences.

⚙️ Continuous Delivery in Finance

There’s no excuse for running a faulty or outdated app, as doing so poses stark security risks. Especially in finance, where sensitive information is constantly being passed back and forth. 

Continuous integration and continuous delivery (CI/CD) practices enable regular and reliable software releases. This approach minimizes disruptions and downtime, allowing financial institutions to respond swiftly to meet customer demands or fix internal bugs and faulty code. 

⚠️ Risk Management with DevOps

Risk reduction must be the name of the game for financial app security. DevOps helps eliminate risk on multiple fronts, whether through automated testing, code review, or frequent update releases. The whole point of DevOps is to eliminate security and downtime risks before they escalate into disaster.

The Risks of Neglecting DevOps Practices

DevOps offers a ton of benefits. But still, many organizations forsake investing in it, and this neglect can result in significant setbacks for financial organizations.

Increased Security Vulnerabilities: Ignoring secure DevOps practices exposes sensitive financial data to cyber threats. The lack of integration between development and security teams creates an environment where overlooked security threats go unaddressed, exposing code and sensitive data. 

Sluggish Innovation: Without a DevOps mindset, financial institutions struggle to meet rapidly changing customer expectations and fail to keep up with the broader market. When companies fail to offer new features or frequent updates, it often results in a mass exodus of customers as they head to services that offer more advanced tech services. 

Operational Inefficiencies: Siloes create inefficiency, and without DevOps, businesses are stuck with manual interventions, lengthy release cycles, and miscommunication. 

PreEmptive: Enhancing App Security in DevOps Workflows

DevOps isn’t a matter of if; it’s a matter of when. Without it, financial companies will find themselves left in the dust, unable to keep up with a market that’s rapidly adopting best-in-class DevOps tools and services. This is why companies must begin accepting DevOps and understanding the best practices to build effective approaches. 

PreEmptive is a trusted leader in providing DevOps workflows. We offer solutions that enhance security throughout the development lifecycle and integrate seamlessly into CI/CD pipelines, ensuring that security measures are woven into the fabric of the development process.

Categories
Risk Management

#1 Cybersecurity Threat for the Future? Software Security

Reading Time: 4 minutes

Most businesses are aware that software and app security are essential to success. Still, estimates show that 83% of sensitive cloud-based data is unencrypted. Of course, encryption is only one aspect of software security, but it’s an indicator that many businesses are in for a rude awakening. 

The European Union Agency for Cybersecurity (ENISA) met in March 2023, and its report was long anticipated, especially given the massive online attacks in 2023 that affected many businesses, including T-Mobile, Norton LifeLock, and Sharp HealthCare. 

The conference aimed to analyze digital security trends to keep European citizens safe in online environments, but carried global implications. ENISA conducted in-depth studies and ultimately predicted what’s to come at the forefront of cybersecurity over the next decade. 

Below is a closer look into their findings. Overall, one key area of concern served as the underlying theme of their findings: a dire need for software security. Many businesses recognize this need already and partner with an app protection tool, like PreEmptive.

ENISA’s Cyber Security Threat Report 2030: Navigating the Software Security Landscape

Cybersecurity has become vital, especially as technological advancements reshape industries and societies. Looking ahead to 2030, the ENISA report comprises expert workshops and threat forecasts highlighting current and future concerns over navigating digital landscapes safely throughout the next decade. 

The report primarily focuses on software security and paints a comprehensive picture of the challenges and opportunities ahead. Below is a point-by-point overview of ENISA’s report as it relates to software security. 

The Software Security Imperative: ENISA’s Insights for 2030

In an era where digital services touch every facet of life, software has become the cornerstone of our interactions, transactions, and operations. At this point, there’s hardly a single business operating without software, applications, and APIs. However, this dependence on software also exposes organizations to various vulnerabilities and threats. 

0️⃣ Zero-Day Vulnerabilities

One of the foremost concerns highlighted by ENISA is the persistence of zero-day vulnerabilities. So what is that exactly?

A zero-day vulnerability is a software flaw that hackers recognize before developers notice it or release patches. The ENISA report emphasizes the unyielding need to use a secure software development lifecycle (SSDLC) to combat the threat of zero-day vulnerabilities. Through an SSDLC, businesses instill best practices and security considerations, weaving them into every phase of software development. Overall, this process reduces the likelihood of running into such vulnerabilities, which can be devastating in terms of cost.

