August 15, 2023

    What is RASP & Why It Matters to Mobile App Developers

When development teams consider mobile app security, their strategies often begin and end with code obfuscation and encryption. Both are important parts of a comprehensive security approach, but they are not enough on their own: they raise the cost of reading the app's code, not of watching it run. Attackers use a variety of runtime techniques to reverse engineer, modify, and compromise an app, so tooling that protects against dynamic analysis is crucial for properly securing it. This is where runtime application self-protection (RASP) comes into play.

RASP is a security feature built into an application so that it becomes part of the application's own runtime environment. It adds a set of checks that detect hostile environments (rooted or jailbroken devices, emulators) and the tools attackers use (debuggers, hooking frameworks), together with response actions that report the attempt or stop the attack, for example by terminating the app.

    Let’s look further into dynamic analysis attack methods, how RASP functions, and where your team should consider injecting RASP checks into your mobile apps.

    What is dynamic analysis?

Dynamic analysis is the examination of an application's behavior while it runs, used to find and exploit vulnerabilities that are not visible in the packaged code. Threat actors use a variety of tools and techniques for dynamic analysis of mobile applications, including:

• Frida: Frida is a free, open-source dynamic instrumentation toolkit that injects custom JavaScript into a running process. It hooks a mobile app's functions, letting a threat actor intercept calls, inspect and modify arguments and return values, and trace execution, all without access to the app's source code.
• Debuggers: Debuggers are a common tool developers use to find and fix problems in an app's code. Attackers attach a debugger to a running app to set breakpoints, inspect memory and control flow, and alter state, which supports both reverse engineering and tampering.
• Emulators: Emulators run an app on a virtual device instead of physical hardware. A development team uses them to test how a mobile app behaves across systems and devices. Threat actors use them because a virtual device is easy to snapshot, instrument, and run with elevated privileges, which makes it a convenient place to study how an app functions and where its weaknesses are.

It's easy for malicious users to find these tools and learn how to use them to root or jailbreak a device and hook the apps running on it.
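To make the three tool categories above concrete, here is an added example of the kind of native-layer checks a RASP feature performs on Android. This is illustrative code written for this article, not DexGuard's own check logic or any product code. It assumes the app calls rasp_scan() from its own native code (for instance through JNI); the /proc files it reads are the standard Linux kernel interfaces, the library names it looks for are the ones Frida loads into a target process, and the ro.hardware values are the Android SDK emulator's hardware names. The sample inputs are constructed so the pure functions can be exercised off-device.

```c
/* rasp_checks.c: illustrative native runtime checks (added example, not product code).
 * Assumption: called from the app's own native code; ro.hardware is passed in
 * because __system_property_get() exists only on Android. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { RASP_DEBUGGER = 1, RASP_FRIDA = 2, RASP_EMULATOR = 4 };

/* Parse TracerPid from the text of /proc/self/status. The kernel reports the PID
 * of any ptrace-attached process there (a debugger or tracing tool). Returns 0
 * when nothing is attached, the tracer's PID otherwise, and -1 if the field is
 * missing, which callers should treat as suspicious rather than clean. */
int tracer_pid_from_status(const char *status)
{
    const char *field = strstr(status, "TracerPid:");
    if (field == NULL)
        return -1;
    /* strtol skips the tab the kernel places after the colon. */
    return (int)strtol(field + strlen("TracerPid:"), NULL, 10);
}

/* Scan the text of /proc/self/maps for libraries Frida maps into the process:
 * frida-agent when frida-server attaches, frida-gadget when it is embedded. */
bool frida_in_maps(const char *maps)
{
    static const char *const markers[] = { "frida-agent", "frida-gadget", "libfrida" };
    for (size_t i = 0; i < sizeof markers / sizeof markers[0]; i++)
        if (strstr(maps, markers[i]) != NULL)
            return true;
    return false;
}

/* Emulator check on the ro.hardware property: "goldfish" and "ranchu" are the
 * hardware names used by the Android SDK emulator. */
bool emulator_hardware(const char *ro_hardware)
{
    return ro_hardware != NULL &&
           (strcmp(ro_hardware, "goldfish") == 0 || strcmp(ro_hardware, "ranchu") == 0);
}

/* Combine the checks into a bitmask of RASP_* flags; 0 means nothing found. */
int rasp_evaluate(const char *status, const char *maps, const char *ro_hardware)
{
    int findings = 0;
    if (tracer_pid_from_status(status) != 0)
        findings |= RASP_DEBUGGER;
    if (frida_in_maps(maps))
        findings |= RASP_FRIDA;
    if (emulator_hardware(ro_hardware))
        findings |= RASP_EMULATOR;
    return findings;
}

/* Read a whole /proc file into a NUL-terminated heap buffer (caller frees). */
static char *read_proc_file(const char *path)
{
    FILE *f = fopen(path, "r");
    if (f == NULL)
        return NULL;
    size_t cap = 4096, len = 0, n;
    char *buf = malloc(cap);
    if (buf == NULL) { fclose(f); return NULL; }
    while ((n = fread(buf + len, 1, cap - len - 1, f)) > 0) {
        len += n;
        if (len + 1 >= cap) {
            cap *= 2;
            char *tmp = realloc(buf, cap);
            if (tmp == NULL) { free(buf); fclose(f); return NULL; }
            buf = tmp;
        }
    }
    buf[len] = '\0';
    fclose(f);
    return buf;
}

/* Live scan of the current process; ro.hardware is NULL off-device. */
int rasp_scan(void)
{
    char *status = read_proc_file("/proc/self/status");
    char *maps = read_proc_file("/proc/self/maps");
    int findings = rasp_evaluate(status ? status : "", maps ? maps : "", NULL);
    free(status);
    free(maps);
    return findings;
}

/* Constructed sample inputs for off-device exercise (not captured from a real device). */
static const char SAMPLE_STATUS_CLEAN[]  = "Name:\tcom.example.app\nState:\tS (sleeping)\nTracerPid:\t0\nUid:\t10123\n";
static const char SAMPLE_STATUS_TRACED[] = "Name:\tcom.example.app\nState:\tt (tracing stop)\nTracerPid:\t4242\nUid:\t10123\n";
static const char SAMPLE_MAPS_CLEAN[] =
    "7f1a000000-7f1a010000 r-xp 00000000 fd:00 1234 /system/lib64/libc.so\n"
    "7f1a100000-7f1a102000 r-xp 00000000 fd:00 5678 /data/app/com.example.app/lib/arm64/libnative.so\n";
static const char SAMPLE_MAPS_FRIDA[] =
    "7f1a000000-7f1a010000 r-xp 00000000 fd:00 1234 /system/lib64/libc.so\n"
    "7f1b000000-7f1b400000 r-xp 00000000 fd:00 9999 /data/local/tmp/re.frida.server/frida-agent-64.so\n";

int main(void)
{
    int findings = rasp_scan();
    if (findings == 0)
        puts("no hostile environment detected");
    else
        printf("RASP findings: debugger=%d frida=%d emulator=%d\n",
               !!(findings & RASP_DEBUGGER), !!(findings & RASP_FRIDA), !!(findings & RASP_EMULATOR));
    return 0;
}
```

Each of these checks is trivially defeated on its own: an attacker who already has Frida in the process can hook fopen or strstr and feed the check a clean answer, and a debugger can be detached just long enough to pass the TracerPid test. That is precisely why the rest of this post argues for many checks, placed in varying locations from build to build, rather than one check in a predictable spot.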

    Why is dynamic analysis a threat?

Code obfuscation and encryption are good defenses against static analysis of your app, but dynamic analysis sidesteps them: once the app is running, its code has been decrypted and its instructions and data are visible to whoever controls the process. Threat actors tamper with mobile apps at runtime for a variety of reasons: to unlock hidden or premium features, to steal sensitive data, or to learn more about the application in support of reverse engineering.

    Why is automatic injection of RASP checks better than manual?

While there are various RASP tools available, it's important to choose a solution that injects RASP checks automatically instead of requiring developers to hand-write the checking code. Manual injection is often perceived as giving developers greater control over where the feature is used in their app. In reality, the shortcomings of this approach can compromise the effectiveness of the protection.

    Manually coded RASP checks can result in single points of failure and easy-to-detect injection points. When added manually, RASP injection points tend to stay in the same location over multiple releases, giving attackers time to analyze the code to find and defeat the RASP checks. It’s also more difficult to manually add enough checks to properly secure an app. In other words, it's easier for a reverse engineer to find and bypass six static checks than it is to find and bypass 600 checks automatically injected in different locations from build to build.

    Tips for injecting RASP checks

Development teams looking to add RASP to their mobile app security strategy should consider DexGuard. This Guardsquare product provides comprehensive mobile app security for Android apps by introducing multiple layers of code obfuscation for static analysis protection and RASP for dynamic analysis protection. DexGuard automates much of the security process but still gives your team control over where to inject RASP checks. Controlling where checks are inserted lets you avoid performance-sensitive code paths and areas where security isn't required.

    Here are a few tips for injecting checks:

    Define a wide area of your app’s code for RASP check injection

Tagging as much of your code as possible for RASP check injection makes it more difficult for threat actors to find and disable the checks, because there is no single location to target. At a minimum, the tagged area should include the classes and methods that perform security-sensitive operations, for example authentication, entitlement or premium-feature checks, and handling of sensitive data.

Don't insert checks that negatively impact your app's performance

Depending on your app's security needs, you may want to exclude certain elements from injection. Each check costs CPU time, so developers typically exclude hot code paths such as rendering, audio, or tight parsing loops, where a check would run thousands of times per second, and concentrate checks where they protect something.

    Using DexGuard with the above considerations can help you optimize the tool’s effectiveness. It will also save your team considerable time as they won’t have to manually write code to carry out the checks.

    RASP can enable mobile app monitoring

    Adding RASP to your mobile app is powerful. Your team can take action against threat actors attempting to attack your app. Good mobile app security, however, includes learning from each attempt and adapting your security plan accordingly.

A comprehensive mobile app security solution should use RASP in concert with a monitoring tool like ThreatCast. ThreatCast gives development teams context when RASP checks are triggered during an attempted attack: the type of detection and its origin (device type, region, and user ID). Armed with this knowledge, development teams can shift their mobile app security approach from reactive to proactive.

    Consider RASP for complete security

    When it comes to defending your app against dynamic analysis attacks, code obfuscation and encryption are not enough. A complete mobile app security approach should include RASP, which protects against attackers looking to gain insights into your app’s operations to reverse engineer and compromise it.

Developers using tools like DexGuard can automatically inject RASP checks throughout their app's code, while still retaining the ability to exclude portions of code for performance. Using DexGuard and iXGuard to inject RASP checks at different locations with every new build, and ThreatCast to monitor what those checks detect, can elevate your app's security against sophisticated attacks in an evolving threat landscape.

    Ready to add RASP to your security strategy? Get started with DexGuard here.

    Executive Summary (TL;DR)

• Many developers rely on code obfuscation and encryption to protect mobile apps, but these tools can't protect against dynamic analysis of the running app.
    • Runtime application self-protection (RASP) can protect your app against threat actors looking to reverse engineer your app, tamper with its data, or compromise the app to elevate privileges.
    • Developers adopting RASP tools should look for automated solutions like DexGuard. DexGuard injects and tracks RASP checks at different locations across each build of your mobile application for optimal security against dynamic analysis attacks.

    Guardsquare