At Guardsquare, we routinely get questions from new and potential customers about the merits of building mobile app security from scratch. On the surface, building code hardening and other protections yourself may seem like a viable exercise and even an interesting engineering challenge.
But some of those challenges may exceed your dev team’s capabilities, and your organization’s budget. In this post, we’ll discuss the challenges of implementing your own mobile app security from scratch, and why using a purpose-built mobile application security solution could be a better and more cost-effective approach.
Implementing your own application hardening measures requires upfront and ongoing costs, and may not be as effective as specialized mobile security solutions. Here’s why.
Implementing mobile app security from scratch may seem cheaper, but in the long run, the time and effort can be better spent elsewhere. Consider, for example, the effort that would be required by at least one skilled software engineer (FTE) to research, design, build, and maintain application hardening measures. That’s an enormous opportunity cost of having your skilled engineers working on something that isn’t directly generating value for your end-user or customer.
Along with the real and potential opportunity costs for building security from scratch, many organizations lack the knowledge and expertise necessary for comprehensive security. Rather than requiring development teams to get up-to-speed with security, they can focus on the company’s core competencies and leave application hardening to security experts.
A commercial mobile app security solution like DexGuard or iXGuard generally costs less than one skilled full-time engineer, and far less than a small team. The DIY approach forces development teams to trade off speed against security, whereas a purpose-built security solution enables both at the same time. Moreover, an off-the-shelf security solution can be implemented within weeks, whereas a DIY effort could take months to make an impact on application security.
Beyond the upfront cost of implementing mobile app security from scratch, there are also maintenance concerns. Security is never a one-off solution; it requires constant upgrades to stay ahead of malicious actors. Maintenance for mobile app security requires two very specific areas of attention:
It’s difficult for one engineer, or even a small in-house team, to keep up with an evolving threat landscape on their own. The ongoing maintenance will therefore quickly become a significant burden on your development team’s backlog and may never keep pace with the threats your apps are facing. A reliable mobile app security provider, however, keeps its finger on the pulse of mobile threats and can be more agile in shipping the updates the industry needs.
The final consideration is around the robustness of the mobile app security implementation itself. Simple obfuscation may seem straightforward, but in our experience, a more sophisticated solution is required.
This is because application hardening not only needs to be applied to the different aspects of your application, it also needs to exhibit polymorphic behavior. For protection against static analysis, this ensures each release introduces enough randomness that it cannot be undermined by repeated analysis. Once malicious actors have reverse engineered an app, they understand its inner workings and can more easily stage attacks; polymorphism resets the clock with each new build.
Protecting against dynamic analysis, however, imposes even more sophisticated and ever-changing requirements. It’s easy to focus on one aspect of application protection when you’re rolling your own mobile app security, but that often means your team is overlooking other threat models. New tools and techniques for dynamic analysis attacks are always being discovered, introducing new threats that can strain development resources under a DIY approach.
Robust application protection relies on a defense-in-depth strategy, with layers of protection that work together to create a resilient and hardened solution. A reliable mobile security solution provider would have a dedicated team of security researchers that can identify these threats as they emerge and ensure their solution adapts to these new tools and techniques.
In short, many people overlook just how difficult it is to develop a robust security mechanism that can withstand the resourcefulness of motivated attackers. That’s why standing on the shoulders of giants, or trusted experts who dedicate their careers and livelihoods to building, maintaining, and researching a solution for protecting your application, is going to yield a much better outcome, and likely a better ROI for your business.