C-level briefing: Mark Noctor of Arxan explains why your app needs protecting all the way down to the source code.
In the era of increasingly high-profile company cyber-breaches, the temptation is for enterprises to build walls around themselves through firewalls and security solutions.
But what if there is already a tunnel into your enterprise – one that you have built yourself?
"At the moment all of the news is around spooks in your network, APT and trying to find the guys attacking the network," explains Mark Noctor, Director of Sales, EMEA for Arxan. "There are lots of companies now all over the news trying to help you with that network problem.
"[The attacker is] going to go for the breach in the fence; they are going to look for other ways in."
According to Noctor, that way in is the enterprise application, and it is only a "matter of time" before somebody figures out a way to hack it.
"The app is an endpoint you don’t generally have control of. When you think about an application’s server code, which sits on your servers inside your building, it is surrounded by threat detection, firewalls, barbed wire and machine-guns.
"But you send a mobile app that allows you to connect to it out into the wild through the app store."
This is not the only concern for enterprises. Customer-facing applications, if hacked, could be a way of accessing the details of an enterprise’s customers.
"One of the things our customers are worried about, certainly on the mobile side, is a one-to-many attack."
Noctor cites the XcodeGhost case, which deployed a tampered-with version of Apple’s app development software.
"XcodeGhost was a one-to-many attack. An enterprising guy downloaded Xcode, injected their malware injector into their version of Xcode and put it on a Chinese website. Nobody who downloaded it realised they were getting malware injected into their application when they compiled it.
"That kind of one-to-many attack scares some of our customers. They are concerned that someone will take their app off the device, decompile it and inject something specific that does something like capture PIN numbers."
Arxan’s solution targets the app developer specifically, which is just one link in the device security chain.
"We are one element of an application security strategy. We’re specifically app hardening. We harden code and protect keys in an application. As part of an overall app security strategy we have partners.
"Our technology prevents reverse engineering and tampering with application software, binaries specifically. We take a customer’s app binary and build protection into the binary of the software that goes wherever the app goes and enables the app to be self-protecting once it goes out into the wild."
The approach is to insert some code of Arxan’s own, Noctor explains.
"We add code to it. Our approach is to inject runtime modules that we call guards into the binary of the application. This makes it much harder to find and the strength of security is that much greater.
"Some of those guards are passive; we hide stuff, we obfuscate the app and we scramble it."
"Other runtime modules are slightly more dynamic; for example we will employ checksums that will allow you to check certain parts of the code. If someone changes something the checksum will fire and respond in a way that you can choose.
"I use the analogy of a house you are trying to protect. You bolt the windows, lock the doors, maybe put in pressure sensors or lasers."
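The checksum guards Noctor describes can be modelled in a few lines. The sketch below is an added example, not Arxan's code or anything from the interview: it records a digest over chosen byte ranges of an image at protection time, re-checks them later, and calls a response chosen by the integrator when a range has changed. The use of SHA-256, the range names, the sample image and the response functions are all assumptions made for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, List, Tuple

@dataclass(frozen=True)
class Guard:
    name: str                       # label for the protected range (hypothetical)
    start: int                      # byte offset of the range in the image
    length: int                     # size of the range in bytes
    expected: bytes                 # digest recorded at protection time
    respond: Callable[[str], str]   # response chosen by the integrator

def digest(image: bytes, start: int, length: int) -> bytes:
    # Refuse ranges that fall outside the image instead of hashing a short slice.
    if start < 0 or length <= 0 or start + length > len(image):
        raise ValueError("guard range outside image")
    return hashlib.sha256(image[start:start + length]).digest()

def protect(image: bytes, ranges: List[Tuple[str, int, int]],
            respond: Callable[[str], str]) -> List[Guard]:
    # Protection time: record the checksum of each range of the pristine image.
    return [Guard(n, s, l, digest(image, s, l), respond) for n, s, l in ranges]

def run_guards(image: bytes, guards: List[Guard]) -> List[str]:
    # Run time: recompute each checksum; a mismatch "fires" the guard.
    fired = []
    for g in guards:
        try:
            ok = hmac.compare_digest(digest(image, g.start, g.length), g.expected)
        except ValueError:
            ok = False              # a truncated image counts as tampering
        if not ok:
            fired.append(g.respond(g.name))
    return fired

def report(name: str) -> str:       # one possible response: record and carry on
    return f"report:{name}"

def patched(image: bytes, offset: int, value: int) -> bytes:
    # Helper that simulates a one-byte modification of the image.
    out = bytearray(image)
    out[offset] = value
    return bytes(out)

# Constructed sample: a 256-byte stand-in for an app binary with two guarded ranges.
ORIGINAL = bytes(range(64)) * 4
GUARDS = protect(ORIGINAL, [("pin_entry", 0, 64), ("license_check", 128, 32)], report)
```

Bytes outside every guarded range are not covered, so a change at offset 100 of the sample image goes unnoticed; which parts of the code to cover is a choice made at protection time.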