
Saturday, 23 January 2016 / Posted by Michael Schranz

PROTECT YOUR APPLICATIONS' GUTS

Software protection is a topic that is becoming increasingly important, especially since the emergence of ubiquitous and mobile computing. Furthermore, because mobile applications are in effect becoming a means of deploying business operations, companies' business models are more exposed to outsiders' attacks.

SECURE SOFTWARE DEVELOPMENT AND BEYOND

We live in a personalized mobile world. Enterprises that are adapting to today's "app economy" are very successful at improving customer engagement (an example of the business operations mentioned above) and driving new business in this fast-changing and dynamic world. Where business opportunities abound, "black hats" find opportunities as well. Reverse-engineering an application is a customary step for any illegal modification or sharing of software; the aim is to understand the inner workings of the application, for example in order to bypass and disable embedded security mechanisms, or simply to understand "how it is done" and steal intellectual property.

APP HACKING IS QUITE EASY

The initial compromise takes "just a couple of minutes" to complete. Automated tools that support reverse engineering are readily available online. In comparison to Web environments, mobile applications live in a distributed, fragmented and mostly unregulated ecosystem. Unprotected binary code in mobile apps can be directly accessed, examined, modified and exploited by attackers.

WHAT CAN HAPPEN TO YOUR APPS AND DATA

HOW TO SECURE YOUR SOFTWARE

Securing a software application does not consist of just cryptographically protecting the network communications or performing a pen test one week before shipping. It is a long process that needs to start as soon as, or even before, the actual development begins. Professor Pascal Junod pointed out the important steps that one has to care about during a typical software development lifecycle in order to ensure an acceptable level of security. Additionally, he described technical solutions able to protect an application from today's threats.

Software vulnerability has been increasing for the last couple of decades, driven further by the emergence of mobile applications. The "trinity of trouble", consisting of complexity, connectivity and extensibility, illustrates the security problems resulting from the current evolution. The more complex software becomes, the harder it is to secure it; in particular, communication and integration with other software and tools opens up new possible vulnerabilities. Due to these factors, there is now an increasingly pressing need for good application security, which has to be a priority from the beginning of the development process. A good practice is to nominate one person in a team as a security advisor. That person need not be a particularly technical one; what matters most is that someone treats security as a priority and brings it up when relevant decisions are made.

THE MAN AT THE END

So let's assume you have developed a good piece of software and security has been a priority from day one. You have done countless code reviews, pen tests, every possible measure. Then your software gets hacked. Why? Secure software attracts more skilled hackers; they see it as a challenge to seek out even the smallest breaches in your code. To make this harder, you can use multiple techniques which greatly increase the effort needed to find and exploit vulnerabilities:

Prevent debugging of your software

Loading your software into a debugging environment is the first go-to method for most attackers. With some tricks you can detect when the application is running in such an environment, and thus prevent the attacker from finding vulnerabilities through debugging.

Code obfuscation

Code obfuscation complicates the internal structure of your software, that is, the control flow that defines the application's execution logic. Instead of a fairly straightforward, typically linear program execution structure, obfuscated code scrambles the entire program sequence, forcing the execution flow to hop around incessantly, in effect hiding what your app is really doing. Yet the application's behavior in the eyes of the legitimate user remains unchanged, so the obfuscation is transparent to them. To the hacker, however, this protective step makes it harder to understand how the application's behavior is realized by your software, which critically hinders potential attacks.

Tamper-proofing

Using several techniques, such as self-checking code, tamper-proofing validates the integrity of your software at runtime, i.e. it verifies that no part of the code has incurred even the slightest change. As a result, attacks such as bit-flipping become harder to perform, for example flipping a bit to invalidate a security measure (certificate, license, etc.) or any test (e.g. if or while statements) performed by the code.
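As an added illustration of the two runtime checks described above (debugger detection and self-checking code), not code from the talk or from this post: a minimal version of what a native library might do on Linux. The 8-byte "code region" and the /proc status text are constructed samples; a real build would checksum its own code section and store the expected value at build time.

```c
/* Added example, not from the talk or the post: "detect debugging" and
 * "self-checking code" as a native library might implement them on Linux.
 * The code region and /proc text used here are constructed samples. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* 64-bit FNV-1a over a memory region: the self-checking primitive. Every
 * step is a bijection, so any single-byte change alters the result. */
uint64_t checksum_region(const unsigned char *p, size_t n) {
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x100000001b3ULL; }
    return h;
}

/* Tamper check: 1 if the region still matches the build-time checksum. */
int region_intact(const unsigned char *p, size_t n, uint64_t expected) {
    return checksum_region(p, n) == expected;
}

/* Parse the TracerPid field out of /proc/<pid>/status text; -1 if absent. */
long tracer_pid_from_status(const char *status_text) {
    const char *key = strstr(status_text, "TracerPid:");
    return key ? strtol(key + strlen("TracerPid:"), NULL, 10) : -1;
}

/* Anti-debugging check: nonzero TracerPid means a tracer (e.g. gdb, lldb)
 * is attached. Returns 1 if attached, 0 if not, -1 if undeterminable. */
int debugger_attached(void) {
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    long pid = tracer_pid_from_status(buf);
    return pid < 0 ? -1 : (pid != 0);
}

/* Demo: constructed region, checksummed, then altered by one bit flip (the
 * kind of patch the text describes). Returns 1 if the flip is detected. */
int tamper_demo(void) {
    unsigned char region[] = {0x55, 0x48, 0x89, 0xe5, 0x31, 0xc0, 0x5d, 0xc3};
    uint64_t expected = checksum_region(region, sizeof region);
    int before = region_intact(region, sizeof region, expected);
    region[5] ^= 0x01;
    int after = region_intact(region, sizeof region, expected);
    return before == 1 && after == 0;
}

int main(void) {
    printf("tamper detected: %d\n", tamper_demo());
    printf("debugger attached: %d\n", debugger_attached());
    return 0;
}
```

In a shipped binary the expected checksum and the check itself would be among the things an obfuscator hides, since a check that is easy to find is also easy to remove.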

Watermarking – Identify your attackers

By integrating a unique element into your software for each one of your customers, you can identify where illegally distributed code came from – and take the steps necessary to prevent it.

PROTECTING YOUR APP DOESN'T HAVE TO BE HARD

Integrating those techniques can greatly increase your app's security, as long as there is no other weak link in the chain. To find out more about integrating debug prevention, code obfuscation, tamper-proofing and watermarking into your apps, we recommend checking out strong.codes, a company offering both open-source and closed-source security tools that can be easily integrated into your development process.

WATCH THE TALK

Find the full-length presentation on the subject which Prof. Junod kindly gave at Apps with love HQ:

Literature tip: Collberg, Nagra: "Surreptitious Software" - Addison-Wesley, 2009

Michael Schranz

Business Development

Here, superhuman marketing and business know-how is bundled in one person. Two green thumbs and a past as a bricklayer make him a survivor of the fittest. But beware: he has mastered not only the art of speed pitching and public speaking, but also that of the filibuster.
