Unlike security solutions that monitor, test and detect vulnerabilities or loopholes in apps, application shielding works primarily on prevention: it makes the code of an application extremely hard to get through or understand. This leaves very little room for attackers to work with, making the app much more difficult to decipher and penetrate.
Many security testing solutions take a reactive stance on security. Application shielding, on the other hand, evaluates and analyzes an app's environment to ensure that it can withstand and block attempts at tampering and reverse engineering, protecting the application's integrity before an attack has happened. This makes it a proactive solution that helps businesses avoid the many adverse outcomes that can result from a security breach.
Some of the biggest brands in the world that are powered by applications have realized how critical it is to harden an app’s security. We’ve seen adoption in the use of application shielding by these businesses in order to use security as a competitive advantage in their race against the competition to scale.
By applying application shielding to your applications, you dramatically raise the bar on the effort required to reverse engineer or modify your app. It is similar to installing an alarm system, barbed wire and CCTV cameras to protect your home: it may not make the home totally impenetrable, but it will deter all but the most determined attacker.
Therefore, using application shielding to make it difficult to reverse engineer an app, tamper with it or even attach a debugger to it dramatically reduces the incentive for an attacker to proceed.
How does application shielding work?
- Code Obfuscation: In simple words, obfuscation is the act of making something difficult to understand. The code of a program is often obfuscated to protect IP and prevent attackers from reverse engineering proprietary software. This may involve encrypting some or all of the code, stripping out potentially revealing metadata, renaming meaningful class and variable names to meaningless labels, or even adding unused or pointless code to an application binary. In addition, the structure of the code is altered or flattened to make its control flow difficult to follow, all without altering the behavior of the app.
- White Boxing or White-box cryptography: Refers to the set of techniques used to hide and protect sensitive application data (typically encryption keys) stored on a device. In its most basic form, white-box cryptography uses techniques similar to obfuscation to hide data, but it can also be combined with anti-tampering functionality. White-box cryptography ensures that encryption keys remain protected even while they are being used: they never appear in the clear in the device's memory.
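To make the "flattening" part of the obfuscation bullet concrete, here is an added example (not code from the original post or from any vendor product) showing a small routine before and after control-flow flattening. The function, its constants and the input are all constructed for illustration; the flattened version computes exactly the same result, but its loop and branch structure is replaced by a dispatcher over arbitrary state labels.

```c
#include <stdint.h>
#include <stddef.h>

/* Original, readable version: a simple constructed mixing routine.
 * Odd bytes are added to the accumulator, even bytes are XORed in. */
uint32_t mix_plain(const uint8_t *buf, size_t len) {
    uint32_t acc = 0x1234;
    for (size_t i = 0; i < len; i++) {
        if (buf[i] & 1)
            acc += buf[i];
        else
            acc ^= (uint32_t)buf[i] << 3;
    }
    return acc;
}

/* Flattened version: the same logic expressed as a dispatcher loop
 * over opaque state numbers. The original for-loop and if/else no
 * longer appear as such in the control-flow graph, which is what a
 * decompiler or a human reverse engineer would try to recover. */
uint32_t mix_flattened(const uint8_t *buf, size_t len) {
    uint32_t acc = 0x1234;
    size_t i = 0;
    int state = 0x3A;                 /* arbitrary labels, not 0,1,2... */
    for (;;) {
        switch (state) {
        case 0x3A: state = (i < len) ? 0x17 : 0x51; break;       /* loop test  */
        case 0x17: state = (buf[i] & 1) ? 0x2C : 0x08; break;    /* branch     */
        case 0x2C: acc += buf[i]; state = 0x44; break;           /* odd byte   */
        case 0x08: acc ^= (uint32_t)buf[i] << 3; state = 0x44; break; /* even */
        case 0x44: i++; state = 0x3A; break;                     /* increment  */
        case 0x51: return acc;                                   /* exit       */
        default:   return 0;  /* unreachable; keeps the switch total */
        }
    }
}

/* Constructed input used to show both versions agree. */
static const uint8_t sample_input[] = { 'a', 'b', 'c' };

int flattening_preserves_behavior(void) {
    return mix_plain(sample_input, sizeof sample_input) ==
           mix_flattened(sample_input, sizeof sample_input);
}
```

Real obfuscators apply this to every function and add bogus states and opaque predicates on top; the point here is only that behavior is preserved while structure is hidden.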
- Anti-Tampering: Involves a combination of techniques such as obfuscation, encryption, and protection of checksums and hashcodes. Obfuscation makes code difficult to understand; however, some attackers are determined enough to break through it. Anti-tampering techniques make it difficult for an attacker to succeed in modifying the obfuscated code.
An attacker needs to decrypt software before they can work out its function. Anti-tampering uses encryption extensively to prevent this, and adds an extra defensive layer by hiding how the decryption works and which encryption key has been used.
Both checksums and hashcodes are used to detect modifications to protected code. Anti-tampering also hides the checksums and hashcodes themselves, so that an attacker cannot simply update them after modifying the code and then perform illegitimate transactions undetected.
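The integrity-check idea in the anti-tampering bullets, as an added example that is not code from the original post or from any product: a hash is computed over a protected region at build time, the reference value is stored split in two parts rather than as a single recognizable literal, and at run time the region is re-hashed and compared. The FNV-1a hash, the region contents and the split mask are all constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* FNV-1a 32-bit hash, used here as the integrity "hashcode". */
static uint32_t fnv1a(const uint8_t *p, size_t n) {
    uint32_t h = 0x811C9DC5u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x01000193u; }
    return h;
}

/* Constructed stand-in for a protected code/data region. */
static const uint8_t protected_region[] = "transfer_limit=1000";

/* Reference hash stored as two parts; the actual expected value only
 * exists transiently when the parts are combined at check time. */
typedef struct { uint32_t part_a, part_b; } split_ref_t;

/* Build-time step: hash the pristine region and split the result. */
split_ref_t make_reference(const uint8_t *region, size_t n, uint32_t mask) {
    split_ref_t r = { fnv1a(region, n) ^ mask, mask };
    return r;
}

/* Run-time step: re-hash the region and compare with the recombined
 * reference. Returns 1 if intact, 0 if any byte has changed. */
int region_intact(const uint8_t *region, size_t n, split_ref_t ref) {
    return fnv1a(region, n) == (ref.part_a ^ ref.part_b);
}

/* Demonstration: the check passes on the pristine copy and fails once
 * a single byte is patched (here the limit digit at index 15). */
int tamper_detected(void) {
    uint8_t copy[sizeof protected_region];
    memcpy(copy, protected_region, sizeof copy);
    split_ref_t ref = make_reference(copy, sizeof copy, 0x5A5A5A5Au);
    int ok_before = region_intact(copy, sizeof copy, ref);
    copy[15] = '9';                       /* "transfer_limit=9000" */
    int ok_after = region_intact(copy, sizeof copy, ref);
    return ok_before && !ok_after;
}
```

In a shipped binary the reference parts would themselves be covered by further checks or computed by obfuscated code, since a plainly stored expected value can simply be recomputed and overwritten along with the patch.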
The Rising Importance of Security On Mobile Apps
While application shielding can be implemented in both web and mobile apps, mobile apps have become increasingly critical to an organization's operational success. Their level of access, the sensitive data they contain, and the negative ramifications that can come from a malicious, masquerading version are all very high.
As we now rely on the convenience these apps provide in our daily lives, it is becoming increasingly essential to protect mobile applications from the inside out. Inadequate security puts the safety of users at risk, and not just their digital data but their physical security as well, given that a large part of IoT concerns connected cars and homes.
Application shielding should be your first line of defense when it comes to securing your apps, followed by active threat and vulnerability management solutions. In many cases, application shielding is an essential component of industry security compliance requirements, and businesses found non-compliant may face hefty penalties. In conclusion, remember that the primary purpose of application shielding is to boost your app's security by adding an additional layer of protection; it is not meant to replace any other aspect of security.
For more information, please download The Practical Guide to Application Hardening.
About Paul Butterworth
Paul Butterworth is an experienced payment and security professional, having spent almost 30 years in the card, payments and IT security industries. Paul is responsible for global product marketing for Intertrust Secure Systems' market-leading application shielding and device identity solutions.