Mobile applications are an essential tool for modern businesses, and their usage is exploding. There were 204 billion apps downloaded in 2019, up from 140 billion in 2016. With the enormous amounts of data being processed, stored and transmitted through those apps, application security needs to be a top priority for all businesses.
A problem with app security, however, is that it is often deployed reactively, rather than designed in from the start. App providers often focus on threat detection, or trying to discover vulnerabilities and patch the code in response. In other words, they take security measures after a threat has materialized or an attack has already happened.
By contrast, a proactive approach to app security involves making the app more difficult, time-consuming, and costly to hack in the first place. This can be achieved through the use of application hardening tools, also known as application shielding or in-app protection.
How hackers attack
To gain access to private data, steal details, or even mimic an entire app, hackers first try to reverse engineer it to inspect that application’s source code and understand how it works. They can use various technologies, such as debuggers, to gain a clear idea of how the application operates, and then attempt to manipulate the code so that the app will perform unintended and potentially malicious actions.
Application hardening tools use a variety of methods to make the hacker’s objectives more difficult to achieve. Just like physical security for a building, such as motion sensors, barbed wire, cameras, and guards, application shielding creates layers of protection around your vital resources, including encryption keys, intellectual property, and customer data. It is still technically possible for hackers to get in, but they would need to be extremely skilled and sink in large amounts of time to plan and execute the breach.
Let’s dive into the primary methods that proactive app security solutions use for application hardening.
The top 7 application hardening techniques
1. Code obfuscation
Code obfuscation helps to shield applications by making the source code confusing and difficult to understand. Code obfuscation includes several application shielding methods, including changing the flow of code, flattening the code structure, altering metadata, and constantly updating and inserting new obfuscated code. This makes reverse engineering extremely difficult and mitigates the threat from decompilers.
App developers and others use debuggers regularly and legitimately to check applications for coding flaws. However, hackers can also use debuggers to identify vulnerabilities in an app’s code that they can then exploit. Application shielding can help protect against the improper use of debuggers by inserting special code that detects when a debugger is being used on the app. When an attempt is detected, the app can then be programmed to perform a defensive action, such as shutting down, executing a callback function, or reporting the threat to a cloud service.
3. Binary packing
Binary packing helps with application hardening by making static analysis of the app’s code extremely difficult. The encrypted and compressed code is only unpacked during runtime, which means that static code analysis is impossible without running the app.
4. White-box cryptography
Encryption keys are extremely valuable as they help create secure communications between applications and servers, protect confidential data, and ensure strong authentication. White-box cryptography provides special cryptographic algorithms that ensure the encryption keys are kept secure and don’t appear in the clear, even while the application is running.
5. Integrity checking
Another method for preventing attempts to tamper with code is to insert overlapping checksums that check whether code or other checkers have been tampered with. With this application shielding method, it is not enough for hackers to disable just one checker—they must disable the set of checkers that test its integrity, and then the set that checks their integrity, and so on. When tampering is detected, the app takes defined defense actions.
6. iOS jailbreak detection
Apple devices enforce certain restrictions on what privileges apps have and how they can use the iOS operating system. When an Apple device has been “jailbroken” it means those restrictions have been circumvented. Apps that run on jailbroken devices can be tampered with more easily, and used in ways they weren’t intended.
As an application shielding technique, when an app detects that it is being run on a jailbroken iOS device, it can shut down or execute a custom defensive action.
7. Android rooting detection
Similar to jailbreaking with Apple devices, Google’s Android operating system can be “rooted”. A user who has rooted their Android device gains privileged control over its functions, creating a security risk for any applications running on the device. An application that uses rooting detection can test for the validity of the operating system in use and employ defensive actions if it detects any issues.
Proactivity is vital
Hardening applications so that they maintain their integrity and protect the data and IP they contain, even in insecure environments, is vital for modern businesses. By being proactive and strengthening your application with built-in defenses, you make a hacker’s objectives much more difficult to achieve.
Download “The practical guide to application hardening” to learn best practices to shield your application from attack.
To find out how Intertrust’s whiteCryption Code Protection and whiteCryption Secure Key Box protect applications in every industry around the world, talk to one of our experts.
About Prateek Panda
Prateek Panda is Director of Marketing at Intertrust Technologies and leads global marketing for Intertrust’s application shielding and device identity solutions. His expertise in product marketing and product management stem from his experience as the founder of a cybersecurity company with products in the mobile application security space.