This post is from the Arxan blog and has not been updated since the original publish date.
Which Approach to Application Hardening Is Right for Your App?
The Importance of Mobile Application Protection
There’s no shortage of hacking tools and techniques or stories in the news about mobile app hacks for both iOS and Android platforms. Fortunately, those offering mobile application protection solutions have responded swiftly to these threats. Now, there are many approaches that one can leverage to harden an app out in the wild. Hardening is a key step at the end of any secure software development life cycle process, which ensures that the app is running as designed at runtime and thwarts cybercriminals’ efforts to reverse engineer the app back to source code.
Which hardening approach is right for your app?
To the uninformed customer, simple obfuscators are attractive because they are low in cost, require little training to use and are quick to implement. However, given the sophistication of today’s cybercriminals, it is important for app developers to look beyond the surface and take a more strategic approach to choosing a mobile application hardening solution. Below are four key factors that those responsible for app security should consider when evaluating application hardening solutions.
1. The Value of Your App
An important factor to consider is the level of investment your company is making in an app with respect to research and development and maintenance costs. For instance, if valuable, proprietary intellectual property such as algorithms or monetizable content is embedded within the app, you should consider the loss of revenue to your company if the app is successfully hacked. If the app will be processing sensitive information such as financial transactions, account information or authorization credentials, you should consider the potential loss of revenue through fraud and collateral damage that may accrue if the app is hacked or Trojanized. Collateral damage may include not only penalties for noncompliance with regulations and necessary expenditures on security upgrades, but also the costs of crisis management communication campaigns to manage adverse publicity and restore brand value.
There is a prevalent belief that encryption and basic obfuscation techniques in and of themselves are adequate measures to protect apps. String encryption and variable renaming form a useful security layer but are inadequate when used in isolation.
Also, it is important to understand that not all obfuscation and encryption tools are created equal. Obfuscation is often confused with simple method renaming techniques and basic string obfuscation technologies, which can be quickly broken and easily reversed. Any encryption wrapper that applies the same measures of protection across all the apps it secures can be broken by determined attackers. Once that happens, every application secured by that vendor is compromised. See the chart below for recommended mobile application protection techniques for low- and high-value apps.
2. The Scale and Sophistication of Attacks Your App Will Likely Face
Minimal protections against counterfeiting and repackaging are built into the app distribution ecosystem. These include measures such as:
- The detection of jailbreak or root conditions that enable the side-loading of applications, many of which are Trojanized;
- Monetization libraries that ensure only legitimate applications are downloaded through the app store and are correctly purchased or licensed. However, these libraries can be, and often are, breached by cybercriminals; and
- Audit process measures to ensure only legitimate and harmless apps are placed in the app store, even though audit mechanisms to block illegitimate apps from distribution to users are far from perfect.
Consequently, it is important to determine the scale and sophistication of attacks your app may face, and then ensure the security solution you rely on is capable of meeting the challenge. For small-scale developers with free or ad-supported apps, basic protection will typically suffice, although even ad revenue may be subverted through Trojans. In contrast, for serious, business-critical applications, it is safe to assume that an organized army of attackers will be actively looking for ways to subvert your app as quickly and as comprehensively as possible. Because such attacks are designed to be covert, it can be weeks, if not months, until evidence of successful hacks surfaces. Thus, measures of defense against attacks have to be complemented by measures of detection and reaction. For example, instrumenting an app to detect attempted attacks and react with functions such as “phone home” can provide long-lasting and durable protection.
Consider a recently concluded benchmarking study that analyzed an Android Java mobile payment application that was hardened with a comprehensive protection solution and a basic Java protection solution.
Attacks that systematically compromise the underlying libraries an app relies on are the fastest-growing class of attacks — and presently the most dangerous. This makes it imperative that high-value apps are able to verify the pristine nature of their entire execution environment before unlocking sensitive functionality. Obfuscation solutions that focus purely on variable renaming or string encryption can deter static reverse engineering but are not able to protect against the full spectrum of high-intensity attempts to compromise the app.
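The check described above, sketched as an added example (not Arxan's code or any product's implementation): bundled libraries are verified against a signed manifest before sensitive functionality is unlocked, and a report hook stands in for “phone home”. The library names, key and function names are constructed for illustration, and an HMAC with an embedded key stands in for a real code-signing check.

```python
import hashlib, hmac, json, tempfile
from pathlib import Path

# Constructed demo key; HMAC stands in for a real code-signing signature (assumption).
MANIFEST_KEY = b"constructed-demo-key"

def sha256_file(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def sign(hashes):
    body = json.dumps(hashes, sort_keys=True).encode()
    return hmac.new(MANIFEST_KEY, body, hashlib.sha256).hexdigest()

def build_manifest(lib_dir):
    """Build-time step: hash every bundled library and sign the list."""
    hashes = {p.name: sha256_file(p) for p in sorted(Path(lib_dir).iterdir())}
    return {"hashes": hashes, "mac": sign(hashes)}

def verify_environment(lib_dir, manifest):
    """Runtime step: return findings; an empty list means nothing was altered."""
    if not hmac.compare_digest(sign(manifest["hashes"]), manifest["mac"]):
        return ["manifest: signature mismatch"]
    present = {p.name: p for p in Path(lib_dir).iterdir()}
    findings = []
    for name, digest in manifest["hashes"].items():
        if name not in present:
            findings.append(f"{name}: missing")
        elif sha256_file(present[name]) != digest:
            findings.append(f"{name}: modified")
    extra = sorted(set(present) - set(manifest["hashes"]))
    return findings + [f"{n}: unexpected library" for n in extra]

def unlock_sensitive_feature(lib_dir, manifest, report):
    """Gate: unlock only when clean; otherwise pass findings to the report hook."""
    findings = verify_environment(lib_dir, manifest)
    if findings:
        report({"event": "integrity_failure", "findings": findings})
    return not findings

def demo():
    """Constructed sample: two fake libraries, then one patched and one injected."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "libpay.so").write_bytes(b"payment code")
        Path(d, "libcrypto.so").write_bytes(b"crypto code")
        manifest, events = build_manifest(d), []
        clean = unlock_sensitive_feature(d, manifest, events.append)
        Path(d, "libcrypto.so").write_bytes(b"patched crypto code")
        Path(d, "libhook.so").write_bytes(b"injected")
        tampered = unlock_sensitive_feature(d, manifest, events.append)
    return clean, tampered, events

if __name__ == "__main__":
    print(demo())
```

A lone check of this kind is the sort of single point of protection failure the post associates with basic checksumming, so it illustrates the gate and the reporting path rather than a complete defense.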
3. Agility and Portability
The portable device ecosystem, spanning smartphones, tablets and, increasingly, wearable devices, is among the fastest-growing and fastest-evolving. In stark contrast to the PC ecosystem, which is dominated by only a few chipset and operating system (OS) combinations, the portable ecosystem is a nightmare of chipsets, OSs, programming technologies and hardware functionality. Because mobile platforms will continue to evolve at their current breakneck pace, choosing a solid security partner with a history of innovation and keeping pace with ecosystem changes is crucial. Additionally, selecting a security tool that is designed for cross-platform portability and extensibility will go a long way toward ensuring that your ability to reach out to the newest platforms is not hindered in any way.
4. Overhead and Performance Impact
Memory footprint, power consumption and performance are important considerations on portable devices where resources are limited and battery life is precious. Any security technology will impose an additional memory footprint in storage and at runtime. It will also impose process overhead in terms of programming effort, compilation complexity and runtime execution characteristics. That said, more sophisticated application hardening solutions offer a much better trade-off between performance impact and protection strength relative to free or low-cost solutions. For example, brute-force simple obfuscation can quickly cause memory bloat and diminish execution speed, while basic checksumming can adversely impact runtime performance while still retaining single points of protection failure. When apps will be deployed to millions of users, or where transaction volumes are expected to be high, it is crucial that the security solution chosen be as robust and reliable as your own app code. Obfuscating sections of the code that are sensitive to performance degradation, such as computation-intensive functions or graphics rendering routines, has an impact on the runtime performance. It’s paramount to choose a protection solution that offers tunable performance versus security trade-off measures and gives developers better control over the size and performance of the code.
The rise of mobile computing and soaring app usage have companies of every size scrambling to keep up. With customer loyalty and revenues at stake, developers are often rushing to release cutting-edge apps with little thought for long-term security considerations. In these conditions, it is tempting to treat mobile application protection as a checkbox and select the cheapest, most readily downloadable tool to do the job — but buyer beware.
If you take the time to assess the value of your application and the options available, you’ll realize that if you have a high-value app and take the cheap route, you are likely to be penny-wise and pound-foolish.
This blog was authored by Patrick Kehoe, CMO, Arxan -- in collaboration with IBM.