Source code, apart from literally being the instructions that make software work, represents the intellectual property or secret sauce of a company. Almost everything that we use today, whether in business or in our personal lives, is increasingly dependent on good software. Behind the algorithms that power the supply chains that feed us and banking systems that allow us to quickly make transactions, there’s the code that’s constantly at our fingertips, from programs on laptops and apps on our smartphones to the billions of Internet of Things devices that communicate autonomously to make our lives better and simpler. However, these trillions of lines of code that underpin our modern, digital way of life are vulnerable to bad actors seeking to steal, exploit, and hijack them for their own purposes.
Unfortunately, for many people, including app and IoT device creators, implementing a source code protection policy only comes to the fore AFTER it becomes an issue.
How your code is at risk
Code drives virtually every new interaction or action we take, and with each of those, a new avenue of attack opens up. In the past few years, efforts to compromise devices, apps, and software have surged because the rewards can be extremely valuable.
For companies that hold or analyze data, or create apps or IoT devices, the most significant security vulnerabilities may remain exposed due to flaws in their approach and the lack of a fully developed source code protection policy. Companies spend an enormous amount of time and money protecting themselves with firewalls and other network and endpoint-level security tools. They also focus considerable energy on securing the transfer of data between their base of operations and that of a vendor or collaborating firm.
Unfortunately, once a company publishes its application, there are often few protections put in place to stop hackers and bad actors from reverse engineering it and finding out exactly how it’s built. Not only can they steal your IP or sensitive information residing in the app, but they can also use this information to inject malicious code into an app, like adding a keylogger to exfiltrate passwords or codes. Cybercriminals also fully spoof apps, masquerading as legitimate versions to gather credit card or banking information.
For most experienced hackers, reverse engineering isn’t even difficult, due to both the lack of source code protection and the easy availability of debuggers and reverse engineering tools. This creates some relative certainties for what will happen to those that produce apps, software, or IoT devices but don’t secure them properly, including:
- Your intellectual property will be stolen
- Your application will be repackaged with malware
- Cryptographic keys will be extracted
- Malicious software will connect to your devices and servers
- A developer will make a mistake, and a hacker will find it
The threats to your code: Use cases
Reverse engineering and code manipulation can happen to any application, from any size company, if their source code protection policy isn’t robust enough. Here are some recent examples of the risks posed to firms in the field.
What they do: The MyCar Controls app allows users to control their vehicle doors, remote start or stop their engines, and find the location of their vehicle, which is what you’d expect from a smart car app.
The problem with their code: A hardcoded admin-level password was left exposed and easily extractable. The code also included common flaws that could be exploited to send commands to vehicles. That means, with a bit of standard reverse engineering and hacking, a bad actor could track, unlock, or even control a user’s car.
What they do: Password managers are an increasingly popular way for people to uncomplicate their lives. They keep track of all your passwords for different sites and can also generate new, more complex passwords to make your accounts more difficult to hack with ‘brute force’ or ‘credential stuffing’ attacks.
The problem with their code: As no customer wants to spend ages waiting for communication with a third-party server so they can access their own email, password managers store encrypted data on the client-side. Passwords are then decrypted by a secure ‘key’ in the user device’s memory. Unfortunately, most devices and basically all web browsers are insecure, so once a hacker finds the key that’s being stored, they have access not just to one of your passwords but to all of them.
A recent report by research firm ISE assessed password managers Dashlane, 1Password, LastPass, and KeePass on Windows 10, finding that some passwords were left exposed even when the app was in the locked mode. In several apps, the master password itself persisted in memory and could be extracted—sometimes in plaintext.
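The in-memory exposure described above comes down to secrets outliving their use. As an added example (not code from the original article, the ISE report, or any of the named products), this C code wipes the typed password right after key derivation and wipes the key on lock. `struct vault`, `toy_derive` and the other names are assumptions, and `toy_derive` is a placeholder for a real KDF.

```c
#include <string.h>
#define KEY_LEN 32

/* Hypothetical vault state; the struct and all names are assumptions. */
struct vault { unsigned char key[KEY_LEN]; int unlocked; };

/* Volatile stores cannot be dropped as dead writes the way memset() can. */
void secure_wipe(void *p, size_t n) {
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}

/* Returns 1 when every byte of the buffer is zero. */
int all_zero(const void *p, size_t n) {
    const unsigned char *b = (const unsigned char *)p;
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++) acc |= b[i];
    return acc == 0;
}

/* Placeholder, NOT a real KDF: fills key with password-dependent bytes. */
static void toy_derive(const char *pw, size_t len, unsigned char *out) {
    for (size_t i = 0; i < KEY_LEN; i++)
        out[i] = (unsigned char)(pw[i % len] ^ (0xA5 + i));
}

/* Derive the key, then wipe the caller's password buffer on every path. */
int vault_unlock(struct vault *v, char *pw, size_t cap) {
    const char *end = memchr(pw, '\0', cap);
    size_t len = end ? (size_t)(end - pw) : 0;
    int ok = len > 0;              /* reject empty or unterminated input */
    if (ok) { toy_derive(pw, len, v->key); v->unlocked = 1; }
    secure_wipe(pw, cap);
    return ok ? 0 : -1;
}

/* Locking must leave no key material behind, not just flip a flag. */
void vault_lock(struct vault *v) {
    secure_wipe(v->key, sizeof v->key);
    v->unlocked = 0;
}

int main(void) {
    struct vault v = {0};
    char pw[64] = "constructed-sample-passphrase";  /* constructed input */
    vault_unlock(&v, pw, sizeof pw);
    vault_lock(&v);
    return all_zero(v.key, sizeof v.key) ? 0 : 1;
}
```

Wiping covers only buffers the program controls; copies held by UI toolkits, swap, or crash dumps need separate handling such as page locking and disabling core dumps.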
What they do: Medtronic is the world’s largest medical device manufacturer and is at the forefront of innovation in medical technology. One of their initiatives is to enable pacemakers to communicate with doctors and vice-versa so that accurate monitoring can be carried out, and adjustments can be made to improve patient health. This is performed through a computer called the MyCareLink Patient Monitor.
The problem with their code: Researchers discovered that they were able to reverse engineer the MyCareLink computer and, as the pacemakers involved used no encryption or authentication, hackers would have been able to not only steal vital health information but also to override the pacemaker’s original programming.
Constructing a source code protection policy
A source code protection policy defines a set of rules, requirements, and procedures for handling and protecting code. This includes secure access and use of code repositories, encryption protocols (along with crypto key protections), application hardening and shielding processes, and in-app protection methods. It also involves documentation and training on secure coding practices, and incorporation of secure development methodologies into the software development lifecycle.
Preventing data loss, reputational damage, and regulatory fines requires a source code protection policy to protect software and devices from reverse engineering and code tampering. Without this, hackers can deconstruct all your carefully created products and use them against you or your customers. By following a clear, comprehensive policy, security vulnerabilities can be addressed and source code can be protected.
How Intertrust can help with source code protection
Intertrust has been working in the field of data security for almost 30 years, and has applied this experience and knowledge toward source code protection. Our whiteCryption Code Protection and Secure Key Box solutions keep your data safe by:
- Inserting thousands of integrity checkers for sections of the binary, which creates a unique binary footprint to check against for code modification
- Code obfuscation that transforms the original source code to protect it from tampering and reverse engineering
- Active detection to protect from debuggers and hackers performing real-time analysis of software
- Ensuring that every build is different so one flaw won’t bring down the whole system
- Protecting source-code repositories without affecting app performance or usability, or requiring developers to change anything
- Securing keys in state-of-the-art white box cryptographic libraries
Any source code protection policy that wants to ensure the security of apps, software, and devices out in the world needs to strengthen the code itself, not just rely on external security measures.
Intertrust whiteCryption Code Protection makes your application code self-defending to ensure code integrity even when operating in untrusted environments. Learn how it works in this white paper.
whiteCryption Secure Key Box ensures that your secret keys always stay encoded, whether at rest or in use. Learn more about key protection and whiteCryption Secure Key Box.
About Prateek Panda
Prateek Panda is Director of Marketing at Intertrust Technologies and leads global marketing for Intertrust’s application shielding and device identity solutions. His expertise in product marketing and product management stems from his experience as the founder of a cybersecurity company with products in the mobile application security space.