Moreover, the ENISA report analyzes the increase in open-source vulnerabilities and software supply chain attacks, which expose the weaknesses of interconnected modern software ecosystems. This is evident in instances like the SolarWinds data hack, where hackers gained backdoor entry and, from there, stormed the private networks of businesses and government agencies. 

⚠️ Danger of IoT 

IoT is becoming wildly popular. The ENISA report highlights exactly where the software security issues reside. 

In short, IoT is becoming ubiquitous across all sectors, but it’s rife with opportunities for human error, and traditional security is not cutting it. The devices rely on software programs and are responsible for running critical infrastructure like electric grids, sewer systems, industrial complexes, and more. When compromised, the results can be catastrophic, resulting in widespread utility shutdown for large populations.

As a solution, ENISA highlights the significance of runtime application self-protection (RASP) mechanisms, which actively monitor and defend software applications 24/7. These mechanisms play a crucial role in detecting and thwarting attacks in real time, adding an extra layer of security.

🎯 Target Attacks on Individuals

Another key ENISA prediction is for more attacks on individual users. They state that because individuals now use a greater network of interconnected applications, hackers can analyze particular behavioral patterns after infiltrating home networks. From this, they can use intimate data to pull off identity theft schemes.

The takeaway is that users must understand how to secure their profiles and limit information sharing between APIs and third parties to avoid falling victim to this new, hyper-specialized form of online attack.

Implications for Businesses and Developers: The Urgency of Software Security

ENISA’s report bears many implications for businesses and developers. For businesses, it means that increasing reliance on software demands a heightened focus on implementing robust security for software and apps. Even a single vulnerability could result in devastating data breaches and reputational damage. 

Embracing comprehensive software security measures is no longer an option; it’s an urgent imperative for survival in the modern world. Soon, these matters will be an issue of legal compliance rather than a risk businesses can choose to take on or avoid. 

On the other hand, developers act as foot soldiers and generals in the war on cyber threats. The report underscores the need for developers to integrate security into every phase of the software development lifecycle and learn to toss aside the traditional approach of tacking single-purpose security tools onto software solutions that require holistic monitoring. 

PreEmptive: Aligned with ENISA’s Recommendations

The ENISA report findings are sobering but enlightening.

At its core, the report underscores the urgent need for businesses and developers to prioritize automated software security that continuously secures connections, code, APIs, cloud data, and software supply chains. PreEmptive’s solutions emerge as a strategic ally in this context, aligning seamlessly with ENISA’s recommendations to mitigate software security risks.

Whether it’s mobile app protection or analyzing code for errors, any business, agency, or individual needs to equip themselves with the right armor to brave the daunting cyber threats to come in the next decade. 

PreEmptive is a beacon of resilience in a landscape where software security is paramount. PreEmptive’s suite of solutions supports developers in implementing security measures at every step of the software development process. 

Through code obfuscation, runtime application self-protection (RASP), and vulnerability assessment, PreEmptive’s solutions focus on application hardening and tamper resistance. They also mitigate software supply chain attacks, fortifying the application against unauthorized access and manipulation and establishing a fully secure software ecosystem. Check out our product page to learn more. 

Categories
Risk Management

Obfuscation in CI/CD Security — Critical to Avoiding Data Breaches

Reading Time: 4 minutes 

App production is an enormous endeavor. Pulling off the initial launch is one thing, but then it requires constant updates. Every update is labor-intensive, and developers often face pressure to push them out ASAP. When this happens, DevOps teams sometimes cut corners or forget to embed proper security practices into applications. 

Before, there was simply no way around this. Testing, building, and releasing was a manual process. Then something called Continuous Integration and Continuous Delivery (CI/CD) stormed the scene.

Below, we’ll explain CI/CD and why code obfuscation is necessary in protecting business software and data. Then, we’ll explain why businesses should defend their CI/CD pipelines.

✅ Understanding CI/CD Pipelines and the Benefits

CI/CD revolutionized software production, enabling developers to iterate rapidly, automate critical tasks, and deliver updates faster. Overall, it levels up software quality and user experience. CI/CD is a crucial element in DevSecOps. Here’s a top-level view:

  • Continuous Integration (CI): Integrates code changes into a shared repository multiple times per day to spot and fix issues by automating building and testing.
  • Continuous Deployment (CD): An extension of CI that automates code deployment within production environments, ensuring software is always deployable.

