Application Protection: Frequently asked questions

Find answers to the most frequently asked questions about in-app protection, application shielding techniques, cryptographic key protection, and other application protection topics.

What is application protection and why do I need it?

Application protection, also referred to as in-app protection, can be categorized as security solutions that focus on building and increasing the defense capabilities within an application, making it more resistant to attacks. It generally includes techniques such as code obfuscation, specialized cryptographic key protection, anti-tampering protections, and Runtime Application Self-Protection (RASP).

In-app protection solutions are proactive in nature, embedding defenses into your applications so they can withstand and block threats like reverse-engineering, data and IP theft, misuse, vulnerability exploitation, and tampering. Application protection secures your software-based assets, and safeguards your organization and customers from attacks.

What are the differences between application protection, in-app protection, application hardening, and application shielding?

Often all of these terms are used interchangeably. However, application protection and in-app protection can be regarded as broader terms that include application hardening and shielding techniques, as well as cryptographic key protection and additional security measures that increase the self-defense capabilities of an application. In-app protection incorporates mechanisms to detect and respond to threats and malicious behavior in real-time. These capabilities are critical for applications to operate securely in untrusted environments.

Application hardening and application shielding generally refer to a subset of the security techniques covered by application protection. Application shielding involves making strategic modifications to the source, byte, or binary code that make the application resistant to reverse-engineering and tampering.

Learn more about application shielding and its benefits.

We already use an application security testing solution, how is in-app protection different?

Unlike security solutions focused on testing, detecting, and then remediating vulnerabilities in apps, in-app protection plays its part primarily in the prevention and thwarting of attempted attacks. Application testing solutions are based on analyzing and finding known vulnerabilities and weaknesses against identified threats. By contrast, application shielding hardens code to make it extremely difficult to understand or to find a foothold from which to launch any type of attack on an application. It evaluates and analyzes an app’s environment to ensure it can run securely and proactively blocks attacks before they can cause damage.

Application security testing and in-app protection address different security needs and complement, rather than substitute for, one another.

Is in-app protection applicable to both desktop and mobile applications?

Yes, application protection techniques should be used by both desktop and mobile applications, although many tools focus exclusively on one or the other. Intertrust’s whiteCryption application security hardening solutions support Android, iOS, Linux, macOS, and Windows platforms—along with embedded systems, set-top boxes, connected-cars, medical devices, mobile banking solutions, and more. 

whiteCryption Code Protection can protect Android Java, Desktop/Server Java, Kotlin for Android, C, C++, Objective-C, and Swift source code and requires no significant changes to the code itself or the existing build chain.

What are the different methods or techniques of application protection?

Several combinations of techniques are used to provide robust in-app protection. Below are some of the most crucial. 

Reverse engineering protections

  1. Code obfuscation: Code obfuscation makes strategic modifications to the code so that it is difficult to decipher and decode.
  2. Anti-debugging: Adding mechanisms that detect the presence of common debuggers and debugging techniques, and take action to block them.
  3. Binary packing: Binary packing is a technique used to protect against static analysis.
  4. Diversification: Diversification alters code so that each software instance must be cracked individually.

Cryptographic key protection

White-box cryptography: A software-based method to secure cryptographic keys that combines obfuscation, encryption, and mathematical transformation techniques to hide cryptographic keys and algorithms so that even if a program or device is compromised, cryptographic keys remain safe.

Tampering

  1. Integrity Checking: Integrity checking hardens applications by inserting thousands of small, overlapping checksums. During runtime, each of these checksums tests whether a particular segment of the executable has been tampered with.
  2. iOS Jailbreak Detection: Jailbreak protection identifies if the device security has been breached and reports it to the application, enabling it to take the appropriate response.
  3. Android Rooting Detection: Android rooting detection methodologies implement anti-rooting techniques to detect the legitimacy of the operating system and execute defense actions accordingly.
  4. RASP/intrusion detection and response: Apps can protect themselves by executing a defense response when a tampering attempt is detected. For example, sending an alert, preventing execution of some commands, deleting sensitive data, or shutting the app down.

Learn about the top seven app shielding methods.

Does application protection help me comply with regulations that are required for my business?

Robust application protection generally includes specific security measures in accordance with requirements by GDPR, PCI-DSS, EMV, HIPAA, the EU Medical Device Regulation, and other regulatory statutes and bodies. For example, many regulations require strong protections against reverse-engineering and tampering including code obfuscation, environmental checks, embedded integrity checkers, as well as cryptographic key security.

Does application protection protect encryption keys?

While most in-app protection solutions provide at least some level of key protection, they may or may not include dedicated cryptographic key security such as white-box cryptography. White-box cryptography is probably the most effective software-based method to protect encryption keys. It uses extremely sophisticated mathematical transformation and obfuscation techniques to hide cipher keys and cryptographic operations. White-box cryptography ensures that encryption keys remain protected at all times, even if the application or device is compromised. 

Learn more about best practices for encryption key security.

How does the DevSecOps framework fit into application protection?

The goal of DevSecOps is to bake security in as a part of the software development lifecycle (SDLC) with secure coding best practices and testing automation. This has proven to be better and more efficient than addressing security concerns after applications are in production. 

Combining development, security, and operations teams under a DevSecOps model helps teams release app builds faster, with fewer vulnerabilities, and with upgraded security. While it may require an additional early investment, it saves on major post-production costs by preventing attackers from exploiting the app easily. Combining application shielding in the DevSecOps framework strengthens the app at its core, adding a layer of protection that is toughened and ready for launch into zero-trust environments.

What kinds of threats does application protection help mitigate?

Enterprise-grade application protection solutions give comprehensive protection from attacks associated with reverse engineering, tampering, code lifting, exploitation of vulnerabilities, and even from unconventional attacks like side-channel attacks. The consequences of such attacks include data exfiltration, intellectual property theft, encryption key discovery, financial fraud, malware insertion, and reputation damage.

Does application shielding prevent reverse engineering?

Reverse engineering plays a central role in almost every attack on an application. Hackers use it to discover sensitive data, unprotected keys, and information that could be used to further penetrate the application and connected systems. Reverse engineering also exposes unprotected proprietary algorithms and other intellectual property.

Application shielding uses different techniques like code obfuscation, anti-debugging mechanisms, binary packing, and diversification to make the source code of an application extremely difficult to reverse engineer. White-box cryptography adds specialized protection for encryption keys. This makes even the most determined hackers abandon their attacks in most cases.

Learn more about application reverse engineering and its threats.

How does application shielding protect my app from jailbroken or rooted devices?

Jailbreaking an iOS device and rooting an Android device gives the user administrator-level root access to various subsystems. Once a device is jailbroken or rooted, security controls installed by the manufacturers are breached allowing attackers and rogue apps to access your application data or keys. 

Intertrust’s whiteCryption application protection solution detects when there is a breach in the security of a device and reports it to the application to take appropriate defense measures. The solution also helps strengthen the defense capabilities of the application, so even when operating in an insecure environment such as a compromised OS, it can withstand attacks from different possible threats.

Learn more about how application shielding can protect your apps from jailbroken or rooted devices.

What is code obfuscation?

Code obfuscation is an application protection technique that works by transforming the code to make it very difficult for hackers to understand and decipher. Strong and well-applied code obfuscation:

  • Hides and confuses the logic, structure, and purpose of the code to stop hackers who attempt to reverse engineer or tamper with your application
  • Conceals information that can be used in further attacks, such as debug information, log messages, and strings displayed to the user
  • Secures valuable intellectual property, such as proprietary algorithms or licensed technology or content
  • Hardens potential attack points by obscuring security flaws and vulnerabilities so they can’t be exploited 

Obfuscation methods range from basic to complex, and include stripping out potentially revealing metadata, renaming useful class and variable names to meaningless labels, adding decoy logic, inlining functions, encrypting some or all of the code, and obfuscating the application’s control flow.

Learn more about application code obfuscation.

What is RASP?

Hackers tamper with an app to change its compiled code or runtime behavior. For example, they might inject malicious code or spoof an authorized identity, allowing them to access valuable information and possibly the entire network. Apps can protect themselves by using RASP techniques to detect tampering attempts and execute an appropriate defense response. 

Runtime application self-protection (RASP) is a term used to describe the variety of detection methods and defensive actions an app can employ to prevent code reverse-engineering, tampering, and other attacks in real-time.

Learn more about runtime application self-protection.

What is a side-channel attack?

Side-channel attacks are a set of security exploits that involve the observation of characteristics and behavior of devices when performing cryptographic operations. When an attack is carried out utilizing these observations, it is known as a side-channel attack. Side-channel attacks can be carried out against any operating system, including Windows and Linux. The infamous Meltdown and Spectre vulnerabilities are prime side-channel attack examples that affected nearly every modern processor.

Types of side-channel attacks include:

  1. Speculative execution attack
  2. Power monitoring attack 
  3. Cache attack 
  4. Timing analysis 
  5. Differential fault analysis (DFA)
  6. Thermal imaging 

Intertrust’s whiteCryption Secure Key Box (SKB) provides an industry-leading white-box cryptography solution to protect secrets and keys from exposure, even against new side-channel attacks as they emerge. 

Learn more about how to protect your organization from side-channel attacks.

What is white-box cryptography?

White-box cryptography is a highly specialized software-based security technique to protect cryptographic keys and operations. It combines obfuscation, encryption, and mathematical transformation techniques to hide cryptographic keys and algorithms so that they never appear in the clear. Standard operations such as encryption, decryption, secure key unwrap, and digital signature creation and validation are done within the secure white-box environment, protecting the keys even if the device is compromised by an attacker. 

White-box cryptography provides essential cryptographic key protection in multiple industries. For example, the Payment Card Industry (PCI) Security Standards Council has determined white-box cryptography to be a preferred method for securing cryptographic keys in Tap-to-Phone mobile POS applications.

Learn more about white-box cryptography.

Learn more about PCI’s white-box cryptography requirements for CPOC.

What is anti-debugging?

Anti-debugging is a set of techniques used within the code of an application to detect and prevent the act of debugging. This stops attackers from dynamically running applications, trying to understand how they work, and changing the behavior of certain features or checks within the application. Anti-debugging techniques include observing and detecting small differences in memory, the operating system, process information, and latency that arise when a debugger is attached to an application, compared with when no debugger is present.

Learn more about the importance of anti-debugging for application security.

What is integrity checking?

Integrity checking is a technique used in application hardening to determine if an application has been tampered with. Small pieces of code, called checkers, are inserted into your application that act as a trigger in the case of tampering. These triggers execute predetermined actions to protect the application’s integrity such as notifying the user, calling a custom response function, generating a log message, or even shutting down the application.
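
The checker idea described above, together with the overlapping checksums mentioned earlier on this page, can be sketched in C as follows. This is an added example, not code from any product: the byte array is a constructed stand-in for a protected code segment, and FNV-1a, the window sizes, and all function names are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define SEG_LEN  64   /* constructed stand-in for a protected code segment */
#define WINDOW   16   /* bytes covered by one checker */
#define STRIDE    8   /* smaller than WINDOW, so neighbouring checkers overlap */
#define N_CHECKS ((SEG_LEN - WINDOW) / STRIDE + 1)

/* FNV-1a, used here only as a compact checksum (assumption: a real
   protection tool would use its own, diversified checksum routines). */
static uint32_t fnv1a(const uint8_t *p, size_t n) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

/* Build time: record the expected checksum of every window. */
void seal(const uint8_t *seg, uint32_t expected[N_CHECKS]) {
    for (size_t k = 0; k < N_CHECKS; k++)
        expected[k] = fnv1a(seg + k * STRIDE, WINDOW);
}

/* Run time: return a bitmask of the checkers whose window has changed. */
uint32_t verify(const uint8_t *seg, const uint32_t expected[N_CHECKS]) {
    uint32_t tripped = 0;
    for (size_t k = 0; k < N_CHECKS; k++)
        if (fnv1a(seg + k * STRIDE, WINDOW) != expected[k])
            tripped |= 1u << k;
    return tripped;
}

/* Response hook: here a log message, one of the actions listed above. */
int respond(uint32_t tripped) {
    if (tripped)
        fprintf(stderr, "integrity: checkers 0x%x tripped\n", (unsigned)tripped);
    return tripped != 0;
}

int main(void) {
    uint8_t seg[SEG_LEN];
    uint32_t expected[N_CHECKS];
    for (size_t i = 0; i < SEG_LEN; i++) seg[i] = (uint8_t)(i * 7 + 3);
    seal(seg, expected);
    seg[20] ^= 0x01;                      /* simulated one-byte patch */
    return respond(verify(seg, expected)) ? 0 : 1;
}
```

Because the windows overlap, the one-byte change at offset 20 trips two checkers (windows 8..23 and 16..31), so disabling a single checker is not enough to hide the modification.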

Why is application protection important for apps that run in zero-trust environments?

Applications deployed into zero-trust environments like mobile phones provide opportunities for hackers to easily gain access into systems. Conventional security practices such as firewalls, anti-virus, and MDM are no longer sufficient, as none properly protect the app and the assets it contains.

Applications outside the perimeter need to be protected to reduce risk, prevent financial loss, and protect your business brand and intellectual property. Intertrust whiteCryption’s advanced cross-platform application security suite provides patented application shielding to protect software applications, mobile apps, and IoT devices by dramatically increasing their resistance against reverse engineering, tampering, and theft of cryptographic keys.