API Scrapping, API Security, Application DDoS, Application Security, Application System Security, Certificate Pinning, Code Obfuscation, Container Security, DLP Exfiltration, Intellectual property protection, Kotlin, Repackaged App, Runtime Application Self Protection, SMS Grabbing
by Irfan

Mobile applications require self-defensing capabilities


Software problems begin with errors made by coders

Developers often lack security expertise and provide weight-age to the business process while developing client side applications such as mobile apps. With increased usage of smart phones and access to wireless internet keeps the application development market very busy. Organizations are moving towards digital platform and the mobile first generation are been targeted as consumers of those applications. Error rates may vary with approx. 10 to 20 defects per 1,000 lines of code. Coding errors are a direct cause of vulnerabilities in mobile apps and websites, which may expose an organization to attack. Project managers must expect coding errors, which is why rigorous ongoing testing is essential – especially for DevOps where change in code is constant. Security protection measures are available to help avert possible compromises due to coding error.

Fixing software code errors are biggest concern in DevOps world as they lack cyber security expertise and don’t think from cyber criminals. The list of potential vulnerabilities for mobile apps and websites is endless. People who are responsible for securing an organization’s apps and website must not underestimate how easy it is to hack code. Many publicly available tools make it easy to exploit vulnerabilities in code, some of which persist for years despite ongoing news stories of one related breach after another. Few examples are

  • Magisk is a tool that provides root access and a system less interface, allowing a hacker to alter a system without tampering with the partitions.
  • Frida is a dynamic instrumentation toolkit for developers, reverse engineers and security researchers.
  • Cycript allows attackers to explore and modify running apps on iOS or Mac OS X. It can also be used to redirect and intercept API calls

Most of such tools are freely downloadable, relatively simple to use, with ample documentation and supporting communities.

In-app protection technologies secure software based assets

In-app protection technologies refers to security solutions implemented within the application to make the application more resistant to attacks such as malicious data exfiltration, intrusion, tampering and reverse engineering. Organizations use in-app protection to safeguard their software-based assets, and to protect their organization and customers from fraudulent attacks. Thus, in-app protection particularly suited to high-value applications running on unattended devices or untrusted operating environments. Use cases often involve consumer-facing applications, JavaScript client-side.

Some of the industry verticals interested in in-app protection are media and entertainment, as well as financial services, retail, healthcare, insurance and government. The typical threats addressed by in-app protections solutions are

  • API scrapping
  • Application DDoS
  • SMS grabbing
  • Cryptojacking
  • Script injection
  • Repackaged app

Self defense capabilities for mobile applications

In-app protection capabilities can be introduced in an application during development or post coding. Some solutions provide libraries in the form of SDKs to be integrated directly into the source code, some leverage native code instrumentation and others inject their functionality directly into an application without requiring modifications or possession of the source code

Typically most mobile applications use software languages and frameworks such as Windows SDK, .NET, C/C++, Objective-C, C#, Swift, Java, Kotlin, JavaScript, Cordova, React, Xamarin, Swift, Android and use platforms such as Android, iOS, browsers, Linux, macOS, Windows.

Application Protection & Hardening Standards
  • Code obfuscation: This scrambles the code and makes it harder for an attacker to reverse engineer how the application works. An application that is harder to read is also harder to attack, and it is harder to steal its intellectual property or to repackage the application
  • Certificate pinning: Rather than accepting any certificate from a specific range of certification authorities, pinning allows the parties involved in the mutual authentication process to pin down particular certificates — only these certificates will be accepted. If an attacker spoofs a certificate, even if this certificate is coming from a legitimate certification authority, the communicating party will reject it, avoiding a man-in-the-middle attack.
  • Resource encryption: Resource encryption of various components, such as classes or strings, can also be used to prevent attacks
  • Fingerprinting: This collects information about the device. The information can be used to uniquely identify a device, which allows the app to lock itself and only run on that specific device (i.e., device binding).
  • Privilege escalation detection: This is a frequently used control. On mobile platforms, it translates to jailbreak or rooting detection
  • Debugger and emulation detection: These are common capabilities in this area, as both of these tools are used in reverse engineering attempts
  • Anti-bot: Anti-bot technologies are used to identify and/or block malicious bots based on behaviour (e.g., geolocation, IP address reputation, biometric behaviour).
  • Integrity checks: These can detect whether an application or a device configuration has been altered. Integrity checks can involve a variety of checks, such as a checksum of the entire app or a check of the inventory of libraries and calls included in the application
  • Polymorphism: This is another technique we have observed emerging in this market, where the code can be altered during a reverse engineering attempt to add difficulty to the exercise
  • Clickjacking: Clickjacking protection includes a variety of methods, such as CSP, SRI, script injection detection and other methods
  • Malware detection: This analyzes the other applications installed on the device (on OS platforms where this is allowed; for example; recent iOS modifications do not allow this), as well as broader device behavior, and can identify malware present on the device
  • White boxing: White boxing, or white-box cryptography, refers to the set of techniques used to hide and protect sensitive application data (typically encryption keys) stored on a device. In its most basic form, white boxing uses techniques similar to obfuscation to hide data, but it can also combine anti-tampering functionality
  • Runtime Application Self-Protection: Runtime Application Self-Protection (RASP) is a security technology added onto an application’s runtime environment via code instrumentation. It monitors behaviours, controls application execution, and detects and prevents real-time attacks.

Also read

  1. Application visibility is key for data center micro segmentation
  2. Security considerations while migrating business applications to cloud infrastructure
  3. Web Isolation Recommendations and Benefits
  4. Threat modeling frameworks and methodologies
  5. Quantum computers pose a significant risk to Bitcoin