Ultimately, CI/CD describes an automated framework for creating, packaging, and deploying code to enhance software delivery. These steps happen with every new software update. It’s the combination of CI and CD where the magic happens — the two factors work in tandem to streamline development workflows, accelerate the feedback loop, and reduce the associated risks of large code releases. Here are a few of the top benefits of implementing CI/CD:

  • Faster, more reliable app releases, updates, and feedback
  • More frequent deployment thanks to automated updates
  • Reduced manual intervention
  • Iterative approach, reducing the likelihood of bugs or errors
  • Better customer and employee satisfaction

The benefits of these practices are outstanding, but it’s not all smooth sailing. Automated processes can inadvertently expose sensitive information and intellectual property. 

To use a real-world example, remember the SolarWinds data breach? That was a direct result of a CI/CD pipeline attack, where hackers identified a backdoor within the existing network. They used that entry to alter code and send out a poisoned application that stole information from 18,000 clients. 

Had SolarWinds employed significant obfuscation techniques, the unprecedented data breach would likely never have occurred.

💻 Code Protection in CI/CD: The Role of Obfuscation

A recent survey of 300 top IT professionals found fewer than 4 in 10 companies can detect code tampering. It’s difficult to spot, but it can be avoided with the proper habits. One of the best anti-tamper security methods is obfuscation. 

In the CI/CD security context, obfuscation functions by transforming source code into unreadable gibberish while preserving its functionality. 

It’s a technique that mitigates security risks like reverse engineering threats and unauthorized access to sensitive data. Code obfuscation makes it almost impossible for attackers to understand any of the logic, algorithms, or data structures embedded in the software.

When approaching obfuscation, developers can choose from a few runtime protection techniques. The more techniques that are layered on, the better. 

  • Symbol Renaming: Classes, methods, and variables are renamed to meaningless names, making it difficult to understand the code’s structure and intent.
  • Code Flattening: Code is restructured to remove indentation and replace structured control flow with jumps, destroying the program’s readable logic.
  • String Encryption: Sensitive strings like API keys and authentication tokens are encrypted and decrypted at runtime.
  • Control Flow Obfuscation: The sequence of instructions in the code is altered, making it challenging for attackers to discern the program’s flow.
  • Code Splitting: Code is split into smaller components, hindering attackers in reverse engineering the entire application from a single point.

⚠️ CI/CD Security: What It Looks Like in the Wild

No company wants to be the next SolarWinds. To prevent that outcome, organizations must begin incorporating obfuscation into their CI/CD frameworks. But it’s hard to know where to begin.

Many prominent companies have embraced holistic and successful CI/CD security strategies to safeguard their code and intellectual property. Below are a couple of examples.

Google

Google uses comprehensive, cutting-edge DevOps features in their CI/CD pipeline. The company also offers great insight into their philosophy and the importance of addressing security concerns early in development. They also list a few of the preferred security services they’ve incorporated to improve their build environment security:

  • Cloud Build: Serverless platform for automating tasks
  • Binary Authorization: Offers deployment time security
  • Artifact Registry: Security service to store artifacts

Apriorit

Another great example comes from the founder of the company Apriorit. Here, they explain how leaving explicit names and classes unobfuscated makes them one of the main targets of cyberattacks. 

They also provide excellent examples of specific security techniques, such as bytecode obfuscation and LLVM compilers, as app hardening methods. Along with this come a few best practices to be mindful of as companies build secure CI/CD pipelines through obfuscation:

  • Being mindful about code size and performance
  • Using several obfuscation techniques to create layered security
  • Avoiding obfuscating code that’s critical to performance

⚙️ PreEmptive Supports CI/CD Security With Source Code Obfuscation

The average cost of a data breach is $4.35 million. Most businesses can’t afford this, so protecting CI/CD pipelines isn’t a matter of choice. But it’s difficult to know where to begin, and doing it in-house requires a robust IT team, which many businesses can’t afford.

PreEmptive offers cutting-edge source code obfuscation tools with automated security checks. These tools seamlessly integrate into your CI/CD workflows, ensuring code remains secure from reverse engineering threats and unauthorized access. 

The services offer a broad range of obfuscation techniques and runtime protection features, providing a comprehensive defense against existing and emerging security threats, hacks, and vulnerabilities. Reach out to one of our solutions engineers for a no-obligation conversation about your options for defending your CI/CD pipelines immediately.

