Application hardening methods and benefits hero graphic

Application hardening methods and benefits

Posted On

By Paul Butterworth


Application hardening, also known as application shielding, is the act of applying levels of security in order to protect applications from IP theft, misuse, vulnerability exploitation, tampering or even repackaging by people with ill intentions.

Application hardening is usually performed via security solutions or tools with specialized hardening capabilities that greatly increase the effort required by attackers to modify the application, making it no longer viable or worthwhile to target. The most robust tools shield applications from both static and dynamic threats.

Why Application Hardening?

Application hardening is an integral part of the defense strategy for businesses intent on building a trusted mobile environment with a secure software development lifecycle process. By implementing application hardening, you can:

  • Protect the application from a hacker trying to reverse engineer the app back to source code
  • Prevent hackers from trying to inspect internal values, monitor or tamper with the app
  • Enable your application to safely run in zero‑trust environments
  • Protect your users’ data and sensitive information

Does Your App Need Hardening?

Application hardening primarily applies in the prevention stage of a security strategy. If your app includes financial transactions, the collection or storage of users’ personal data, or even holds information about you or your business that you don’t want exposed, you need to harden your application. Applications today run on many untrusted devices in unknown environments. It is impossible to monitor all of these devices and environments, putting your IP and information you need to safeguard beyond the control of your business. Hardening also helps protecting your brand image; security breaches can cause serious reputational damage.

Methods of Application Hardening

Protection from Reverse Engineering

  1. Code Obfuscation:
    One mechanism used in application hardening is code obfuscation. Code obfuscation makes strategic modifications to the code so that it is difficult to decipher and decode. Obfuscation includes encrypting some or all of the code, stripping out potentially revealing metadata, renaming useful class and variable names to meaningless labels, or even adding pointless or unused code to an application’s binary.
  2. Anti-Debugging:
    Debuggers are one of the main tools used by reverse engineers. Ordinarily they serve the benign purpose of finding and eliminating bugs in code, but in malicious hands are used to learn the structure of your application to find weaknesses and avenues of attack. Applications can be hardened by adding anti-debugging code that actively searches for common debuggers and debugging techniques, and enables the application to detect and block them.
  3. Binary Packing:
    Binary packing is a mechanism used to protect against static analysis. The application downloaded from the app store is encrypted and is only unpacked at runtime making it extremely hard for static analysis to be performed.
  4. White-Box Cryptography:
    White-box cryptography is a set of cryptographic function, that ensure secret keys are always encoded, even during execution. It is a library that can be integrated into any application that requires cryptographic functions to be used.

Protection from Tampering

Several anti-tampering mechanisms exist, all of which contribute towards application hardening. Some typical mechanisms are described below.

  1. Integrity Checking
    Integrity checking hardens applications by inserting thousands of small, overlapping pieces of code called checkers. During runtime, each of these checkers tests whether a particular segment of the executable has been tampered with. If any tampering has occurred, actions can be triggered to protect the application’s integrity such as notifying the user, calling a custom response function, generating a log message, or even shutting down the program.
  2. iOS Jailbreak Detection
    Jailbreaking an iOS device involves removing the limitations that the manufacturer or service providers intended by gaining root access to the device. Once jailbroken, the security controls installed by the manufacturer are breached and any rogue app can access your application data or keys. Jailbreak protection identifies if the device security has been breached and reports it to the application, enabling it to take the appropriate response.
  3. Android Rooting Detection
    Similar to iOS jailbreaking, Android device rooting allows an attacker to gain root access to an Android device. The successful rooting of an Android device is a security risk to applications that deal with sensitive data or enforce certain restrictions. Android rooting detection methodologies implement anti-rooting techniques to detect the legitimacy of the operating system and execute defense actions accordingly.

Application Hardening—Where to Start?

Attempts to hack an application usually begin with attackers trying to reverse engineer or debug the application to find vulnerabilities. Armed with this knowledge, attackers can extract data and/or modify the application to alter its function or behavior. In a world increasingly dominated by mobile and IoT devices, application hardening acts as the first line of defense in zero‑trust environments.

Some of the biggest enterprises delivering trusted services across the globe secure their applications with whiteCryption® Code Protection™ from Intertrust.

Code Protection injects self-defending capabilities into your applications, enabling them to run securely in zero-trust environments. whiteCryption Code Protection uses multiple techniques including code obfuscation, code flattening, and real-time intrusion detection to strengthen and deepen your app’s security self‑reliance.

whiteCryption Secure Key Box from Intertrust is an easy to integrate and use white-box cryptography library that protects your cryptographic keys from any compromise.

Get in touch with us to learn more about Code Protection and Secure Key Box, or schedule a demo to see for yourself the benefits application hardening can bring to your business.


whitecryption CTA Banner

About Paul Butterworth

Paul Butterworth is an experienced payment and security professional, having spent almost 30 years in the card, payments and IT security industries. Paul is responsible for global product marketing for the Intertrust Secure Systems’ market leading application shielding and device identity solutions.

Related blog posts


How application shielding fits into the DevSecOps framework

Read more


How DUKPT key management works in POS environments

Read more


Mitigating your Java code security debt

Read more