Saturday, 23. January 2016 / posted by Michael Schranz

PROTECT YOUR APPLICATIONS' GUTS

Software protection is a topic that is becoming increasingly important, especially since the emergence of ubiquitous and mobile computing. Furthermore, because mobile applications are in effect becoming a means of deploying business operations, companies' business models are more exposed to outsiders' attacks.

SECURE SOFTWARE DEVELOPMENT AND BEYOND

We live in a personalized mobile world. Enterprises that are adapting to today's "app economy" are very successful at improving customer engagement (an example of the business operations mentioned above) and driving new business in this fast-changing and dynamic world. Where many business opportunities exist, "black hats" will find opportunities as well. Reverse-engineering an application is a customary step in any illegal modification or sharing of software: the aim is to understand the inner workings of the application, for example in order to bypass and disable embedded security mechanisms, or simply to understand "how it is done" and steal intellectual property.

APP HACKING IS QUITE EASY

The initial compromise takes "just a couple of minutes" to complete. Automated tools that support reverse engineering are readily available on-line. In comparison to Web environments, mobile applications live in a distributed, fragmented and mostly unregulated ecosystem. Unprotected binary code in mobile apps can be directly accessed, examined, modified and exploited by hackers.

WHAT CAN HAPPEN TO YOUR APPS AND DATA

HOW TO SECURE YOUR SOFTWARE

Securing a software application does not consist in just cryptographically protecting the network communications or performing a pen-test one week before shipping. It is a long process that needs to be started as soon as or even before the actual development begins. Professor Pascal Junod pointed out the important steps that one has to care about during a typical software development lifecycle in order to ensure an acceptable level of security. Additionally, he described technical solutions able to protect an application from today’s threats.

Software vulnerability has been increasing for the last couple of decades, and the emergence of mobile applications has accelerated this. The "trinity of trouble", consisting of complexity, connectivity and extensibility, illustrates the security problems resulting from the current evolution. The more complex software becomes, the harder it is to secure it; in particular, communication and integration with other software and tools opens up new possible vulnerabilities. Due to these factors, there is now a growing need for good application security, which has to be a priority from the beginning of the development process. A good practice is to nominate one person in a team as a security advisor. That person need not be a particularly technical one; what matters most is that someone treats security as a priority and brings it up when relevant decisions are made.

THE MAN AT THE END

So let's assume you have developed a good piece of software and security has been a priority from day one. You have done countless code reviews, pen tests, every possible measure. Then your software gets hacked. Why? Secure software attracts more skilled hackers; they see it as a challenge to seek out even the smallest breaches in your code. To make this less likely, you can use multiple techniques which greatly increase the effort needed to find and exploit vulnerabilities:

Prevent debugging of your software

Loading your software in a debugging environment is the first go-to method for most attackers. With some tricks you can detect when the application is running in such an environment, and thus prevent the attacker from finding vulnerabilities through debugging.
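One of the "tricks" mentioned above, as an added example that is not from the post or the talk: on Linux (and therefore on Android), a process that is being traced by a debugger shows a non-zero TracerPid in /proc/self/status. The parser is separated from the file access so that it can be exercised on constructed input; the status text in the comments is constructed, not captured from a real process.

```c
/* Added example: detect an attached debugger on Linux by reading the
 * TracerPid field of /proc/self/status. A non-zero value means another
 * process has ptrace()-attached to us, which is what most debuggers do. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse the TracerPid value out of the text of /proc/self/status.
 * Returns the tracing pid, 0 when nothing is attached, or -1 if the field
 * is missing (e.g. constructed text "Name:\tapp\nTracerPid:\t0\n" gives 0). */
long parse_tracer_pid(const char *status_text)
{
    const char *p = strstr(status_text, "TracerPid:");
    if (p == NULL)
        return -1;
    p += strlen("TracerPid:");
    while (*p == ' ' || *p == '\t')
        p++;
    return strtol(p, NULL, 10);
}

/* Read /proc/self/status and report whether a tracer is attached.
 * Returns 1 if traced, 0 if not, -1 if the file cannot be read
 * (non-Linux platforms or a restricted sandbox). */
int is_being_debugged(void)
{
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (f == NULL)
        return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    long tracer = parse_tracer_pid(buf);
    if (tracer < 0)
        return -1;
    return tracer > 0 ? 1 : 0;
}

int main(void)
{
    int r = is_being_debugged();
    if (r < 0)
        puts("status unavailable on this platform");
    else
        puts(r ? "debugger attached" : "no debugger attached");
    return 0;
}
```

A single check like this is easy to locate and patch out, which is why commercial protectors scatter many such checks through the code, vary the detection method (timing, breakpoint-instruction scanning, ptrace self-attach) and tie the result to later computations instead of a simple exit.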

Code obfuscation

Code obfuscation complicates the internal structure of your software, i.e. the control flow that defines the application's execution logic. Instead of a fairly straightforward, typically linear program structure, obfuscated code scrambles the entire program sequence, forcing the execution flow to hop around incessantly and thereby hiding what your app is really doing. The application's behavior in the eyes of the legitimate user remains unchanged, so the obfuscation is transparent to them. To the hacker, however, this protective step makes it much harder to understand how the application's behavior is realized by your software, which critically hinders potential attacks.
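To make the "hopping around" concrete, here is an added example (my own code, not from the post or from any obfuscation tool) of control-flow flattening, one of the standard obfuscating transformations. The function checks a hypothetical, constructed license-key rule: the key must be exactly eight digits and the sum of its digits modulo 7 must be 3. The clear version has a loop and early returns that a disassembler recovers immediately; the flattened version computes the same thing through a dispatcher loop over numbered blocks, so the original structure is no longer visible in the control-flow graph.

```c
/* Added example: control-flow flattening of a constructed key check.
 * Both functions return 1 for a valid key and 0 otherwise. */
#include <string.h>

/* Clear version: the natural structure, a length check and a digit loop. */
int check_key_clear(const char *key)
{
    if (strlen(key) != 8)
        return 0;
    int sum = 0;
    for (int i = 0; i < 8; i++) {
        if (key[i] < '0' || key[i] > '9')
            return 0;
        sum += key[i] - '0';
    }
    return (sum % 7) == 3;
}

/* Flattened version: every basic block becomes a case of one switch, and
 * a state variable decides which block runs next. Real tools also shuffle
 * the block numbers and hide the state updates behind opaque arithmetic. */
int check_key_flat(const char *key)
{
    int state = 0;               /* which block runs next */
    int i = 0, sum = 0, result = 0;
    for (;;) {
        switch (state) {
        case 0:  state = (strlen(key) == 8) ? 1 : 5; break;        /* length check */
        case 1:  state = (i < 8) ? 2 : 4; break;                   /* loop header */
        case 2:  state = (key[i] < '0' || key[i] > '9') ? 5 : 3; break; /* digit test */
        case 3:  sum += key[i] - '0'; i++; state = 1; break;       /* loop body */
        case 4:  result = (sum % 7) == 3; state = 6; break;        /* final test */
        case 5:  result = 0; state = 6; break;                     /* reject */
        default: return result;                                    /* exit block */
        }
    }
}

/* Exercise both versions on a set of constructed keys and report whether
 * they agree on every one (1 = agree, 0 = some mismatch). */
int flattening_preserves_behavior(void)
{
    const char *keys[] = { "10000002", "00000003", "12345678", "0000000a", "0000003", "" };
    for (size_t k = 0; k < sizeof keys / sizeof keys[0]; k++)
        if (check_key_clear(keys[k]) != check_key_flat(keys[k]))
            return 0;
    return 1;
}
```

The flattened code still runs in the same order, so the behavior is identical; what an attacker loses is the ability to read the algorithm off the graph of branches, and with randomized block numbers and dummy blocks the dispatcher cannot be unrolled by inspection.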

Tamper-proofing

Using several techniques, such as self-checking code, the protection known as code tamper-proofing validates the integrity of your software at runtime, i.e. verifies that no part of the code has incurred even the slightest change. As a result, attacks such as bit-flipping become harder to perform, for example flipping a bit to invalidate a security measure (certificate, license, etc.) or to reverse a test (e.g. an if or while condition) performed by the code.
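An added example of the self-checking guard the paragraph describes (my own code, not from the post or the talk). A real guard hashes the machine code of a function at runtime and compares it to a value fixed when the binary was built; because reading a live function's bytes portably is compiler-specific, this example guards a constructed byte array that stands in for a code region. The hash (FNV-1a, a real non-cryptographic hash) and the comparison are the same as in a real guard, and the demo shows that a single flipped bit is detected.

```c
/* Added example: integrity guard over a constructed "code region".
 * Returns from guard_verify() are 1 = intact, 0 = tampered. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* 32-bit FNV-1a: fast, easy to inline many times across a binary. Not a
 * cryptographic hash; guards rely on being hidden and numerous, not on
 * the hash being unforgeable. */
uint32_t fnv1a(const uint8_t *data, size_t len)
{
    uint32_t h = 0x811c9dc5u;
    for (size_t i = 0; i < len; i++) {
        h ^= data[i];
        h *= 0x01000193u;
    }
    return h;
}

typedef struct {
    uint8_t  code[16];       /* stand-in for the protected code bytes */
    uint32_t expected_hash;  /* would be patched in at build time */
} guarded_region;

/* "Build time": copy the region and record the hash the guard will expect. */
void guard_init(guarded_region *r, const uint8_t *code, size_t len)
{
    memset(r->code, 0, sizeof r->code);
    memcpy(r->code, code, len < sizeof r->code ? len : sizeof r->code);
    r->expected_hash = fnv1a(r->code, sizeof r->code);
}

/* "Run time": recompute and compare. */
int guard_verify(const guarded_region *r)
{
    return fnv1a(r->code, sizeof r->code) == r->expected_hash;
}

/* Demonstrate that a single-bit change is caught: verify an intact region,
 * flip one bit (as a patched conditional jump would), verify again.
 * Returns 1 if the guard behaved correctly in both states. */
int demo_single_bit_flip(void)
{
    /* Constructed bytes; they are not real machine code. */
    static const uint8_t fake_code[16] = {
        0x55, 0x48, 0x89, 0xe5, 0x83, 0x7d, 0xfc, 0x00,
        0x74, 0x07, 0xb8, 0x01, 0x00, 0x00, 0x00, 0xc3
    };
    guarded_region r;
    guard_init(&r, fake_code, sizeof fake_code);
    int before = guard_verify(&r);
    r.code[8] ^= 0x01;           /* one bit flipped in the region */
    int after = guard_verify(&r);
    return before == 1 && after == 0;
}
```

In a deployed scheme the expected value is not stored next to the guard in the clear, guards check each other so that removing one breaks another, and the result feeds into later computation rather than a visible branch; otherwise the guard itself is the easiest thing to patch.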

Watermarking – Identify your attackers

By integrating a unique element into your software for each one of your customers, you can identify where illegally distributed code came from – and take the steps necessary to prevent it.

PROTECTING YOUR APP DOESN'T HAVE TO BE HARD

Integrating those techniques can greatly increase your app's security – as long as there is no other weak link in the chain. To find out more about integrating debug prevention, code obfuscation, tamper-proofing and watermarking into your apps, we recommend checking out strong.codes, a company that offers both open-source and closed-source security tools that can be easily integrated into your development process.

WATCH THE TALK

Find the full-length presentation on the subject which Prof. Junod kindly gave at Apps with love HQ:

Literature tip: Collberg, Nagra: "Surreptitious Software" - Addison-Wesley, 2009

Michael Schranz

Head of Business Development

Superhuman marketing and business know-how bundled in one person. Two green thumbs and a past as a bricklayer make him a survivor of the fittest. But beware: he has mastered not only the art of speed pitching and public speaking, but also that of the filibuster.