April 1, 2024

    Resetting the Clock with Compiler-Based Tools in Mobile AppSec

    Consider this: you are a developer of apps that offer paid features, advertising, or functionalities susceptible to modification or bypassing. The threat of such apps being targeted by the app modding community looms large. These altered apps often surface on unofficial app stores or modding websites, bypassing app monetization or switching off ads.

    Preventing unauthorized modifications of your app is crucial for your organization to protect IP and safeguard end users from potentially harmful versions. This not only protects your brand reputation but also preserves the value of your legitimate app by thwarting attempts to damage its integrity through unauthorized alterations.

    The threat doesn’t stop there. If you are an app publisher from the finance sector, your unprotected app might be susceptible to cloning, and users who happen to install this cloned version of your app stand a substantial risk of being exposed to fraudulent activities endangering their personal information.

    These are only a few examples of the myriad of issues an unprotected app is likely to face. Data from Guardsquare’s real-time threat monitoring tool, ThreatCast, shows that nearly half of all Android and iOS apps fall victim to hooking along with other types of attacks, with over half of these incidents occurring within the first week of an app's release. Once released, any app is a likely target for malicious actors, often as soon as a new version ships.

    An effective mobile app security strategy encompasses protective measures featuring multiple layers of polymorphic defense, along with runtime application self-protection (RASP) capabilities.

    In this blog, we evaluate mobile application protection through the lens of polymorphism.

    Understanding polymorphism and its significance in mobile app security

    By implementing constantly evolving mobile app security measures, app publishers can effectively reset the timeline for malicious actors, compelling them to restart their attack efforts with every release. This concept is referred to as "resetting the clock," embodying the philosophy of polymorphism.

    Polymorphism stands as a formidable barrier against persistent attackers by resetting the proverbial clock. With each new build, a fresh code hardening profile is introduced, effectively erasing the attacker's accumulated knowledge. Despite attackers using tools like debuggers, decompilers, and runtime code analyzers, which enable them to dissect even the most intricate apps over time, polymorphism emerges as a tactical element in advanced protection tools to counter this threat. By altering the code protection mechanisms with each iteration, polymorphism ensures that any prior understanding of the app and its defenses becomes obsolete upon release.

    Moreover, this strategy ensures that no shared code base or common SDK exists among apps. Consequently, any insights gained from compromising one app cannot be leveraged to compromise another, even if they employ the same protection solution.

    Automatic resetting of the clock for both static and dynamic attacks

    Polymorphism is effective against both static and dynamic attack attempts. In static attacks, where malicious actors attempt to decipher the app's code through decompilation tools, polymorphism constantly alters code hardening techniques like obfuscation and encryption with each build. This makes the malicious actors' efforts progressively more expensive, to the point of being unrealistic, as they must repeatedly adapt to new configurations, hindering their ability to build up an understanding of the application's structure and behavior over time.

    In dynamic attacks, app publishers employ runtime application self-protection (RASP) to detect and respond to tampering in real time. However, malicious actors can pinpoint these defense mechanisms within the application and attempt to circumvent them. Polymorphism addresses this challenge by injecting RASP checks automatically into varied locations with each build, making it exceedingly difficult for attackers to evade detection. This proactive approach not only mitigates dynamic analysis attempts such as debugger attachment or hooking but also enhances security through real-time threat monitoring tools like ThreatCast, providing ongoing visibility into potential security breaches.

    Polymorphism made possible with compiler-based mobile app security tools

    Compiler-based mobile app security tools possess the inherent capability to regenerate your entire application code, offering a unique opportunity to interlace the security controls with it. With minimal configuration, the inserted controls are randomized in semantics, location, and structure from one build to the next.

    This characteristic facilitates two essential elements of mobile app security:

    1. The principle of "resetting the clock," compelling attackers to start anew with each app and version. It is the unpredictability that forces attackers to restart every time.
    2. Creating a large, uniformly obfuscated "haystack," which complicates the identification of specific security controls.
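    To make the per-build randomization concrete, here is a toy Python sketch of a protection pass. It is an added illustration, not Guardsquare code and not how DexGuard or iXGuard are implemented. It derives a seed from a build identifier and a secret held by the build pipeline, then uses that seed to pick string-encoding keys, identifier names, and the positions where runtime checks are inserted, so that a recipe recorded against one build does not carry over to the next. The sample program, strings, function names and `MASTER_SECRET` are constructed for the example.

```python
import hashlib
import random

# Constructed sample input: basic blocks of one function and the string
# literals it uses. Names are hypothetical; nothing here is real app code.
SAMPLE_PROGRAM = ["entry", "load_config", "check_license", "render_ui", "billing", "exit"]
SAMPLE_STRINGS = ["premium_unlocked", "ads_enabled", "https://api.example.invalid/verify"]
# Assumption: held only by the build pipeline, never shipped in the artifact.
MASTER_SECRET = b"constructed-secret-kept-out-of-the-build"


def build_seed(build_id: str, master_secret: bytes) -> int:
    """Derive a deterministic but unpredictable seed for one build.

    Same build_id + secret -> same seed (reproducible builds); any other
    build_id -> an unrelated seed, so nothing carries over between releases.
    """
    digest = hashlib.sha256(master_secret + build_id.encode()).digest()
    return int.from_bytes(digest[:8], "big")


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Toy stand-in for string encryption; real tools use stronger schemes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def protect(program, strings, build_id, master_secret=MASTER_SECRET, n_checks=2):
    """Apply one 'polymorphic' build: every choice below depends on the seed."""
    rng = random.Random(build_seed(build_id, master_secret))

    # 1. Per-build string-encoding key: values recovered from an old build are useless.
    key = bytes(rng.getrandbits(8) for _ in range(16))
    encoded = {s: xor_bytes(s.encode(), key) for s in strings}

    # 2. Per-build identifier renaming: uniform names form the "haystack".
    names = {block: f"f_{rng.getrandbits(32):08x}" for block in program}

    # 3. Per-build placement of runtime (RASP-style) checks between blocks.
    candidate_slots = list(range(1, len(program)))  # never before 'entry'
    check_slots = set(rng.sample(candidate_slots, n_checks))

    layout = []
    for index, block in enumerate(program):
        if index in check_slots:
            layout.append(f"rasp_check_{rng.getrandbits(16):04x}")
        layout.append(names[block])

    return {"key": key, "strings": encoded, "layout": layout,
            "check_slots": sorted(check_slots)}


def decode_strings(build):
    """The protected app must still see its original strings at runtime."""
    return sorted(xor_bytes(blob, build["key"]).decode() for blob in build["strings"].values())


def notes_still_apply(notes, build):
    """Would a bypass recipe recorded from one build (key + check slots) work on another?"""
    return notes["key"] == build["key"] and notes["check_slots"] == build["check_slots"]


if __name__ == "__main__":
    a = protect(SAMPLE_PROGRAM, SAMPLE_STRINGS, "1.0.0")
    b = protect(SAMPLE_PROGRAM, SAMPLE_STRINGS, "1.0.1")
    print("build 1.0.0 layout:", a["layout"])
    print("build 1.0.1 layout:", b["layout"])
    print("recipe from 1.0.0 applies to 1.0.1?", notes_still_apply(a, b))
```

    Two design points matter even in the toy: the seed is derived from a secret so that an attacker cannot predict the next build's layout from the build number alone, and the derivation is deterministic so that a release can be rebuilt bit-for-bit and its renaming map kept alongside it, which is what lets crash reports and threat reports from the field be mapped back to source names.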

    Unlock polymorphism with Guardsquare

    Polymorphism stands as a cornerstone in the Guardsquare security framework. Despite the initial effectiveness of code transformations and security checks within an application, they are susceptible to discovery, reverse engineering, and subsequent bypassing by determined attackers with time.

    Once malicious actors decipher the obfuscated values and locate security checks, attacking subsequent versions of the protected application becomes considerably easier. The key to maintaining a favorable balance between defense and attack costs lies in continuously altering both the code and placement of all protective measures. This approach, known as "resetting the clock" on attackers, forces them to repeatedly reverse engineer each software iteration as if encountering an entirely new program.

    Achieving stable performance outcomes with polymorphic protection requires meticulous tuning, a capability offered by Guardsquare’s protection products, DexGuard for Android and iXGuard for iOS, through both manual adjustments and automatic optimization features.

    Curious to learn more about Guardsquare protection techniques for both Android and iOS?
