- Audit processes to validate that only legitimate and harmless apps are placed in the app store. Audit mechanisms to block illegitimate apps from distribution to users are far from perfect, as seen with recent iOS malware, including XcodeGhost.


Consequently, it is important to determine the scale and sophistication of attacks that you anticipate
for your applications, and validate that the security solution you rely on is capable of meeting the
challenge. For small-scale developers with free- or ad-supported apps, typically basic application
protection will suffice, even though ad revenue may be subverted through Trojanization.

In contrast, for business-critical enterprise applications, it is safe to assume that an organized army of hackers will be actively looking for ways to subvert your app as quickly and as comprehensively as possible. Since such attacks are designed to be covert, it can take weeks or even months until evidence of a successful hack surfaces. For that reason, measures of defense against attacks have to be complemented by measures of detection and reaction. For example, deeply instrumenting an app to detect attempted attacks and react with functions such as "phone home" can provide long-lasting and durable protection.

Consider the recent benchmarking study that compared an Android Java mobile payment application hardened with a comprehensive protection solution against the same application protected with a basic Java protection solution. Key findings from the study appear in the chart below:


Chart 2: Strength of Protection of Basic and Comprehensive Hardening Techniques
24 Cyber Warnings E-Magazine – October 2015 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide