The Need for Application Protection

As in the early days of email, website and network hacking, cybercriminals in the mobile application hacking business are coming up with new, creative ways to take control of your apps and gain access to the sensitive information that they contain.

A tidal wave of serious threats to your applications is brewing in the previously calm waters of application security. Applications that were formerly housed in well-protected data centers behind strong firewalls now run on medical devices, in cars, on millions of mobile phones and just about everywhere else you look. These environments are virtually impossible to protect from the outside, leading analysts and security professionals to realize that a safe harbor in application security hinges on applications protecting themselves.

Unfortunately, most application security activity today centers around secure coding practices, which are critically important but not sufficient to protect applications that are running in untrusted and distributed environments. Application self-protections that check the environment in which applications are running, ensure the integrity of execution and respond proactively to attacks are critical, but they are often overlooked in the rush to deploy new apps.

10 Ways to Upgrade Your Application Protection

With this in mind, we’ve assembled a set of 10 collaborative resources that can help application security practitioners:

  • Understand new threats that are unique to applications running in distributed environments.
  • Protect applications at runtime.
  • Secure cryptographic keys, which are at the core of many digital handshakes that occur across application components.

These actions will connect you with videos, white papers and reports focused on increasing security awareness and curbing mobile hacking threats so you don’t get swept away in the upcoming wave of mobile and IoT app attacks.

1. Read ‘Securing Mobile Applications in the Wild With Application Self-Protection’

Mobile applications are uniquely exposed to hacking attacks since the application code must be released out into the wild. Attackers can directly access, compromise and exploit the binary code, such as by analyzing or reverse engineering sensitive code, modifying code to change application behavior and injecting malicious code. This IBM and Arxan white paper provides a comprehensive examination of the vulnerabilities to your mobile apps and mitigation techniques to secure them.

2. Spend Two Minutes to Learn How to Hack a Cryptographic Key

Cryptographic key-focused attacks are a rapidly growing problem and one of the most difficult risks to minimize. If your organization is not taking appropriate steps to protect these keys, you are giving cybercriminals easy access to your private data and transactions. In this informational video you will learn:

  • How cryptographic keys are being used in a variety of applications;
  • Techniques attackers leverage to steal keys; and
  • IBM’s unique approach to key protection with Arxan’s White Box Cryptography solution.

3. Watch Our On-Demand Webinar: ‘Think Like a Hacker! Common Techniques Used to Exploit Mobile Apps and How to Mitigate These Risks’

The first step in learning how to protect and defend your applications from attackers is to think like one. In this session, you’ll learn just how easy it is for cybercriminals to leverage widely available third-party tools to disable and compromise iOS and Android mobile apps, which can lead to unauthorized access to source code, tampering with apps to enable advanced malware attacks, theft of sensitive data and more.

Learn about the evolution of the mobile threat landscape, view a live demonstration of various reverse engineering and tampering attacks and learn how to mitigate application binary risk and implement new approaches to mobile app security that protect applications at runtime.

4. Learn About the State of Application Security by Reviewing Our 2015 Findings and Recommendations

The illegal reproduction and distribution of copyrighted material on the Web is extensive and growing rapidly. In its highly anticipated “2015 State of Application Security Report,” Arxan analyzed data collected over the past three and a half years that looked at the distribution of pirated software and digital assets on the Dark Web and indexed sites that are focused on distributing pirated assets. Thousands of sites were analyzed in the process, including over 50 that are in the business of distributing pirated releases. In this report you will learn about:

  • The volume and nature of pirated software and digital assets;
  • Today’s distribution model for pirated assets;
  • The economic and business implications of piracy;
  • The role of unprotected applications in enabling piracy; and
  • Key recommendations to mitigate digital piracy.

5. Download Our Recently Updated ‘Mobile Application Protection Handbook’

The “Mobile Application Protection Handbook” provides key insights from security experts on a new generation of mobile attacks as well as risk mitigation strategies to support secure mobile app development and defend against integrity risks. The mobile attack surface has grown due to the unique attributes of the mobile platform and now encompasses application hacking, reverse engineering and tampering that compromise an app’s critical security and business logic. The app security landscape has moved beyond addressing only programming flaws or source-level code fixes to addressing attacks at the binary level.

The handbook answers five key application protection questions:

  1. How frequently are applications getting hacked, and is there a case for action?
  2. Who is advising organizations that binary code must be protected?
  3. How are mobile applications being attacked as a result of a lack of binary code protection?
  4. What are the key application risks that should be defended against?
  5. What are the techniques and best practices that you should use to protect your application’s binary code?

6. Read Our Blog on Application Hardening

Take a moment to read “Which Approach to Mobile Application Hardening Is Right for Your App?” This will help you understand four critical factors that you should consider when determining which mobile application protection solution is the right fit.

7. Take Advantage of Our Complimentary Mobile Application Review

Sign up for a mobile app security assessment and we’ll send you a free personalized report detailing:

  • Your mobile app’s level of exposure in nine key risk areas;
  • The likely key attack points in your app’s binary; and
  • Recommendations and best practices to secure your mobile app.

8. Watch This Three-Minute Video on Protecting Financial Service Applications

The potential mobile banking and payments market for financial institutions is tremendous, and providers that offer the most secure apps will prevail over the competition. But this opportunity is not without potential hazards. The effect on revenue and brand caused by attackers can be devastating.

If you are interested in a more in-depth discussion, listen to the replay of our webinar where industry experts from IBM Security Trusteer and Arxan discuss:

  • Changes in technology that have made mobile applications so vulnerable;
  • Emerging mobile threat vectors and what you can do to mitigate risk; and
  • Must-have requirements for your future security model.

9. Watch the Replay of ‘Securing the Internet of Things’ With Forrester Research

Internet of Things (IoT) devices will increase the size of the threat landscape over the next decade. The complexity of IoT devices is multiplying the difficulties of security in every aspect of the enterprise. As IoT devices bridge the gap between the logical and the physical, there are real-world risks and ramifications to human life along with the impact on our digital assets.

This webinar, “Securing the Internet of Things,” outlined the phases of IoT maturity, described how human interaction impacts the risk levels of IoT devices and predicted when your specific market vertical may be impacted by IoT security threats. It also outlined leading practices for securing IoT solutions, focusing on how best to protect mobile and embedded applications that are increasingly the focus of IoT attacks.

10. Watch Our On-Demand Webinar: ‘The 411 on Mobile Application Security Testing and Runtime Protection for iOS Applications’

In this webinar, we provide best practices for mobile application security testing to identify security vulnerabilities and for protecting applications at runtime, with a special emphasis on iOS applications. It is commonly believed that iOS apps are more secure than Android apps, but that doesn’t mean your iOS programs are free of vulnerabilities or that there aren’t ways for attackers to circumvent iOS security controls. Watch the on-demand session to learn how to protect your ever-expanding portfolio of mobile apps and stay one step ahead of the rush-to-release phenomenon.
