Categories
Risk Management

Common Mistakes Developers Do When Building Apps

Reading Time: 5 minutes

With the rapid rate at which new apps are popping up, it goes without saying that app development is becoming increasingly popular. Over 143 billion apps were downloaded in 2021 alone. However, not all apps garner the success their developers may have initially hoped to achieve. Many end up getting uninstalled after their first use.

The competitive market is partly to blame for this. But mistakes that occur during the application development process are to blame as well. Here, we’ll go over eight of the most common mistakes developers make so that you can avoid them and position your app for success. 

1. Skipping Over Research

After coming up with or hearing an idea for an app, many developers want to dive right into bringing the vision to life. However, rushing in without research can lead to numerous issues and wasted money. 

Successfully developing and marketing an app relies on user research. Is there a need for the app? If so, who is the target audience — what are their demographics? And what are their typical behaviors and motivations?

Competitor research is also critical. If they’re also developing an app — or if they already have one — then keeping tabs on what they’re up to will help you create something unique and appealing. 

2. Striving to Create a “Perfect” App

There’s nothing wrong with wanting to create a great app that users will love. In fact, that’s usually the point. There’s no such thing as a “perfect” app, though. Trying to create something that’s free of all flaws could lead to a never-ending development cycle. Ultimately, you may never launch it. 

That doesn’t mean you can’t strive to develop an app that continues to improve over time. One way to do this is by creating a minimum viable product or MVP. An MVP is a version of an app that only includes the essential features it needs to work. You can then release it to early adopters who can assess its functionality and performance. Their feedback allows you to create a better final product, avoid time and budget waste, and may even speed up the time to launch. 

3. Failure to Test Properly

Testing is a critical component of the software development lifecycle (SDLC). It ensures a smooth, pleasant user experience and helps developers squash “bugs” before launch. The problem is that several challenges still exist

There are several strategies for dealing with common testing challenges. Here are a few that may help:

  • Develop a solid testing process that includes how often you’ll test an app and who will do it. 
  • Consider using in-house and outsourced testing experts. 
  • Make sure you have all of the proper tools to run tests.
  • Make sure there’s ample time to devote to testing (schedule it if you have to). 

4. Creating a Poor User Experience

It’s not uncommon for developers to get so entrenched in the development process that they forget about how users will interact with an app. Unfortunately, that mistake can be costly. A poor user experience is one of the top reasons people uninstall apps. 

Several issues can impact an app’s user experience, including:

  • Slow loading speeds
  • Difficult to navigate (it takes too many clicks for users to find what they need)
  • Unnecessary log-in pages
  • Intrusive ads
  • Low-quality content
  • Boring design

An essential consideration for a good user experience? The user! Put yourself in their shoes when assessing the overall experience. The feedback you get from your MVP version can come in handy, too.  

5. Trying to Squeeze Too Many Features and Functions Into the App

Unique features and functions that serve a purpose for app users are great. Trying to squeeze in too many, however, can be detrimental. 

For one thing, the more features you add, the more expensive the project becomes. Excessive features can bog the app down, hindering its performance and ruining the user experience. The app can also become too large and require too much space on users’ phones.

When determining what features to add to an app, consider if they’re necessary first. Leave out the ones that don’t offer any value. If you start hearing a call for specific features from users, you can add and optimize them later. 

6. Building for Every Possible Platform

You might feel tempted to develop your app for every possible platform right out of the gate. After all, it’s a surefire way to attract more users.

But trying to tackle multiple platforms from the start could quickly destroy your budget. It can also be incredibly time-consuming. Instead, consider starting with one platform — basing your decision on market research — and expanding to others after your initial launch. 

That doesn’t mean you can’t develop an app for more than one platform to start. Make sure that you have a cross-platform strategy, though. For instance, you could use a single source code on a cross-platform app development tool to deploy on Android and iOS devices. 

7. Ignoring Feedback 

Feedback has come up a couple of times already. Listening to what your app users have to say is critical for building an app that they want to use. It’s about more than just listening, though. It’s also about using that feedback to improve your app with each update. Along with eliminating pain points for your users, using customer input lets them know you care. That’s one of the best ways to earn their loyalty. 

