Page 30 - Cyber Warnings
5. Avoid unauthorized access or deliberate modification of application generated and/or
managed data by a malicious device owner.
Manufacturers have a series of options at their disposal to achieve the required level of
cybersecurity. The use of these tools is highly recommended when particularly sensitive and
critical customer-facing apps must be hardened.
Access control, user authentication, the encryption of data in transit and at rest, and a secure
software update and maintenance process can be achieved by using secure implementations of
standard cryptographic algorithms and secure systems best practices.
However, protecting apps and other software running in open operating systems while they are
running poses new problems: attackers have developed reverse engineering techniques based
on debugging and other technologies that allow them to extract secrets while the app is
running.
To protect systems against these attacks, developers must employ software tamper resistance
techniques such as white box cryptography and code hardening. These techniques give apps a
“self-defense” capability, even while running, by keeping the cryptographic keys that are
used for encrypting and decrypting data or for user authentication persistently
protected both at rest and during execution of the application.
Device makers and solution providers can achieve a high level of software-based security by
using white box cryptography in combination with hardening of the software application at the
source code level. These application hardening tools, also known as code protection tools, can
prevent reverse engineering and other techniques used by cyber-criminals who attempt to gain
access to sensitive information and resources contained in the software applications.
These tools work at the source code level, obfuscate source code, and make it more difficult for
attackers to review the code and analyze the application. They also implement integrity checks,
which can deter manipulation and deliberate modification of the app, and code lifting.
But state-of-the-art software security solutions not only focus on obfuscation at the source code
level and application integrity, but also provide a high level of threat protection.
Threat protection adds functions to the mobile medical app to detect and/or prevent the app
from being run on rooted or jailbroken devices, in emulators, in debuggers or when code has
been tampered with, for example by being instrumented with debug code or repackaged with
malicious code.
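
The debugger and tamper checks described above, as an added example (not code from the article or from any vendor's product). It assumes a Linux or Android process, reads the `TracerPid` field of `/proc/self/status`, and uses FNV-1a as a stand-in digest; the function names and the sample byte region are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define THREAT_DEBUGGER 0x1u  /* a tracer (debugger) is attached */
#define THREAT_TAMPERED 0x2u  /* protected bytes differ from the build-time digest */

/* Parse the "TracerPid:" field from /proc/<pid>/status text (Linux/Android).
 * Returns the tracer's PID, 0 if none, or -1 if the field is missing. */
long tracer_pid_from_status(const char *status)
{
    const char *line = status;
    while (line && *line) {
        if (strncmp(line, "TracerPid:", 10) == 0)
            return strtol(line + 10, NULL, 10);
        line = strchr(line, '\n');
        if (line) line++;
    }
    return -1;
}

/* FNV-1a 64-bit: a stand-in digest to keep the example short. It is NOT
 * collision resistant; a real check would use SHA-256 or a signature. */
uint64_t fnv1a64(const unsigned char *p, size_t n)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x100000001b3ULL; }
    return h;
}

/* Combine both signals into a bitmask. A missing TracerPid field is treated
 * as a threat (fail closed) rather than as "no debugger". */
unsigned threat_check(const char *status, const unsigned char *code, size_t n, uint64_t expected)
{
    unsigned threats = 0;
    if (tracer_pid_from_status(status) != 0) threats |= THREAT_DEBUGGER;
    if (fnv1a64(code, n) != expected)        threats |= THREAT_TAMPERED;
    return threats;
}

int main(void)
{
    char buf[4096] = "";
    FILE *f = fopen("/proc/self/status", "r");   /* live status of this process */
    if (f) { size_t r = fread(buf, 1, sizeof buf - 1, f); buf[r] = '\0'; fclose(f); }
    static const unsigned char region[] = "constructed stand-in for protected code bytes";
    uint64_t build_digest = fnv1a64(region, sizeof region);  /* normally fixed at build time */
    printf("threat mask: 0x%x\n", threat_check(buf, region, sizeof region, build_digest));
    return 0;
}
```

A check like this is itself ordinary code that can be patched out, which is why the article pairs threat protection with code hardening.
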
So each additional security measure increases the security level on a sensitive app, but only the
combination of code protection and white-box cryptography with threat protection functionality
will achieve the highest level of software security.
Medical devices and wellness apps will only increase in use, and with this comes a plethora of
security and privacy issues. We have already seen this with ransomware attacks in healthcare
30 Cyber Warnings E-Magazine – May 2016 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide