Skip to content

Mobile RASP vs Shielding vs In-App Protection

We live in a mobile first world. This means any organization seeking to engage today’s and tomorrow’s customers needs to provide a compelling mobile experience.

The reward of engaging with a loyal customer base doesn’t come without risk. Hackers, often highly resourced cybercriminal gangs, recognize that mobile apps provide a gateway into the enterprise. As awareness grows about this risk, enterprises are increasingly seeking solutions to secure and protect their mobile apps.

“Secure and protect” means different things to different people. For example:

  • For CISOs, it means that their organizations’ mobile apps don’t become an entry point for threat actors to gain access to their infrastructure.
  • For the mobile developers, it means that a hacker doesn’t reverse engineer the app to steal all their hard work.
  • For the compliance officer, it means that the products their company is putting into the market meet the contractual and regularity requirements of their industry.
  • For the user, it means their personal data remains private.
  • And for the marketing VP, it means their brand reputation won’t be destroyed by a cyberattack against the mobile app.

A range of technologies exist to secure and protect mobile apps. This blog focuses on three of them: Mobile RASP (Runtime Application Self-Protection), Shielding and In-App Protection. The terms are often used as synonyms of each other but there are subtle differences.

While there is no formal definition of the three terms, a common understanding has built up around them.

Mobile App Shielding

Shielding an app refers to the act of hardening the app to make it difficult to reverse engineer (through both static and dynamic analysis) and difficult to tamper with its behavior. This allows the app to comply with OWASP Mobile Top 10 controls M8 (code tampering) and M9 (reverse engineering).

App Shielding doesn’t imply any particular technology. The solution could be a “wrapper” based technology (something Verimatrix doesn’t recommend due to the single point of failure innate to such approaches) or an approach that interleaves the protection with the business logic of the app.

Common techniques employed include code encryption, control flow obfuscation, runtime environmental checks, binary integrity checks and whitebox cryptography.

Mobile RASP (Runtime Application Self-Protection)

The “runtime” portion of the name defines the aim of RASP solutions. They focus on protecting the app while it is executing – protecting its operation and the data with in it. This means observing the app while it runs, looking for threats against the app.

As with Shielding, RASP doesn’t imply one particular technology, though a typical RASP solution will deploy similar runtime monitoring technology to App Shielding (environmental checks and code integrity protection) but will sometimes augment it with a server-side component to provide additional oversight. This additional oversight is often referred to as device attestation.

In-App Protection

Any protection that is implemented within the app itself is considered in-app protection. This means to be truly considered in-app protection, the protection can’t rely on the device, operating system or network. The protection should be maintained even when the app is isolated from the device and/or from the internet by a threat actor.

When protected apps running on unmanaged devices – as all consumer mobile apps do – in-app protection techniques are crucial as the only security control point we have available is the mobile app itself.

For example, a RASP solution with a device attestation component requires in-app protection to firmly anchor the client-side attestation components. Otherwise, it is easy for an attacker to manipulate the app to fake the attestations data.

Going further

Verimatrix’s App Shield and Code Shield products provide features that cover a superset of all three categories. In fact, Verimatrix is a Gartner recognized vendor for Shielding and In-App Protection.

While Verimatrix XTD goes beyond all three categories to provide an all-encompassing cybersecurity solution for consumer mobile apps. This includes advanced threat detection and response techniques.

See how we can help protect your business: 

  • Mobile applications and APIs
  • Video content
  • Digital payments
Book a call
Do you have questions about applications and content security?

Book a call with one of our experts

BOOK A CALL
Want to keep up with Verimatrix news?

Sign up to the newsletter

SIGN UP

View by Category

Recent Posts

Esports Through the Lens of Team 7am

The image of the gamer secluded in the solitude of his room, in front of his computer playing 24/7, may still be the norm for some, but certainly not for professional gamers and most definitely not if they play and work within an esports squad, such as Euro-American Team 7am.

Mobile Apps Are at Risk for Static and Dynamic Attacks

Mobile apps have become an ubiquitous presence in our lives. We use them to check our investment portfolios, order meals, and even find dating partners. But as we increasingly rely on these apps to manage our personal and professional lives, businesses struggle to prevent cyber attacks originating from within the app, and from the billions of app-connected devices.

chat gpt

ChatGPT: Friend or Foe?

The reward of engaging with a loyal customer base doesn’t come without risk. Hackers, often highly resourced cybercriminal gangs, recognize that mobile apps provide a gateway into the enterprise. As awareness grows about this risk, enterprises are increasingly seeking solutions to secure and protect their mobile apps.

Esports Through the Lens of Team 7am

Esports Through the Lens of Team 7am

March 15, 2023
The image of the gamer secluded in the solitude of his room, in front of his computer playing 24/7, may still be the norm for…
Mobile Apps Are at Risk for Static and Dynamic Attacks

Mobile Apps Are at Risk for Static and Dynamic Attacks

February 9, 2023
Mobile apps have become an ubiquitous presence in our lives. We use them to check our investment portfolios, order meals, and even find dating partners.…
Rock Concerts, Blind Spots and a Widening Attack Surface

Rock Concerts, Blind Spots and a Widening Attack Surface

January 31, 2023
We are living in a mobile-first world, and the explosion of mobile applications is nothing short of remarkable. We're talking about 6-7 million apps on…
Want to take a deep dive?
VIEW EBOOKS

Connect with us

Facebook Twitter Youtube

Related Posts

Esports Through the Lens of Team 7am

Esports Through the Lens of Team 7am

March 15, 2023
Mobile Apps Are at Risk for Static and Dynamic Attacks

Mobile Apps Are at Risk for Static and Dynamic Attacks

February 9, 2023
Rock Concerts, Blind Spots and a Widening Attack Surface

Rock Concerts, Blind Spots and a Widening Attack Surface

January 31, 2023
ChatGPT: Friend or Foe?

ChatGPT: Friend or Foe?

January 23, 2023
Software Supply Chain Reaction

Software Supply Chain Reaction

January 6, 2023
Streamkeeper™ Named a Product of the Year

Streamkeeper™ Named a Product of the Year

January 17, 2023
5 Misconceptions of Root Detection

5 Misconceptions of Root Detection

January 6, 2023
Towards a Proactive Threat Defense in Mobile Apps

Towards a Proactive Threat Defense in Mobile Apps

January 6, 2023
Broadcast Trade Shows Are Back!

Broadcast Trade Shows Are Back!

January 17, 2023
The devil’s in the data

The devil’s in the data

January 17, 2023
Securing the Road Ahead: Automotive Security Done Right

Securing the Road Ahead: Automotive Security Done Right

January 13, 2023
Verimatrix Data Shows Both Russians and Ukrainians Turning to VPNs

Verimatrix Data Shows Both Russians and Ukrainians Turning to VPNs

January 6, 2023

Anti-Piracy

Streamkeeper Cloud Solutions
On Prem Solutions

Threat Defense

App & Client Protection
Endpoint Defense

Techniques

Solutions

Platform

Resources

About Us

Pricing

EN

Talk to specialist