How Secure Is Your Mobile App?
Adam Creamer
What will we talk about today?
Mobile applications are the furthest endpoint in your arsenal of software used to provide a service to your clients. Unlike some software components that are relied upon to ensure effective and secure business operations, mobile applications are available, in their entirety, to anyone with a connected device. While this provides massive distribution potential and business opportunity, it also gives attackers ample opportunity to download, decompile, and find ways to maliciously exploit the application. The best way to address this conundrum is to release applications that are well protected by a robust security solution that isn’t trivial to bypass.
A compiler-based security approach, which embeds multi-layered static and dynamic protections into the mobile application, provides the path to a robust mobile app security solution. Such an approach adds protections that are not merely applied to the periphery of the application; instead, they are ingrained in the application, creating complex barriers that are difficult for even the most skilled and determined attackers. Security features such as obfuscation and encryption transform how the code reads when the application is statically decompiled, presenting a potential attacker with a puzzle instead of a clear picture of the inner workings of the application’s logic. Runtime Application Self-Protection (RASP) changes how the application acts when dynamic threats are detected, for example by crashing the app when the device is identified as rooted, when functions are hooked, or when the app has been modified. The proverbial “cherry on top” comes if the protections are applied in a polymorphic manner. This means each released version implements the mobile application protections differently, effectively “resetting the clock” on would-be attackers so they need to start their reverse engineering from scratch again.
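To make the three RASP triggers above concrete, here is an added Android example (not Guardsquare's product code, which is compiler-injected and obfuscated rather than hand-written like this): one check per trigger, assuming Android API 28+ for the signing-certificate API and a build-time constant `expectedSha256Hex` (a hypothetical placeholder) holding the SHA-256 of the release signing certificate.

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Build;
import java.io.BufferedReader;
import java.io.File;
import java.io.FileReader;
import java.io.IOException;
import java.security.MessageDigest;
public final class RuntimeIntegrityChecks {
    /** "App modified": true when the APK's single signing certificate matches the SHA-256 the build expects. */
    public static boolean isSignatureTrusted(Context ctx, String expectedSha256Hex) {
        try {
            PackageInfo info = ctx.getPackageManager().getPackageInfo(
                    ctx.getPackageName(), PackageManager.GET_SIGNING_CERTIFICATES); // API 28+
            Signature[] signers = info.signingInfo.getApkContentsSigners();
            if (signers == null || signers.length != 1) return false;   // re-signed or multi-signed APK
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(signers[0].toByteArray());
            StringBuilder hex = new StringBuilder();
            for (byte b : digest) hex.append(String.format("%02x", b));
            return hex.toString().equalsIgnoreCase(expectedSha256Hex);
        } catch (Exception e) {                                            // any failure counts as untrusted
            return false;
        }
    }
    /** "Device rooted": cheap heuristics, a test-keys build or an su binary on well-known paths. */
    public static boolean isDeviceLikelyRooted() {
        if (Build.TAGS != null && Build.TAGS.contains("test-keys")) return true;
        String[] suPaths = {"/system/bin/su", "/system/xbin/su", "/sbin/su", "/su/bin/su"};
        for (String p : suPaths) if (new File(p).exists()) return true;
        return false;
    }
    /** "Functions hooked": known instrumentation libraries mapped into this process. */
    public static boolean hasHookingFramework() {
        try (BufferedReader r = new BufferedReader(new FileReader("/proc/self/maps"))) {
            String line;
            while ((line = r.readLine()) != null) {
                String l = line.toLowerCase();
                if (l.contains("frida") || l.contains("xposed") || l.contains("substrate")) return true;
            }
        } catch (IOException ignored) { }                                   // unreadable maps: no verdict
        return false;
    }
    /** Combined verdict; the reaction (the page's example is crashing the app) is the caller's policy. */
    public static boolean anyThreatDetected(Context ctx, String expectedSha256Hex) {
        return !isSignatureTrusted(ctx, expectedSha256Hex) || isDeviceLikelyRooted() || hasHookingFramework();
    }
}
```

Hand-written checks like these are themselves easy to locate and patch out, which is exactly why the article argues for injecting them at compile time, obfuscating them, and varying their placement per release.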
It would be difficult to effectively argue against the resiliency of embedding protections into a mobile application; however, altering a mobile application in any way is likely to raise developer and QA eyebrows, and for good reason: security features simply aren’t realistic if the application doesn’t remain functional and performant. To be more explicit, the goal is to secure an application as aggressively as possible without unacceptable side effects. Discovering this boundary can be greatly aided by your testing capabilities.
This brings us to Kobiton. Testing within Kobiton’s platform offers your team a wide range of device types and operating systems along with performance benchmarking and automation. This multi-device and multi-OS testing approach has proven to be invaluable. After protections are applied, utilizing these services enables you to quickly test the protected application in a comprehensive manner, analyze the results and, if needed, adjust the security in order to strike the optimal balance between security and application behavior.
Within the software development lifecycle of your mobile applications, testing and security are unavoidable components of success. They don’t need to be treated as mutually exclusive tasks nor does the boundary between secure, functional and performant need to be viewed as a utopia.
About Kobiton
Kobiton is simple to use, easy to access remotely and has flexible deployment options to meet your test team’s needs. With auto-generated, centralized test data, Kobiton makes mobile testing on real devices faster and more collaborative, helping teams identify and resolve errors sooner for quicker time to market and reduced app abandonment. Learn more at kobiton.com.
About Guardsquare
Guardsquare offers the most complete approach to mobile application security on the market. Built on the open source ProGuard technology, Guardsquare’s software integrates seamlessly across the development cycle. From mobile application security testing to code hardening to real-time visibility into the threat landscape, Guardsquare solutions provide enhanced mobile application security from early in the development process through publication.