Mobile devices are indispensable in the lives of billions of people. Smartphones, tablets, and smartwatches enable us to listen to music, check our emails, or share updates with friends anywhere we want. With the use of mobile apps, we can do practically anything just by swiping our fingers. Or, as Apple put it, “There’s an app for that!” And yes, that’s correct: in 2015, Google Play and Apple’s App Store offered 3.1 million apps, accounting for no less than 150 billion downloads!
However, the constantly evolving mobile world doesn’t come without risks. Mobile apps have become more and more complex, leaving large gaps open for hackers to exploit. Not only do apps contain intellectual property and/or private information, they also generate sensitive user data. As an app developer, you should be aware that your app is vulnerable. Luckily, there are tools available to help you protect it.
It’s easier to hack an app than you think…
The two most common types of attacks that your app may be vulnerable to are static attacks and dynamic attacks. With static attacks, the hacker focuses on transforming the app’s code to a more human-readable format. An Android app is essentially nothing more than a ZIP file containing your code, strings, assets and resources, and there are many click-and-play tools that let anyone reverse engineer it. This enables hackers to gain insight into the code, so that they can find and exploit vulnerabilities. They can also extract sensitive information, like access credentials to communicate with a public API, a security-sensitive protocol, or a financial transaction engine. With dynamic attacks, the hacker tries to modify the app while it is running on the device itself. By taking over the application flow, someone gains full control over the execution environment and instructs the operating system to attack the app. Specifically on Android devices, the app has to deal with rooted devices, emulators, and debuggers.
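Because the package is an ordinary ZIP archive, a developer can check before release what a static inspection of their own build would reveal. The following pre-release audit is an added example, not code from the original article or from GuardSquare; the regex rules, function names and the in-memory sample archive are constructed assumptions.

```python
import io
import re
import zipfile

# Assumed rules for secret-looking strings; tune them to your own key formats.
SECRET_PATTERNS = {
    "api_key_assignment": re.compile(rb"(?i)api[_-]?key\W{1,4}([A-Za-z0-9_\-]{16,})"),
    "basic_auth_url": re.compile(rb"https?://[^\s/:@\"']+:[^\s/@\"']+@[^\s\"'<]+"),
    "private_key_block": re.compile(rb"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}

def printable_runs(data, min_len=6):
    """Return printable-ASCII runs, like the Unix `strings` tool."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)

def audit_apk(apk_bytes):
    """Return sorted (entry_name, rule_name) pairs for every hit in the archive."""
    findings = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if info.is_dir():
                continue
            for run in printable_runs(apk.read(info)):
                for rule, pattern in SECRET_PATTERNS.items():
                    if pattern.search(run):
                        findings.add((info.filename, rule))
    return sorted(findings)

def build_sample_apk():
    """Constructed stand-in for an APK: a ZIP with APK-like entry names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        # Not a real DEX file: a few binary bytes around one cleartext string.
        z.writestr("classes.dex",
                   b"dex\n035\x00\x01\x02" + b"API_KEY=EXAMPLEKEY0123456789abcdef\x00\x07")
        z.writestr("assets/config.json",
                   b'{"endpoint": "https://user:hunter2@api.example.invalid/v1"}')
        z.writestr("res/raw/notes.txt", b"nothing sensitive in this file")
    return buf.getvalue()

if __name__ == "__main__":
    for entry, rule in audit_apk(build_sample_apk()):
        print(f"{entry}: {rule}")
```

Compiled Android resources can store strings as UTF-16, which this ASCII-only scan does not see, so a clean result covers only what the rules and encoding can match.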
The Consequences of App Hacking
Threats to your app’s security can’t be ignored…
App hacks can have severe consequences for you. If you do not sufficiently secure your app, it risks being pirated, which means that cybercriminals remove the license-checking mechanism to gain access to paid content. They can even steal your customers’ information, or hijack financial transactions. Worst of all, code you’ve invested a lot of time in can be extracted and reused by your competitors, creating devastating revenue loss and irrevocable damage to your reputation.
Ways to Develop a Protected Mobile App
Fear not, a little bit of code hardening can protect your app from hacks!
Like a “knight in shining armor,” code protection helps you defend your app against reverse engineering. Essentially, there are many simple techniques that you can use to secure sensitive information and the execution flow of your app. For example, you can encrypt code, strings, assets and resources to make sure that they are hidden when a hacker tries to reverse engineer your app. You can also obfuscate the execution flow, which breaks app decompilers during a reverse engineering attempt.
Beef up security with Runtime Application Self-Protection (RASP)…
RASP enables your app to scan its environment at runtime in order to monitor its own integrity and the integrity of the device on which it is running. You can also use RASP to let your application react appropriately to an unsafe environment, e.g. instruct the app to stop running, or switch off its delicate features when it’s being executed on a rooted device.
Or, simply try GuardSquare’s Tools…
Applying the techniques listed above can be time-consuming. Luckily, there are tools available that can help you implement the necessary security measures to protect your app from hacks. GuardSquare offers DexGuard, state-of-the-art security software tailor-made for your Android app. It hooks into your build process through a Gradle, Ant, or Maven plugin and produces a protected and optimized app at the end. DexGuard mitigates static and dynamic mobile security threats by applying various code hardening and RASP techniques. While you focus on developing brilliant apps, DexGuard will take care of their protection.
Learn more about protecting your mobile applications at https://www.guardsquare.com/.
GuardSquare is the global reference in mobile application protection. We develop premium software for the protection of mobile applications against reverse engineering and hacking. Our products are used across the world in a broad range of industries, from financial services, e-commerce and the public sector to telecommunication, gaming and media. GuardSquare is based in Leuven (Belgium) and San Francisco (USA).
I appreciate your writing on mobile hacking. We really need to be aware to use the smartphone.