When development teams consider mobile app security, their strategies often begin and end with code obfuscation and encryption. While both are important in a comprehensive security approach, these measures are not enough to protect your mobile application. Attackers use various techniques at runtime to reverse engineer, modify, and compromise your app. Tools and techniques that protect against dynamic analysis are crucial for properly securing a mobile app. This is where runtime application self-protection (RASP) comes into play.
RASP is a security feature added to an application that becomes part of the application’s runtime environment. It enables a host of checks to detect hostile environments and tools used by attackers. It also provides actions to inform or stop an attack.
Let’s look further into dynamic analysis attack methods, how RASP functions, and where your team should consider injecting RASP checks into your mobile apps.
Dynamic analysis is the examination of application code during runtime that can be used to find and exploit vulnerabilities. Threat actors use a variety of tools and techniques on a mobile application for dynamic analysis, including:
It’s easy for malicious users to find and learn how to use these tools for jailbreaking, rooting, and hooking mobile apps.
While code obfuscation and encryption are great methods to protect against attackers statically analyzing your app, dynamic analysis gives attackers visibility into the instructions being executed or data accessed at runtime. Threat actors tamper with mobile apps during runtime for a variety of reasons: to unlock hidden or premium features, steal sensitive data, or learn more about the application to support reverse engineering attempts.
While there are various RASP tools available, it’s important to find a solution that automatically injects RASP checks instead of requiring developers to add the code that makes the checks. Manually injecting RASP checks is perceived as giving developers greater control over where the feature is used in their app. In reality, the shortcomings of this approach can compromise the effectiveness of the protection.
Manually coded RASP checks can result in single points of failure and easy-to-detect injection points. When added manually, RASP injection points tend to stay in the same location over multiple releases, giving attackers time to analyze the code to find and defeat the RASP checks. It’s also more difficult to manually add enough checks to properly secure an app. In other words, it's easier for a reverse engineer to find and bypass six static checks than it is to find and bypass 600 checks automatically injected in different locations from build to build.
Development teams looking to add RASP to their mobile app security strategy should consider DexGuard. This Guardsquare product provides comprehensive mobile app security for Android apps by introducing multiple layers of code obfuscation for static analysis protection and RASP for dynamic analysis protection. DexGuard automates much of the security process but still gives your team control over where to inject RASP checks. The ability to control where RASP checks are inserted helps avoid injecting in locations that are performance sensitive or areas where security isn’t required.
Here are a few tips for injecting checks:
Tagging as much of your code as possible for RASP check injection makes it more difficult for threat actors to find and disable the checks. The wide area of your app’s code that you define should include the objects that perform security-sensitive operations.
Depending on your app’s security needs, you may want to exclude certain elements from injections. Developers do this to avoid RASP checks that negatively impact a mobile app’s performance.
Using DexGuard with the above considerations can help you optimize the tool’s effectiveness. It will also save your team considerable time as they won’t have to manually write code to carry out the checks.
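To make the argument about fixed versus per-build injection points concrete, here is an added illustration (not DexGuard's algorithm or configuration, and not code from Guardsquare). It models a tagged area with a performance-sensitive exclusion and counts how many check sites stay in the same place across releases; the package names, patterns, and build ids are all constructed.

```python
import fnmatch
import hashlib
import random

# Constructed method inventory for a hypothetical app: 4 classes x 25 methods.
CLASSES = ["auth.LoginManager", "payment.Checkout", "net.ApiClient", "render.FrameLoop"]
METHODS = [f"com.example.app.{c}.m{i}" for c in CLASSES for i in range(25)]

INCLUDE = ["com.example.app.*"]         # wide area tagged for check injection
EXCLUDE = ["com.example.app.render.*"]  # performance-sensitive code left out

# Hand-placed checks: the same six call sites in every release.
MANUAL_SITES = {f"com.example.app.auth.LoginManager.m{i}" for i in range(6)}


def eligible(methods, include=INCLUDE, exclude=EXCLUDE):
    """Methods inside the tagged area and outside every excluded pattern."""
    return sorted(
        m for m in methods
        if any(fnmatch.fnmatchcase(m, p) for p in include)
        and not any(fnmatch.fnmatchcase(m, p) for p in exclude)
    )


def select_sites(methods, build_id, count):
    """Choose `count` injection sites, seeded by the build id so builds differ."""
    pool = eligible(methods)
    seed = int.from_bytes(hashlib.sha256(build_id.encode()).digest()[:8], "big")
    return set(random.Random(seed).sample(pool, min(count, len(pool))))


def stable_sites(builds):
    """Sites present in every build, i.e. what stays put across releases."""
    return set.intersection(*builds)


def compare(build_ids, count=20):
    """Return (stable manual sites, stable injected sites) over the given builds."""
    manual = [set(MANUAL_SITES) for _ in build_ids]
    injected = [select_sites(METHODS, b, count) for b in build_ids]
    return len(stable_sites(manual)), len(stable_sites(injected))


if __name__ == "__main__":
    ids = [f"release-{n}" for n in range(1, 13)]
    print("stable sites (manual, injected):", compare(ids))
```

The first number is always six because hand-placed checks never move; the second shrinks as more builds are compared, while no site ever lands in the excluded package.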
Adding RASP to your mobile app is powerful. Your team can take action against threat actors attempting to attack your app. Good mobile app security, however, includes learning from each attempt and adapting your security plan accordingly.
A comprehensive mobile app security solution should use RASP in concert with a monitoring tool like ThreatCast. ThreatCast provides context to development teams when RASP checks are triggered during an attempted attack. The monitoring solution provides information on the type and origin of attacks (device type, region, and user ID). Armed with this knowledge, development teams can shift their mobile app security approach from reactive to proactive.
When it comes to defending your app against dynamic analysis attacks, code obfuscation and encryption are not enough. A complete mobile app security approach should include RASP, which protects against attackers looking to gain insights into your app’s operations to reverse engineer and compromise it.
Developers using tools like DexGuard can automatically inject RASP checks throughout their app’s code, while still retaining the ability to exclude portions of code for performance. Leveraging DexGuard and iXGuard to uniquely inject RASP checks with every new build, and then using ThreatCast to consistently monitor the checks, can elevate your app’s security to protect against sophisticated attacks in an evolving threat landscape.
Ready to add RASP to your security strategy? Get started with DexGuard here.