Application Development Isn’t As Secure As You Think

Application Development

The proliferation of mobile devices has created an app-centric global marketplace which is driving innovation, new businesses and business models, and opening up new revenue streams across all industries. Its increasing importance to organisations and consumers means that now more than ever, there needs to be an understanding of the risks and threats facing mobile application development.

In a study of the top applications for iOS and Android, Arxan found that 90% of the top 230 applications had been hacked or tampered with in some way. This could involve circumvented security (such as removing jailbreak detection), unlocked or modified features, free pirated copies of paid versions, ad-removed versions, and applications that had been infected with malware.

Increasingly, the drive to ship the next mobile application is putting considerable pressure on developers to add features rapidly, at the expense of security. That leaves them little or no time to build the protections that preserve an application's integrity: internal controls, and defences against malware insertion and theft of the intellectual property embedded in the code.

Security shouldn’t stifle innovation

App owners need to not only allow developers to keep up with the demand for new features, but also empower them to produce innovative mobile applications that are inherently secure. Mobile devices can’t be fully trusted and therefore security must be incorporated directly into the application.

Even flawlessly coded applications are vulnerable to reverse engineering and code tampering, which let cybercriminals modify an application and insert malicious code. In a separate study, 30 banking applications on the Android market were found to be vulnerable to this type of attack. Once an attacker gets hold of an unprotected application, it can be reversed back to an approximation of its high-level source code, a process called decompilation. For Android applications, which ship as bytecode, this is straightforward and yields readable Java; native iOS binaries decompile less cleanly, but disassembly and decompiler pseudocode are enough to find the logic of interest. Either can be done with freely available tools.

Once an application has been decompiled, it is relatively straightforward to locate and compromise critical logic and data, if you know what you are looking for. As an example, some banking applications contain jailbreak detection, which stops the application from running on a device that has been compromised. Once an attacker has located the jailbreak detection code, no matter how sophisticated its logic, it can usually be defeated by changing a few bytes: the routine typically ends in a single conditional branch or a single returned flag, and inverting that branch or hard-coding that return value is enough. Detection that looks for well-known artefacts is also easy to find in the first place, because the paths it checks sit in the binary as clear-text strings.

Security needs to be built into the process; it is not a one click solution

App owners and developers have a duty of care to their users. To protect their data, developers need to apply "application hardening" techniques from the beginning of the process, so that they become second nature; that is, build into the app the mechanisms that make it self-aware, self-defending and tamper-resistant. Some of these steps include:

  • Code obfuscation – Defend against reverse engineering by transforming program code and its control flow into an unintelligible form
  • Symbol stripping and renaming – Remove unused program symbols from application binaries and change the easy-to-understand symbol names that can't be removed to meaningless ones
  • String encryption – Hide clear-text strings by storing them encrypted in the binary and decrypting them only at the point of use
  • Self-repair – Special logic that erases an attacker's changes to critical code or data by restoring their original values at runtime
  • Alerts – Notify local or remote servers or security management systems when tampering is detected

When applied appropriately, self-defence techniques such as these can make an application highly resilient to attack, even on rooted or jailbroken devices, and let it detect on its own that its state has been modified and take remedial action as needed. Each mechanism is itself a target, however: a checker or reference copy that is easy to find is simply patched along with the check it protects, which is why these techniques are layered and obfuscated together rather than applied singly.
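The byte-patch attack on jailbreak detection described above, together with the string encryption, integrity check, self-repair and alert steps just listed, as one added example in plain C. This is not code from the article or from Arxan's products. The XOR key, the artefact paths, the policy table and the two file-system lists are illustrative assumptions, and the detection is run against a caller-supplied list of paths rather than the real file system, so it runs on any host.

```c
/* Added example (not the article's or Arxan's code): a self-defending jailbreak
 * check in plain C. The key, paths, policy table and file lists are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define STR_KEY 0x33u
#define MAX_PATH 32

/* String encryption: artefact paths stored XOR-ed with STR_KEY, pre-computed as a
 * build step would, so `strings` on the binary shows nothing useful.
 * Clear text, for the reader only: "/bin/bash" and "/Applications/Cydia.app". */
static const uint8_t ENC_PATHS[][MAX_PATH] = {
    { 0x1C, 0x51, 0x5A, 0x5D, 0x1C, 0x51, 0x52, 0x40, 0x5B },
    { 0x1C, 0x72, 0x43, 0x43, 0x5F, 0x5A, 0x50, 0x52, 0x47, 0x5A, 0x5C, 0x5D,
      0x40, 0x1C, 0x70, 0x4A, 0x57, 0x5A, 0x52, 0x1D, 0x52, 0x43, 0x43 },
};
static const size_t ENC_LENS[] = { 9, 23 };
#define N_PATHS (sizeof ENC_LENS / sizeof ENC_LENS[0])

/* Zero a buffer through a volatile pointer so the compiler cannot drop the store. */
static void wipe(void *p, size_t n) { volatile uint8_t *v = p; while (n--) *v++ = 0; }

/* Decrypt path idx into out (NUL-terminated); returns its length, 0 on error. */
size_t decrypt_path(size_t idx, char *out, size_t outlen)
{
    if (idx >= N_PATHS || ENC_LENS[idx] + 1 > outlen) return 0;
    for (size_t i = 0; i < ENC_LENS[idx]; i++) out[i] = (char)(ENC_PATHS[idx][i] ^ STR_KEY);
    out[ENC_LENS[idx]] = '\0';
    return ENC_LENS[idx];
}

/* Decrypt path idx, compare with expect, and wipe the clear text again at once. */
int path_decrypts_to(size_t idx, const char *expect)
{
    char buf[MAX_PATH];
    int eq = decrypt_path(idx, buf, sizeof buf) > 0 && strcmp(buf, expect) == 0;
    wipe(buf, sizeof buf);
    return eq;
}

/* Constructed file-system views standing in for stat()/access() on a real device. */
static const char *const CLEAN_FS[] = { "/usr/lib/libSystem.B.dylib" };
static const char *const JAILBROKEN_FS[] = { "/usr/lib/libSystem.B.dylib", "/bin/bash" };
#define N_CLEAN (sizeof CLEAN_FS / sizeof CLEAN_FS[0])
#define N_JB (sizeof JAILBROKEN_FS / sizeof JAILBROKEN_FS[0])

/* Jailbreak detection: any artefact path present on the device. */
int device_is_jailbroken(const char *const *present, size_t n_present)
{
    for (size_t i = 0; i < N_PATHS; i++)
        for (size_t j = 0; j < n_present; j++)
            if (path_decrypts_to(i, present[j])) return 1;
    return 0;
}

/* Critical data: g_policy.enforce is the byte an attacker flips to 0 so the app
 * ignores the detection result. A reference copy plus a checksum lets the app notice
 * and undo the patch at runtime (real products hide and duplicate these too). */
typedef struct { uint8_t enforce; uint8_t reserved[3]; } policy_t;
static policy_t g_policy = { 1, { 0, 0, 0 } };
static const policy_t g_policy_ref = { 1, { 0, 0, 0 } };
static unsigned g_alerts;

/* 32-bit FNV-1a, a stand-in for the stronger checksums real tools use. */
uint32_t fnv1a32(const void *data, size_t n)
{
    const uint8_t *p = data;
    uint32_t h = 0x811C9DC5u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x01000193u; }
    return h;
}
int policy_integrity_ok(void)
{
    return fnv1a32(&g_policy, sizeof g_policy) == fnv1a32(&g_policy_ref, sizeof g_policy_ref);
}
unsigned alerts_raised(void) { return g_alerts; }

/* Self-repair plus alert: restore the original bytes and report the tampering.
 * Returns 1 if a repair was made, 0 if the data was intact. */
int self_repair_policy(void)
{
    if (policy_integrity_ok()) return 0;
    memcpy(&g_policy, &g_policy_ref, sizeof g_policy);
    g_alerts++;   /* a real app would also report to a risk or management server */
    fprintf(stderr, "tamper alert: policy table modified, restored from reference\n");
    return 1;
}

/* Gate called at startup and before sensitive operations: heal first, then decide. */
int app_may_run(const char *const *present, size_t n_present)
{
    self_repair_policy();
    return !(g_policy.enforce && device_is_jailbroken(present, n_present));
}

/* Models the attacker's edit: a single byte of the policy data flipped. */
void simulate_byte_patch(void) { ((uint8_t *)&g_policy)[0] = 0; }

int main(void)
{
    printf("jailbroken device: %s\n", app_may_run(JAILBROKEN_FS, N_JB) ? "allowed" : "refused");
    simulate_byte_patch();
    printf("after byte patch: integrity %s, ", policy_integrity_ok() ? "ok" : "MODIFIED");
    printf("run %s, alerts %u\n", app_may_run(JAILBROKEN_FS, N_JB) ? "allowed" : "refused", alerts_raised());
    printf("clean device: %s\n", app_may_run(CLEAN_FS, N_CLEAN) ? "allowed" : "refused");
    return 0;
}
```

Build with `cc -std=c99 -Wall hardening.c && ./a.out`. Two design points carry over to real deployments: the artefact paths only exist in clear text for the duration of one comparison and are wiped through a volatile pointer so the compiler cannot optimise the wipe away, and the integrity check compares a checksum of the live data against a checksum of a separately stored reference rather than against a value computed at startup, so a patch applied to the binary before launch is still caught. What the example does not do, and the text's list also cannot do on its own, is protect the checker and the reference copy from being patched next; that is where code obfuscation and redundant, interlocking checks come in.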

Currently most threats are aimed at the individual, but as smartphone usage continues to grow, it is only a matter of time before a mobile application is used as a pivot point into a corporate network. Mobile developers must proactively include application integrity protection as an essential component of their risk mitigation strategies. Application integrity practices should of course complement other well-established application security practices such as secure coding.

Michael Dager

Michael Dager joined Arxan as Chief Executive Officer in May 2006. Michael has over 27 years of experience in senior level positions at leading technology companies. He came to Arxan from Worksoft, a leading provider of automated enterprise testing solutions, where he served as CEO and Chairman of the Board. Prior to Worksoft, he was president and CEO of OSE Systems, growing the company from a startup in 1997 to the number two embedded operating system supplier in 2001 with a stock market valuation of over $1 billion. Before OSE Systems, Michael held senior sales management positions at Pure Software (RATL) for many years helping raise the market valuation of the company from start-up level to over $1 billion. During his tenure at Pure the company completed one of the most successful IPOs of 1995. The company was later acquired by Rational Software. He began his career at Texas Instruments in the semiconductor division after earning a degree in electrical engineering from the University of Michigan at Ann Arbor.
