We live in a mobile first world. This means any organization seeking to engage today’s and tomorrow’s customers needs to provide a compelling mobile experience.
The reward of engaging with a loyal customer base doesn’t come without risk. Hackers, often highly resourced cybercriminal gangs, recognize that mobile apps provide a gateway into the enterprise. As awareness grows about this risk, enterprises are increasingly seeking solutions to secure and protect their mobile apps.
“Secure and protect” means different things to different people. For example:
- For CISOs, it means that their organizations’ mobile apps don’t become an entry point for threat actors to gain access to their infrastructure.
- For the mobile developers, it means that a hacker doesn’t reverse engineer the app to steal all their hard work.
- For the compliance officer, it means that the products their company is putting into the market meet the contractual and regularity requirements of their industry.
- For the user, it means their personal data remains private.
- And for the marketing VP, it means their brand reputation won’t be destroyed by a cyberattack against the mobile app.
A range of technologies exist to secure and protect mobile apps. This blog focuses on three of them: Mobile RASP (Runtime Application Self-Protection), Shielding and In-App Protection. The terms are often used as synonyms of each other but there are subtle differences.
While there is no formal definition of the three terms, a common understanding has built up around them.
Mobile App Shielding
Shielding an app refers to the act of hardening the app to make it difficult to reverse engineer (through both static and dynamic analysis) and difficult to tamper with its behavior. This allows the app to comply with OWASP Mobile Top 10 controls M8 (code tampering) and M9 (reverse engineering).
App Shielding doesn’t imply any particular technology. The solution could be a “wrapper” based technology (something Verimatrix doesn’t recommend due to the single point of failure innate to such approaches) or an approach that interleaves the protection with the business logic of the app.
Common techniques employed include code encryption, control flow obfuscation, runtime environmental checks, binary integrity checks and whitebox cryptography.
Mobile RASP (Runtime Application Self-Protection)
The “runtime” portion of the name defines the aim of RASP solutions. They focus on protecting the app while it is executing – protecting its operation and the data with in it. This means observing the app while it runs, looking for threats against the app.
As with Shielding, RASP doesn’t imply one particular technology, though a typical RASP solution will deploy similar runtime monitoring technology to App Shielding (environmental checks and code integrity protection) but will sometimes augment it with a server-side component to provide additional oversight. This additional oversight is often referred to as device attestation.
Any protection that is implemented within the app itself is considered in-app protection. This means to be truly considered in-app protection, the protection can’t rely on the device, operating system or network. The protection should be maintained even when the app is isolated from the device and/or from the internet by a threat actor.
When protected apps running on unmanaged devices – as all consumer mobile apps do – in-app protection techniques are crucial as the only security control point we have available is the mobile app itself.
For example, a RASP solution with a device attestation component requires in-app protection to firmly anchor the client-side attestation components. Otherwise, it is easy for an attacker to manipulate the app to fake the attestations data.
Verimatrix’s App Shield and Code Shield products provide features that cover a superset of all three categories. In fact, Verimatrix is a Gartner recognized vendor for Shielding and In-App Protection.
While Verimatrix XTD goes beyond all three categories to provide an all-encompassing cybersecurity solution for consumer mobile apps. This includes advanced threat detection and response techniques.
See how we can help protect your business:
- Mobile applications and APIs
- Video content
- Digital payments