It's great to see an ever-growing awareness of Application Protection, particularly on Mobile devices. Gartner's latest Market Guide report on Application Shielding (or RASP - Runtime Application Self Protection) is now released and Inside Secure's Code Protection technology is featured.
As is usual from Gartner, the Analyst's findings are clear and understandable. As are the reasons for actually using this type of security technology: protecting Application code is fundamental to securing the end-point - without which the whole infrastructure cannot be secured.
In Inside Secure's opinion, the end-point begins at the source code of the app…..
One of the most interesting findings in their work is the comparison table between a number of technologies. Ease of application, deployment, security effectiveness, etc. are compared clearly and simply. This should help Software Developers of Mobile Apps as well as IOT and Server or Desktop Applications choose the best solution for their applications. Inside Secure's Security Lab and Local Teams can also help clarify.
Finally, some of the most fascinating information appears when one digs down deeper into the Gartner source material; as well as talking to users and vendors, their source data comes from research by academia and security labs.
As Dong et all state, obfuscation is important "due to the easy to reverse nature of Java, code protection for Android Apps is of key importance".
I couldn't have put it better myself!
Given that Proguard is a free tool supplied with the Google Android development kit, there is simply no excuse for application developers at least not taking advantage of its basic Obfuscation. The reports' findings are both astonishing and worrying.
Of course as they go on to say, not all "obfuscation techniques are equally effective" and indeed many are ineffective given tools developed specifically to remove them.
What should worry all Android Developers is this one line; "though basic obfuscations prevalently applied to benign apps, the utilisation rate of other more advanced obfuscation techniques is much lower than that of malware".
In other words, the Malware authors understand their environment implicitly, utilising more advanced security than the authors of legitimate apps!
It should be remembered that Proguard is positioned/marketed as an "optimiser" not an "obfuscator".
They have developed these defenses in order to keep one step ahead of the traditional anti-malware techniques usually recommended by Banks and others.
Wermke et al's research threw up some worrying statistics for anyone commissioning the development of an Android Mobile Application, Of 1.7 million apps on the Google Play store, only 24.5% were protected by ANY Code Protection.
They also point out that repackaging is recognised as a major threat to the mobile eco system and that in other research 86% of Malware is delivered through re-packaged legitimate apps.
A small comfort is that the 24.5% Obfuscated figure rises to 50% in the most popular apps (those with over 1 million downloads)…. But that still leaves half of the most popular apps with Zero protection whatsoever!
Another comfort is that App Developers are aware of the theoretical benefits of obfuscation BUT they perceive a "negligible" threat to them or their work from the lack of obfuscation…
In terms of the use of the simplest form of Obfuscation, Proguard, 35% of participants in a test conducted by the researchers found difficulty in using the tool. While 61% of those questioned claimed to already obfuscate their apps. Of course that leaves 39% of aware developers not actually using any form of Obfuscation.
The researched then set a task to their volunteers, most were able to obfuscate a simple project, however 78% failed to protect a more complex app. Worse still, of that group, 35% thought they had succeeded!
These numbers are both worrying and are further evidence of what we found in our Mobile Banking Wild West research, where 95% of mobile banking apps were insecure. In our research some had been partially obfuscated but most were completely open. Many of these features network-style techniques entirely unsuited to the hostile environment of mobile devices.
As I often say, don't trust the platform, trust what you build. You may now need to add - make sure your App Developers are aware of the realities shown in these reports.
Among the sources are two which jumped out immediately to me, these were not looking at the security of mobile apps per se, but were researching the use of the most basic Proguard Obfuscation within Android applications overall.
"Understanding Android Obfuscation Techniques: A Large-Scale Investigation in the Wild" by Dong et al and "A Large Scale Investigation of Obfuscation Use in Google Play" by Warnke et al both looked at the prevalence of obfuscation in Mobile Apps.