What happens if you don’t listen? User satisfaction decreases, and people start uninstalling your app in favor of something else.

8. Neglecting the Importance of Security

A recent survey found that 86% of developers don’t view security as a top priority when writing code. Half of the respondents also said they wouldn’t be able to guarantee their code to be safe from common vulnerabilities. 

Hackers don’t only attack websites. Some can reverse engineer mobile apps to inspect them while they work or capture communications between an app and server. They can also use code-based attacks to steal data, get around security checks, or compromise your app’s integrity. 

Prioritizing security is a must. One way to do this is with comprehensive mobile app protection with PreEmptive. Applying a layered approach, PreEmptive Protection uses obfuscation, encryption, tamper-proofing, and more to make your apps more difficult for potential hackers to exploit. It integrates seamlessly into your build process and requires no code changes. Best of all, it goes wherever your apps go. 


Avoid Common Mistakes for Better Apps People Love to Use

App development can be a time-intensive and sometimes frustrating process. Even the best developers make mistakes from time to time. Understanding the most common ones can help you avoid them or manage them more effectively if they do happen. 

If you’re looking for ways to make your apps more secure, PreEmptive is here to help. Visit our products page for more information about our app protection, or check out our resources to see what else we can do for you!


Categories
Support Corner

Understanding Cross-Assembly obfuscation

Reading Time: 2 minutes

Enterprise application development involves several moving parts.  There may be different teams working on different components: server-side, client-side, GUI, API, database, etc.  Each component may have a completely different release cycle, and each team may be working completely independent of one another.  But however the work is divided, all these components must come together to work properly at runtime. Any professional application protection tool should have the ability to handle these complex scenarios without disrupting the development process.  

Dotfuscator’s Runtime

Dotfuscator is designed with that at the center. The tool allows users to get up and running quickly, while providing full control to adjust for specific project requirements.  Cross-Assembly Obfuscation is just one example of the many ways it provides us this flexibility. 

Dotfuscator treats its inputs as a set of related assemblies.  It examines all internal and external references, traverses the full inheritance hierarchy.  It then performs “Cross-Assembly Obfuscation” meaning classes, methods, properties and their references are renamed uniformly across all input assemblies.

Dotfuscator Flexibility

If it’s not feasible to obfuscate and deploy our entire application at the same time, this is not a problem for Dotfuscator.  It can be approached a few different ways, but the easiest to maintain is to build with Library Mode enabled for each project.  In Library Mode, Dotfuscator preserves public and protected types and member names and signatures.  Only private and internal types and members will be renamed.  Obfuscation transforms like Control Flow, String Encryption, and Tamper detection will be performed regardless of access modifier.  This ensures that calls to the obfuscated assemblies work properly whether the calling assembly has been obfuscated in the same project or not.  

Cross Assembly Obfuscation Example

A simple example can be downloaded here.  This shows the same set of assemblies (two dll’s referenced by one main exe) obfuscated two different ways.  In the first scenario, all assembly files are included in one Dotfuscator project.  In the second scenario, each assembly is obfuscated separately, with Library Mode enabled to preserve references between them.  In both scenarios, the obfuscated binaries come together to work properly at runtime. 


Stay tuned for our continuation article, we will examine other strategies for approaching obfuscation spanning different teams.  If you have feedback on this topic or other topics you would like us to discuss in the Support Corner, please feel free to contact our Support Department.


Categories
Risk Management

The Risks Of Not Using In-App Protection

Reading Time: 4 minutes

Businesses of all types rely on applications, in fact they have become the central way the majority of us live our lives. From online banking, to filing your taxes on your phone or attending a virtual doctor’s appointment. Every element of our lives is navigated by a mobile or desktop application

It’s not just users, companies are also reliant on applications. Using them to manage central operations, production, fulfillment and marketing. Organizations use applications in a myriad of fashions, by the same token every application adds further risk. 

