    Frequently Asked Questions

    Learn more about mobile application security and the value of applying protective security measures to enhance your mobile app protection.

    1. Mobile Application Security

    Mobile application security is the practice of securing your application from external threats. Good mobile application security strategy relies on understanding your threat model and applying the appropriate tools and techniques throughout your SDLC to eliminate or mitigate the risk of threats to your applications, related services or the data they process.

    Mobile application security is the general concept of introducing processes and practices to help find, fix and, ideally, prevent security issues from impacting your application. It is a broad category that can include any discipline of app security and applying the concepts to the unique technological considerations of a mobile app and its threat model.

    A malicious user will use tools and techniques to tamper with a mobile application, usually for the purpose of learning its behavior and modifying the application. This is frequently done to commit fraud or an attack against the app, its back-end or broader infrastructure, or its end users.

    Rooted or jailbroken devices are more susceptible to tampering due to the elevated privileges that software and tools have on the device. If your app is running on a rooted or jailbroken device, it doesn’t necessarily mean your app is being attacked; however, jailbroken or rooted devices are often a prerequisite for certain types of attacks. In fact, a significant amount of the software that powers a mobile app can be easily manipulated by the end user on such a device. For this reason, you are encouraged to have your app detect when it is running in such an untrusted environment.


    Malware on mobile phones poses the biggest risk to the end users of the device. Though detection and mitigation often fall within the technical purview of the platforms themselves (Android, iOS), specific mobile malware may take advantage of the knowledge gained during a reverse engineering effort to explicitly target and exploit apps on a user’s phone.

    There is no single answer to protecting your app and your users’ data from malware, but a defense-in-depth strategy goes a long way toward preventing or limiting the impact of malware on your application.

    Man-in-the-middle (MITM) attacks are when a malicious user intercepts and spoofs the communications between two endpoints. In a mobile application context, such an attack is usually the result of intercepting communications between the mobile app and a server, often by impersonating the server, or intercepting the requests to a server. Though such attacks are well known and relatively easy to execute, they are also entirely preventable with proper security practices in place that focus on communications.

    Man-at-the-end (MATE) attacks describe a scenario where the end user of your application is the attacker. In this scenario, the end user has complete control over the application and the client environment used to execute it. MATE attacks use various tools, techniques and often elevated privileges to inspect, reverse engineer and tamper with the application or to spoof communications to the server.

    Mobile application threat monitoring is a specialized practice of observing data and signals from a device or app to identify potential security threats. In a mobile application security context, this can include detecting signs of tampering such as failed environment checks, API requests that do not originate from a trusted source, bot activity, code tampering (for example, hooking), or an invalid code signature.

    Mobile application threat monitoring can be useful for assessing the significance of the threat landscape for your mobile application. It can draw attention to, and provide more insight into, the types and targets of attacks users may be performing. In certain scenarios, it can also be used to refine and target protections, block users or flag potential for fraud.
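The triage step described above, as an added example (not Guardsquare code and not any product's real event schema): a small consumer that parses detection events of the kind a RASP layer might report, counts which checks are being hit, and scores each device so that a phone that is merely rooted is separated from one showing several tampering signals at once. The event records, field names, severity weights and threshold are all constructed assumptions.

```python
"""Triage of mobile RASP detection events, as an illustration of threat
monitoring. The records, field names, severity weights and threshold are
constructed assumptions, not a vendor's schema or defaults."""
from collections import Counter, defaultdict
import json

# Constructed sample events: one JSON record per detection reported by an app.
SAMPLE_EVENTS = [
    '{"device": "dev-001", "app_version": "3.2.0", "check": "root", "result": "failed"}',
    '{"device": "dev-001", "app_version": "3.2.0", "check": "hooking", "result": "failed"}',
    '{"device": "dev-001", "app_version": "3.2.0", "check": "signature", "result": "failed"}',
    '{"device": "dev-002", "app_version": "3.2.0", "check": "root", "result": "failed"}',
    '{"device": "dev-003", "app_version": "3.1.0", "check": "emulator", "result": "failed"}',
    '{"device": "dev-003", "app_version": "3.1.0", "check": "debugger", "result": "failed"}',
    'this line is not json',
]

# Assumed severity per check type; an analyst would tune these for their app.
SEVERITY = {"root": 1, "emulator": 1, "debugger": 2, "hooking": 3, "signature": 3}
ESCALATE_AT = 4  # assumed per-device score at which a device is escalated


def parse_events(lines):
    """Parse JSON lines, skipping malformed or incomplete records instead of aborting."""
    events = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if {"device", "check", "result"} <= rec.keys():
            events.append(rec)
    return events


def summarize(events):
    """Count failed checks per check type: which protections are being hit."""
    return Counter(e["check"] for e in events if e["result"] == "failed")


def score_devices(events):
    """Sum the severity of the distinct failed checks seen on each device."""
    seen = defaultdict(set)
    for e in events:
        if e["result"] == "failed":
            seen[e["device"]].add(e["check"])
    return {dev: sum(SEVERITY.get(c, 1) for c in checks) for dev, checks in seen.items()}


def devices_to_escalate(events, threshold=ESCALATE_AT):
    """Devices whose combined score suggests active tampering rather than just
    a rooted phone: candidates to hand to a fraud or anti-cheat system."""
    return sorted(d for d, s in score_devices(events).items() if s >= threshold)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print(summarize(evs))
    print(devices_to_escalate(evs))
```

Scoring distinct checks per device rather than raw event counts keeps a single noisy check from dominating; in the sample data only dev-001 (root, hooking and signature failures together) crosses the threshold.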

    2. Mobile Application Protection

    Mobile application protection is the concept of applying protective security measures to provide defense against reverse engineering and tampering. This can help prevent your app from being tampered, modified, cloned or analyzed to exploit other vulnerabilities affecting the app or the data it processes.

    Mobile application protection, also known as app shielding, is the practice of implementing protective measures to increase the complexity of an app’s code to prevent reverse engineering or tampering.


    SSL, TLS or certificate pinning ensures that an application only trusts a pre-defined back-end identified by the public key contained in its TLS certificate. Pinning is used as an additional layer of security for API communications, ensuring the communication cannot be intercepted by a man-in-the-middle (MITM) attack that presents a different, but otherwise valid, certificate.
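The pinning decision described above, as an added example (not Guardsquare code): the policy most pinning libraries implement is that, after normal chain validation, a connection is accepted only if some certificate in the presented chain carries a Subject Public Key Info whose SHA-256 hash is on the app's pin list for that host. The SPKI byte strings, host names and pin list are constructed stand-ins; the "different but otherwise valid" interceptor certificate fails because its key is not pinned, even though a CA trusted by the device issued it.

```python
"""SPKI pinning check over a presented certificate chain. The SPKI values,
host names and pin list below are constructed for illustration."""
import base64
import hashlib


def spki_pin(spki_der: bytes) -> str:
    """Pin string in the common 'sha256/<base64>' form over the SPKI bytes."""
    return "sha256/" + base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


# Constructed: the real backend key, a pre-rotated backup key, and the key a
# MITM proxy would present (validly issued by a CA the device trusts, but not ours).
BACKEND_SPKI = b"constructed-spki-for-api.example.com-key-1"
BACKUP_SPKI = b"constructed-spki-for-api.example.com-key-2"
INTERCEPTOR_SPKI = b"constructed-spki-for-proxy-ca-issued-cert"

# Pin list shipped in the app. Pinning a backup key avoids locking users out
# when the backend key is rotated. A leading "*." matches exactly one label.
PINS = {
    "api.example.com": {spki_pin(BACKEND_SPKI), spki_pin(BACKUP_SPKI)},
}


def pins_for_host(host: str, pins=PINS) -> set:
    """Collect the pins whose host pattern applies to this host."""
    matching = set()
    for pattern, values in pins.items():
        if pattern.startswith("*."):
            suffix = pattern[1:]  # "*.example.org" -> ".example.org"
            if host.endswith(suffix) and "." not in host[: -len(suffix)]:
                matching |= values
        elif host == pattern:
            matching |= values
    return matching


def chain_is_pinned(host: str, chain_spkis, pins=PINS) -> bool:
    """True if the host has no pins (ordinary chain validation applies) or if
    any SPKI in the presented chain matches one of the host's pins."""
    expected = pins_for_host(host, pins)
    if not expected:
        return True
    return any(spki_pin(s) in expected for s in chain_spkis)


if __name__ == "__main__":
    print(chain_is_pinned("api.example.com", [BACKEND_SPKI]))      # legitimate backend
    print(chain_is_pinned("api.example.com", [INTERCEPTOR_SPKI]))  # MITM proxy
```

This check complements, and never replaces, standard certificate validation: the chain must still be valid and the pin must still match. Matching any certificate in the chain (not only the leaf) lets an app pin an intermediate CA key when leaf keys rotate frequently.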

    Reverse engineering is the practice of acquiring knowledge through inspection and analysis of an application package. Often, the information is used to modify or bypass certain logic or functionality. Sometimes, though, reverse engineering is simply used to learn how an application works or to discover the presence of unannounced features that can be valuable to leak to the public. Any mobile application that untrusted users can download onto their devices is susceptible to reverse engineering.

    Code hardening is the general concept of increasing the security of your code. Said another way, it’s the process of improving the resilience against reverse engineering or runtime analysis, and reducing the potential for vulnerabilities or security threats.

    Polymorphism is pivotal in Guardsquare's security framework. While initial code transformations and security checks are effective, determined attackers can discover and bypass them over time. Once malicious actors decode obfuscated values and identify security checks, attacking subsequent application versions becomes easier.

    Maintaining a favorable defense requires continuously changing the placement of protective measures, a strategy known as "resetting the clock" on attackers. This forces them to reverse engineer each iteration as if it were a new program, because the previously acquired knowledge no longer applies. This concept of resetting the clock with every new build is known as polymorphism.

    Even though code hardening and code obfuscation are often used as synonyms, code hardening is a more general term. It covers a variety of practices for increasing the robustness of your code against a variety of security threats. 

    Code obfuscation, on the other hand, is a specific technique or practice that increases the complexity of a mobile app’s code and hides data, making it less susceptible to inspection and analysis. Code obfuscation is a useful layer of defense, increasing the complexity of analyzing an application.

    Correctly applied and renewed, state of the art obfuscation techniques can practically prevent an attacker from gaining useful insight into application data and logic through binary inspection and analysis. This approach often leads attackers to look for other approaches to infiltrate a mobile app. This is where the numerous other layers of a complete mobile application protection solution come into play. While obfuscation should not be relied on as the sole security measure for your application, it is very useful in combination with other mobile app protection features.

    RASP (runtime application self-protection) is a term commonly used to refer to a set of runtime protection techniques aimed at detecting anomalies in the execution environment or in process code and data. Because such detections can typically be configured with a reaction, e.g. reporting or crashing, the application is said to be ‘self-protecting.’

    RASP features help ensure environment integrity, code integrity and app integrity, and can be very powerful when combined with code obfuscation and other protections against static analysis. Any good, in-depth security strategy relies on layers of protection to deal with the multitude of tools and techniques used by an attacker.

    Environment integrity is a specific category of RASP features that ensures the environment in which an application is executed can be more readily trusted. This typically means verifying the absence of elevated privileges (root, jailbreaks), ensuring the app runs on real hardware (rather than an emulator), and verifying that certain tools and techniques commonly used for tampering are not present.

    Mobile applications don’t just rely on the code within the application itself; they also rely on code provided by system libraries. For this reason, system libraries are a vector that an attacker can focus on with reverse engineering efforts. System library integrity is a specific RASP feature that focuses on ensuring critical system libraries your application relies on have not been tampered with.

    Hooking is a technique that is used to intercept calls to a function of an application and replace it with a script or code that changes the behavior. This technique is often used to achieve some sort of progress in reverse engineering, usually bypassing some form of check or step in the application logic.
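The environment integrity checks and the hooking detection described above, as one added example (not Guardsquare code; the real checks run natively inside the app and read the device directly). Here the device facts are captured in a constructed snapshot so the decision logic can be run offline: build tags and fingerprint, which files exist, and the process's own memory map, in which a hooking framework's injected library shows up as a mapped file. The indicator lists are assumptions drawn from commonly documented heuristics, not any product's list.

```python
"""Environment-integrity and hooking checks of the kind a RASP layer runs,
evaluated over a constructed device snapshot. Indicator lists are assumed
heuristics, not a vendor's detection logic."""
from dataclasses import dataclass


@dataclass
class DeviceSnapshot:
    build_tags: str            # e.g. Build.TAGS on Android
    build_fingerprint: str     # e.g. Build.FINGERPRINT on Android
    existing_paths: set        # files found on the device
    proc_self_maps: str        # contents of the process's /proc/self/maps
    code_signing_ok: bool = True  # result of the app's own signature check


# Assumed indicators.
SU_PATHS = {"/system/bin/su", "/system/xbin/su", "/sbin/su", "/su/bin/su"}
HOOK_LIBRARY_MARKERS = ("frida", "xposed", "substrate")


def root_indicators(snap):
    found = []
    if "test-keys" in snap.build_tags:
        found.append("build signed with test-keys")
    found += [f"su binary at {p}" for p in sorted(SU_PATHS & snap.existing_paths)]
    return found


def emulator_indicators(snap):
    return ["generic build fingerprint"] if snap.build_fingerprint.startswith("generic") else []


def hooking_indicators(snap):
    """Look for hooking-framework libraries mapped into this process."""
    found = []
    for line in snap.proc_self_maps.splitlines():
        parts = line.split()
        path = parts[-1] if len(parts) >= 6 else ""  # 6th field of a maps line is the path
        if any(marker in path.lower() for marker in HOOK_LIBRARY_MARKERS):
            found.append(f"hooking library mapped: {path}")
    return found


def assess(snap):
    """Return (trusted, findings); an app would pick its reaction from the findings."""
    findings = root_indicators(snap) + emulator_indicators(snap) + hooking_indicators(snap)
    if not snap.code_signing_ok:
        findings.append("app signature does not match the expected signer")
    return (not findings, findings)


# Constructed snapshots: a stock device and a tampered test environment.
CLEAN = DeviceSnapshot(
    build_tags="release-keys",
    build_fingerprint="vendor/phone/phone:13/TQ3A/1:user/release-keys",
    existing_paths={"/system/bin/sh"},
    proc_self_maps="7f0000000000-7f0000001000 r-xp 00000000 fd:00 1234 /system/lib64/libc.so\n",
)
TAMPERED = DeviceSnapshot(
    build_tags="test-keys",
    build_fingerprint="generic/sdk_gphone64/emu64a:13/TE1A/1:userdebug/test-keys",
    existing_paths={"/system/bin/sh", "/system/xbin/su"},
    proc_self_maps=(
        "7f0000000000-7f0000001000 r-xp 00000000 fd:00 1234 /system/lib64/libc.so\n"
        "7f0000100000-7f0000200000 r-xp 00000000 fd:00 5678 /data/local/tmp/frida-agent-64.so\n"
    ),
)

if __name__ == "__main__":
    for name, snap in (("clean", CLEAN), ("tampered", TAMPERED)):
        print(name, assess(snap))
```

Each indicator on its own is weak evidence (a developer's emulator trips the fingerprint check, and any single check can be removed by an attacker who finds it), which is why such checks are layered, spread through the code and combined with obfuscation rather than relied on individually.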

    3. Mobile Application Security Testing

    Mobile Application Security Testing (MAST) covers the processes and tools used to identify potential security issues in your Android and iOS mobile applications. It also provides information to help remediate those issues to reduce risk. Mobile Application Security Testing can be performed manually or through the use of automated tools using a variety of techniques.

    Mobile application security testing covers the processes and tools used to identify security issues in an application, with the intent of remediating those issues before they can be exploited by an attacker and have an impact on users or the business.

    Penetration testing (also known as pentesting) is a form of security testing that typically involves a third-party expert performing a range of tests and analysis on an application to identify security risks. Because it is typically done by an external party and may require more significant resources, it is often conducted at infrequent intervals, usually with specific requirements.

    Relying solely on penetration testing and manual efforts to test the security of your application can be costly and often will not keep up with the pace of software development of a mobile application. The manual activity slows down the release process and may compromise the completeness of your security testing. A common strategy to reduce the impact of security testing on development teams is to shift the testing left, with testing and verification done through automation as part of the CI/CD process.

    By automating your MAST, you get immediate feedback on security issues in your app, you can remediate them very quickly, and you make pentesting more efficient and effective with a higher likelihood of a positive outcome. The automation, the timely feedback, and the ability to quickly fix issues result in fewer disruptions for the development team and reduced schedule impacts.

    The most relevant standard for mobile application security testing is the OWASP Mobile Application Security Verification Standard (MASVS), which provides guidelines on what to test for. This is complemented by the Mobile Application Security Testing Guide (MASTG), which provides guidelines on how to test for them. These guides identify the primary security risks to consider when developing a mobile application.

    Static application security testing (SAST) is a security testing method that involves analyzing the source code, bytecode, or binary code of a mobile application without actually running the application. It aims to identify security issues, weaknesses, and potential flaws in the application's codebase.

    Dynamic application security testing (DAST) is a type of security testing that involves actively scanning and testing the mobile application while it is running on a real device or in a simulated runtime environment. It aims to identify security issues that the app exhibits at runtime. There are different types of dynamic application security testing, including black-box testing and interactive testing.

    Interactive application security testing (IAST) is a type of dynamic security testing that combines elements of both static application security testing (SAST) and dynamic application security testing (DAST) to provide comprehensive security analysis. In the context of mobile apps, IAST involves instrumenting the application with additional monitoring functionality that actively observes the application's behavior and interactions during runtime. The monitoring is added to the application's code, libraries, and dependencies to identify security issues and weaknesses at runtime. Typically, the instrumented app is run by an app developer, or as part of the development team’s runtime tests.

    4. Open Source

    Open source software is a critical enabler for modern software development. Guardsquare itself has its origins in ProGuard®, an open source technology for optimizing and shrinking your Android applications.

    Open source software refers to software released with source code under a license that allows you to inspect, modify or distribute that software with fewer restrictions than a typical closed source software package or component. Open source software often originates from a passionate community of developers that wish to share the software they use to solve a problem or need.

    Open source software should be considered as safe as other forms of software. In some cases, open source software can be trusted more than closed source software because of your ability to inspect and modify the software. That said, relying on popular open source software and components can introduce risk if you don’t adequately assess the risk and provenance of that software.

    Many aspects of mobile app development are supported by open source software. Google is perhaps the most well known leader in open source for the mobile community with the Android operating system and developer tools. There are many other specialist tools that help support the development process for mobile apps, as well as popular open source components which are used for many of the common functions of a modern mobile application.

    The primary purpose of ProGuard® is to optimize and shrink your Android app. One of its core features, name obfuscation, shrinks the app by renaming classes and members to short names and, as a side effect, provides a basic layer of obfuscation.

    DexGuard is a commercial product, built on the same core as ProGuard®. It offers backward compatibility with your keep rules, and many additional mobile app security and protection features for your app. DexGuard also gives you the benefit of shrinking and optimization with added advantages to protect your application from reverse engineering and tampering. 

    More details about ProGuard® and DexGuard can be found in this blog post.

    Guardsquare is the company that was ultimately created after the success of the ProGuard® project and is the official maintainer of the project. Guardsquare works with a community of developers to continually improve and maintain ProGuard®.

    ProGuardCORE is a free library to read, analyze, modify, and write Java class files. It is the core of the well-known shrinker, optimizer, and obfuscator ProGuard®, the ProGuard® Assembler and Disassembler, and our Kotlin Metadata Printer. It is also the core of our commercial tools, including DexGuard and AppSweep.

    Though ProGuard® and R8 are similar (both are designed to shrink, optimize and perform simple name obfuscation for Android apps), ProGuard® contains a feature not found in R8 to help quickly debug configurations: ‘-addconfigurationdebugging’. This provides invaluable feedback at run-time about possibly missing configuration, i.e. keep rules. You can read more in our blog.

    Given the similarities in the keep rules for ProGuard® and R8, we’ve also created a free, convenient service called ProGuard Playground to interactively test and tweak keep rules without having to rebuild your app. It is compatible with both ProGuard® and R8.

    We are always looking to hear from the community of developers that use the tools we provide. You can contribute directly to ProGuard® on GitHub by submitting issues or pull requests. You can also find a complete list of other interesting repos for projects we’ve open-sourced on our GitHub page.

    For further discussion or support with ProGuard® or our free services, like AppSweep, you can also reach out on the Guardsquare Community.

    5. Guardsquare Supported Technology

    Guardsquare offers several products that support the development of mobile applications and help you achieve strong mobile app security. ProGuard®, DexGuard, iXGuard, AppSweep and ThreatCast are all part of the Guardsquare suite of products, helping you optimize, protect, test and monitor your applications.

    Mobile application threats exist on both Android and iOS. A common misconception is that iOS inherently is more secure than Android. Though there are certainly differences between Android and iOS with respect to security considerations and level of difficulty to reverse engineer, the bottom line is that a skilled person with the right knowledge of reverse engineering and tampering can accomplish many of the same goals with apps on the iOS platform.

    Guardsquare offers mobile app protection for a wide variety of native and cross-platform languages and frameworks, including Flutter™, React Native, Java and Kotlin.

    Guardsquare’s mobile app protection is used by some of the leading SDK providers to protect their intellectual property and to harden SDKs against reverse engineering. Many third-party mobile libraries you rely on, especially for security-sensitive functions such as payment processing, likely rely on Guardsquare for protection.

    Mobile apps built for iOS require similar levels of mobile app protection as mobile apps built for Android. The threat model is quite similar, though there are technological differences. For iOS, we offer a product called iXGuard that is purpose-built to support Objective-C, Swift and the cross-platform frameworks used for iOS.

    6. Guardsquare Products

    Guardsquare products offer a high degree of configurability, so you can easily adjust where security checks are performed and the aggressiveness of the checks. These configuration options can be used to ensure the optimal balance of security and performance. In fact, Guardsquare is trusted by many of the leading online gaming studios, where performance expectations are highest.

    DexGuard and iXGuard are both part of Guardsquare’s mobile app protection solution. DexGuard is our solution built specifically for Android applications and iXGuard is our solution built for iOS applications. Conceptually, the products are very similar and protect against roughly the same threats. The primary difference is specific to the technology differences in Android vs iOS apps.

    Configuring mobile app protection is as simple as editing a configuration file to specify which mobile application protection features to enable for your application and running the DexGuard or iXGuard command as part of your build process. We find our customers typically spend 2-3 weeks getting familiar with the configuration features, enabling the features and then optimizing their protection to be ready for a deeper security review.

    Yes, Guardsquare offers a product called ThreatCast for mobile application threat monitoring. It provides real-time visibility into threats from devices running your application so you can understand where reverse engineering efforts are coming from and what those attacks are targeting. Through custom webhook integration, you can also consume those insights by integrating them into a SIEM tool, or as part of a fraud or anti-cheat system.

    Currently ThreatCast offers insights on triggered RASP events and therefore requires that you utilize DexGuard or iXGuard to protect your mobile application.

    Yes, DexGuard and iXGuard customers can monitor one Android or iOS application free of charge with ThreatCast Free.

    ThreatCast is not suitable for a mobile SDK, since your SDK will be consumed by many end applications that you do not control.

    ThreatCast will capture basic telemetry of the device, device metadata and forensics about the mobile threat detected. Full details of the data we collect can be found in our Data Processing Agreement.

    AppSweep is a free service provided by Guardsquare to perform automated mobile application security testing with every build. It’s a developer-friendly solution that helps you shift your security testing left, identifying security issues sooner and providing actionable recommendations to fix.

    The best practice with AppSweep is to integrate mobile application security testing into your CI/CD process, so each release you build is analyzed for potential security issues. The more frequently you scan with AppSweep, the easier it is to resolve security issues.

    Learn how AppSweep provides support for the OWASP Mobile Application Security Verification Standard (MASVS).

    When you first access AppSweep you can scan your app without creating a user account. We encourage you to create a user account so you can take advantage of all the features. Registering is free and gives you the ability to create a project to organize your scans. You can also invite teammates to review and collaborate on findings, and integrate AppSweep into your CI/CD process using our integrations or API.

    AppSweep allows you to get immediate results from testing your mobile application. It can be used as part of every build of your mobile application, giving your team the best chance of resolving security issues before release and in advance of any further security reviews. 

    It is worth noting that penetration testing can still be a valuable exercise to periodically assess the security of your app with a robust set of tests that go beyond what can be automated using tools. But using AppSweep as part of your regular development process will minimize the chances of discovering issues during a formal security review or pen test.

    The Secure Keyboard is designed to enhance the security of the keyboard used by your application, eliminating the risk associated with custom keyboards installed by users that may compromise data security. It provides protection against malware attacks, such as overlays, while delivering an optimal user experience as a fully functional keyboard.

    • OS Support: The keyboard supports iOS 12+ and Android API 21+.
    • SDK Details: It is available as an Android and iOS SDK, with the iOS SDK provided as a Swift Package, and the Android SDK provided in Java and Kotlin.
    • UI Customization: Users can customize the keyboard's theme colors, enable dark mode, configure audio feedback, haptic feedback, and customize portrait and landscape modes, along with top bar customization.
    • Convenience Typing: Features include auto-correction, auto-learning, auto-capitalization, and support for 80+ languages with configurable emoji options.
    • Security: The keyboard comes with built-in protection against overlay attacks.

    Guardsquare provides technical support for the secure keyboard add-on on both Android through DexGuard and iOS via iXGuard, ensuring seamless assistance for the implementation and maintenance of these protection measures in your mobile applications.

    Compatibility and usage depend on the choices made by the developers during implementation. Developers have the option to choose between the system keyboard and the Secure In-App Keyboard SDK for each view that implements a keyboard. Developers need to make this choice based on their specific requirements and considerations.
