What approach to application hardening is right for your
organization?
There’s no shortage of readily available hacker tools and techniques, or of stories in the news
about mobile app hacks, for both the iOS and Android platforms.
Fortunately, security solutions providers have responded swiftly and there are many approaches
that one can leverage to harden an app that is “out in the wild.”
For those of you who may not be familiar with the term, hardening is a key step at the end of any
secure software development lifecycle process which:
• Confirms that the app is running as designed at runtime
• Thwarts hackers’ efforts to reverse engineer the app back to source code
Which hardening approach is right for your app? To the uninformed purchaser, simple obfuscators
are attractive because they are low in cost, require little training and are quick to implement.
However, given the sophistication of today’s hackers, it is important for app developers to look
beyond the surface and take a more strategic approach to choosing an application hardening
solution.
Below are four key factors that IT Security professionals should consider when evaluating
application hardening solutions:
#1: Value of your applications
A key factor to consider is the level of investment your company is making in an app in terms of
R&D and maintenance costs.
• If valuable proprietary intellectual property such as algorithms or monetizable content is
  embedded within the app, you should consider the potential revenue loss to your company if
  the app is successfully hacked.
• If the app processes sensitive information such as financial transactions, account
  information or authorization credentials, you should consider the potential loss of revenue
  through fraud and potential collateral damage that could occur if the app is hacked or
  Trojanized. Collateral damage may include penalties for non-compliance with regulations,
  expenditures on security upgrades, and even costs associated with crisis management
  communication campaigns to manage adverse publicity and restore brand value.
There is a prevalent belief that encryption and basic obfuscation techniques in and of themselves
are adequate measures to protect apps against hacking. String encryption and variable renaming
form a beneficial security layer, but they are inadequate when used in isolation.
Also, it is important to understand that not all obfuscation and encryption tools are created equal.
Obfuscation is often confused with simple method renaming techniques and basic string
22 Cyber Warnings E-Magazine – October 2015 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide