Application Hardening

What is application hardening?

Application hardening is a concept and technique in cybersecurity that uses code obfuscation, white-box cryptography, and other techniques to protect applications from mobile fraud techniques, such as reverse engineering and tampering. It includes measures to increase the level of effort required for a malicious actor to attack an app. Application hardening should be a best practice for companies to protect their apps, reduce security risks, and prevent abuse, cheating, and repackaging.

In-app protection, application hardening, and application shielding

Application hardening and application shielding are subsets of in-app protection. In-app protection is designed to defend applications from the inside and is well-suited for a zero-trust approach to app protection. In-app protection is best used for high-value applications running on unattended devices or untrusted environments.  

Application hardening includes prevention capabilities that increase the difficulty for an attacker to execute an attack. Application shielding involves anti-tampering measures designed to disrupt an attacker and detection capabilities that determine whether the app environment can be trusted.

In-app protection also encompasses capabilities such as anti-bot technologies, clickjacking protection, runtime application self-protection, and multifactor authentication.

Mobile security assumptions that leave applications vulnerable

Mobile app developers are not able to control all the environments in which their apps will be used. For example, users can jailbreak or root their device, which disables the operating system's safeguards. Therefore, application hardening is an important part of mobile application security, because it builds protections into the app itself regardless of the security status of the device or operating system.

Two common misconceptions increase the risks of a mobile app compromise.

First, people assume that the official apps stores – Apple App Store and Google Play – only offer legitimate, secure apps for download. The official apps stores scan apps that developers submit for malware and check that the apps’ access to user data is mediated.  

But the reality is that the app store are unable to catch every malicious app, because there are just too many apps to root out all of the bad ones and act as a reliable security control.

Second, many assume that iOS and Android operating systems provide adequate security for mobile apps downloaded onto their devices. The reality is that patches for a vulnerabilities in Android or iOS are not always immediately available, and users might not always practice cyber hygiene by updating their devices regularly. In addition, in some cases developers do not correctly implement encryption capabilities provided by the operating systems.

 

Reasons to harden your applications

There are three primary reasons for app hardening: secure intellectual property, protect app integrity, and safeguard sensitive data on the app.

Within an application, there is intellectual property (IP), such as concepts, innovations, and inventions that give the company a competitive advantage. Possession of working source code provides access to any IP that is encoded within the app. By analyzing the app's source code, a hacker could steal IP. Application hardening can keep IP secure.

App integrity is also a concern of app developers. Malicious actors may inspect and, if possible, modify an app to clone it, steal data, or scrape data via APIs. An app that is not hardened using obfuscation and whitebox cryptography is like an open book. Attackers can perform a static analysis of the app’s code in plain view and find areas to attack and exploit. As part of a layered defense strategy, companies should also have mechanisms that add anti-debug and anti-tamper functionality into an application to protect, detect, and respond to attacks on its integrity.

A popular attack technique is exploiting app security flaws to steal sensitive private data. Since data in use during runtime can be exposed in ways data at rest or in transit may not be and attackers may be able to learn how to exploit this by using debuggers, emulators, and other tools, the next best strategy is to restrict unauthorized use of debuggers, emulators, and other tools that hackers employ to access and modify data in apps. In addition, if the encryption keys are not properly protected,  an attacker could steal those keys and use them to access data in transit. Application hardening and other in-app protection techniques secure apps and the data that flows through them by disabling the attack vectors that hackers use.

Application hardening techniques

Application hardening encompasses several techniques to protect apps from attackers. These include:

Code Obfuscation:  

Code obfuscation scrambles the app's code to make it more difficult to reverse engineer apps. Therefore, it is more difficult to target an app by making it harder to read, which also makes it tougher to steal its IP or repackage it. Code obfuscation uses several techniques to protect apps. Software components and identifiers can be renamed. Dummy code that is never used can be added, and strings can be encrypted. Code can be recompiled and run in an interpreter or virtual machine. Other code obfuscation techniques include reflection and packing.

White boxing or white-box cryptography:  

This approach provides an alternative to utilizing modern platforms' native tools, such as Apple iOS's Keychain or Android Keystore. If a company needs to allow its apps to run on jailbroken devices, this can be a useful cryptographic technique. Also, white boxing can be used if the intruder sees the default location, such as Keychain/Secure Enclave for iOS or KeyStore for Android, for credentials on a device to target an attack.  

Other Techniques:

• Certificate pinning, which allows parties involved in a mutual authentication process to pin down particular certificates, can be used to counter man-in-the-middle attacks.
• Resource encryption involves encrypting app components, such as classes and strings.
• Auto-expiry sets a deadline after which a user is logged out after a period of inactivity.
• Stand-alone keyboards can be employed to stop keylogging attempts, and rogue keyboard detection can be used to detect unauthorized keyboards.
• Polymorphism is a method where the code can be altered to make reverse engineering more difficult.

Application hardening use cases

Mobile banking apps are one use case for application hardening. More mobile users are relying on their devices for banking. Fraudsters are looking to capitalize on any lapse in security they can find. Application hardening helps prevent fraudsters from developing malicious exploitations of the mobile banking app , making it more difficult for an attacker to succeed.   

Mobile healthcare apps handle protected health information (PHI) regulated by the Health Insurance Portability and Accountability Act (HIPAA). Healthcare providers and others can face stiff penalties if their telehealth apps disclose patient data. Application hardening can ensure that patient confidentiality is maintained and HIPAA fines are avoided by ensuring that cyberattackers cannot access PHI.

Mobile retail apps are another excellent use case for application hardening. They handle card-card data regulated by the Payment Card Industry Data Security Standard (PCI DSS). Online merchants who fail to comply with PCI DSS could face fines from credit card companies, the loss of customer trust, and even Federal Trade Commission audits.   

Public services personnel, such as first responders, law enforcement, and government agencies, access, transmit, and store sensitive information on their mobile apps. This data could be governed by HIPAA, agency policies, or privacy rules, so it needs to be protected by robust security measures such as application hardening.  

Consumer-facing mobile apps are a bridge between the outside world and sensitive internal customer databases, making them a target for attackers. Application hardening is capable of blocking or otherwise prevent attackers from exploiting the numerous vulnerabilities in mobile apps that can result in data theft.   

With the number of connected devices and apps increasing exponentially, the attack surface for hackers to infiltrate networks at home, in the workplace, and in the factory is expanding at a similar pace. Apps that control connected devices are vulnerable to attacks. Application hardening can secure those apps to protect embedded systems in ways that antivirus solutions and other conventional security tools cannot.

 

Help protect against these attack strategies with application hardening

Application hardening can help defend apps against several attack scenarios, including reverse engineering, repackaging, and rogue keyboards.  

Reverse engineering is the practice of analyzing an app to extract design and implementation information. The technique can be used for legitimate purposes, but an attacker can also use it to analyze code and develop malware that exploits apps for nefarious purposes.  

In a repackaging attack, a hacker reverse engineers a legitimate app, adds malicious code to it, and uploads it to an app store. This is a favorite technique of attackers targeting mobile banking apps.

Alternative keyboard apps, which are used by people to customize their keyboards, can also hide malicious code that steals data or performs other malicious actions.

The bottom line is that application hardening protects apps against malicious activity and safeguards sensitive information from cybercriminals throughout their lifecycle. Application hardening is part of layered app security approach that includes runtime protection, strong authentication, and other techniques. Layered security can help accelerate digital transformation initiatives, reduce operational costs, and open new growth opportunities.