Security firms are increasingly touting application shielding as an important layer of defense. But it may be better suited to DRM.
As hackers become increasingly adept at targeting smartphones, app security has become a pressing issue. Attackers can exploit vulnerabilities in mobile software to spy on users, grab their data, or even steal their money. In response, security companies are increasingly touting a feature called “application shielding,” a process that obfuscates an application’s binary code, ostensibly making it harder for hackers to reverse-engineer.
Application shielding is mainly used to protect intellectual property and cut down on piracy; the techniques modify a service’s application code, making it more difficult for someone to tamper with it, or to figure out how to remove digital rights locks and steal media like music or movie files.
Over the past few years, though, the term has evolved to encapsulate other features as well. Sometimes called “binary protection,” shielding can run integrity and validity checks to ensure that an app is running in a safe, untainted environment. It can also include biometric authentication checks, along with tamper-detection measures meant to make it more difficult for hackers to analyze an application’s binary for ways of attacking it.
While many of these mechanisms do help strengthen app defenses, security engineers note that mobile application shielding is still evolving as a concept. And they suggest that some of its purported benefits, like claiming to deter hackers by occluding an app’s binary code, may be overstated.
“I suspect many of these mobile shielding techniques will evolve into either standard development libraries or just standard coding practice, and may see an uptick in adoption more quickly among financial enterprises and other high-value environments,” says Kenn White, director of the Open Crypto Audit Project. “But other tactics, like obfuscation, are of more dubious value. An attacker should be able to know everything there is to find about your system without it giving them an advantage.”
Think of shielding code like hiding a safe behind a painting. If you have a secure enough lock, it shouldn’t matter who can see it.
Still, application shielding—and the lack thereof—has garnered attention of late. One study released at the beginning of April (and commissioned by Arxan, an application security company that sells mobile shielding tools) assessed the security of 30 financial services apps for Android downloaded from the Google Play Store. It found numerous basic security issues in the vast majority of the apps, including weak encryption, features that leaked data, and architecture issues where apps stored user data in insecure locations.
Alissa Knight, a senior cybersecurity analyst for the advisory firm Aite Group who conducted the research, told WIRED at the end of March that she considered the lack of shielding to be surprisingly careless. Without it, Knight was able to pull out things like private authentication certificates and keys to the directories an app uses to access data. And Knight says that the most important weakness she found in 29 out of the 30 apps tested was lack of binary obfuscation.
“Looking at banks, retail banking, stock brokerage firms, one of the things that I came across and found was that they’re not obfuscating their code,” Knight said. “If you’re putting a mobile app out there there’s so much in there that you would expect pretty much everyone to obfuscate whether they’re a bank or a game. I knew that there was a problem, I didn’t know it was this bad.”
In general, mobile security researchers agree that carelessness and lack of investment often lead to security missteps that developers could—and should—avoid. But many also note that attackers can get around obfuscation if they’re motivated to. “Obfuscation, in general, is just a speed bump,” the Open Crypto Audit Project’s White says. “By no means does it stop a skilled practitioner.”
One reason “shielding” is such an amorphous term is that it can also be used in other cybersecurity contexts. For example, customers can use shielding as part of their protection on data and applications they store outside of their own servers in third-party cloud environments. This way they can get the flexibility and reach of a cloud service while still defending their turf against unauthorized access. But where shielding is more established as protection in untrusted cloud environments, it is still evolving as a defense for mobile applications.
“Application shielding, particularly obfuscation, is a layer of digital rights management which a company may want to add to their apps in order to satisfy licensing or regulatory requirements. It is genuinely useful for that purpose and I would recommend the technology to a company creating something like a video streaming service,” says Will Strafach, an iOS security researcher and the president of Sudo Security Group. “But in something like financial apps the choice to not obfuscate their code is not a problem, because it does not add security and can be defeated without much difficulty.”
Strafach says that part of the reason he is skeptical about binary obfuscation is that it could simply be used to allow app developers to mask components of what their app does—a tactic malware authors already use to sneak malicious apps past app store screening by Apple and Google. And Strafach notes another issue he and his research group have begun to see in their own application security analysis.
“Obfuscation may lead a developer to believe that they can safely leave sensitive content embedded in an app, thinking outsiders could not see it due to the app shielding,” Strafach says. “We have noticed quite a few cases of this in apps.” Think again of the hidden safe. Putting that painting in front doesn’t mean you can leave it unlocked.
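The failure mode Strafach describes, a secret left in the binary because renamed classes and mangled control flow feel like cover, is easy to demonstrate: identifier obfuscation does nothing to string constants, so the same `strings`-style sweep an attacker would run still turns up the key. The scanner below is an added example written for this article, not code from WIRED, Sudo Security Group, Arxan, or any tool named above. The “binary” it scans is a constructed byte blob, and every value in it (the ProGuard-style `a.b.c` names, the PEM key body, the `api.example-bank.test` endpoint, the `apikey_…` token) is invented; the entropy threshold is a heuristic, not a standard.

```python
"""Sweep a binary blob for secrets that identifier obfuscation leaves intact.

Added example for this article. SAMPLE_BINARY is a constructed fake, not a
real app, and every key, URL and token in it is made up.
"""
import math
import re
from typing import Dict, List

# Hypothetical hard-coded token: 32 distinct characters, so its Shannon
# entropy is exactly log2(32) = 5.0 bits per character.
HYPOTHETICAL_TOKEN = "apikey_0123456789BCDFGHJLMNQRSTV"

# Constructed sample "binary": renamed classes (a.b.c, d.e.f) sit next to a
# hard-coded private key, an API endpoint and a bearer token. The PEM body is
# random-looking filler, not a real key.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"a.b.c\x00d.e.f\x00g/h/i\x00"
    + b"-----BEGIN RSA PRIVATE KEY-----\n"
      b"MIIBOgIBAAJBAKj34GkxFhD90vcNLYLInFEX6Ppy1tPf9Cnzj4p4WGeKLs1Pt8Qu\n"
      b"-----END RSA PRIVATE KEY-----\n\x00"
    + b"https://api.example-bank.test/v1/transfer\x00"
    + HYPOTHETICAL_TOKEN.encode("ascii") + b"\x00"
    + bytes(range(32)) * 4          # non-printable padding
)

PEM_BLOCK = re.compile(rb"-----BEGIN [A-Z ]+-----.*?-----END [A-Z ]+-----", re.S)
URL = re.compile(r"https?://[^\s\"']+")


def extract_strings(blob: bytes, min_len: int = 8) -> List[str]:
    """Equivalent of `strings -n min_len`: runs of printable ASCII.

    Tabs and newlines are allowed so a multi-line PEM block comes out whole.
    """
    pattern = re.compile(rb"[\x20-\x7e\t\r\n]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(blob)]


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking keys score high, prose scores low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))


def find_pem_blocks(blob: bytes) -> List[str]:
    """Private keys and certificates announce themselves with BEGIN/END armor."""
    return [m.group().decode("ascii", "replace") for m in PEM_BLOCK.finditer(blob)]


def find_secret_candidates(strings: List[str],
                           entropy_threshold: float = 4.0) -> Dict[str, List[str]]:
    """Flag endpoints and high-entropy tokens among extracted strings.

    The threshold is a heuristic chosen for this example; tune it per target.
    """
    found: Dict[str, List[str]] = {"urls": [], "high_entropy": []}
    for s in strings:
        if "-----BEGIN" in s:
            continue                      # reported by find_pem_blocks instead
        urls = URL.findall(s)
        if urls:
            found["urls"].extend(urls)
            continue
        if len(s) >= 20 and shannon_entropy(s) >= entropy_threshold:
            found["high_entropy"].append(s)
    return found


def scan(blob: bytes) -> Dict[str, List[str]]:
    """Full sweep: strings, then URLs/tokens, then PEM blocks."""
    report = find_secret_candidates(extract_strings(blob))
    report["pem"] = find_pem_blocks(blob)
    return report


if __name__ == "__main__":
    for kind, items in scan(SAMPLE_BINARY).items():
        for item in items:
            print(f"[{kind}] {item[:60]!r}")
```

Note what the sweep does not see: the renamed classes `a.b.c` and `d.e.f` fall below the minimum string length, which is exactly the point. Obfuscation hid the identifiers and left the key, the endpoint and the token in plain sight, so the fix is to not ship the secret, not to hide it better.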
When application shielding is used as a sort of suite of best practices to authenticate a user, check the integrity of an operating system, perform cryptographic checks like transaction signing, or confirm device identity, it contributes to much-needed mobile defenses. But as the fledgling toolset evolves, it’s important to remember that like anything else, it’s not a security panacea.
“Though we often think of mobile applications as code that runs on our Android or iOS smartphones, that’s only part of the picture,” says Adrian Sanabria, an independent security researcher. “Most mobile apps are more like websites that run partially on our phone and partially in the cloud. Application shielding may make it tougher to hack the parts of apps that run on our phones, but app developers still have to consider protecting the parts of the application that don’t live on the phone.”