An application’s source code is the lifeline of its existence. It represents thousands of hours of work encompassing all the research, the findings, the development and the anticipation for its success. Application source code can be compared to a vital organ in a living organism and should be fully protected from attacks of any kind.
So what is the worst that could happen when someone uses application reverse engineering to steal or decompile a chunk of your app’s source code?
- They steal your business: If you own a paid app and you’re seeing a lot of financial transactions, the attacker can make a free version of it and just put your business model to sleep. This will most likely require that you abandon your project and come up with another one, or pursue a long legal battle.
- Contagious infections: The attackers retain the app as it is, but infect it with malware or viruses to create scammer schemes on later builds. Your users are cheated and take the brunt of the impact. Revenue is redirected to the attackers as opposed to you. It’s likely to force you out of business and probably give you a good work out in the legal department as well.
- Profiting off your hard work: Once attackers notice your success, they are bound to come after you. You’re basically a walking target. If the attackers or your competitors get a hold of your source code, they’ll do everything they can to rip it apart to see what your competitive advantage was. You know what happens in this story.
Even in the case that this doesn’t ruin your business, it’s bound to distract you from what really matters and those are your business goals. Losing precious time and resources are not an option in this case.
Application Reverse Engineering (Built for good, used for bad)
Everything we’ve discussed here is possible through the act of reverse engineering. Application reverse engineering is the process of breaking down an application and then studying its design, code, architecture, and technical composition in order to learn more about how it was created and how it works. Reverse engineering typically can be considered as a means for developers to learn, build skills, and enhance software products or mobile apps for whatever reasons (ethical mostly).
While reverse engineering was intended for good, ill-intentioned hackers use it as an opportunity to discover exploitable bugs for personal gain.
The fact that there are many software reverse engineering tools available in the market makes it easier for these individuals to carry out attacks. Attackers usually perform an audit of the final core binary to determine elements within the app like its original string table, source code, libraries, algorithms, and resources. They use affordable and easy-to-use tools like IDA Pro, Hopper, otool, strings, and a few other binary inspection tools from within the attacker’s environment.
Your competitors, on the other hand, want to learn what you are doing to copy your efforts or do it better.
How To Prevent Application Reverse Engineering?
One may assume that copyright and patent protection would prevent competitors from replicating your product. However, patent and copyright security only help protect the look and shape of the product, and the idea behind its functionality. There are many legal ways around the protection of a patent or copyright. For example, negotiating a license to use the idea, claiming the concept is not a novel one or even by making a subtle change and claiming that the changed product is not protected by the patent. If you think you are protected by legal methods, think again!
If it all sounds too overwhelming, start with the basics. Protect your code and harden your app’s defense. Protecting code can be carried out by using a security measure known as application shielding. Application shielding is a simple means of hardening any application so that it is extremely difficult to get through to the source code. It is usually performed using a number of techniques like code obfuscation, anti-tamper technologies, and key protection techniques.
Obfuscation is a strategic method of scrambling code, so it’s hard to understand and makes it extremely difficult to decode. Anti-tamper technology inserts additional code into your application to detect if the code has been changed, or is being attacked, and key protection uses a combination of mathematics and cryptography to ensure your keys remain protected at all times. By making the job extremely difficult, hackers usually think twice about investing time and resources to break into the application.
They say that one of the best ways to resist an attack is to make the destination not worth the journey. The purpose of most hacks, including application reverse engineering, is to basically steal an app, or its data to get some sort of value or bounty from it. If the effort and time involved outweighs the reward, then hackers will likely move to another target that is easier to compromise with less effort.
For more information please download The Practical Guide to Application Hardening.
About Paul Butterworth
Paul Butterworth is an experienced payment and security professional, having spent almost 30 years in the card, payments and IT security industries. Paul is responsible for global product marketing for the Intertrust Secure Systems’ market leading application shielding and device identity solutions.