With October being National Cybersecurity Awareness Month (NCSAM), Intertrust is publishing a series of posts that expand on the NCSAM theme “If you connect it, protect it!”
If you connect it, protect it
October is National Cybersecurity Awareness Month (NCSAM), a joint initiative of the Department of Homeland Security and the National Cyber Security Alliance to build cyber awareness among US businesses and the public alike. Now in its 17th iteration, NCSAM has grown and evolved over the years to address the increasing challenges and scope of today’s uber-connected world, from mobile apps that help us shop, bank, collaborate, and perform myriad other personal and business functions to IoT devices used both in industry and everyday life. These connected apps and devices add convenience and boost efficiency, but they also significantly broaden the attack surface. That’s why device and application security are a critical piece of an organization’s overall cybersecurity strategy.
This year’s focus, “If You Connect It, Protect It!”, reflects that fact. Virtually anything with access to the internet can be used by hackers to access systems, steal data, or threaten lives. Some notable recent examples include:
- A Milwaukee couple’s connected home was hacked, and the attacker turned up the temperature, played creepy music, and spoke through their speakers.
- A connected fish tank provided back-door access to a casino’s client list.
- Criminals in Chicago hacked into a car-sharing app to steal more than 100 Mercedes-Benz cars.
- Pacemakers and insulin pumps can be taken over by hackers and potentially used to blackmail patients or put their health at risk.
Why mobile and desktop app security is so important
No software is free of flaws, and mobile and desktop apps often contain vulnerabilities that malicious actors can easily exploit. OWASP keeps a running list of the top application security risks. Compromised apps can lead to stolen data or cryptographic keys, and even to server access or loss of device control. For those reasons, app security needs to be proactive rather than reactive. A strong security policy for software development ensures that security best practices are employed from the beginning and carried through to deployment.
Attackers use a variety of methods to breach app security. Some of the most common are:
- Reverse engineering: The first step in getting around application security is for the hacker to clearly understand its code to find vulnerabilities. This often includes running the application through a debugger or decompiler.
- Code tampering: Here, the attacker injects malicious code into the application to try to circumvent app security mechanisms and perform harmful actions.
- Jailbreaking/Rooting: The two major mobile operating systems (Apple’s iOS and Google’s Android) have built-in application security mechanisms. Jailbreaking or rooting a device lets apps run in vulnerable environments outside of these protections, making it easier for hackers to misuse them.
- Dynamic analysis: During an application’s runtime, its functionality and even the cryptographic keys it uses to securely communicate and authenticate itself may become visible. This makes runtime or dynamic analysis one of the most crucial areas of app security.
- Side-channel attacks: Side-channel attacks use measurable physical outcomes of device usage to extract information, including cryptographic keys, while an application is working.
Boosting application security
Raising awareness of the threats posed by connected applications and devices is only one element of NCSAM’s objectives. The initiative also aims to inform businesses and consumers about app security best practices and what they can do to make their use of applications and devices safer.
CISA offers a number of resources on the NCSAM site with tips to protect IoT devices, the digital home, and other security guidance, but for application developers and vendors, security needs to be embedded directly in the app itself.
Some of the most effective strategies to deter and complicate hackers’ attempts to attack applications include:
- Code obfuscation: Tactics such as altering control flow and inserting nonsense code make the code more difficult for attackers to understand.
- Integrity protection: Deploying thousands of overlapping checksum checkers detects attempts by would-be attackers to alter code, which allows for a customizable app security reaction.
- Anti-debugging: There are a number of strategies that can be deployed so that an application recognizes when someone is trying to use it with a debugger. This allows the application to take defensive actions (such as shutting down or running in a ‘safe mode’).
- Jailbreak/rooting detection: Similar to anti-debugging protection, a jailbreak/rooting detection system recognizes when an app is being run outside of the normal application security environment provided by the mobile operating system.
- White-box cryptography: This is an advanced key protection method that ensures cryptographic keys used in applications never appear in the clear, whether at rest, in transit, or in use. Even if a side-channel attack is successful, the keys can’t be deciphered and used.
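The “overlapping checksum checkers” idea from the integrity-protection bullet, as an added example that is not Intertrust’s or whiteCryption’s code: a constructed byte buffer stands in for the protected code image, four CRC32 windows overlap so that every byte is covered twice, and the hypothetical `demo` helper shows that a one-bit patch is flagged by two checkers, and still by one after an attacker has disabled the other.

```c
/* Added example, not Intertrust/whiteCryption code: a miniature network of
 * overlapping checksum checkers over a byte buffer standing in for code.
 * Real checkers live inside the app's own code and guard one another;
 * here the checker table is kept separately to keep the simulation short. */
#include <stdint.h>
#include <stddef.h>
#define IMAGE_SIZE 64
#define NCHECKERS  4  /* 32-byte windows every 16 bytes: every byte is covered twice */
typedef struct { size_t start, len; uint32_t expected; } checker_t;

/* Table-less CRC32 (IEEE polynomial, reflected), chainable so a window can wrap. */
static uint32_t crc32_update(uint32_t c, const uint8_t *p, size_t n) {
    for (size_t i = 0; i < n; i++) {
        c ^= p[i];
        for (int k = 0; k < 8; k++) c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return c;
}
/* CRC32 of the circular window image[start, start+len) modulo IMAGE_SIZE. */
static uint32_t window_crc(const uint8_t *image, size_t start, size_t len) {
    size_t head = IMAGE_SIZE - start < len ? IMAGE_SIZE - start : len;
    uint32_t c = crc32_update(0xFFFFFFFFu, image + start, head);
    return ~crc32_update(c, image, len - head);  /* wrapped tail, if any */
}
/* Seed each checker with its window's CRC over the pristine image (post-build step). */
static void seal(const uint8_t *image, checker_t *ck) {
    for (int i = 0; i < NCHECKERS; i++) {
        ck[i].start = (size_t)i * (IMAGE_SIZE / NCHECKERS);
        ck[i].len = 2 * (IMAGE_SIZE / NCHECKERS);
        ck[i].expected = window_crc(image, ck[i].start, ck[i].len);
    }
}
/* Run the checkers whose bit is set in `active` (a checker the attacker has
 * patched out is modelled by clearing its bit); return how many detected tampering. */
static int verify(const uint8_t *image, const checker_t *ck, unsigned active) {
    int failures = 0;
    for (int i = 0; i < NCHECKERS; i++)
        if ((active >> i) & 1u)
            failures += window_crc(image, ck[i].start, ck[i].len) != ck[i].expected;
    return failures;
}
/* Hypothetical driver: seal a constructed image, flip one bit at `patch`
 * (none if negative), then run the active checkers. */
int demo(int patch, unsigned active) {
    uint8_t image[IMAGE_SIZE];
    checker_t ck[NCHECKERS];
    for (int i = 0; i < IMAGE_SIZE; i++) image[i] = (uint8_t)(0x90 + i * 7);
    seal(image, ck);
    if (patch >= 0 && patch < IMAGE_SIZE) image[patch] ^= 0x01;
    return verify(image, ck, active);
}
```

`demo(20, 0xFu)` returns 2 and `demo(20, 0xDu)` returns 1: because each byte sits in two windows, silencing a single checker is not enough to hide a patch, which is the redundancy the bullet relies on.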
whiteCryption boosts app security
For any business involved with manufacturing devices or creating applications, National Cybersecurity Awareness month delivers an apt message: “If You Connect It, Protect It.” Taking steps to harden application security is essential, and each avenue of attack needs its own defensive strategy to counter it.
At Intertrust, we support the creation of a more secure cyber environment for businesses and their customers. Our whiteCryption application protection suite, which includes Code Protection and Secure Key Box, is one of the most complete app security solutions in the field and includes each of the protection strategies mentioned above.
About Prateek Panda
Prateek Panda is Director of Marketing at Intertrust Technologies and leads global marketing for Intertrust’s application shielding and device identity solutions. His expertise in product marketing and product management stems from his experience as the founder of a cybersecurity company with products in the mobile application security space.