Application hardening, also known as application shielding, is the act of applying levels of security in order to protect applications from IP theft, misuse, vulnerability exploitation, tampering or even repackaging by people with ill intentions.
Application hardening is usually performed via security solutions or tools with specialized hardening capabilities that greatly increase the effort required by attackers to modify the application, making it no longer viable or worthwhile to target. The most robust tools shield applications from both static and dynamic threats.
Why Application Hardening?
Application hardening is an integral part of the defense strategy for businesses intent on building a trusted mobile environment with a secure software development lifecycle process. By implementing application hardening, you can:
- Protect the application from a hacker trying to reverse engineer the app back to source code
- Prevent hackers from trying to inspect internal values, monitor or tamper with the app
- Enable your application to safely run in zero‑trust environments
- Protect your users’ data and sensitive information
Does Your App Need Hardening?
Application hardening primarily applies in the prevention stage of a security strategy. If your app includes financial transactions, the collection or storage of users’ personal data, or even holds information about you or your business that you don’t want exposed, you need to harden your application. Applications today run on many untrusted devices in unknown environments. It is impossible to monitor all of these devices and environments, which puts your IP and the information you need to safeguard beyond the control of your business. Hardening also helps protect your brand image; security breaches can cause serious reputational damage.
Methods of Application Hardening
Protection from Reverse Engineering
- Code Obfuscation:
One mechanism used in application hardening is code obfuscation. Code obfuscation makes strategic modifications to the code so that it is difficult to decipher and decode. Obfuscation includes encrypting some or all of the code, stripping out potentially revealing metadata, renaming useful class and variable names to meaningless labels, or even adding pointless or unused code to an application’s binary.
- Anti-Debugging:
Debuggers are one of the main tools used by reverse engineers. Ordinarily they serve the benign purpose of finding and eliminating bugs in code, but in malicious hands they are used to learn the structure of your application and to find weaknesses and avenues of attack. Applications can be hardened by adding anti-debugging code that actively searches for common debuggers and debugging techniques, and enables the application to detect and block them.
- Binary Packing:
Binary packing is a mechanism used to protect against static analysis. The application downloaded from the app store is encrypted and is only unpacked at runtime, making it extremely hard for static analysis to be performed.
- White-Box Cryptography:
White-box cryptography is a set of cryptographic functions that ensure secret keys are always encoded, even during execution. It is a library that can be integrated into any application that requires cryptographic functions.
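To make the anti-debugging idea from this section concrete, here is an added example (not from the original article or any vendor product) of one common debugger check on Linux-kernel platforms such as Android: reading the `TracerPid` field of `/proc/self/status`. The function names are hypothetical, and the sample status text in `main` is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Extract TracerPid from the text of /proc/<pid>/status.
 * Returns the tracer's PID (0 = not traced) or -1 if the field is absent. */
static long tracer_pid_from_status(const char *status) {
    const char *key = "TracerPid:";
    const char *p = status;
    while (p && *p) {
        if (strncmp(p, key, strlen(key)) == 0)
            return strtol(p + strlen(key), NULL, 10);  /* skips the tab */
        p = strchr(p, '\n');          /* advance to the start of next line */
        if (p) p++;
    }
    return -1;
}

/* Check this process: 1 = a tracer (debugger) is attached, 0 = none,
 * -1 = cannot tell (no /proc, or field missing). */
static int being_traced(void) {
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    long pid = tracer_pid_from_status(buf);
    return pid < 0 ? -1 : pid != 0;
}

int main(void) {
    /* Constructed sample of a status file for a process under a debugger. */
    const char *sample = "Name:\tapp\nState:\tS (sleeping)\nTracerPid:\t4242\n";
    printf("sample tracer pid: %ld\n", tracer_pid_from_status(sample));
    printf("being_traced(): %d\n", being_traced());
    return 0;
}
```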
Protection from Tampering
Several anti-tampering mechanisms exist, all of which contribute towards application hardening. Some typical mechanisms are described below.
- Integrity Checking:
Integrity checking hardens applications by inserting thousands of small, overlapping pieces of code called checkers. During runtime, each of these checkers tests whether a particular segment of the executable has been tampered with. If any tampering has occurred, actions can be triggered to protect the application’s integrity such as notifying the user, calling a custom response function, generating a log message, or even shutting down the program.
- iOS Jailbreak Detection:
Jailbreaking an iOS device involves removing the limitations that the manufacturer or service providers intended by gaining root access to the device. Once jailbroken, the security controls installed by the manufacturer are breached and any rogue app can access your application data or keys. Jailbreak protection identifies if the device security has been breached and reports it to the application, enabling it to take the appropriate response.
- Android Rooting Detection:
Similar to iOS jailbreaking, Android device rooting allows an attacker to gain root access to an Android device. The successful rooting of an Android device is a security risk to applications that deal with sensitive data or enforce certain restrictions. Android rooting detection methodologies implement anti-rooting techniques to detect the legitimacy of the operating system and execute defense actions accordingly.
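The overlapping checkers described under Integrity Checking can be sketched as follows. This is an added example, not code from the original article or from any product: the 64-byte "image" is a constructed stand-in for executable code, the segment sizes and function names are assumptions, and FNV-1a serves only as a compact checksum.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IMAGE_LEN 64  /* constructed stand-in for an executable's code bytes */
#define SEG_LEN   16  /* bytes covered by each checker */
#define STRIDE     8  /* smaller than SEG_LEN, so neighbouring checkers overlap */
#define NCHECK ((IMAGE_LEN - SEG_LEN) / STRIDE + 1)

typedef struct { size_t off; uint32_t expected; } checker_t;

/* FNV-1a: a simple checksum, not a cryptographic hash. */
static uint32_t fnv1a(const uint8_t *p, size_t n) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

/* Build step: record the expected checksum of every overlapping segment. */
static void build_checkers(const uint8_t *img, checker_t *c) {
    for (size_t i = 0; i < NCHECK; i++) {
        c[i].off = i * STRIDE;
        c[i].expected = fnv1a(img + c[i].off, SEG_LEN);
    }
}

/* Runtime step: bitmask of checkers whose segment no longer matches. */
static uint32_t run_checkers(const uint8_t *img, const checker_t *c) {
    uint32_t failed = 0;
    for (size_t i = 0; i < NCHECK; i++)
        if (fnv1a(img + c[i].off, SEG_LEN) != c[i].expected)
            failed |= 1u << i;
    return failed;
}

/* Fill the constructed image, build the checkers, flip one byte at
 * patch_at (negative = leave untouched) and return the failure mask. */
static uint32_t demo(int patch_at) {
    uint8_t img[IMAGE_LEN];
    checker_t c[NCHECK];
    for (size_t i = 0; i < IMAGE_LEN; i++) img[i] = (uint8_t)(i * 7 + 3);
    build_checkers(img, c);
    if (patch_at >= 0) img[patch_at] ^= 0xFF;
    return run_checkers(img, c);
}

int main(void) {
    printf("clean=0x%x patched@20=0x%x\n", (unsigned)demo(-1), (unsigned)demo(20));
    return 0;
}
```

A byte changed in an overlap region trips two checkers at once, so the response (log, notify, shut down) does not depend on any single check surviving.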
Application Hardening—Where to Start?
Attempts to hack an application usually begin with attackers trying to reverse engineer or debug the application to find vulnerabilities. Armed with this knowledge, attackers can extract data and/or modify the application to alter its function or behavior. In a world increasingly dominated by mobile and IoT devices, application hardening acts as the first line of defense in zero‑trust environments.
Code Protection injects self-defending capabilities into your applications, enabling them to run securely in zero-trust environments. whiteCryption Code Protection uses multiple techniques including code obfuscation, code flattening, and real-time intrusion detection to strengthen and deepen your app’s security self‑reliance.
whiteCryption Secure Key Box from Intertrust is an easy to integrate and use white-box cryptography library that protects your cryptographic keys from any compromise.
About Paul Butterworth
Paul Butterworth is an experienced payment and security professional, having spent almost 30 years in the card, payments and IT security industries. Paul is responsible for global product marketing for the Intertrust Secure Systems’ market-leading application shielding and device identity solutions.