June 22, 2022

    Resetting the Clock: Why it Matters for Mobile AppSec

    The mobile threat landscape is constantly evolving as threat actors develop new and innovative ways to target mobile apps. Automated reverse engineering and tampering tools have come a long way, enabling malicious actors to more quickly discover vulnerabilities within mobile apps.

    In fact, data from Guardsquare’s real-time threat monitoring solution, ThreatCast, revealed that nearly half of Android and iOS apps suffer from hooking attacks, and over half of these attacks occur within the first week of the app being released. The data suggests a similar timeframe for other types of attacks.

    Translation: Malicious actors frequently target apps immediately upon their release.

    Effective mobile application security requires staying ahead of malicious actors. By implementing mobile app security measures that are constantly refreshing, app publishers can reset the clock on malicious actors and force them to restart their attack efforts.

    In this post, we’ll cover why and how to reset the clock on malicious actors to improve the security of mobile applications.

    What does resetting the clock mean?

    When we say resetting the clock, we mean applying application hardening measures differently for every build to force malicious actors to restart their efforts from scratch. This approach is called polymorphism, where security measures change with each new app release.

    Polymorphism forces malicious actors to quickly find and exploit a vulnerability before a new build is released. That’s because the newly applied security measures prevent the malicious actor from using any prior knowledge they gained in their efforts to reverse engineer an app to stage future attacks. When combined with multiple layers of app hardening measures, polymorphism makes it much more difficult for malicious actors to move fast enough to stage an attack before the clock is reset on them.

    An added bonus to integrating a polymorphic security approach into the development process is that security also improves with a faster development velocity. However, app publishers will need to ensure app users are upgrading to the latest version to effectively leverage polymorphism.

    The more frequently new versions of an app are released, the harder it is for malicious actors to discover vulnerabilities and exploit them. This makes polymorphism an effective complement to the DevSecOps approach to mobile app development.

    Why resetting the clock improves Mobile AppSec

    Polymorphism is effective for resetting the clock on malicious actors that are attempting both static and dynamic attacks.

    Static Attacks

    A static attack occurs when malicious actors use decompilation tools to gain an understanding of the app’s inner workings and then modify its behavior. Code hardening measures, like obfuscation and encryption, make it more challenging to understand the application source code, but malicious actors can still learn how things work over time.

    Polymorphism ensures that the obfuscation and encryption techniques are configured differently with each build. For example, name obfuscation is a technique that changes meaningful names for variables, classes, and other aspects of the code into meaningless alternatives to make reverse engineering more difficult. With polymorphism, these meaningless alternatives will be different every time, so malicious actors would have to remap these obfuscated names back to their originals.
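
    The per-build renaming described above, sketched as an added example (not Guardsquare's code and not how DexGuard or iXGuard derive names). The HMAC-based derivation, the symbol names, the build ids and the secret are assumptions made for illustration. It shows that a name table from one build says nothing about the next, and that the publisher must archive each build's table to read its own crash traces.

```python
import hashlib
import hmac
import itertools
import re

# Constructed sample data: symbol names, build ids and secret are hypothetical.
SYMBOLS = ["LoginManager", "verifyPin", "SessionStore", "refreshToken"]
SECRET = b"constructed-build-secret"
TRACE = ("at LoginManager.verifyPin(Unknown Source)\n"
         "at SessionStore.refreshToken(Unknown Source)")

def build_mapping(symbols, build_id, secret):
    """Derive a build-specific {original: obfuscated} name table."""
    key = hmac.new(secret, build_id.encode(), hashlib.sha256).digest()
    mapping, used = {}, set()
    for sym in sorted(symbols):
        # Re-derive with a counter if two symbols land on the same short name.
        for counter in itertools.count():
            msg = f"{sym}#{counter}".encode()
            name = "o" + hmac.new(key, msg, hashlib.sha256).hexdigest()[:8]
            if name not in used:
                break
        used.add(name)
        mapping[sym] = name
    return mapping

def _rewrite(text, table):
    # Substitute whole identifiers only, leaving unknown tokens untouched.
    return re.sub(r"[A-Za-z_]\w*", lambda m: table.get(m.group(0), m.group(0)), text)

def obfuscate(text, mapping):
    return _rewrite(text, mapping)

def retrace(text, mapping):
    """Map obfuscated names in a crash trace back using that build's table."""
    return _rewrite(text, {obf: orig for orig, obf in mapping.items()})

def reused_names(old, new):
    """Symbols whose obfuscated name carried over unchanged between builds."""
    return sorted(s for s in old if old[s] == new.get(s))

if __name__ == "__main__":
    m1 = build_mapping(SYMBOLS, "build-1041", SECRET)
    m2 = build_mapping(SYMBOLS, "build-1042", SECRET)
    crash = obfuscate(TRACE, m1)
    print(crash)
    print("names reused across builds:", reused_names(m1, m2))
    print(retrace(crash, m1))
```

    Retracing a crash from one build with another build's table leaves the trace unreadable, so the mapping has to be stored alongside each release artifact.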

    Dynamic Attacks

    When it comes to dynamic attacks, app publishers can use runtime application self-protection (RASP) to detect tampering in real-time and respond in a pre-programmed manner to thwart attacks. The challenge is that malicious actors can eventually discover where these RASP checks are implemented within the application and actively try to bypass them.

    Polymorphism ensures that the RASP checks are injected into different locations with each new build, making it much more difficult for attackers to avoid these anti-tampering measures. This helps defend against dynamic analysis attempts, like attaching a debugger or hooking, by automatically crashing the app when suspicious behavior is detected. A threat monitoring tool like ThreatCast can also provide real-time visibility into these dynamic analysis attempts to improve security going forward.

    Automatically reset the clock with Guardsquare

    While there are enormous benefits to polymorphic application hardening measures, it’s challenging for most app publishers to implement themselves. It’s far too time-consuming and inefficient for development teams to update manual security measures to stay ahead of malicious actors.

    Guardsquare’s DexGuard (Android) and iXGuard (iOS) are mobile application hardening solutions that apply multiple layers of obfuscation and RASP measures differently with each new app build. Using multiple layers of app hardening measures slows down malicious actors, while polymorphism continuously resets the clock on them. In turn, this dramatically improves the security posture of Android and iOS apps.


    Learn more about code hardening techniques in our technical magazine !hooked
