Application hardening, also known as application shielding, is the act of applying levels of security in order to protect applications from IP theft, misuse, vulnerability exploitation, tampering or even repackaging by people with ill intentions.
Why Application Hardening?
Application hardening is an integral part of the defense strategy for businesses intent on building a trusted mobile environment with a secure software development lifecycle process. By implementing application hardening, you can:
- Protect the application from a hacker trying to reverse engineer the app back to source code
- Prevent hackers from trying to inspect internal values, monitor or tamper with the app
- Enable your application to safely run in zero‑trust environments
- Protect your users’ data and sensitive information
Does Your App Need Hardening?
Application hardening primarily applies in the prevention stage of a security strategy. If your app includes financial transactions, the collection or storage of users’ personal data, or even holds information about you or your business that you don’t want exposed, you need to harden your application. Applications today run on many untrusted devices in unknown environments. Hardening also helps protect your brand image; security breaches can cause serious reputational damage.
Methods of Application Hardening
Protection from Reverse Engineering
- Code Obfuscation:
Code obfuscation makes strategic modifications to the code so that it is difficult to decipher and decode. Obfuscation includes encrypting some or all of the code, stripping out potentially revealing metadata, renaming useful class and variable names to meaningless labels, or even adding pointless or unused code to an application’s binary.
Debuggers are one of the main tools used by reverse engineers. Ordinarily they serve the benign purpose of finding and eliminating bugs in code, but in malicious hands they are used to learn the structure of your application and to find weaknesses and avenues of attack.
- Binary Packing:
Binary packing is a mechanism used to protect against static analysis. The application downloaded from the app store is encrypted and is only unpacked at runtime, which makes static analysis of the stored binary extremely hard to perform.
- White-Box Cryptography:
White-box cryptography is a set of cryptographic functions that ensures secret keys remain encoded at all times, even during execution. It is a library that can be integrated into any application that requires cryptographic functions.
Protection from Tampering
Several anti-tampering mechanisms exist, all of which contribute towards application hardening. Some typical mechanisms are described below.
- Integrity Checking
Integrity checking hardens applications by inserting thousands of small, overlapping pieces of code called checkers. During runtime, each of these checkers tests whether a particular segment of the executable has been tampered with.
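The checker scheme described above, as an added example that is not code from the original page or any particular hardening product: a small C program keeps a constructed byte array standing in for a code segment, covers it with overlapping checksum checkers, and also checksums the checker table itself so that patching an expected value is caught as well. The segment contents, the checker layout (16-byte windows every 8 bytes) and the FNV-1a hash are all assumptions chosen for illustration; a real implementation would cover the application's own text section and hide the checkers among ordinary code.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-in for a code segment. In a shipped build these bytes
 * would be the application's own executable code, not a synthetic array. */
#define IMAGE_LEN 64
static uint8_t code_image[IMAGE_LEN];

/* FNV-1a: a cheap hash; checkers only need to notice changes, not resist
 * collision attacks, because the attacker must also find and defeat them. */
static uint32_t fnv1a(const uint8_t *p, size_t n) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

typedef struct { size_t start, len; uint32_t expected; } checker_t;

/* 16-byte windows starting every 8 bytes: 7 checkers cover 64 bytes and
 * every interior byte is covered by two of them (assumed layout). */
#define NCHECKERS 7
static checker_t checkers[NCHECKERS];
static uint32_t table_hash;   /* checksum over the checker table itself */

void init_checkers(void) {
    for (size_t i = 0; i < IMAGE_LEN; i++) code_image[i] = (uint8_t)(i * 31 + 7);
    for (int k = 0; k < NCHECKERS; k++) {
        checkers[k].start = (size_t)k * 8;
        checkers[k].len = 16;
        checkers[k].expected = fnv1a(code_image + checkers[k].start, checkers[k].len);
    }
    table_hash = fnv1a((const uint8_t *)checkers, sizeof checkers);
}

/* Returns the number of checkers whose window no longer matches (0 = intact). */
int run_checkers(void) {
    int failed = 0;
    for (int k = 0; k < NCHECKERS; k++)
        if (fnv1a(code_image + checkers[k].start, checkers[k].len) != checkers[k].expected)
            failed++;
    return failed;
}

/* Returns 1 if the checker table has not been modified, 0 otherwise. */
int table_intact(void) {
    return fnv1a((const uint8_t *)checkers, sizeof checkers) == table_hash;
}

/* Simulates a one-byte patch at offset off, e.g. a flipped conditional branch. */
void tamper_byte(size_t off) { code_image[off] ^= 0xFF; }

/* Simulates an attacker rewriting one checker's expected value. */
void tamper_table(int k) { checkers[k].expected ^= 1u; }

int main(void) {
    init_checkers();
    printf("fresh image: %d checkers failed\n", run_checkers());
    tamper_byte(20);                 /* byte 20 lies in windows 8..23 and 16..31 */
    printf("after patching byte 20: %d checkers failed\n", run_checkers());
    tamper_table(0);
    printf("checker table intact: %d\n", table_intact());
    return 0;
}
```

Because the windows overlap, a single patched byte trips more than one checker, and because the table is itself checksummed, an attacker cannot silence a checker by editing its stored expected value without being caught by the table check; in a real product that second-level check would in turn be covered by further checkers.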
- iOS Jailbreak Detection
Jailbreaking an iOS device involves removing the limitations that the manufacturer or service providers intended by gaining root access to the device. Once jailbroken, the security controls installed by the manufacturer are breached and any rogue app can access your application data or keys.
- Android Rooting Detection
Similar to iOS jailbreaking, Android device rooting allows an attacker to gain root access to an Android device. The successful rooting of an Android device is a security risk to applications that deal with sensitive data or enforce certain restrictions.