Businesses are shifting online to meet emerging needs but are also being faced by an emerging risk landscape with expanding risk across the Internet of Things. Application protection as such is an essential component to protect every element of your organization. IP Theft, application attacks or data leakage can all have material impacts on the organization, reputation and adherence to regulations. The impact of failures in this regard can be expensive. In 2018 it was estimated that IP targeted cyber crime accounted for $50 to $60 Billion of global losses. The payment industry has established fines of up to $500K per incident for security breaches according to UCSC failure to comply for companies is clearly expensive. 

With that noted, it is important to examine the tacit consequences and long term impacts of not using in app protection:

Risk of Unauthorized Access

Unauthorized Access is a critical risk for the majority of industries that handle private information, specifically personally identifiable information. If a person who is not allowed to make use of your application starts making use of it then there are more chances that the individual will commit fraud. It is hard to predict the behavior or intentions of anyone but it is essential to take every proactive step to avoid unauthorized access. 

Vulnerabilities like Broken Authentication expose your applications to hackers gaining access and then committing fraud. Session management or credential management issues can easily enable hackers to gain access and commit fraud against your application. The worst part… these attacks often go unnoticed without in app protection or runtime checks. As we know the cost of breaches only goes up over time: A breach identified in 100 days costs approximately $5.99 Million, while a breach that takes longer can cost upwards of $8.7 Million. 

Hackers can also use access to your application to expose sensitive datam putting end users at risk of losing their personal data or facing the downstream risks of identity theft, data leaking and doxing. All of which present a tangible threat and will likely result in financial obligations for the organization, due to negligence and failure to protect their customers. It can also be as simple as privilege escalation, a user enabling additional privileges allowing them to control aspects of the application that should not be externally leveraged. A recent example is the 2017 Accenture attack.

Risk Of Fines & Financial loss

There is a reason that the top software companies like 1Password, Google & Adobe pay over $100,000 for researchers that identify vulnerabilities within their toolsets. The bug bounty is in fact a rapidly growing industry and entire organizations exist around identifying these vulnerabilities. A recent research report from IBM identified that finance security professionals detect just 56% of incoming attacks, managing 53% of these attacks and only preventing 31% of attacks completely. Organizations don’t have a comprehensive ability to mitigate risk, even if you are using SAST / DAST / IAST and penetration testing risks can still slip through the gaps. 

The average cost of vulnerabilities for all industries is approximately $13 Million. This combines the cost of paying for fines corresponding to regulation violations, the cost of remediating the risky vulnerabilities, the expense to prevent data from being leaked and the potential cost of IP being leaked. Then let’s lay on the cost of reputation damage, Security Magazine reports that 80% of customers will not continue to leverage a bank’s services if their information is compromised… this is probably justified. Organizations are equally skeptical of services following attacks and they will follow the example of customers.  But, reputation isn’t singular, organizations can also face the impact of loss of goodwill. It will impact your brand image and can prevent customers from even acknowledging the validity of your organization.

Risk of IP Loss

Intellectual property loss is likely the most pernicious risk of not using In App protection. It is often the case that applications include some form of intellectual property which could encourage competitors to copy, steal or leverage in their own applications. 

Reverse engineering is a significant issue for organizations, by enabling capabilities on the client side, users and hackers can gain access to and expose more functionality through the server siege of the application. Not obfuscating code enables these users to easily interpret the intended functionality of the application and identify how to replicate this operability. One recent example is American Superconductor, a U.S based provider of clean energy solutions. In 2011 their largest customer Sinovel ignored their contract and refused to pay millions of dollars owed. The company then obtained the source code for all of the electronic components and were able to install a pirated version into their wind turbines. The violation of the IP rights and loss of revenue can incur as much as $200 Million a year in losses. Without possibility for legal resources or ability to prevent continued leverage. 

IP trade theft costs organizations as much as 3% of Annual U.S. GDP.

But, what can be done to prevent these risks? 

Obfuscation, PreEmptive provides a layered approach that clings to the deployed application and helps to ensure any unidentified vulnerabilities that are hidden. Reducing the likelihood of hackers identifying and leveraging them. Obfuscation also protects your IP concealing the framework and structure of your application from corporate spying and ensuring your competitors can’t repurpose your sweat equity.

