October 19, 2020

    Introducing New Protection Report Features for Continuous Mobile App Security Assurance

    Mobile app development teams are often racing to be the first to market with their apps. With constant pressure to deliver more features, tight deadlines, and staffing shortages, teams may give in to the temptation to postpone the implementation and testing of security measures to the very last moment before the release. The consequences can be severe, ranging from data leaks to reputational damage to revenue loss.

    That’s why it’s important for organizations to be aware of the benefits of continuous security assurance, and to incorporate security into every stage of their software development lifecycle. One of the crucial aspects in remaining fast and agile while maintaining high security standards is getting early feedback.

    To meet the growing need for accurate and actionable information early in the development lifecycle, we introduced Protection Report in the latest releases of our mobile app protection products, DexGuard (Android) and iXGuard (iOS). Protection Report validates the application of both code hardening and Runtime Application Self-Protection (RASP) immediately after their implementation, allowing development teams to address potential issues in the scope of their development sprint.

    Why continuous security assurance is important

    Most software developers know that the cost of software changes increases the later a change is made in the development lifecycle. For that reason, development teams are looking to get as much feedback as possible in the early stages of the process so that any issues can be addressed in a cost-effective way.

    The same principle applies to the process of applying and testing security measures in general and application hardening in particular. Development teams must be able to verify the effectiveness of the applied application hardening measures immediately after their application and take action to address any gaps in their setup within the scope of their development sprints.

    Rapidly increasing costs of software quality assurance in the development lifecycle. (Source: NIST)

    Hastily applying and testing code hardening and RASP late in the development lifecycle not only increases the risk of releasing insufficiently protected applications or SDKs, it also increases the cost of addressing issues and slows down the time-to-market. Insufficiently protected applications or SDKs typically require more iterations to successfully pass penetration testing, eating up valuable time and resources in the process.

    Protection Report in DexGuard and iXGuard

    When an application or SDK is processed by one of Guardsquare’s tools, DexGuard and iXGuard generate a Protection Report that enables developers to validate the protection they applied and implement improvements, if needed. The Protection Report has three main components: a risk assessment grading the applied app protection against five categories of common and impactful risks, a feature discovery component listing the features you can activate to enhance your overall app protection and, finally, configuration advice adapted to your application or SDK.

    Risk assessment

    The risk assessment helps development teams quickly assess whether they are applying the right protection measures against the major risks identified in their threat model. The assessment assigns a score to the current protection configuration indicating its effectiveness against these five risk categories:

    1. Capabilities and monetization protection
    2. Cloning / repackaging protection
    3. Data leak and data forgery safety
    4. Environment safety
    5. IP safety

    For each category, the Protection Report indicates which actions you can take to improve the effectiveness of the applied app protection.

    The risk assessment scores are important indicators of the robustness of the applied code hardening and RASP. Team leaders and security managers should use them to verify and validate the applied protection before releasing their mobile application or SDK.

    Guardsquare’s Protection Report helps development teams grade their application of code hardening and RASP against five categories of common and impactful risks.

    The following categories are included in the risk assessment:

    1. Capabilities and monetization protection

    This category covers risks related to the addition of unintended functionality to an application or SDK and gaining access to paid content or capabilities.

    Examples:

    • Adding functionality to save images to a secure chat application in which images are supposed to self-destruct after a timeout
    • Unlocking paid content in a video game

    2. Cloning / repackaging protection

    This category covers risks related to creating unauthorized app clones.

    Examples:

    • Cloning and modifying a financial app to steal customer data
    • Cloning and modifying applications to divert advertising revenue

    3. Data leak and data forgery safety

    This category includes risks related to API security or involving the theft of user or vendor data and the forgery of data.

    Examples:

    • Stealing media (video, music etc.) from a media application
    • Intercepting PIN codes in a banking application
    • Forging data, for example: creating fake booking requests

    4. Environment safety

    This category includes risks relating to running applications in a compromised environment.

    Example:

    • Running a merchant app for contactless payment on a jailbroken device

    5. IP safety

    This category covers all risks involving the analysis or theft of intellectual property, such as proprietary algorithms, assets, or even entire applications.

    Examples:

    • Cloning an existing app to release a fully functional competing app in no time and at almost no cost
    • Analyzing the order process of a web store to include it in a white-labeled aggregator app

    Feature discovery

    Besides the risk assessment, the Protection Report gives an overview of any additional code hardening and RASP features you can activate in your configuration to improve the overall protection of your application or SDK.

    Guardsquare’s Protection Report lists the features development teams can implement to improve the protection of their application or SDK.

    The feature discovery component lets you uncover both features currently not in use and features that were recently added to DexGuard and iXGuard to stay ahead of the evolving threat landscape. It was designed to help you leverage all of Guardsquare’s protection capabilities to effectively protect your mobile assets.

    Customized configuration advice

    Finally, Protection Report scans the configuration of both DexGuard and iXGuard for common errors and opportunities for improvement and displays configuration advice specific to your mobile application or SDK.

    Guardsquare’s Protection Report displays configuration advice specific to your application or SDK.

    The provided configuration advice and best practices reflect the ongoing efforts of our experts to enhance the multi-layered protection applied by DexGuard and iXGuard for specific use cases.

    Drive continuous security assurance with Protection Report

    Guardsquare’s Protection Report enables development teams to validate their application of DexGuard and iXGuard’s security capabilities immediately after their implementation and to tackle potential security concerns early in the development lifecycle. It assists developers in continuously ensuring that their application or SDK is effectively protected against common app security threats while making the process of testing and implementing more efficient.

    The insights provided by the Protection Report are complementary with the real-time threat data provided by ThreatCast, Guardsquare’s threat monitoring platform. ThreatCast creates visibility into the actual threats facing your applications after they have been released, helping you to continuously improve your application protection. Combined, Protection Report and ThreatCast allow development teams to integrate security testing and assurance throughout the mobile application development lifecycle.
