Five Mobile App Risks You Might Not Be Prepared for in 2020

Mobile applications and app stores have been around for about 12 years now, but many app owners still find themselves struggling to properly secure their mobile applications. Hackers are well aware of this, and often target mobile apps for financial fraud, data theft, and other criminal exploits. In this piece, we share five mobile app risks that businesses may not be prepared for in 2020, as well as some advice on how to get up to speed. 

1. iOS Jailbreaks

Jailbreaking an iOS device removes the platform restrictions that keep installed apps isolated and read-only, which lets an attacker copy, dissect or modify any app on the device. On a jailbroken device an attacker can do any or all of the following:

  • strip the FairPlay encryption Apple applies to App Store binaries by dumping the decrypted code from memory
  • expose the sensitive intellectual property and data embedded in the app
  • modify the behavior of an app at runtime
  • circumvent an app’s license checks or built-in security checks

The latest iOS jailbreak tool, checkra1n, is now in public beta, which means users will be testing it out and using it against iOS devices in the real world. As a result, developers need to take extra precautions to protect their iOS apps, including jailbreak detection and code obfuscation. The two belong together: a detection routine that is easy to locate in a decompiled binary is also easy to patch out, so obfuscation is what keeps the detection itself in place.

2. iOS Piracy

Many people believe that iOS apps are less vulnerable to piracy than Android apps. This is unfortunately not the case. On a jailbroken device, users can install so-called “tweaks” from third-party app stores that modify certain apps at runtime, letting them obtain in-app “purchases” for free.

This is a surprisingly major issue, and one that doesn’t get a lot of attention. Our team was able to find pirated versions of more than 200 apps, easily accessible on the internet.

Piracy costs app owners a lot of money, yet most of them do not have sufficient protections built into their apps. We found that even the jailbreak detection mechanisms present in about 10% of these apps are easily circumvented by hackers. This is why it’s key to take a multilayered approach to mobile app security.

3. Fake Apps

Another major and often underestimated issue is that of fake apps, or fraudulent app clones. A recent McAfee report found 65,000 new fake apps published in a single month. Fake apps are even being used in cyber espionage attempts.

So what exactly are fake mobile apps? They are Android or iOS applications that mimic the look and/or functionality of real applications to trick users into installing them. Once installed, these apps can:

  • aggressively display advertisements for revenue 
  • harvest credentials
  • intercept sensitive data 
  • divert revenue from legitimate apps 
  • infect devices with malware 

For app makers who want to protect their apps and users, code hardening and runtime application self-protection (RASP) make mobile applications substantially harder to clone and tamper with: hardening hides the code a cloner needs to understand and repurpose, and RASP lets the app detect at runtime that it has been repackaged or modified.

4. Kotlin-Written Android Apps

When Google declared Kotlin its preferred Android programming language, it quickly became the fourth fastest growing language. We anticipate its usage will continue to spread widely, likely overtaking JavaScript in the near future.

Yet, many developers using the language do not fully understand security best practices, including how to protect Kotlin code against OWASP's well-known Mobile Top 10 risks, as explained in-depth here.

In 2020, developers must carefully educate themselves and their teams about Kotlin security and aim to fully protect their apps written using Kotlin. Kotlin compiles to the same JVM and Dalvik bytecode as Java, so a Kotlin app decompiles just as readily; like any other app built on that bytecode, it must be protected against both static and dynamic attacks using a combination of code hardening and RASP.

5. Insecure Financial Apps

A Juniper Research report found that the number of people using mobile banking apps is approaching two billion—about 40 percent of the global adult population. Yet a report we recently released found that more than 50% of all banking and other mobile financial applications do not use sufficient code obfuscation, leaving those apps wide open to attacks. 

Consumers today have a lot of options to choose from when it comes to banks and mobile financial applications. If a company loses their trust due to a mobile data breach, they can and will go elsewhere. Additionally, fines and legal consequences for fraud and data loss in the financial space can cripple a business. 

If you operate in the mobile financial application space, it’s key to use security best practices to both protect your apps and to provide consumers with the peace of mind they need to do business with you.

Bonus: New Compliance Mandates

This one isn’t technically a threat, but a lot of new compliance mandates have hit the market recently, ranging from country-specific banking regulations to broader frameworks like PCI SPoC (Software-based PIN Entry on COTS). Companies that don’t have a strategy in place to track these complex and evolving regulations, and to ensure they meet the baseline requirements of the ones they are beholden to, could find themselves in regulatory trouble or losing out on business deals.

What mobile app risks are you paying the most attention to in 2020?

 

ProGuard vs. DexGuard

You may be familiar with ProGuard, an open source optimizer created by Guardsquare founder and CTO Eric Lafortune. But if you’re building Android apps and are interested in advanced protection and security features, you may want to consider DexGuard.

At their core, the biggest difference between the products is this: ProGuard is a generic optimizer for Java bytecode, while DexGuard provides advanced protection for Android applications.

In this blog, you will find an overview of the differences between ProGuard and DexGuard.

Quick Compare: ProGuard vs. DexGuard

DexGuard is based on ProGuard, which is why it’s so easy to upgrade to DexGuard. DexGuard contains all ProGuard features and many significant additional features, particularly on the security front. Below is a side-by-side comparison of the key aspects of both products:

[Table: ProGuard vs. DexGuard comparison]
 

Deeper Dive: ProGuard vs. DexGuard

While the high-level details of ProGuard and DexGuard are laid out above, there are more in-depth benefits to be discussed. In the FAQ below, we explore the differences between ProGuard and DexGuard in more detail, including reasons why each product may suit different needs within a software engineering team’s project lineup.

Q. What should I use each tool for?

A. ProGuard is a generic optimizer for Java bytecode. DexGuard is a specialized tool for the protection of Android applications.

ProGuard is a versatile optimizer for Java bytecode. It enables you to shrink, optimize and obfuscate desktop applications, embedded applications, and mobile Android applications.

DexGuard, on the other hand, is specifically designed to protect and optimize Android applications. Mobile apps run on devices the developer does not control, in a threat landscape that evolves quickly, and DexGuard provides multilayered protection adapted to that situation. In addition, DexGuard offers functionality to utilize the Android platform efficiently. It comes with a tuned configuration for the Android runtime and for common libraries (Google Play Services, Dagger, Realm, SQLCipher etc.) and automatically splits DEX files that exceed the format’s 65,536 method-reference limit (MultiDex).

Q. What do they each protect against?

A. ProGuard offers basic protection against static analysis. DexGuard protects applications against static and dynamic analysis, as well as attacks at runtime.

Hackers generally combine two approaches when attempting to reverse engineer an application. They may recover a readable approximation of the application’s source code from its compiled bytecode using decompilers, which is called static analysis. Malicious actors may also monitor the behavior of applications while they run, using debuggers, instrumentation frameworks or hooking, which is called dynamic analysis. Static and dynamic analysis are often used in tandem.

ProGuard offers basic protection against static analysis only.

DexGuard shields applications from both static and dynamic analysis. DexGuard uses a multitude of obfuscation and encryption techniques to harden an app’s compiled code. It also integrates a series of runtime security mechanisms (RASP) into Android apps. These mechanisms check the integrity of both the application and its environment, enabling the app to react whenever a potential threat is detected.

Q. What security features do these products provide?

A. ProGuard provides minimal obfuscation. DexGuard applies multiple layers of encryption and obfuscation and adds runtime security mechanisms (RASP).

Both ProGuard and DexGuard harden the code of applications to shield them from reverse engineering. However, the extent to which they harden the code is different. 

ProGuard offers basic protection in the form of name obfuscation.

DexGuard provides advanced code protection via obfuscation and encryption; it not only obfuscates the names of classes, fields and methods, but also the arithmetic and logical expressions in the code and the control flow inside methods. In addition, DexGuard encrypts strings and classes and replaces direct calls to sensitive APIs with reflection, so that those calls no longer show up as plain references in a static analysis.

DexGuard also offers runtime application self-protection (RASP), which is necessary to protect against dynamic attacks.

In combination, DexGuard’s code protection and RASP result in a more fully protected application.
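As an added illustration of the difference just described, here is a ProGuard configuration written for this page (it is not Guardsquare’s shipped defaults or a file from any real project) that shrinks, optimizes and name-obfuscates an Android app. It applies equally to the Kotlin apps discussed earlier, since Kotlin compiles to the same bytecode and is processed by the same rules. The package com.example.shop, the model classes and the output path are assumptions; the directives themselves are documented ProGuard options, and the same rules format is read by R8, which the Android Gradle Plugin has used in place of ProGuard since version 3.4.

```proguard
# proguard-rules.pro for a hypothetical Android app (package com.example.shop).
# Added example for this page, not a file shipped by Guardsquare or by any project.
# Every directive is a documented ProGuard option; package names and paths are
# assumptions. Wired in via the Gradle build: minifyEnabled true, proguardFiles ...

# --- Shrinking and optimization ---------------------------------------------
# Remove unused classes, fields and methods, then run several optimization passes.
# -allowaccessmodification lets the optimizer inline and merge across packages.
-optimizationpasses 5
-allowaccessmodification

# --- Name obfuscation --------------------------------------------------------
# Move every class that is not explicitly kept into the root package and give it
# a short meaningless name, so neither package nor class names hint at function.
-repackageclasses ''

# Keep the mapping of original to obfuscated names so crash stack traces can be
# retraced. The mapping file is effectively the key to undoing the renaming:
# archive it per release and never ship it inside the APK or commit it publicly.
-printmapping build/outputs/mapping/release/mapping.txt
-renamesourcefileattribute SourceFile
-keepattributes SourceFile,LineNumberTable

# --- Entry points that must keep their names ---------------------------------
# The Android framework instantiates these by the names written in the manifest.
# (The Android Gradle Plugin's default rules already cover them; listed for clarity.)
-keep public class * extends android.app.Activity
-keep public class * extends android.app.Service
-keep public class * extends android.content.BroadcastReceiver
-keep public class * extends android.content.ContentProvider

# JNI resolves native methods by their Java names: keep class and method names,
# but only for classes that actually declare native methods.
-keepclasseswithmembernames class * {
    native <methods>;
}

# --- Reflection-driven code --------------------------------------------------
# A JSON mapper (Gson, Moshi, ...) reads field names reflectively; renaming them
# would break parsing. Keep the field names of the API models only, not the whole
# app. Every such rule is also a hint to an analyst, so keep the pattern narrow.
-keepclassmembers class com.example.shop.api.model.** {
    <fields>;
}

# Enums serialized by name need values()/valueOf() intact.
-keepclassmembers,allowoptimization enum * {
    public static **[] values();
    public static ** valueOf(java.lang.String);
}

# Generic signatures and annotations are needed by some reflection-based
# libraries, but they also hand a decompiler the generic types and annotations
# back. Enable only if a library you use requires them.
# -keepattributes Signature,*Annotation*

# --- Weak settings, shown only so they are recognized ------------------------
# Either of these turns the build back into an easy decompile target:
# -dontobfuscate                             keeps every original name
# -keep class com.example.shop.** { *; }     keeps (and so exposes) the entire app
```

What this configuration does not do is exactly the gap the answer above describes. After processing, class and member names are meaningless, but every string literal (API endpoints, the name of a “premium” feature flag, log messages) is still readable in the DEX, the control flow of each method is unchanged, and nothing checks at runtime whether the app has been repackaged, debugged or hooked. Those are the string and class encryption, control-flow obfuscation and RASP layers that distinguish DexGuard. Also treat mapping.txt as a secret: whoever holds it can retrace the obfuscated names.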

Q. What does each product process and protect in an application?

A. ProGuard focuses on the bytecode. DexGuard processes all the components of an application.

ProGuard’s action is restricted to the bytecode of Java applications. In contrast, DexGuard provides 360-degree protection. Besides the Dalvik bytecode, DexGuard optimizes, obfuscates and encrypts manifest files, native libraries, resources, resource files, and asset files.

Q. How much do these tools cost?

A. ProGuard is an open source tool. DexGuard is a commercial, enterprise-grade product.

ProGuard can be downloaded and used free of charge to process commercial and non-commercial applications. All the information needed to set up ProGuard is detailed in the online manual.

DexGuard is a commercial product from Guardsquare. With a license, companies can use DexGuard and receive access to a team of experienced Guardsquare engineers to help set up the software. Companies can also opt for an enhanced level of support with faster response times, configuration support and more.

 

3 Myths About Mobile App Security Busted

Mobile app security continues to be a weak spot for many organizations. During 2018, one in 36 devices used in organizations could be classified as high-risk. Why? Many of these devices had been rooted or jailbroken, and many others were malware victims (at times, both come into play). Considering there are currently 3.5 billion smartphone users worldwide, one in 36 devices translates to approximately 97 million compromised devices.

Unfortunately, these numbers demonstrate the reality that organizations who build and deploy mobile apps often do not apply the same level of security to these assets that they use with the rest of their information technology stack.

To properly secure the sensitive data that likely passes through and resides within your mobile apps (ranging from customers’ personal and financial information to corporate intellectual property), those apps must receive the same level of security care and attention as every other piece of technological infrastructure. Without it, bad actors can and will take advantage.

To that end, today we want to talk about three myths that surround mobile app security and share some strategies for better defending your mobile apps against the very real risks present in the market.

Myth 1: Security is the Job of the Security Team Alone

Mobile applications are one of the most common ways that users interact with an organization’s services, yet they often lag behind web, desktop, and other services when it comes to security. As the DevSecOps movement has spread throughout the technology industry, mobile app development has at times been left behind the curve. This means there is often not a tight feedback loop between security and development teams, which can lead to mistrust, slower release cycles, or insecure apps.

The best way to ensure the security of mobile apps is to involve both the development team and the security team in implementing best-in-breed security measures early and often in the app’s lifecycle. This includes a multi-layered approach. We recommend applying obfuscation techniques to the code so that it is not easily read by hackers, ideally using tools like DexGuard or iXGuard, which let the development team balance lean development cycles with security requirements. Dynamic security protections are required as part of a multi-layered security strategy to prevent theft of both information and the IP embedded in code.

Myth 2: iOS is Secure, End of Story

We’ve written before about misconceptions around iOS security, but it bears revisiting, especially given recent headlines around the checkra1n jailbreak. checkra1n is built on checkm8, a vulnerability in the boot ROM of several iPhone generations that Apple cannot patch with a software update, so the affected devices remain jailbreakable for their lifetime. The tool has spread quickly, and app developers are recognizing the potential for unauthorized data exposure or modification by hackers working from jailbroken phones.

Additionally, iOS piracy is more common than many realize. Pirated apps endanger in-app revenue (which accounts for 96% of consumer spend in non-gaming apps) through the distribution of modified or “cracked” apps (Android and iOS) and through “tweaks” that modify the behavior of iOS apps primarily. Either form of piracy can enable users to access paid features for free, which decreases revenue for many organizations.

It’s key to develop strategies against threats like jailbreaking and piracy if mobile apps are a key aspect of your business strategy or revenue streams. The Apple App Store does indeed provide a bit more security to end users than Android, but it’s still the case that developers need to take extra precautions to fully secure their apps and protect their own organizations.

Myth 3: Customer Data is the Most Valuable Target

It’s important to secure mobile apps so that customer data is not stolen or misused, harming trust and reputation. However, companies must also recognize that they are at great risk when valuable and innovative code is stolen. This can happen because a mobile app’s binary is distributed to every user’s device, where anyone can download, decompile and reverse engineer it.

Typically when intellectual property (IP) is stolen via a mobile channel, it is a result of piracy and/or cloning of partial or entire mobile apps.

And lest you suspect that this is an edge case, the reality is information theft is the most expensive and fastest growing cybercrime. It is estimated that IP-related cybercrime accounts for $50 to $60 billion of global losses yearly. Of note, this type of crime is increasingly targeted at the gaming sector (which, as you may know, is the largest and most valuable area of the mobile app industry).

Theft of intellectual property is another compelling reason organizations must properly secure their mobile apps against the complex and ever-evolving attacks that hackers launch.

Getting Realistic About Mobile Security

While it may be daunting at first to undertake the project of better securing your mobile apps, it’s important to have a game plan for defending against the very real attacks and risks discussed above. These threats can impact your business in dramatic ways, so organizations must fully secure their mobile apps to decrease risk.

Once you have brought your security and development teams into alignment, one of the key ways to improve your mobile app security is to take a layered approach. Rarely is a single mechanism or solution sufficient to fully protect against all of the creative ways that maliciously-motivated actors will attempt to compromise your hard-earned app revenue and sensitive data.

Both code hardening and runtime application self-protection are necessary to ensure a truly tough security posture. The best approach to mobile application security brings development and security teams into close alignment to implement strong and layered security across mobile applications.

The Case for Company Stewardship of Open Source Projects

By: Eric Lafortune - CTO

Sometimes the smallest decisions lead to big outcomes.

In 2002, I started to play around with code that could compress and optimize mobile apps. Eventually, that code became ProGuard, an open source optimizer for Java bytecode. Little did I know that my hobby would take off, with adoption by companies like Facebook, Google, and Sun Microsystems. Today, ProGuard has been downloaded more than 1 million times as a standalone project from SourceForge, and it is downloaded around 20,000 times a day as the long-time optimizer in Google’s Android SDK. In fact, ProGuard is the inspiration behind Google’s R8 compiler.

Building ProGuard gave me a direct view into how powerful open source code can be when it comes to solving problems. Ultimately, the interest I saw in ProGuard led me to found our company, Guardsquare, which now serves as the sponsor and steward of ProGuard.

The Value of Open Source

Open source is huge. According to GitHub’s 2019 State of the Octoverse Report, 35 of the Global Fortune 50 companies contributed to open source via GitHub’s platform. And, by GitHub’s 2019 estimate, some 40 million people contribute to open source on their platform alone.

ProGuard is just one example of the billions of lines of open source code that underpin some of the world’s biggest technology products and companies. Over the last decade, individual coders and corporations have created valuable code and shared it freely for anyone to use. Today, even huge public tech companies like Google and Facebook rely heavily on open source code. They also contribute back to the community with their own open source projects.

Open source stewardship is the duty of technology companies to give back to the tech ecosystem. We all benefit from beautiful code that is well-managed and open. Sometimes, the relationship between creators and the community can be tense, as we saw from the recent Rust discussion. But when this relationship works well, it benefits both individual contributors and companies.

However, maintaining an open source project is a lot of work. It’s truly a labor of love, even when the sponsor or maintainer is a corporation like Google or Facebook. This is non-trivial code. It represents thousands of hours of work. Despite that investment, there are many benefits of corporate sponsorship, both for the company and the open source community. Let’s explore these in more detail.

Users Flag Features You Never Thought to Create

For Companies: Software is complicated, and external users have more creative and varied uses for a piece of code than anyone could anticipate in design and testing. As the steward of the ProGuard open source project, I receive many interesting requests for use cases I never imagined. These requests lead us to update and improve the code.

For Open Source: The developers using the open source code benefit too. The product gets better and better, because hundreds if not thousands of others downloaded the code for free, used it, and flagged helpful potential features that end up in the release everyone shares.

Thought Leadership and Community Building

For Companies: Developers often work collaboratively. While most users of open source use code without commenting or contributing changes, there are many active participants. As the steward of an open source project, companies can work to build community. They will also naturally come to understand what their potential audiences want from both non-commercial and commercial products. Take, for example, MongoDB—their open source database is used by large and small tech companies around the world for free, but MongoDB still operates a for-profit company with other offerings.

For Open Source: From the open source community’s perspective, this corporate stewardship of open source projects also has benefits. A corporation can organize and fund projects, devoting employee time and company resources to improving and developing new code. Companies can often devote resources to open source that would be difficult for individual contributors to sustain.

For example, at Guardsquare, our Android team splits time between DexGuard, Guardsquare’s paid, proprietary product for that operating system, and ProGuard. These are employees we pay, but a significant portion of their time also goes to benefiting the open source community.

When a well-funded corporate sponsor is shepherding updates and constantly developing new features, the quality and usefulness of the open source code remains high.

Increased Security and Faster Bug Fixes

For Companies: No matter how rigorous the testing, all code hits bugs once it enters the real world. Linus’s Law says “given enough eyeballs, all bugs are shallow,” meaning that the more people who review the code, the easier it is to find bugs. You would be hard-pressed to find a way of getting more eyeballs on code than to open source it.

Every day, hundreds if not thousands of developers look at open source code. If they spot an issue, they will flag it to the community steward. In fact, GitHub’s 2019 State of the Octoverse noted that over 7.6 million security alerts were addressed by developers and others from the community. This is hugely valuable, as any one corporation’s developers will have many other projects to review. For example, Google has mobilized their open source community by starting to pay developers to find bugs in Kubernetes.

For Open Source: While there is no guarantee that a bug or security issue will be caught quickly, more people reviewing code is a good thing. Of course, bad guys can find vulnerabilities, too, and widely used code is not automatically well reviewed. Take, for example, Heartbleed in 2014: the bug sat in OpenSSL, one of the most widely deployed open source libraries, for about two years before it was found. Still, open source software overall becomes more resilient the more widely it is used and reviewed.

 

There’s an expression: A rising tide lifts all ships. Open source code started as a trickle, and then became a gush, and is now a massive rising tide that has lifted many, if not all, companies who rely on technology to greater heights. As more companies take stewardship of open source code, software will become more and more advanced. It seems counterintuitive to generate valuable IP and then give it away for free. But there is great value in it on all sides.

 

iOS Piracy is More Common Than You Think: Protect your App

By: Jonas Gijbels - Software engineer

Global app revenue reached $120 billion in 2020, and a growing percentage of that revenue is generated by in-app spending. As much as 96% of consumer spend in non-gaming apps is generated by in-app subscriptions. This vital in-app revenue is endangered by piracy, both through the distribution of modified or “cracked” apps, on both Android and iOS, and through the use of so-called “tweaks”, scripts that modify the behaviour of mainly iOS apps. Both forms of piracy enable users to access premium content and functionality for free, impacting the revenue stream of many organizations.

To illustrate the magnitude of the problem, our team searched the internet for tweaks for popular iOS apps. We focused on iOS because the vulnerability of iOS apps to reverse engineering and piracy is the most underestimated. It took us less than half a day to find more than two hundred tweaks in different repositories. We analyzed the tweaks we found to better understand how they work and how app developers can defend against the resulting revenue loss.

What you need to know about “tweaks”

Tweaks for iOS apps can freely be downloaded from third-party app stores. The only two things users need to install and use them are a jailbroken device and a package manager such as Cydia, Sileo or Zebra, which installs the tweak so that it is loaded into the targeted application. The installation process is very similar to installing an app from the App Store, meaning that it doesn’t require any specialized skills or knowledge from the user. Once installed, the tweaks use a technique called hooking to modify the intended behaviour of the application while it is running: the tweak’s code is injected into the app’s process and replaces the implementation of selected methods with its own, so the app keeps calling what it believes is its own code. In most cases, the tweaks bypass the license or purchase checking mechanisms of the targeted applications to give the user access to paid content or functionality. Other tweaks are designed to remove ads and/or branding from applications or to disable the security checks meant to prevent apps from running on jailbroken devices (jailbreak detection).

What we found

The 200+ tweaks we analyzed target applications in all App Store categories. A large part of the “tweaked” apps we found belong to the category of photo and video applications, but we also encountered tweaks for finance, shopping, gaming, and other applications.

[Figure: Analyzed tweaks per App Store category]

Remarkably, it is not only apps belonging to small companies that fall victim to piracy through tweaks. A large share of the tweaks we found target applications developed by large corporations, with presumably hundreds of thousands, if not millions, of users. This illustrates how widespread an issue iOS app tweaking is and how few organizations are taking sufficient mobile app security precautions. The following graph gives an idea of the popularity of the impacted applications, using the number of available reviews for each included app as a proxy for popularity.

[Figure: Number of reviews in the US App Store of all the targeted apps in our research]

As far as functionality goes, 93% of the analyzed tweaks were designed to provide free access to premium features or content to users; a significant share of these tweaks also removed jailbreak detection mechanisms to make this possible. The unlocked features vary greatly as they depend on the type and category of the target application. Here are a few examples: one of the included tweaks unlocks advanced photo editing settings and functionality and gives users access to additional filters and themes in a leading photo editing application. Another tweak enables users to access all premium functionality for free in a popular utility app, undermining the freemium business model adopted by the app publisher. The remaining tweaks in our batch were built to disable built-in jailbreak detection mechanisms or to remove ads/branding from the targeted iOS applications.

What is at stake

The use of app tweaks can have a significant impact on the revenue generated by the affected applications and on the overall company revenue of the app publishers. To illustrate what is at stake, we looked at the losses tweaks can cause for 20 common apps belonging to some of the categories most frequently targeted by this kind of piracy (photo and video editing applications, note taking applications, document readers, VPNs, media streamers, password managers etc.). For these 20 applications, the lost revenue ranged from $1.25 to $14.99 per user per month depending on the unlocked functionality, with an average of $8.31 per user per month. These small monthly losses can have an important impact on overall revenue. We did the math for the leading photo editing application mentioned above. Based on the assumptions that 0.4% of iOS devices are jailbroken and that 1 out of 10 app users writes a review, the losses in revenue for the app amount to $207,152 per month or $2,485,824 annually.

How To Protect Your Mobile App

During our research, we found that app developers try to prevent piracy through two different approaches, both of which, based on our findings, are clearly not as effective as they need to be. The first is to multiply the number of purchase/license checks performed by the application. Without solid code obfuscation in place, these checks can easily be identified and neutralized, and because a tweak hooks methods rather than patching individual call sites, adding more checks only lengthens the tweak author’s list: we found tweaks that hooked up to 89 different methods across an app’s code to bypass all of its purchase/license checks. The second approach consists of implementing mostly DIY jailbreak detection checks to prevent the apps from running on a jailbroken device. 18% of the targeted applications in our research have some kind of jailbreak detection built in. Without additional application shielding measures in place, this measure is insufficient, as the checks are easy to circumvent. In fact, a significant number of the tweaks we analyzed hook the jailbreak checks as part of the process of unlocking premium functionality. Users can also install tweaks specifically designed to bypass jailbreak detection mechanisms.

The most effective way to protect iOS applications against piracy is to adopt a multi-layered approach to app protection combining advanced environment integrity checks, including jailbreak detection, with code integrity checks that prevent the app from being modified at runtime (hook detection, tamper detection) and code obfuscation. iXGuard, our security solution for iOS apps (and DexGuard for Android apps), provides multilayered app protection without affecting end-user experience.

Guardsquare Announces Record Revenue, Customer and Employee Growth for 2019

Product innovation, global expansion and funding fueled momentum for
mobile application security leader

 

BOSTON, USA – January 22, 2020 – Guardsquare, the mobile application security platform, today announced it achieved record revenue, employee, and customer growth adding more than 200 paying customers in 2019. This momentum—along with a $29 million investment from Battery Ventures in early 2019—demonstrates increasing industry-wide demand for Guardsquare’s mobile application protection solutions that secure applications through dynamic and static protection against reverse-engineering and hacking.

“We are extremely proud of the success we have had over the past year and I want to personally thank our open source ProGuard users, as well as our DexGuard and iXGuard customers and partners,” said Roel Caers, CEO of Guardsquare. “We address a critical need for app developers, which is evident by our success and fervent market adoption. The application security market is one of the fastest growing in the industry and Guardsquare is at the forefront, already protecting billions of applications and poised for further adoption in the coming year.”

Increased Need for Mobile Application Security in a Connected World

Recent research shows that the application security market was valued at $4 billion in 2019 and is expected to reach $15.25 billion by 2025 as application security becomes a necessity for organizations across all industries and the developers creating and updating existing applications.

Product Enhancements

Guardsquare delivers a multi-layered security solution to ensure applications are self-defending through code-hardening (encryption and obfuscation) and runtime application self-protection (RASP). These layers of protection are integrated into an application’s code to shield it against threats both on- and off-device.

In addition to ProGuard, its open source optimizer for Java bytecode that makes Java and Android applications up to 90 percent smaller and 20 percent faster, Guardsquare’s two commercial offerings deliver maximum application security: DexGuard (for Android) and iXGuard (for iOS). Guardsquare made significant enhancements to both products in 2019: DexGuard gained code virtualization and App Bundle support, iXGuard gained application integrity protection for enhanced security and an in-app assistant to maximize usability, and JavaScript obfuscation was added to both DexGuard and iXGuard.

Company Growth

Guardsquare recently announced the expansion of its global footprint by adding a North America office in Boston to the headquarters in Leuven, Belgium. Guardsquare also expanded its leadership team with the addition of John Vigeant, chief revenue officer, and Erica Sheehan, vice president of marketing.

Industry Recognition

Guardsquare was awarded the prestigious Ernst & Young “Scale-Up of the Year” 2019 Award, which is given by the Flemish government to Belgian-based companies with top performance, growth, innovation, strategy and entrepreneurship. Guardsquare was also a winner in the BVA Awards for “Growth Company of the Year” and was a top 10 finalist in the Deloitte 2019 Technology Fast 50 Belgium list.

Supporting Quotes

“Mobile applications are the key to success for modern organizations due to their extreme flexibility and portability,” said Dharmesh Thakker, general partner of Battery Ventures. “Guardsquare’s ability to secure mobile applications against reverse engineering and hacking has made it the leading-edge provider of mobile application protection. Its solutions are already in use by six of the top 10 global credit card companies, and Guardsquare is planning additional product innovation and market expansion.”

About Guardsquare

Guardsquare is the global leader in mobile application protection. More than 600 customers worldwide across all major industries rely on Guardsquare to secure their mobile applications against reverse engineering and hacking. Built on the open source ProGuard technology, Guardsquare software integrates transparently in the development process and adds multiple layers of protection to Android (DexGuard) and iOS (iXGuard) applications, hardening them against both on-device and off-device attacks. Guardsquare is based in Leuven (Belgium) with a US office in Boston, MA.

Contact
Erica Sheehan
VP of Marketing, Guardsquare
erica.sheehan@guardsquare.com

Heather Fitzsimmons
Mindshare PR for Guardsquare
heather@mindsharepr.com

The Role of the CISO in Securing Mobile Applications

Things have changed significantly for chief information security officers (CISOs) in the last 10 years. Security is now a CEO- and board-level concern, with breaches costing companies consumer trust, buyer loyalty, and, in some cases, millions of dollars. As security has become a central issue for organizations, one that impacts everything from finance to legal to HR, CISOs' roles have evolved too.

In fact, the Wall Street Journal recently recognized this shift, citing a Forrester survey that found a decrease in CISOs who report to the CIO (from 38% in 2018 to 35% in 2019) and an increase in CISOs who report to the CEO or president (from 16% in 2018 to 18% in 2019). While this is not a huge shift in terms of numbers, we do believe it is part of a larger trend of security being recognized as an important concern as well as a business driver. 

As the CISO role has evolved, security threats have also changed in many ways. Originally introduced in 2008, mobile apps today represent a significant—and perhaps overlooked—center for risk. 

Hackers realize that mobile apps are often overlooked within a company’s security portfolio and often focus their efforts on them as a result. Common threats targeting mobile apps include:

  • Advertisement hijacking
  • API key extraction
  • Credential harvesting
  • Financial fraud
  • IP theft and cloning
  • Man-in-the-middle attacks
  • Piracy
  • Security circumvention
  • Tampering

The question becomes, how can CISOs guard against mobile app threats? Below are three key areas where CISOs today should ensure their teams have an appropriate strategy in place.

The Myth of “Safe” Apps 

Many people mistakenly believe that iOS applications cannot be reverse-engineered, thanks to Apple’s App Store encryption, code-signing processes, and other built-in precautions. 

In reality, CISOs and security departments know that this is not true. While the App Store's goal is to protect consumers from apps with malware and other security issues, its protections do not fully cover the interests of the companies who make these apps. For example, iOS does not have full protections built in against tampering, cloning, or reverse engineering.

Additionally, while there is wider acknowledgment of the vulnerabilities affecting Android applications, it does not make sense to only develop or implement protections for Android, as this leaves the door wide open on the iOS side.

Tip: It is important to be clear-eyed about the reality that iOS apps are indeed vulnerable to hacking and fraud. Many of the attack methods listed above can be detected and prevented with a multi-layered security approach: Code hardening protects the code at rest, while RASP provides protection when the mobile application is running. 

Fake Mobile Apps Are on the Rise

When the Apple App Store opened and Google Play launched in 2008, businesses and individuals alike recognized a major opportunity. Today, the Apple App Store has about 2 million apps, and Google Play nearly 3 million.

Eager scammers are taking advantage of the proliferation of apps by creating “fake apps” and duping consumers into downloading them with the goal of diverting payment, racking up views for unauthorized ads, spreading malware, and carrying out other fraudulent activities. Companies without strong encryption and other security protections may find their apps reverse-engineered and marketed online by criminals, virtually indistinguishable from the real thing. This problem is so pervasive that the US Federal Trade Commission issued an alert for fake apps just a few years ago.

Tip: Hackers can't duplicate what they can't access. Make your app's code unreadable with obfuscation and encryption, two important code hardening techniques. With these tools in place, hackers will not be able to decompile the source code, stopping them from replicating it wholesale and falsely marketing a fake app.

Protecting Valuable Intellectual Property

Companies, especially those in high-value, disruptive spaces, invest a lot of time and money developing their unique services. As a natural consequence, many mobile apps include proprietary algorithms used by a company’s core products. If bad actors are able to access the source code of these apps, they can intercept user data or copy a legitimate app’s functionality and go to market without the up-front investment.  

Tip: Code hardening is the best way to protect major investments in developing unique intellectual property from theft and misuse by hackers with bad motives.

New Regulatory Landscape

As mobile apps have grown in popularity, regulations have raced to keep up with them. Today, CISOs must ensure that their companies’ applications comply with all major regulations, many of which vary from country to country. This is especially true in highly regulated landscapes, such as banking, where penalties for non-compliance can be costly. 

Additionally, many countries are passing new local, regional, or global regulations aimed at protecting users. Turkey and Singapore, for example, recently passed new regulations around mobile banking. 

Also in 2019, the Payment Card Industry Security Standards Council enacted new guidelines: the PCI Mobile Payment Acceptance Security Guidelines, industry standards for processing credit card information, and PCI SPoC regulating the security of electronic mobile transactions on commercial off-the-shelf devices (COTS). 

These are only a handful of the regulations at play for mobile apps: GDPR, PSD2, and many other regional rules apply, depending on your business, location, customer base, industry, and other factors.

Tip: As security is increasingly linked to regulatory compliance, CISOs must work closely with other business units to monitor for new regulations and apply appropriate security and privacy measures to mobile apps to meet these standards.

Securing Mobile Applications in 2020

As companies develop ever more mobile apps, CISOs’ jobs will only become more complicated. Companies who proactively safeguard their mobile apps using both static and dynamic protections will be well-positioned to gain and maintain user trust in 2020 and beyond. 

What PCI SPoC Compliance Means for Mobile Apps

Guardsquare provides security solutions that safeguard mobile apps against reverse engineering and hacking. We develop software that complies with a number of regulatory and industry standards, such as PSD2, the OWASP Mobile Security Project and the PCI guidelines.

In light of the recent compliance discussions and numerous regulatory updates (for instance, in Turkey and Singapore), we are presenting a short blog series discussing how PCI regulations apply to mobile applications. In Part I of this series, we discussed the PCI Mobile Payment Acceptance Security Guidelines. Today, we discuss how our solutions, DexGuard and iXGuard, meet the PCI Software-based PIN entry on Commercial off-the-shelf devices (SPoC) requirements for Android and iOS.

What is PCI SPoC?

PCI SPoC is a new security standard announced by the Payment Card Industry Security Standards Council (PCI SSC) to regulate the security of electronic mobile transactions on commercial off-the-shelf devices (COTS). The new guidelines secure the authentication of transactions using software-based PIN verification on smartphones and tablets.

Vendors are typically required to use PCI-approved, PCI PIN Transaction Security (PCI PTS)-compliant hardware for PIN authentication (PCI PTS POI). However, the introduction of PCI SPoC allows merchants to leverage the NFC capabilities of off-the-shelf smartphones and tablets to secure the authentication of transactions instead. This eliminates the need for vendors to use traditional (often more expensive) electronic PIN pads.

How Does PCI SPoC Work?

PCI SPoC defines a number of components and processes for authenticating transactions using a PIN on COTS. At a minimum, the system consists of an EMV card reader (referred to by SPoC as the Secure Card Reader for PIN, or SCRP), a back-end monitoring and payment processing system, and a PIN CVM (PIN Cardholder Verification Method) application that accepts the cardholder PIN.

With PCI SPoC, a consumer would present their card to a secure card reader for PIN (SCRP) that reads the account information, then enter their PIN into the merchant's smartphone or tablet to authenticate the transaction. PIN information on the mobile device is captured by a PCI-compliant PIN CVM mobile application that then securely exchanges this information with the SCRP. Subsequently, the SCRP securely communicates with both the mobile device and a back-end monitoring system to attest and process the transaction. Transactions in this setting are restricted to EMV contact and contactless.

The key advantage of PCI SPoC is that it isolates the PIN from other account data, so that correlation attacks, which could otherwise be used to recover encrypted information, are no longer possible. SPoC also requires that the integrity of the PIN entry application that captures this data be assured. Additionally, SPoC requires an active monitoring service to enforce additional external security controls for:

  • attestation (ensuring the security mechanisms are intact and operational),
  • detection (notifying when anomalies are present), and
  • response (triggering controls to alert and take action).

How Guardsquare Can Help Mobile Apps Meet SPoC Compliance

The underlying hardware of COTS devices is assumed to be unknown or untrusted, so an attacker may have full access to its software. PCI SPoC therefore enforces security requirements that developers must meet to ensure software-centric PIN protection. Testing requirements are also defined for the validation and evaluation of the solution by payment security laboratories.

As defined by SPoC, “...it is considered important for the software to provide inherent protections that complicate reverse engineering and tampering of the code execution flow. This may include, but is not limited to, protections using “obfuscation” of the code, internal integrity checks for code and processing flows and encryption of code segments, etc.”

Guardsquare hardens the PIN CVM mobile app against reverse engineering and tampering attacks and provides integrity controls to ensure a trusted execution environment on COTS devices.

Our products, DexGuard and iXGuard, obfuscate mobile apps using multiple advanced techniques and secure COTS devices against rooting and other dynamic attacks designed to compromise the Android and iOS runtimes. Guardsquare's tamper-detection checks and fingerprinting capabilities further harden these controls, and the overall payment system, by signalling modifications and anomalies of the CVM application to the back-end monitoring system.

Stronger Security for Mobile App Transactions

Mobile applications, app security, and compliance are arguably becoming a central pillar of business models across many sectors. Guardsquare’s mobile protection suite, including DexGuard and iXGuard, ensures the overall effectiveness of your IT security architecture by hardening it against dynamic and static attacks.

As the mobile app security solution, Guardsquare helps ensure software-centric PIN protection for Android and iOS devices by providing solutions that directly comply with several PCI security requirements. We use industry-standard cryptography, code obfuscation, tampering prevention and runtime integrity verification to protect hundreds of customers. These technologies are crucial to preventing unintended modification or behavior of the PIN CVM mobile app and COTS devices.

Contact us to learn more about how we can help your business meet the new PCI compliance mandates and ensure the security of your customer data and transactions.

Why Mobile Financial Apps Should Practice Obfuscation

There are 57 million mobile banking users in the U.S. alone. Globally, about 59% of consumers use mobile banking applications. However, many report that they are wary of mobile banking, mobile payments, and other financial mobile applications due to security concerns.

Financial mobile app growth is on an impressive trajectory. Yet with the amount and nature of sensitive data being stored and processed in mobile financial apps, consumers need reassurance that security and privacy concerns are being taken seriously by app developers.

Less Than Half of Mobile Financial Apps Practice Obfuscation

As you may know, we recently conducted research into the nature and level of application shielding in use by more than 3,000 of the world’s leading financial services apps on the Android marketplace.

We discovered that less than half of these apps are using proper mobile application security—including obfuscation—to prevent reverse engineering, malicious app clones, sensitive data loss, and other potential negative outcomes.

What is Code Obfuscation?

One valuable form of application shielding that all mobile financial apps should be using is code obfuscation.

Code obfuscation is the process of making applications more difficult to decompile or disassemble, and the retrieved application code more difficult for humans to parse. Obfuscation is part of a broader application shielding strategy.

The goal of code obfuscation is to prevent any unauthorized party from accessing and gaining insight into the logic of an application, which prevents them from extracting data, tampering with code, exploiting vulnerabilities, and more.

Code obfuscation strategies include:

  • Renaming classes, fields, methods, libraries, etc.
  • Altering the structure of the code
  • Transforming arithmetic and logical expressions
  • Encrypting strings, classes, etc.
  • Removing certain metadata
  • Hiding calls to sensitive APIs, and more

All of this is undertaken without altering the function of the code or the end user experience.
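As an added illustration of the tip on unreadable code above and of three of the strategies just listed (renaming, string encryption, arithmetic transformation), the following Python script rewrites a constructed sample function and shows that the hardened program still behaves exactly like the original. It is example code written for this post, not Guardsquare's code and not how DexGuard or iXGuard work internally; the sample function, the XOR key, the `_v` naming scheme and the `_d` decoder are all invented for the demo.

```python
import ast
import base64
import itertools

# Constructed sample (not from the page): a tiny licence check whose readable
# names, string literals and constants are what a reverse engineer looks for.
SAMPLE_SOURCE = '''
def check_licence(key):
    prefix = "GSQ-"
    if key.startswith(prefix) and len(key) == 12:
        return "valid"
    return "invalid"
'''

XOR_KEY = 0x5A   # demo key; commercial tools derive per-string keys
INT_MASK = 31    # offset used to rewrite integer constants

# Runtime decoder prepended to the hardened program; obfuscated code calls
# _d(...) wherever the original had a string literal.
DECODER_SOURCE = f"""import base64 as _b
def _d(s):
    return bytes(b ^ {XOR_KEY} for b in _b.b64decode(s)).decode('utf-8')
"""

def encode_string(text):
    """Build-time counterpart of _d: XOR every byte, then base64-encode."""
    data = bytes(b ^ XOR_KEY for b in text.encode("utf-8"))
    return base64.b64encode(data).decode("ascii")

class Obfuscator(ast.NodeTransformer):
    def __init__(self):
        self.names = {}                   # original identifier -> new name
        self._counter = itertools.count()

    def _rename(self, name):
        # Renaming: every user-defined identifier gets a meaningless name.
        if name not in self.names:
            self.names[name] = f"_v{next(self._counter)}"
        return self.names[name]

    def visit_FunctionDef(self, node):
        node.name = self._rename(node.name)
        for arg in node.args.args:        # positional parameters only (demo)
            arg.arg = self._rename(arg.arg)
        self.generic_visit(node)
        return node

    def visit_Name(self, node):
        if node.id in self.names:
            node.id = self.names[node.id]
        elif isinstance(node.ctx, ast.Store):
            node.id = self._rename(node.id)  # builtins such as len() stay
        return node

    def visit_Constant(self, node):
        if isinstance(node.value, str):
            # String encryption: the literal becomes a call to the decoder.
            arg = ast.Constant(value=encode_string(node.value))
            return ast.Call(func=ast.Name(id="_d", ctx=ast.Load()),
                            args=[arg], keywords=[])
        if isinstance(node.value, int) and not isinstance(node.value, bool):
            # Arithmetic transformation: 12 becomes 43 - 31, evaluated at runtime.
            return ast.BinOp(left=ast.Constant(value=node.value + INT_MASK),
                             op=ast.Sub(), right=ast.Constant(value=INT_MASK))
        return node

def obfuscate(source):
    """Return (hardened source, rename map). Needs Python 3.9+ for ast.unparse."""
    obf = Obfuscator()
    tree = ast.fix_missing_locations(obf.visit(ast.parse(source)))
    return DECODER_SOURCE + ast.unparse(tree), dict(obf.names)

def load_function(source, name):
    namespace = {}
    exec(source, namespace)               # behaviour must survive the transforms
    return namespace[name]
```

Because the decoder ships inside the program, this raises the cost of static analysis rather than preventing recovery at runtime, which is why the post pairs obfuscation with runtime protection.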

Cover Your Top 10 Bases

Developers of mobile banking and financial applications should be sure to fully understand the top ten most common security risks for mobile applications, as defined by OWASP. Reverse engineering and tampering rank as the eighth and ninth most prevalent security risks according to this list, and both of these can be dramatically curtailed by using sophisticated obfuscation techniques. Application shielding techniques, including obfuscation, can help protect apps against many of the risks on this list.

Adhere to Compliance Mandates

While compliance mandates are often less strict than security best practices, as a financial institution, you obviously have a good degree of obligation when it comes to regulations. Meeting compliance mandates, such as PCI-DSS for payment processors, SOC 2 for any SaaS-related business, and new international regulations, among others, is a good place to start when it comes to up-leveling your security and privacy practices.

Achieve Consumer Trust

The reality today is that consumers have many options to choose from. It has never been easier to research everything from credit card choices to bank reputations to payment providers’ compliance practices. Savvy consumers can easily walk away from one mobile financial app and choose another one (or stay away from apps altogether). So, if you operate in the mobile financial application space, it’s key to use security best practices to both protect your apps and to provide consumers with the peace of mind they need to do business with you.

Ready to learn more about what our data uncovered when it comes to mobile financial apps?

5 Mobile App Security Predictions for 2020

As the year and decade come to a close, it’s a good time to start thinking about what the upcoming months and years are likely to hold when it comes to appsec. Mobile applications continue to be at the heart of many businesses’ strategies, and security vulnerabilities continue to escalate. Below, we’ll share five predictions for mobile app security in 2020, along with recommendations from our appsec experts on how to best prepare your organization.

1. Increased Adoption of Mobile Payments

Research has shown many consumers are wary of using mobile banking applications due to security and privacy concerns. They are interested in the convenience and timeliness these apps can offer, but they want to know that their data will be protected, especially given the near-constant headlines about security breaches. Interestingly enough, more consumers are open to mobile payments apps. Currently, it is predicted that 2020 will be the first year that more than 1 billion people worldwide will use a mobile payment app to pay in-store at least every six months.

Yet as a recent Guardsquare report found, less than half of global mobile financial apps are using any type of code obfuscation currently—leaving them wide open to hacking. Without sufficient security upgrades, the continued growth of mobile payments and financial apps will lead to more hacks and breaches in 2020.

That said, it's not too late for banks, mobile payment providers, and other developers of mobile financial applications to embrace better appsec practices for the coming year. Proper mobile application security, including both code hardening and runtime application self-protection (RASP), can prevent reverse engineering, fraudulent app clones, sensitive data loss, IP theft, and other potential negative outcomes.

2. Major Kotlin Growth Ahead

Kotlin is the fourth fastest growing language currently, and now that Google has declared it their preferred Android programming language, we anticipate it will only continue to spike—likely overtaking JavaScript in the near future.

However, many developers using the language do not fully understand security best practices, including how to protect Kotlin code against OWASP's well-known Mobile Top 10 risks, as explained in-depth here.

In 2020, developers must take steps to educate themselves about Kotlin security and to better protect their apps written using Kotlin. As with any other Java-based language, apps written using Kotlin must be protected against both static and dynamic attacks using a combination of code hardening and RASP.

3. Crackdown on Fake Apps

Nearly 65,000 new fake apps were detected in December of last year alone—over 6 times the amount reported in June 2018. We expect fake apps to be increasingly common and problematic in 2020.

Fake mobile apps are Android or iOS applications that mimic the look and/or functionality of legitimate applications to trick unsuspecting users into installing them. Once downloaded and installed, the applications can perform a variety of malicious actions. Developers need to understand how fake apps threaten their brand reputation and consumer trust and take steps to prevent them, including:

  • Provide legitimate mobile applications.
  • Regularly check the Google Play Store and the App Store for fakes.
  • Protect Android and iOS applications.

You can learn more about this pernicious challenge here. On the positive side, we anticipate that more and more organizations will see mobile as an opportunity to manage and protect their reputation by embracing mobile app security.

4. Increased Awareness of iOS Security Shortfalls

Did you know that every iOS version has eventually been jailbroken? In fact, a recent permanent jailbreak was discovered that highlights the reality that iOS apps are not perfectly secure. Many app developers still believe iOS apps are virtually immune to reverse engineering and don’t need any protection, but this just isn’t true.

We believe that 2020 will be the year more developers open their eyes to the reality that iOS is not immune to hacking and begin to better protect their applications. To learn more about this reality, check out our blog post: 3 Misconceptions About iOS Security.

5. Widespread Regulatory Changes

Recent international mobile banking and financial services app regulations in Turkey and Singapore are paving the way for tighter app security policies. While these regulations are primarily intended to safeguard consumers and their sensitive financial data, in the process, they will protect app publishers from the unintended consequences of mobile application hacking and misuse.

Whether a business is beholden to these specific regulations or not, we expect them to spread globally over the coming year and decade. How to respond? Luckily, application shielding is a measure organizations can easily implement to remain compliant, as well as more generally keep sensitive logic and data protected from misuse. Application shielding makes an app more resistant to common intrusion techniques, including reverse-engineering and tampering.

What are your predictions for mobile apps and appsec in 2020?