Categories
JSDefender Change Log

JSDefender Change Log V2.7 Build 0 – Release Date Aug 24, 2023

Reading Time: < 1 minute

Change Log – Version 2.7.0 – Release Date Aug 24, 2023

Features

  • upgrade webpack support to version 5.88.1
Categories
Mobile Protection

Why Should Developers Care About Mobile App Protection?

Reading Time: 4 minutes

These days, mobile app attacks are rampant. With an ever-growing culture of habitual smartphone use, we now see mobile apps as a staple in our lives, and cybercriminals are taking advantage of that.

Malicious actors continuously try to find new ways to infiltrate apps, steal user data, and even disrupt services altogether. All this can occur even if an app has no sensitive data or features, meaning vulnerabilities can often go undetected for quite some time.

That said, many people don’t worry too much about mobile app protection. What’s even more concerning, some app developers still consider security a low priority, which can be bad for their work in several ways.

This article explains why developers should pay more attention to user data protection and highlights how to protect mobile apps most efficiently. 

📲 What Is Mobile App Protection?

Mobile app protection (MAP) is a security feature offered by some mobile operating systems, most notably Android, to help protect smartphone and tablet users from unauthorized access to their apps and data. MAP provides an added layer of security by verifying the identity of app users and requesting you to grant specific permissions before installing an app. It can also provide security features such as password locking and file encryption to ensure your information remains confidential.

In some cases, mobile app protection may also include antivirus protection and firewalls to ensure the complete security of mobile applications.

⚠️ The Importance of Mobile App Protection

Mobile app protection is an essential aspect of digital security for both developers and users. For developers, it provides a safe environment to develop applications while preserving the user’s data. Mobile app protection also serves as a deterrent against malicious cyber attacks and provides the best protection against disruptive criminal activity.

For users, mobile app protection ensures that their private information remains confidential and secure, preventing identity theft or other data breaches. Additionally, Android app protection can help to keep apps up-to-date and compliant with relevant regulations. 

💻 How Is User Safety the Responsibility of App Developers?

Mobile apps can jeopardize users’ private data without proper safety features, and the blame can fall on those who developed those apps. That’s why developers must protect apps from potential harm, keeping track of cyber threats in the digital world and making their products resistant. Doing so is essential both during development and after app release. App builders should create secure apps from the ground up and perform regular code reviews and testing to find and correct vulnerabilities promptly.

The question is, how do you make an app secure? Developers can ensure mobile security through several methods, including adopting security measures such as passwords and encryption, monitoring for signs of malicious behavior, and avoiding known vulnerabilities. Additionally, they can work with their security vendor to set up proper security measures on their app, such as incorporating code-signing certificates.

As highlighted, protecting user information, such as ensuring that user IDs and passwords are stored securely, is the responsibility of developers. These professionals also have to check whether notifications and advertisements in their applications are appropriate and not excessive.

As developers have all these responsibilities, they continuously need to educate themselves about mobile application security threats and practices to prevent potential issues and ensure excellent work results. 

Why Is Mobile Application Security Critical for Finance and Healthcare Services?

It’s worth mentioning that some industries require more mobile app protection than others. For instance, finance and healthcare systems own critical data of patients and customers that must be secure. Any damage to security or loss of this data can cause serious legal issues for organizations and lead to distrust among patients and customers. In addition to fines and legal implications, such breaches can threaten customers’ privacy as potentially harmful information can fall into the wrong hands.

Considering these two sectors own such significant data, they are more exposed to cyberattacks aimed at stealing and exploiting this information. That’s why both finance and healthcare systems tend to be more demanding when it comes to mobile app usability and safety. To create apps that meet the high standards in these industries, developers must take steps to protect their apps from harm and make them easy to use.

⚖️ Liabilities of Lax Security

When the security of an Android application is lax, many potential liabilities can occur. These include lost data, stolen identities, and financial losses due to fraudulent activity.

One of the most common ways an Android application can get compromised is through the use of insecure storage locations. By default, Android applications store user data such as login credentials and other sensitive information in plaintext format on the device’s internal storage. This makes it easy for third-party attackers to access this information and use it to launch attacks against the application or its users.

It’s also important to remember that not all Android devices are equally secure. If you’re using an insecure device for your Android applications, protect them by opting for a mobile encryption solution like Dotfuscator.

⚙️ Big App Security Blunders of 2022 to Continue Avoiding in 2023

In September of 2022, American Airlines disclosed that they were the target of a data breach by phishing attacks. The attack involved hackers sending out messages to airline employees, attempting to get them to click on a link that would take them to a fake website and steal their login information. According to American Airlines, around 1,708 people had their login credentials stolen during this attack. 

