We live in a mobile-first world. Mobile apps have become a ubiquitous presence in our lives. We use them to check our investment portfolios, order meals, and even find dating partners.
But as we increasingly rely on these apps to manage our personal and professional lives, businesses struggle to prevent cyberattacks originating from within the app and from the billions of app-connected devices. This means any organization seeking to engage today’s and tomorrow’s customers needs to provide a well-protected mobile experience.
Hackers, often highly resourced cybercriminal gangs, recognize that mobile apps provide a gateway into the enterprise. As awareness grows about this risk, enterprises are increasingly seeking solutions to secure and protect their mobile apps.
“Secure and protect” means different things to different people. For example:
- For CISOs, it means that their organizations’ mobile apps don’t become an entry point for threat actors to gain access to their infrastructure.
- For the mobile developers, it means that a hacker doesn’t reverse engineer the app to steal all their hard work.
- For the compliance officer, it means that the products their company is putting on the market meet the contractual and regulatory requirements of their industry.
- For the user, it means their personal data remains private.
- For the marketing VP, it means their brand reputation won’t be destroyed by a cyberattack against the mobile app.
This is where a range of technologies exist to secure and protect mobile apps. In this post, we’ll take a look at three related cybersecurity solutions that can help app security professionals protect their organizations from cyberattacks:
These terms are often used as synonyms for each other, but there are subtle differences.
App shielding vs RASP vs in-app protection
App shielding is a process that involves injecting security measures into a mobile app to make it difficult for attackers to access and understand the app’s code. This allows the app to comply with OWASP Mobile Top 10 controls M8 (code tampering) and M9 (reverse engineering).
In other words, app shielding is the act of “hardening” the app, which is typically used to protect against static attacks, where the attacker has access to the app’s code and is attempting to reverse engineer it or exploit vulnerabilities.
App shielding doesn’t imply any particular technology. The solution could be a “wrapper”-based technology (something Verimatrix doesn’t recommend due to the single point of failure innate to such approaches) or an approach that interleaves the protection with the business logic of the app.
Common techniques employed include code encryption, control flow obfuscation, runtime environmental checks, binary integrity checks, and whitebox cryptography.
RASP is a security technology that is built into the app itself. It works by monitoring the app’s runtime environment to prevent attacks in real-time. Hence, the “runtime” portion of the name defines the aim of RASP solutions.
RASP is typically used to protect against dynamic attacks, where the attacker is attempting to exploit vulnerabilities or manipulate the app’s behavior at runtime. This means observing the app while it runs and looking for threats against its protection and the data in it.
As with app shielding, RASP doesn’t imply one particular technology, though a typical RASP solution will deploy similar runtime monitoring technology to app shielding (environmental checks and code integrity protection), but will sometimes augment it with a server-side component to provide additional oversight. This additional oversight is often referred to as device attestation.
Any protection that is implemented within the app itself is considered in-app protection. This means that to be truly considered in-app protection, the protection can’t rely on the device, operating system, or network. The protection should be maintained even when the app is isolated from the device and/or from the internet by a threat actor.
When protected apps run on unmanaged devices, as all consumer mobile apps do, in-app protection techniques are crucial as the only security control point we have available is the mobile app itself.
For example, a RASP solution with a device attestation component requires in-app protection to firmly anchor the client-side attestation components. Otherwise, it is easy for an attacker to manipulate the app to fake the attestation data.
Why app shielding and RASP are so important in the digital landscape
A common misperception that security professionals might have about security solutions like RASP is that they’re only effective against known threats and attacks. However, this is not the case.
RASP is able to prevent both known and unknown threats in real-time by monitoring the app’s runtime environment and looking for any suspicious or malicious activity. This means that even if a new type of attack is discovered, RASP can still prevent it, making it a powerful tool in the fight against cyberattacks.
Additionally, RASP is often augmented to provide valuable insights and telemetry data that can be used to improve the overall security of the app ecosystem.
But why is it so important to have these protections in place? The fastest-growing enterprise security threat today is from mobile apps and the billions of devices that connect to them.
The number of mobile devices in use as of 2023 is around 7 billion. All these devices connected to the internet have downloaded and used multiple apps. And this number is increasing all the time. This means that the risk of cyberattacks will also increase. In fact, McKinsey estimates that the damage from cyberattacks will amount to about $10.5 trillion annually by 2025. Both mobile app shielding and RASP can be essential components for providing cybersecurity for mobile apps.
Some examples of actual attacks that could have been prevented if RASP or app shielding solutions were in place include:
In 2019, a group of hackers used a malicious app disguised as a legitimate utility app, WhatsApp, to infect the phones of at least 25 million users with malware. The malware was designed to steal sensitive information from the user’s device, such as login credentials, credit card information, and more.
IBM Trusteer reported that a dangerous hacking group used a mobile emulator to spoof banking customers’ mobile devices to pilfer millions of dollars from banks in Europe and the United States. It was postulated that the attackers used mobile emulators to spoof tens of thousands of compromised devices. They siphoned away PII data to enable mobile emulators to spoof legitimate devices. The attackers then entered bank account credentials into the apps to create fake withdrawal methods.
Get Extended Threat Defense (XTD) for all-in-one app protection
There are several cybersecurity vendors in the market who provide mobile app security, such as RASP and app shielding, or who offer mobile threat defense for managed employee devices, but few vendors protect mobile apps and defend the enterprise against the myriad of unmanaged devices powered by those apps.
Examples of unmanaged connected devices include consumer smartphones, overnight delivery tablets, payment POSs, smart home appliances, keyless car technologies, and more.
RASP and app shielding offer security measures focused on preventing static and dynamic attacks at the app level, and they should be used in conjunction with other cybersecurity solutions such as mobile threat defense, which monitors threats at the unmanaged device level. Only a comprehensive security umbrella will protect against a wide range of cyber threats.
Extended Threat Defense (XTD), a new cybersecurity solution from Verimatrix, goes beyond all three solutions to provide an all-encompassing cybersecurity solution for consumer mobile apps. This includes advanced threat detection and response techniques.
Verimatrix XTD helps CISOs, SOC teams, application engineers, and mobile app developers predict, prevent, detect, and respond to cyberattacks from a new type of mobile risk: attacks from unmanaged devices that are powered by an app. Any business that has an app is at risk.