RSA 2013 Wrap-Up – InfoSec Products Guide Winner & Podcast


We are proud to announce that our Mobile Application Protection: App Integrity for Android solution was named Gold winner of the 2013 Global Excellence Awards in the “Best Security Software (New or Updated Version)” category at the 9th Annual 2013 Info Security’s Global Excellence Awards dinner, held in conjunction with the RSA Conference 2013.

Also, check out our latest podcast from the RSA show: Layered Security for Mobile Apps

The new generation of mobile applications requires layers of security to protect integrity, says Vince Arneja of Arxan Technologies.

For example, the security controls of the latest apps are potential targets for hackers, so they need to be adequately protected. Fraudsters are interested in manipulating mobile apps designed for use by corporations as well as consumer apps, he notes.

In an interview, Arneja describes:

  • Why applications are “the new perimeter”;
  • How the mobile threat landscape is evolving;
  • How application integrity protection works.

LISTEN TO THE PODCAST HERE: Layered Security for Mobile Apps

Kids Use Coding Skills to Hack Online Games

“Kids as young as 11 are using coding skills to hack accounts on social media and gaming sites…” (1)

Time will only tell the types of hacks, capabilities, and even requisite skill level needed to attack software. The exponential growth of young coders exposes the App Economy to compromise of application integrity.

(1) http://mashable.com/2013/02/09/kids-coding/

Piracy Will Continue to Increase in 2013…

Consistent with much current industry research, we feel piracy will only increase in 2013 for a few reasons.

The number of mobile OSs is growing. In addition to the popular iOS and Android, as well as ‘backseat’ platforms such as Blackberry and Windows, Tizen and Ubuntu are entering the scene (stage left!). More specifically, Android, the fastest growing OS due to compelling price points*, lacks a robust and standardized security process. For iOS, although Hackulous has shut down, we believe other websites, especially those hosted in minimally regulated or unregulated territories such as China, will continue to be plentiful and widespread as alternative sources for jailbroken apps. Additionally, many global developers may continue to insist on the importance of a ‘free’ development environment, as they view jailbreaking as being about innovation (even though piracy is a consequence) and about having the ability to create outside of the iOS sandbox.

Although the lack of an iOS 6 jailbreak has been suggested as contributing to the Hackulous shutdown, it is always an arms race for the hacking community. In fact, today, hackers are touting a significant milestone: an iPhone 5 running 6.0.2 has finally been jailbroken (iPhone Dev Team member planetbeing has revealed his jailbroken iPhone 5). The purported logic from the hacker for not yet releasing the exploit that enables the jailbreak is that withholding it allows hackers to maintain a “window” into new firmware for future jailbreaks. Hence, software publishers can’t expect piracy levels to decrease. In fact, our continued growth in providing more and more customers (we’re deployed on over 200 million devices) with app integrity via our app hardening and tamper-proofing products underlines widespread concern about the prevalence of piracy attacks.

Furthermore, as mobile computing continues to establish itself as today’s mainstream platform, the underlying app economy multiplies to address multi-platform software requirements across diverse industries, such as mobile banking/payment, digital media, gaming, etc. Hence, the software piracy and app integrity challenge will undoubtedly grow at least linearly with it.

*- “The tablet market has seen greater price competition from Android devices as well as smaller, low-priced devices in emerging markets,” Gartner said. “It is ultimately this shift toward relatively lower-priced tablets that lowers our average selling prices forecast for 2012 through 2016, which in turn is responsible for slowing device spending growth in general, and PC and tablet spending growth in particular.”

Webcast: Mobile Application Security Strategies for Financial Services

This panel will tackle the unique challenges faced by businesses in Financial Services as they try to enter the growing mobile app market. We will bring together perspectives from vendors and researchers focusing on the topic and end users implementing the solutions and dealing with the day-to-day challenges.

Join our Webcast:
https://www.brighttalk.com/community/it-security/webcast/288/59045

Webcast: Mobile Application Integrity Risks & Mitigations

Mobile application security extends beyond the identification and elimination of code vulnerabilities. As enterprises (of all types, including financials) extend their computing out to the mobile device world, analysis and modification attacks directly on the distributed application binary code become a major security threat. This webinar will focus on the range of techniques (with specific tools identified and examples presented) available to reverse engineer and/or tamper with mobile applications. Specific reversing/tampering use cases focused on the financial vertical will be presented to demonstrate the critical nature of these attack types.

Join our webcast: http://www.brighttalk.com/webcast/288/58489

Self-Protection: The Last Line of Defense for the iOS Kernel

By Hoi Chang, VP of Technology, Arxan Technologies, Inc.

Since its start in 2007, Apple’s iOS operating system has come a long way with enhancing its security, from an initial, unsafe state where all apps were run with root privileges, to the current stronger state. Its current security measures include those that validate the integrity of system and application code, such as secure boot chain and code signing, as well as runtime process security restrictions such as sandboxing, data-execution prevention, and address space layout randomization.

Unfortunately, although Apple has progressively improved its security for iOS, creative and highly skilled hackers have still managed to stay ahead by successfully jailbreaking and punching holes in every new version of the OS as soon as it’s released. Through exploitation of code vulnerabilities, hackers break into the OS kernel, disable security restrictions such as code signing and sandboxing, and unleash other targeted changes/modifications.

Specifically, hackers have reverse-engineered many parts of the kernel and identified where security mechanisms have been implemented. Hackers have produced and released versions of the kernel with those security mechanisms patched out or disabled. They have even released tools that automate the generation of jailbroken kernels.

To thwart kernel patching, which is a key step toward jailbreaking, it’s necessary to add to the defense arsenal an important last line of self-protection, one that provides tamper-resistance from targeted attacks.

By self-protection, I mean equipping the kernel with self-awareness, self-repair, and tamper-response capabilities, so that it is fully capable of detecting whether its own state has been modified, erasing the changes if possible, and taking remedial or punitive actions against the intrusion (e.g., rebooting or stopping the kernel from running).

The protection mechanism should itself be resilient against attacks. It should be in a dispersed, obfuscated form, with no single points of attack. Its implementation should also vary across different instances of the kernel so there is no “wholesale” class attack against the protection scheme.

Self-protection is a proven technique, and has been widely deployed in the apps that you and I run. Why make an exception for the kernel, the most critical component to the foundation of the system?

Share your thoughts using hashtag #protectyourapps

“State of Security in the App Economy” research

By Jukka Alanen, Vice President, Arxan Technologies, Inc.

Mobile apps under attack
On Monday August 20th 2012, we announced an “industry-first” security study that examined the widespread nature of attacks and risks that application owners face when they release mobile apps. There are several prior studies looking at the prevalence of malware in end-user mobile devices and apps. However, there are no studies that look at the prevalence of app hacking from an application owner’s perspective, i.e., how common is it that mobile apps get hacked/cracked after their release. We sought to provide a new, fact-based perspective on the hacking threats that app owners/providers face after releasing their app. This State of Security in the App Economy: “Mobile Apps under Attack” research revealed that over 90% of top mobile apps have been hacked, cracked, and breached, and are available as illegitimate versions on third-party sites.

Our research highlights six types of hacking attacks:
- Disabled or circumvented security (e.g., cracked iOS encryption, license management, etc.)
- Unlocked or modified features (e.g., allow user to access restricted functionality)
- Free pirated copies (piracy)
- Ad-removed versions
- Source code/IP theft (via reverse-engineering and disassembly/decompilation to expose IP/source code)
- Illegal malware-infested versions (hacker cracks the app, injects malware, repackages the app and distributes it, often while making the app free to entice users).

These hacking attacks on mobile apps can cause significant damage to the application vendor / owner:
- Brand and reputation compromise (from publicly known hacked versions, tampering attacks, and repackaged copies with malware exploits).
- Revenue losses (from piracy, lost paid apps, in-app purchases or ad revenues, lost users, or lost intellectual property).
- User experience compromise (from hacked versions with problems or affected experience in multi-user applications such as games).
- Exposure to liabilities (from tampering, fraud, theft, or exposure of sensitive information, purchases, transactions, etc.)

The research presents a grave security situation for mobile app owners:
- No application is safe: we found hacked versions across all industries/categories (e.g., games, business, productivity, financial services, social networking, entertainment, communication, and health). In addition, we found that free apps are not immune to hacking: 40% of the popular free Apple iOS apps we studied were hacked, and 80% of the same Android apps.
- The hacking attacks are based on reverse-engineering/tampering techniques (what we call “Anatomy of an App Hack”) that traditional application security methods such as SDLC/secure software development practices and application vulnerability analyses do not address. Moreover, the hacking process with tampering/reverse-engineering is made easy with widely available free or low-cost automated hacking tools.

What do the findings mean…?

…for preventing mobile malware?
For instance, 86% of Android malware are repackaged versions of legitimate applications (source: NC State University study, published in IEEE Security & Privacy 2012). Before releasing their app, application owners need to protect the integrity of their app code against malware insertion by making the code tamper-proof and self-defending. If app owners follow this approach, a lot of the mobile malware can be prevented in the first place, reducing the amount of mobile malware in the world and protecting both the reputation of the app owner as well as the safety of their users.

…for application developers?

As an estimate, less than 5% of major app developers have deployed adequate professional-grade measures inside their apps to protect the integrity of the app code against hacking attacks. App developers need to build protections directly into the app using steps that counter how hackers attack an app: 1. Assess risks and attack targets in the app, 2. Harden the code against reverse-engineering, and 3. Make the app tamper-proof and self-defending. By doing so, app developers can leverage mobile app protection as an enabler to allow full freedom and confidence to innovate and distribute high-value and sensitive mobile apps. For instance, app developers can then put sensitive/high-value code on mobile devices without needing to make architectural trade-offs that hinder user experience.

…for CISOs and enterprise IT security departments?

Security departments need to make mobile app protection a strategic priority, reflecting its new criticality to address hacking attacks and the growing value at stake. They should set security policies to govern mobile app protection (e.g., which apps need to be protected and how) – this is important to consider across external B2C/B2B apps as well as internal B2E apps. We recommend being especially diligent about protecting mobile apps that deal with transactions, payments, sensitive data, or that have high-value IP (e.g., financial services, commerce, digital media, gaming, healthcare, government, corporate apps). Importantly, CISOs and their teams cannot assume that web app security strategies address the new requirements for mobile app protection due to very different threats. They should focus new app security initiatives on protecting the integrity of mobile apps against tampering/reverse-engineering attacks, in addition to traditional approaches to avoiding vulnerabilities.

…for mobile end-users?

Overall, our research focuses on what application owners/providers need to do to keep their applications secure from hackers and other attackers, rather than what individual end-users should do. However, the origin of many end-user risks, such as malware hidden in an application, is that a legitimate application was compromised (and, e.g., repackaged with malware). Therefore, end-users should push application developers to protect their applications against these attacks, i.e., to prevent the insertion of malware or application tampering in the first place. But given that many application developers are failing to protect their applications, end-users obviously need to take appropriate security measures on their own, such as exercising due care when downloading/installing apps, avoiding suspicious sites, using strong passwords, etc.

…for you?

Contact us at info@arxan.com to discuss your unique situation with us. We can help you assess the risks/threats that your mobile apps face and help you protect your apps from hacking attacks.

Multi-Layered Mobile App Security

By Hoi Chang, Vice President, Arxan Technologies, Inc.

According to a recent report by Lookout, 9 million people lost their smartphones in 2011; on average, that’s one lost phone in every 3.5 seconds! From the perspective of mobile security, that is rather scary.

If you are in charge of the security of mobile applications deployed across an enterprise, you’re likely faced with risks due to lost devices, since every lost app could potentially end up in the wrong hands. Although in reality not every lost app may end up harmful, it only takes one determined, malicious hacker to pick apart and compromise one important app, and subject your organization to business risk.

To counter such mobile threats (and more), a number of vendors offer security features such as “secure containers” and “secure wrappers” as part of their mobile device or mobile application management (MDM or MAM) solutions. Typically, these security features wrap unprotected mobile apps with per-app security policies, such as password protection, data encryption, and remote wiping of app data, that protect the apps against illegal access and misuse in insecure environments.

While security policies implemented by MDM and MAM solutions form a very important first line of defense, it is easy to mistake them for all you need to secure the apps. An essential but often missing security component is app protection.

Policy code is a security layer protecting against app-level threats such as app misuse and data breach. Without reinforcement by code protection, it can be an easy target of attack – policy code itself provides no defense against internal, code-level reverse engineering and tampering. A malicious cracker can step through an app’s instructions, locate the code that enforces security policies, and subsequently disable or bypass the code. Besides security policies, any sensitive business logic performed in the app is also wide open to attacks. It’s sometimes just a matter of hours to understand and compromise an app’s logic.

To ensure that your apps and policy code will do what they’re supposed to do, you will also need to “tamper-proof” them with application protection. Complementary to policy code, code protection refers to a set of special code transformations that substantially raises the bar that the attacker must overcome for success. They make code that is normally easy to understand much harder to reverse engineer. They also ensure the integrity of code by detecting and taking actions against illegitimate code changes. App protection can be applied to different areas of an app (e.g., sensitive program logic or other trade secrets) in a highly targeted manner, and in a self-defensive layered manner.
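The integrity-checking half of app protection described here, and the self-protection properties called for in the iOS kernel article above (self-awareness, self-repair, tamper response, dispersed guards with no single point of attack, per-instance variation), can be sketched in a few dozen lines of C. The following is an added example written for this page; it is not Arxan code and not the EnsureIT product. The protected “code” is a constructed byte buffer standing in for a text segment, and the overlapping guard layout, the seeded FNV-1a checksum, the backup-based repair and the verdict values are all choices made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define REGION_LEN 64u
#define NGUARDS 3

/* Verdict of one verification pass (values chosen for this example). */
typedef enum { INTACT = 0, REPAIRED = 1, HALTED = 2 } verdict_t;

typedef struct {
    size_t   start;     /* first byte of the window this guard covers */
    size_t   len;       /* window length; wraps around the region end */
    uint32_t expected;  /* checksum recorded when the instance was built */
} guard_t;

typedef struct {
    uint8_t  code[REGION_LEN];    /* stands in for the protected text segment */
    uint8_t  backup[REGION_LEN];  /* pristine copy used for self-repair */
    guard_t  guards[NGUARDS];
    uint32_t seed;                /* per-instance diversification key */
    int      tamper_events;       /* how many verification passes fired */
} protected_region_t;

/* Seeded FNV-1a over a wrapping window. Each step is a bijection on h, so
   two instances built with different seeds always record different
   checksums for identical bytes: no "wholesale" expected value to learn. */
static uint32_t window_checksum(const uint8_t *buf, size_t start, size_t len,
                                uint32_t seed) {
    uint32_t h = 2166136261u ^ seed;
    for (size_t i = 0; i < len; i++) {
        h ^= buf[(start + i) % REGION_LEN];
        h *= 16777619u;
    }
    return h;
}

/* "Build time": fill the region with constructed stand-in bytes, lay out
   overlapping guard windows (every byte is covered by at least two guards,
   so disabling one guard leaves the byte still watched) and record the
   expected checksums for this instance's seed. */
void region_init(protected_region_t *r, uint32_t seed) {
    memset(r, 0, sizeof *r);
    r->seed = seed;
    for (size_t i = 0; i < REGION_LEN; i++)
        r->code[i] = (uint8_t)(0x90 + i * 7);   /* constructed, not real code */
    memcpy(r->backup, r->code, REGION_LEN);
    for (int g = 0; g < NGUARDS; g++) {
        r->guards[g].start = (size_t)g * 22;       /* windows at 0, 22, 44 */
        r->guards[g].len = 44;                     /* 44 of 64 bytes each */
        r->guards[g].expected =
            window_checksum(r->code, r->guards[g].start, r->guards[g].len, seed);
    }
}

static int guard_ok(const protected_region_t *r, const uint8_t *buf, int g) {
    const guard_t *gd = &r->guards[g];
    return window_checksum(buf, gd->start, gd->len, r->seed) == gd->expected;
}

/* Runtime: self-awareness (detect a change), self-repair (restore from a
   backup that itself passes every guard) and tamper response (HALTED when
   repair cannot be trusted). Guard order is derived from the seed so the
   check sequence differs between instances. */
verdict_t region_verify(protected_region_t *r) {
    int tampered = 0;
    for (int k = 0; k < NGUARDS; k++) {
        int g = (int)((r->seed + (uint32_t)k) % NGUARDS);
        if (!guard_ok(r, r->code, g)) tampered = 1;
    }
    if (!tampered) return INTACT;
    r->tamper_events++;

    /* Never repair from a backup that has been modified too. */
    for (int g = 0; g < NGUARDS; g++)
        if (!guard_ok(r, r->backup, g)) return HALTED;
    memcpy(r->code, r->backup, REGION_LEN);

    /* Re-verify after repair; a persistent mismatch means halt. */
    for (int g = 0; g < NGUARDS; g++)
        if (!guard_ok(r, r->code, g)) return HALTED;
    return REPAIRED;
}

int main(void) {
    protected_region_t r;
    region_init(&r, 0xA5A5A5A5u);
    printf("fresh instance: %d\n", region_verify(&r));   /* 0 = INTACT */
    r.code[30] ^= 0xFF;                                   /* simulated patch */
    printf("after patch:    %d\n", region_verify(&r));   /* 1 = REPAIRED */
    r.code[5] = 0x00; r.backup[5] = 0x01;                 /* backup hit as well */
    printf("backup hit:     %d\n", region_verify(&r));   /* 2 = HALTED */
    return 0;
}
```

In a real deployment the guards hash the live text segment rather than a copy, and `region_verify` is invoked from many scattered call sites, not one. The simulation also shows the limit the kernel article is pointing at: a single guard layer only detects changes to bytes it covers, and an attacker who patches code and backup consistently, or patches the guard code itself, defeats it. That is why the protection code must itself be dispersed and obfuscated, vary per instance, and sit alongside policy controls and key protection rather than replace them.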

If your mobile apps perform cryptographic operations (such as RSA and AES), it’s necessary for you to further protect their cryptographic keys. If left unprotected, the keys can be extracted, allowing attackers to reveal hidden, confidential data. One effective way to protect cryptographic keys and their operations is through the use of white-box cryptography, which “dissolves” the keys into their operating code, making them infeasible to extract.

Together, security policies, app protection, and white-box cryptography form a very powerful, multi-layered defense against both policy and code-level threats with mobile apps. Given that these code and key protection technologies have already proven their value in the traditional desktop application space, it’s important to know about and leverage these protections against rising mobile threats in a growing app economy.

The Soul of Compiler – Part II

By Joe Abbey, Arxan Technologies, Inc.

The Challenges of GCC adoption
Picking up from last week’s entry on the genesis of GCC, we now reach the heart of our story. GCC is suffering technically and legally. On the technical side, GCC is now a vast sprawl of code developed and enhanced repeatedly over the last 30 years. While principles and practices in compiler theory have remained largely the same, software design principles have advanced.

In particular, the modularity of GCC is very limited, which reduces its usefulness in the current world, where component elements of an overall compiler environment are needed for experimental and production software programs. Additionally, GCC is primarily written in C, which limits the software engineering potential of the compiler. The tenets of modern object-oriented software design, such as abstraction, encapsulation, and polymorphism, cannot be easily applied to the GCC codebase, and so the sprawl continues.

On the legal side, GCC had “advanced” to a new version of the GNU Public License, specifically version 3. Version 3 of the GPL contains legal elements that raise substantial concerns about the independence of software (and devices running the software) that is compiled with the compiler. While it is not our intention to debate the specifics of GPLv3 and the substance of those concerns, the simple fact is that those concerns are a tremendous driver towards more “business friendly” alternatives.

In the early 2000s, a new compiler technology was started by Chris Lattner at the University of Illinois at Urbana-Champaign, called LLVM, for “low level virtual machine”. This new technology has been developed into a very robust, highly modular and modern suite of compiler components focused on the middle and back-end elements of the compilation process (such as code generation, register allocation, and optimization, as opposed to the front-end high-level language parsing component). Well-defined intermediate representations of object code (“bit code”), along with standardized APIs into the LLVM components for manipulating bit code, enable a wide variety of language-related tools to be built from or integrated into this technology.

Also, on the legal side, LLVM is licensed with a “BSD” style license. This license, in contrast to the GPLv3, is extremely business friendly, generally allowing anyone to take a copy and privatize it if they wish, or alternatively to develop and contribute source code back into the LLVM community and body of code. Use of derived versions of LLVM is burdened with no legal restrictions.

The front-ends of compilers built with LLVM have historically been based on GCC code, but that is now evolving rapidly. A prime industrial supporter of the LLVM technology has been and continues to be Apple, and they have developed an open source (also BSD licensed) front-end called “clang” (for “C language”). Where LLVM provides the highly modular back-end platform, clang provides a platform for building front-end tools with better diagnostics, IDE integration potential, and a focus on the primary languages of software engineering (C/C++/ObjC/ObjC++).

Apple is so committed to these technologies that Xcode, the Apple toolset for building Mac and iOS apps, uses the clang compiler as the default compiler and is showing no signs of looking back. With the release of LLVM 3.0, support and maintenance for the LLVM-GCC front-end has ceased. The clang front-end is rapidly maturing and evolving to cover broad areas of modern language support, such as being the first to support a majority of the C++11 specification.

For reasons of modularity, license flexibility and “business friendliness”, and ease of customization, LLVM technology has been utilized here at Arxan Technologies for development of our mobile application protection technology solution called EnsureIT. Our early versions utilized GCC-based front-end compilers using LLVM, and now we are moving to Clang-LLVM based compilers. We see the overall value of the combination of Clang and LLVM as a new and extremely powerful technology force in computing systems in general. In adopting our advanced software protection solution, our customers are adopting the new compiler paradigm.

While GCC is highly venerable and worthy of great praise, in our opinion, GCC has had its day, and the march of technology in compilers has moved on. Clang-LLVM is now leading the way into the future of commercial computing systems of all types.

Forward, LLVM and Clang!

The Soul of A New Compiler – Part I

By Joe Abbey, Arxan Technologies, Inc.

The Beginning – How GCC became today’s standard native compiler
For about 30 years the compiler (many compilers, in fact) under the label “GCC” has served the world in wonderful and amazing ways. However, all things change. GCC is from many perspectives approaching end of life as the most mainstream, dynamic force in compiler technology. Its replacement? Broadly speaking, the toolkit is known as LLVM, and in immediate form, the compiler front-end known as Clang.

First some background. GCC was initially a critical bootstrapping element in Richard Stallman’s vision of a world of “free software”. The G in “GCC” is the first letter of “GNU”, and “GNU” is a recursive acronym (very computer science punny) for “GNU’s not Unix”. This was important at the time because the Unix operating system was, like all operating systems of the day, proprietary and available (legally!) only under commercial license terms. Using GCC as a foundation, Stallman built up a core body of (alternative) Unix utilities licensed with the GNU Public License, or GPL.

Eventually, the final cornerstone of the open source operating system movement was created in the form of Linux, an alternative implementation of the Unix kernel services and interfaces, also licensed under GPL. The complete collection of Linux kernel and GNU utilities (all compiled and made available with GCC) has since been popularly referred to as “GNU/Linux”, and makes up the core elements of the many “Linux distributions” on the market for the last twenty or so years.

Along the way, the GCC compiler grew tremendously in popularity among both independent and commercial developers. One of the first successful open source focused companies, Cygnus, was founded by Michael Tiemann in 1989 to provide commercial level technology investment in the compiler. This company was purchased in the late 1990’s by Red Hat. Embedded systems, where a broad array of microprocessor types and vendors are utilized, was a key area of usage of GCC, as it brought a known stable compiler solution to an area rife with proprietary compilers of highly variable quality.

Overall, the GNU/Linux phenomenon of the 1990’s brought GCC to the absolute forefront, as GCC was and to this day still is the standard native compiler for this environment. Although widely adopted, today, GCC is suffering technically and legally. On the technical side, GCC is now a vast sprawl of code developed and enhanced repeatedly over the last 30 years. While principles and practices in compiler theory have remained largely the same, software design principles have advanced.

Stay tuned for next week’s blog post on how these challenges are being addressed and GCC’s future adoption.

-Featured guest blogger Joe Abbey, Arxan Technologies