For more information about in-app security, visit our products page and start protecting your apps today!


Categories
Support Corner

Protecting a ClickOnce Deployed Application

Reading Time: 2 minutes

ClickOnce is a popular way to deploy and keep applications up to date without a lot of hassle.  These applications are downloaded to the end user’s machine after being published to the server, which means they can easily be decompiled and reverse engineered like other .NET applications. 

Protecting an application that is deployed via ClickOnce is usually very complicated.  After protection, the application and deployment manifests must be manually updated using the Mage tool.  Signing of manifests and assembly files must be done manually, as well. 

With Dotfuscator, we’ve worked to make this process much simpler.

Consider this Example

In 4x versions, Dotfuscator accepted the ClickOnce .application as direct input.  It would re-generate the obfuscated assemblies along with the updated .application package.  The updated deployment manifest and protected binaries would then be copied to the ClickOnce deployment server to be downloaded by the end-user.

Starting with version 6, we’ve made this process even easier.  We just have to integrate Dotfuscator into our application’s project file (.csproj, .vbproj).    

Doing so triggers Dotfuscator to run before packaging steps of our Release build.  Protected binaries are then automatically packaged for deployment.  No additional steps required.

We’ve worked with customers that deploy through ClickOnce, and also create an installer for offline installs.  This process allows us to do both without any additional steps.

A simple ClickOnce project with Dotfuscator integration can be downloaded here.  A release publish of this project generates obfuscated binaries.  Double-clicking the .application manifest simulates a download and install of the ClickOnce application on the client’s machine.

If you have feedback on this topic or other topics you would like us to discuss in the Support Corner, please feel free to contact our Support Department.


Categories
Dotfuscator Support Corner

Protecting Windows Forms Applications with Data Bound GUI Controls

Reading Time: 3 minutes

Today we will focus on data binding, but first let’s define this. Data binding allows Windows Forms applications to display and update UI controls from a data source, without having to modify source code for the control itself. 

When protecting Windows Forms applications, it is important to note how the data bound controls are constructed to determine if they will be impacted by code obfuscation.  If the controls bind to a collection of objects, original property names of that object must be preserved to correctly populate “DisplayMember” and “ValueMember” properties of the control.  When binding controls to an Enum, the original names of its members must be preserved, or the GUI control might show obfuscated names.  On the other hand, if we’re binding directly to a database table (and the table does not map to an object in source code), we don’t need any custom configurations because Dotfuscator does not mangle table and column names.

Consider the Following Example:

This simple Windows Forms application has three UI controls with different data binding techniques: a DataGridView binds to a Customer table in a database, a ListBox binds to a collection of Employee objects, and ComboBox binds to an Enum called DaysOfWeek:  

If I obfuscate with project defaults, I experience a runtime error at app startup:

This occurs because original property names of the Employee object are used in “DisplayMember” and “ValueMember” ListBox properties:

            listBox1.DataSource = employeeList;

            listBox1.DisplayMember = “Name”;

            listBox1.ValueMember = “Department”;

To Avoid the Runtime Error:

First, I’ll open my project configuration file (DotfuscatorConfig.xml) in the Dotfuscator Config Editor, and set a Rename exclusion for the properties in the Employee object:

After configuring this Rename exclusions, the application starts without the runtime exception, but the “DaysOfWeek” ComboBox appears with obfuscated names:

In order to fix this, I will configure a Rename exclusion for the members of DaysOfWeek.

After providing this Rename exclusion, the app starts without any issues or erroneous behavior.  Please also note the DataGridView, which binds to the Customer table in our database, did not require any Rename configuration to start and display correctly.

Conclusion

There are several different ways to use data binding in Windows Forms applications.  We’ve seen a few ways that data bound controls can be impacted by obfuscation.  If you experienced a runtime crash or erroneous UI behavior after applying obfuscation, please use the above steps to resolve the issue. 

The full example can be downloaded here.

If you have any feedback on this topic or other topics you would like us to discuss in the Support Corner, please feel free to contact our Support Department.