November 11, 2015 By Patrick Kehoe 5 min read

The Need for Application Protection

As in the early days of email, website and network hacking, cybercriminals in the mobile application hacking business are coming up with new, creative ways to take control of your apps and gain access to the sensitive information that they contain.

A tidal wave of serious threats to your applications is brewing in the previously calm waters of application security. Applications that were formerly housed in well-protected data centers behind strong firewalls now run on medical devices, in cars, on millions of mobile phones and just about everywhere else you look. These environments are virtually impossible to protect from the outside, leading analysts and security professionals to realize that a safe harbor in application security hinges on applications protecting themselves.

Unfortunately, most application security activity today centers around secure coding practices, which are critically important but not sufficient to protect applications that are running in untrusted and distributed environments. Application self-protections that check the environment in which applications are running, ensure the integrity of execution and respond proactively to attacks are critical, but they are often overlooked in the rush to deploy new apps.

10 Ways to Upgrade Your Application Protection

With this in mind, we’ve assembled a set of 10 collaborative resources that can help application security practitioners:

  • Understand new threats that are unique to applications running in distributed environments.
  • Protect applications at runtime.
  • Secure cryptographic keys, which are at the core of many digital handshakes that occur across application components.

These actions will connect you with videos, white papers and reports focused on increasing security awareness and curbing mobile hacking threats so you don’t get swept away in the upcoming wave of mobile and IoT app attacks.

1. Read ‘Securing Mobile Applications in the Wild With Application Self-Protection’

Mobile applications are uniquely exposed to hacking attacks since the application code must be released out into the wild. Attackers can directly access, compromise and exploit the binary code, such as by analyzing or reverse engineering sensitive code, modifying code to change application behavior and injecting malicious code. This IBM and Arxan white paper provides a comprehensive examination of the vulnerabilities to your mobile apps and mitigation techniques to secure them.

2. Spend Two Minutes to Learn How to Hack a Cryptographic Key

Cryptographic key-focused attacks are a rapidly growing problem and one of the most difficult risks to minimize. If your organization is not taking appropriate steps to protect these keys, you are giving cybercriminals easy access to your private data and transactions. In this informational video you will learn:

  • How cryptographic keys are being used in a variety of applications;
  • Techniques attackers leverage to steal keys; and
  • IBM’s unique approach to key protection with Arxan’s White Box Cryptography solution.

https://youtube.com/watch?v=2vQ2zHscQkQ

3. Watch Our On-Demand Webinar: ‘Think Like a Hacker! Common Techniques Used to Exploit Mobile Apps and How to Mitigate These Risks’

The first step in learning how to protect and defend your applications from attackers is to think like one. In this session, you’ll learn just how easy it is for cybercriminals to leverage widely available third-party tools to disable and compromise iOS and Android mobile apps, which can lead to unauthorized access to source code, tampering with apps to enable advanced malware attacks, theft of sensitive data and more.

Learn about the evolution of the mobile threat landscape, view a live demonstration of various reverse engineering and tampering attacks and learn how to mitigate application binary risk and implement new approaches to mobile app security that protect applications at runtime.

4. Learn About the State of Application Security by Reviewing Our 2015 Findings and Recommendations

The illegal reproduction and distribution of copyrighted material on the Web is extensive and growing rapidly. In its highly anticipated “2015 State of Application Security Report,” Arxan analyzed data collected over the past three and a half years that looked at the distribution of pirated software and digital assets on the Dark Web and indexed sites that are focused on distributing pirated assets. Thousands of sites were analyzed in the process, including over 50 that are in the business of distributing pirated releases. In this report you will learn about:

  • The volume and nature of pirated software and digital assets;
  • Today’s distribution model for pirated assets;
  • The economic and business implications of piracy;
  • The role of unprotected applications in enabling piracy; and
  • Key recommendations to mitigate digital piracy.

5. Download Our Recently Updated ‘Mobile Application Protection Handbook’

The “Mobile Application Protection Handbook” provides key insights from security experts on a new generation of mobile attacks as well as risk mitigation strategies to support secure mobile app development and defend against integrity risks. The mobile attack surface has grown due to the unique attributes of the mobile platform and now encompasses application hacking, reverse engineering and tampering that compromise an app’s critical security and business logic. The app security landscape has moved beyond addressing only programming flaws or source-level code fixes to addressing attacks at the binary level.

The handbook answers five key application protection questions:

  1. How frequently are applications getting hacked, and is there a case for action?
  2. Who is advising organizations that binary code must be protected?
  3. How are mobile applications being attacked as a result of a lack of binary code protection?
  4. What are the key application risks that should be defended against?
  5. What are the techniques and best practices that you should use to protect your application’s binary code?

6. Read Our Blog on Application Hardening

Take a moment to read “Which Approach to Mobile Application Hardening Is Right for Your App?” This will help you understand four critical factors that you should consider when determining which mobile application protection solution is the right fit.

7. Take Advantage of Our Complimentary Mobile Application Review

Sign up for a mobile app security assessment and we’ll send you a free personalized report detailing:

  • Your mobile app’s level of exposure in nine key risk areas;
  • The likely key attack points in your app’s binary; and
  • Recommendations and best practices to secure your mobile app.

8. Watch This Three-Minute Video on Protecting Financial Service Applications

https://youtube.com/watch?v=lP1azJTHgm4

The potential mobile banking and payments market for financial institutions is tremendous, and providers that offer the most secure apps will prevail over the competition. But this opportunity is not without potential hazards. The effect on revenue and brand caused by attackers can be devastating.

If you are interested in a more in-depth discussion, listen to the replay of our webinar where industry experts from IBM Security Trusteer and Arxan discuss:

  • Changes in technology that have made mobile applications so vulnerable;
  • Emerging mobile threat vectors and what you can do to mitigate risk; and
  • Must-have requirements for your future security model.

9. Watch the Replay of ‘Securing the Internet of Things’ With Forrester Research

Internet of Things (IoT) devices will increase the size of the threat landscape over the next decade. The complexity of IoT devices is multiplying the difficulties of security in every aspect of the enterprise. As IoT devices bridge the gap between the logical and the physical, there are real-world risks and ramifications to human life along with the impact on our digital assets.

This webinar, “Securing the Internet of Things,” outlined the phases of IoT maturity, described how human interaction impacts the risk levels of IoT devices and predicted when your specific market vertical may be impacted by IoT security threats. It also outlined leading practices for securing IoT solutions, focusing on how best to protect mobile and embedded applications that are increasingly the focus of IoT attacks.

10. Watch Our On-Demand Webinar: ‘The 411 on Mobile Application Security Testing and Runtime Protection for iOS Applications’

In this webinar, we provide best practices for mobile application security testing to identify security vulnerabilities and for protecting applications at runtime, with a special emphasis on iOS applications. It is commonly believed that iOS apps are more secure than Android apps, but that doesn’t mean your iOS apps are free of vulnerabilities or that there aren’t ways for attackers to circumvent iOS security controls. Watch the on-demand session to learn how to protect your ever-expanding portfolio of mobile apps and stay one step ahead of the rush-to-release phenomenon.