In late 2021, a hacker published data on 5.4 million Twitter users by exploiting an API vulnerability. This data included usernames, phone numbers, and other personal information. The hack resulted from a lack of proper security measures installed by app developers, who allowed unsecured access to their API. 

In fact, both attacks were easy to prevent with proper app-hardening solutions. With PreEmptive protection tools, for instance, developers can easily protect user data and prevent cyberattacks. Different features of these tools, such as obfuscation (e.g., renaming, string encryption, and more) and active runtime checks (tamper, debug, root, and more), deter hackers from cracking the codes and ensure user safety in real time.

✅ The Ultimate Security Solution for Developers

Making an app secure enough for users is a concern of every mobile application developer. Fortunately, you don’t need to look far to find an ultimate app shielding solution. 

PreEmptive products help developers to obfuscate code and protect against all types of malware attacks. They allow you to hide user strings in your assembly, inject code that verifies your application’s integrity at runtime, and provide a high level of resistance to hacking and tampering. 

Whether you are looking to improve the security of your current apps or develop new ones, PreEmptive can help you reach your goals. 

Work with Android apps? Check out our Coffee Break Course on Droidcon!

Categories
Support Corner

Support Corner: Protecting .NET Applications That Use Visual Studio Installer Projects

Reading Time: 2 minutes 

The Visual Studio Installer project remains a popular way to deploy .NET applications. It is simple to configure and maintain, and it produces an MSI or EXE that can easily be distributed via a vendor website, software repository, or any other software distribution system.

The Challenge of Application Security

The installer project places managed assembly files on the end user’s machine. These files can easily be decompiled and reverse-engineered like other .NET applications. This is a significant problem if your app handles sensitive data, contains trade secrets, or has IP that needs to remain hidden.

Promote Security With Dotfuscator

The good news is this is easy to remediate. We just have to integrate Dotfuscator into our application’s .csproj or .vbproj project file.

Doing this will trigger Dotfuscator before the packaging steps of a Release build. Dotfuscator places obfuscated assemblies into the release directory, which will automatically be packaged for deployment by the Installer project. No additional steps are required.

This workflow can be implemented for Visual Studio installer projects and works for the most common project deployments: MSIX, ClickOnce, etc. Some projects, however, have non-standard approaches for creating installers. For example, the installer might be decoupled from projects building the assemblies. If this is the case, the Dotfuscator command line interface can be used to automate the handling of protected files.

Join the Conversation

If you have feedback on this topic or other topics you would like us to discuss in the Support Corner, please contact our Support Team. Your feedback is incredibly valuable to us and helps to shape the conversations in our Support Corner so we can create a community of shared knowledge and mutual growth. We look forward to hearing from you!

Categories
DashO Change Log

DashO Java Obfuscator Change Log V 12.1 Build 0 – Release Date August 2, 2023

Reading Time: < 1 minute

Enhancements

  • Android 13 (API level 33) support
  • Support for compiled bytecode of Java versions up to 19
  • Upgraded DashO Plugin for Gradle and DashO Plugin for Android to support Gradle version 7
  • DashO Plugin for Android is now able to automatically find a home directory of installed DashO of version up to 12.x
  • The “New Android Project” wizard modifies the build.gradle file correctly to select the appropriate version of DashO Gradle Plugin for Android depending on the existing version of the Google Android Plugin for Gradle

Changes

  • Updated to use ASM Java bytecode manipulation framework version 9.5
  • Updated to use Apktool version 2.7.0

Fixes

  • Library Entry Points configuration file section was not correctly imported from earlier versions of DashO
Categories
Risk Management

The Impact of Compliance Regulations on Application Security

Reading Time: 4 minutes

Application security is a critical concern in today’s digital landscape. As organizations develop and deploy apps to cover a wide range of needs, protecting them from malicious attacks is of utmost importance. In fact, sometimes security is even a compliance regulation requirement.

Compliance regulations play a vital role in safeguarding applications and websites by setting standards that developers must adhere to. These regulations help ensure that technology and its outcomes meet an established level of data protection, privacy, and overall security.

This article explores the impact of compliance regulations on application security, highlighting the significance of maintaining both compliance and security in today’s threat landscape.

