2001 was a turning point for application security, though few recognized it at the time.

In April, a U.S. Navy EP-3 made an emergency landing on Hainan Island after a mid-air collision with a Chinese interceptor. The crew had 26 minutes to destroy sensitive equipment and documents before landing. They improvised—pouring coffee into disk drives, using an axe on hard drives. It wasn’t enough.

That same year, OWASP was founded to improve software security—the beginning of a community that would eventually define standards like MASVS that we track today.

And that same year, a Purdue PhD student named Hoi Chang wrote a program to obfuscate Windows applications, working with his advisor Mikhail Atallah and colleagues Tim Korb and John Rice. That work became Arxan.

Three events, one year. A dramatic demonstration of what happens when adversaries get access to unprotected systems. A community forming to address software security at scale. And a company founded to make applications harder to reverse-engineer.

The confluence wasn’t coincidental. Application protection was becoming a concern that crossed boundaries—national security, commercial software, and the emerging discipline of secure development. The threads would take years to weave together, but 2001 was when they all appeared.

The Defense Era

Two years earlier, the Department of Defense had issued its first mandate requiring anti-tamper techniques in military acquisition programs. The threat was nation-states with laboratories, reverse engineering talent, and equipment capable of capturing entire instruction sequences from a single run. Industry events made the real-world consequences clear to those with the appropriate clearances.

Some defense programs embraced protection from the beginning. Others pushed for waivers—anti-tamper added expense, slowed timelines, and complicated the verification and validation process where all code had to be traceable back to requirements. Obfuscation, by design, made that traceability harder.

The same tension exists today—security measures that complicate development are resisted until loss makes the cost undeniable.

But policy enforcement tightened over time. Programs already underway could get waivers; new programs found it increasingly difficult. All these little snowflakes built toward an avalanche.

Arxan was founded in that environment. The company’s early intellectual property was licensed from Purdue, and its initial focus was defense anti-tamper applications.

The Commercial Migration

In 2010, Arxan’s defense unit was sold to Microsemi for regulatory reasons, and the commercial business continued independently. The same protection techniques found new applications.

A software company discovered its products were being reverse-engineered and resold at orders-of-magnitude discounts. Competitors could buy a single copy, crack the licensing, and undercut the original vendor. The threat was concrete and the losses were quantifiable.

Manufacturing equipment faced similar risks. A foreign competitor could purchase a machine, disassemble the hardware, and reverse-engineer the software that controlled it—creating an instant knock-off. The valuable IP wasn’t just in the physical design; it was in the code.

These early commercial buyers were threat-driven. They had seen the problem firsthand and sought solutions.

Financial Services

A major UK bank—forward-thinking and observing early anomalies in how their applications were being used—started building their own protection before any regulation required it. We partnered with them, implemented features they needed, and still protect them today.

Other banks followed. Some came after quantifying fraud losses they wanted to eliminate. One institution had maintained a significant annual fraud budget; after deploying application protection, they no longer needed it.

The pattern repeated across the industry: the largest institutions recognized the threat first, then knowledge diffused to smaller banks, regional institutions, credit unions, and insurance companies. Employees moved between organizations and carried expertise with them. The logic was simple: as one security leader put it, echoing the old line about bank robbers, that’s where the money is.

Gaming and Revenue Protection

Gaming studios approached protection with a specific calculus. A significant majority of a game’s revenue arrives in the first weeks after launch, with a sharp spike followed by a long decay. Studios told us directly: they needed protection that would hold through that critical window. They knew attackers would eventually find a way through, but by then the revenue curve had flattened.

This was one of the first industries to articulate time-bound security: protection doesn’t need to be permanent, it needs to be sufficient during the revenue window. That concept resonates beyond gaming: product launches, M&A periods, and regulated rollouts all share the same dynamic.

The threat was concrete, the timeline was known, and the return on investment was immediate.

Medical Devices

Medical device manufacturers face FDA cybersecurity requirements that have grown more stringent in recent years. Protection against tampering and reverse engineering is now part of the regulatory landscape.

But compliance isn’t the only driver. These companies also hold valuable IP—proprietary algorithms, diagnostic logic, treatment protocols—that competitors would benefit from accessing. The motivation is familiar: regulatory compliance creates the mandate, but IP protection adds urgency.

Where the Market is Now

In 2020, Arxan joined CollabNet VersionOne, XebiaLabs, Experitest, and Numerify to form Digital.ai. The Arxan name remains well-known in application security circles, and the technology continues to evolve.

Today, buyers enter the market at different points with different contexts. Some have seen the threat firsthand—fraud losses, piracy, competitive intelligence concerns. Some are responding to board-level questions or vendor security requirements. Some are just beginning to ask whether their applications need protection.

The market has matured, and that maturity means more organizations are protected than ever before.

What We’ve Learned

The threat hasn’t fundamentally changed. Adversaries with access to your application—whether a nation-state lab or a motivated individual with freely available tools—will analyze it. What’s changed is who’s paying attention.

Twenty-five years ago, application protection was a defense concern. Today, it spans financial services, gaming, manufacturing, healthcare, and beyond. The tools have evolved—simpler deployment, better analysis, less configuration required. But the core problem remains: valuable logic and data live in software that runs in environments you don’t control.

We’ve worked with buyers at every point on that maturity curve. The ones who came early because they’d been burned. The ones who came later because their industry caught up. The ones just starting to ask the question.

What we’ve found is that the entry point matters less than the commitment to understanding your own risk. We’ve been at this long enough to help with that conversation, wherever it starts.

Author

Mike Woodard, VP Product Management

March 2, 2026

From Defense Labs to Mobile Apps: How Application Protection Grew Up
