Swiss Telecom Provider Gains Comprehensive Protection with Guardsquare

The Company

Founded in 2000, this leading challenger telecommunications provider based in Switzerland provides high-quality mobile, landline, broadband internet, and TV services to residential customers. For business customers, their offerings include 360° communications and integrated ICT solutions for connectivity, security, and IoT from a single source. Overall, the company distinguishes itself by providing the most comprehensive fixed network access and a world-class mobile network with the highest gigabit coverage in Switzerland.

The company employs approximately 2,850 full-time employees with a customer base of 2.5 million mobile users, 1.1 million broadband users, and 850 thousand enhanced TV customers, as well as thousands of business customers.

The Challenge

The company offers an application for its mobile customers (one version for Android and another for iOS). About 400,000 monthly active users access these mobile apps for things like bill payment, contract management, hardware accessory purchases, special offers, as well as their own app store and customer support (including an in-app chat agent for troubleshooting issues).

Both security and customer trust are serious considerations within the company’s highly competitive market. Each year, an external evaluator does penetration tests to rate the company’s mobile app against other telecom providers in the DACH region (Germany, Austria, Switzerland); the comparative results are then published. This multi-part testing includes one section dedicated to mobile application security, broken down into four specific areas:

• Data privacy, which includes screen capture protection as well as situations where an attacker could retrieve data from logs/cache, or see sensitive system permissions.
• Traffic protection, which includes cryptographic algorithms on the client side plus insecure cryptographic protocols on both the client side and the server side. It also covers things like unencrypted data, man-in-the-middle (MitM) interception, TLS certificate expiration, compliance with the EU’s General Data Protection Regulation (GDPR), and certificate verification.
• Impersonation attack protection, which includes bypassing authorization schemes, brute force attempts, enumeration attacks, insecure logout mechanisms, replay attacks, password policy violations, unauthorized password recovery requests, venue exploitation, privilege escalation attacks, and application cloning.
• Secure code practices, which covers app development issues such as user input field validation, user input field injection, debugging applications, root detection, Play Store integrity, checking for outdated libraries, source code obfuscation, usage of insecure signature versions, and app modification (repackaging and re-signing).

"From last year’s score, we saw that we had several weak areas where we could improve, but especially in security. There were two big security items which we realized we couldn’t resolve by ourselves: code obfuscation and jailbreak detection.” With only six members on the company’s team for app development, they decided to look for some expert assistance. "We needed to reach out to a third-party vendor."

— Product Owner, Leading Swiss Telecom Mobile App

The company did some initial research and also asked other companies for suggestions based on their direct experience. Several mobile app security solution providers were invited to the company’s RFP. The topline evaluation criteria included comprehensive protection for both iOS- and Android-based applications with specific capabilities for code hardening (obfuscation and encryption) and jailbroken/rooted device detection to improve pentesting results and provide comprehensive application security for all their mobile customers.

"Our company has been especially focused on security over the last year. We wanted a technology provider who’s very experienced with mobile application solutions.” Their research, review, and evaluation process led them to select Guardsquare."Through the RFP process, Guardsquare demonstrated they were by far the best.”

— Product Owner, Leading Swiss Telecom Mobile App

The Solution

The company chose Guardsquare based on the multi-layered protections offered by iXGuard (iOS apps) and DexGuard (Android apps). Both iXGuard and DexGuard use layered defenses that fortify one another providing comprehensive mobile app protection against reverse engineering and tampering in the wild.

Critical solution capabilities include:

• Code hardening that applies multiple obfuscation and encryption techniques.
• Runtime application self protection (RASP) checks that detect rooted or jailbroken devices, as well as certificate checks, hook detection, and much more.
• A guided implementation workflow that simplifies setup, ensuring the highest level of protection without compromising security, app stability, time to market, or performance.

"Switzerland is special in that it has a much higher iOS distribution than Android, nearly a two-to-one ratio. That’s one of the reasons why we looked for a partner with solutions that cover both iOS and Android apps."

— Product Owner, Leading Swiss Telecom Mobile App

The Result

The company needed to move fast to prepare for their annual comparative pentesting. “We had a very short timeframe plus some internal challenges to work through. Guardsquare was especially helpful with delivering quickly and being very supportive during onboarding.”

By all accounts, the process of installing, configuring, and implementing Guardsquare protection was nearly frictionless. “The installation was very fast. We were honestly really surprised how quickly the whole solution was implemented. It actually took us less than one day to fully implement it.”

”On the first day, we were able to release to our test systems a new, fully protected application.” Product Owner, Leading Swiss Telecom Mobile App

“One big benefit was the guided workflow interface that Guardsquare provides for configuration. It was so simple to add everything. It also provided direct feedback. For example, I now receive an email when the new build is protected, which is very convenient. This tells me if there are any errors, alerts, or crashes and what they are. We had one issue when we configured something incorrectly and we saw it in the crash report from the Guardsquare platform even before crash analytics.”

“The documentation and especially the videos that were on the platform made the whole implementation simple and straightforward. We had a few very small problems which were quickly clarified in our weekly catch up sessions with Guardsquare tech support.”

To help with the transition phase, the company selected Gold Support for full implementation assistance. “It was a really smooth integration and the support we received was really outstanding.”

”All the weak points that were discovered last year are now fully covered with the Guardsquare solution” Product Owner, Leading Swiss Telecom Mobile App

But the most important result is that the security issues identified in their previous pentest are now resolved. “We have already had a first round of pre-testing for the next penetration test. All the weak points that were discovered last year are now fully covered with the Guardsquare solution. We’re finally getting 100 percent of the points; that’s exactly what we aimed for.”

Want to learn how Guardsquare can help you quickly add comprehensive protection to your mobile apps?

Guardsquare offers the most complete approach to mobile application security on the market, delivering the highest level of protection, with ease. Guardsquare integrates seamlessly across the full development cycle, from mobile app security testing and code hardening to real-time threat detection and app attestation. Guardsquare provides enhanced mobile application security across the entire development process.

More than 975 customers worldwide across all major industries rely on Guardsquare to help them identify security risks and protect their mobile applications and SDKs against reverse engineering and tampering in the ever-evolving threat landscape.