Common Compliance Regulations for Application Security

Compliance regulations are the set of rules, standards, and guidelines established by regulatory bodies or industry organizations to ensure that applications and systems meet specific security requirements. They often cover areas such as data protection, encryption, access controls, secure coding practices, vulnerability management, and incident response. These regulations aim to protect sensitive data, maintain privacy, and mitigate security risks by defining the necessary measures and practices that organizations must follow.

While compliance regulations are extremely important, they require significant effort to implement and maintain. It’s no wonder that many organizations struggle to keep up with cybersecurity regulations, leaving their systems open to potential compromises. As such, organizations that fail to comply with regulations can face serious consequences, including hefty fines and reputational damage.

Below are some of the common compliance regulations that developers and businesses need to be aware of when developing software.

💳 Payment Card Industry Data Security Standard (PCI-DSS)

PCI DSS is a set of regulations that applies to organizations handling, processing, or storing payment card data. It establishes comprehensive security requirements to protect against data breaches and unauthorized access. Compliance with PCI DSS is essential for payment processors, and it involves implementing robust data encryption, secure authentication protocols, and data masking techniques to safeguard payment card information.

In 2013, the retail giant Target reported a major data breach that exposed millions of customers’ personal and financial information. Despite implementing PCI DSS regulations, the company missed critical warnings in its malware detection software, resulting in a significant data breach. The repercussions for Target were massive, with the company agreeing to pay an estimated $18.5 million in fines and settlements.

🔐 General Data Protection Regulation (GDPR)

Implemented in 2018, GDPR is a regulation that focuses on data protection and privacy for individuals within the European Union (EU). It imposes stringent requirements on organizations that collect, process, or store personal data of EU citizens. To comply with GDPR, organizations must implement data minimization practices, ensure strong data security and privacy measures, obtain proper consent, and promptly report data breaches.

In 2022, the Irish Data Protection Commission (DPC) fined Meta a total of €17 million after 12 data breaches exposed the personal data of millions of customers. The Irish DPC found that Meta had failed to implement technical and organizational measures to ensure GDPR compliance, making it liable for the breaches.

⚕️ Health Insurance Portability and Accountability Act (HIPAA)

HIPAA is a regulation that sets standards for protecting sensitive patient health information in the healthcare industry. It requires healthcare organizations and their business associates to implement safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI). Compliance with HIPAA involves implementing access controls, encryption, audit trails, and other security measures to protect patient data.

An example of a software-related violation of HIPAA is the 2019 settlement between the U.S. Department of Health and Human Services (HHS) and EHR vendor Greenway Health. Greenway Health agreed to pay $57.25 million for alleged violations, including failure to conduct a risk analysis, implement sufficient security measures, and enter into business associate agreements.

🛡 Federal Information Security Management Act (FISMA)

FISMA applies to federal agencies and contractors working with federal information systems. It establishes a framework for ensuring the security of government information and systems. Compliance with FISMA involves conducting risk assessments, implementing security controls, and developing incident response plans to protect sensitive government information.

The U.S. Office of Personnel Management (OPM) experienced a data breach in 2015 that compromised the personal information of millions of federal employees and government contractors. The U.S. government conducted an investigation and found that the OPM had failed to adequately implement security measures and comply with FISMA requirements, which led to the breach.

🔎 Sarbanes-Oxley Act (SOX)

SOX is a regulation aimed at enhancing corporate transparency and financial reporting. Organizations must establish internal controls and procedures to ensure accurate financial disclosures. While primarily focused on financial management, compliance with SOX often extends to IT systems and applications that handle financial data.

Peregrine Systems was investigated for accounting irregularities and financial fraud. The company had manipulated its financial statements using software tools to inflate its revenue and deceive investors. As a result, several executives were charged and convicted for their involvement in the fraud. This case highlights the significance of SOX in ensuring accurate financial reporting and ethical business practices within software companies.

Stay Compliant With PreEmptive

Developers need to understand the various compliance regulations and how they apply to cybersecurity. But compliance regulations are just one aspect of application security; organizations must also take proactive measures toward app-hardening. That means regularly reviewing code, understanding and implementing secure coding practices, regularly auditing third-party scripts for vulnerabilities, and ensuring that all data is encrypted.

PreEmptive offers advanced obfuscation tools that help organizations protect their applications from malicious attacks and ensure compliance with security regulations. It uses cutting-edge techniques such as control-flow flattening, tamper detection, and in-app protection transforms to ensure the application code is secure and compliant. Start a free trial and see how it can help you protect your applications today.