
Defense in Depth: A Layered Approach to Mobile App Security

Table of contents
Introduction ............ 1
3 Pillars of mobile app security ............ 2
    Mobile application protection ............ 2
    Mobile application security testing ............ 3
    Mobile application threat monitoring ............ 5
Real-world examples of mobile app sec programs ............ 6
    Use case: Financial services ............ 6
    Use case: Video software ............ 6
Guardsquare can help ............ 7

Defense in Depth: A Layered Approach to Mobile App Security www.guardsquare.com
Introduction
In recent years, the mobile app industry has seen an increase in conversations around
security concerns, but unfortunately, awareness alone isn’t enough to keep pace with
malicious parties that continue to develop new and more advanced attack methods.

Take brand abuse attacks, for example, which make up 65% of attacks on mobile finance
apps. They’re particularly concerning because they seek to exploit any vulnerability,
no matter how small, in an effort to damage the brand. These attackers aren’t
necessarily after the organization’s IP or sensitive data, which are often the focus of
security efforts. Instead, they fly under the radar, targeting lesser-known or
deprioritized vulnerabilities.

So while awareness of the problem has increased, there continues to be a lag in
remediation efforts — 95% of mobile app security professionals report room for
improvement in their security program or protocols.



3 Pillars of mobile app security
1. Mobile application protection

The first pillar of a strong mobile security strategy is the implementation of advanced
protection techniques. Developers should start by defining the threat model they’re
protecting against. For example, the developers of a gaming app may be concerned
with cheating, while the developers of a banking app may be concerned with
protecting against financial fraud. It’s important to understand which attack vectors a
threat actor may try to exploit, as well as the method they would implement to do so.

This approach enables developers to make informed decisions about which protection
techniques are appropriate for their app. Guardsquare suggests a combination of
mechanisms from both of the following categories:

1. Code hardening renders code virtually incomprehensible to threat actors, even
those using decompilers, making it difficult for them to understand a mobile
application’s code. Examples include code and control flow obfuscation,
encryption, and data transformations.
2. Runtime Application Self-Protection (RASP) checks, injected into the app,
monitor it for suspicious behavior. Automated RASP checks can detect and take
action against rooting/jailbreaking, hooking, code tampering, and debugger or
emulator attachment.

An important element of advanced protection is polymorphism. This approach
automatically changes the code hardening and RASP protections you’ve implemented
after each build. It ensures that an attacker has to start over each time a new version
of the app is released.

Key takeaway

Developers are often concerned that protection mechanisms increase the size of
the mobile app and slow its performance. When considering security solutions,
choose one that supports configurability. This allows you to control which parts
of the code are protected and how aggressive the protection mechanisms are,
ensuring that they won’t negatively impact your app’s size or performance. These
configurations should be stored in configuration files that can be easily managed
as part of your code repository.

Be wary of solutions that promote only their ease of use, or their ability to protect
your code by “wrapping” it after development. These approaches likely do not support
the level of protection you need, can often be compromised through a single point of
failure, and may lack the necessary sophistication to keep your mobile app secure.



2. Mobile application security testing

Mobile app security testing is the second pillar of mobile app security. All
components of an app should be tested early and often throughout the development
lifecycle and after each commit or build. “All components” is the key phrase here.
Security testing should be applied to more than just the code written in-house. Too
often, we see third-party SDKs and other commonly shared components that contain
vulnerabilities.

We saw this in the five popular banking apps that relied on a vulnerable third-party
SDK, exposing over 300,000 biometric digital fingerprints and users’ personal data
(names, dates of birth, etc.).

OWASP’s Mobile Application Security Testing Guide (MASTG) is a great overview of
general testing principles, as well as guides for Android and iOS testing. It contains
these primary testing categories:

• Tampering & Reverse Engineering
• Authentication Architectures
• Network Communication
• Cryptography
• Code Quality
• User Privacy Protection

A security testing solution will detect vulnerabilities while the code is still under
development, enabling developers to address security issues while the code is still
clear in their mind and preventing the propagation of core issues throughout the
application. This enables quick fixes and eliminates the potential for costly and
time-intensive rework late in the development cycle.

It’s important to note that frequent, automated security testing is not an alternative
to pentesting. Rather, they serve different purposes. Automated testing scans the code
for known security bad practices and issues that might be exploited. On the other
hand, pentesting is a resource-intensive, manual process executed by experts who are
trained to spot unforeseen failures in the code. It’s typically used at specific points
in the development process (before release) or on a periodic basis (to meet compliance
requirements).



Due to the cost and manual effort required, it is rarely feasible to pentest after
every build. Additionally, leaving vulnerabilities until the pentesting stage isn’t an
effective use of these experts’ time, as the known issues can hide or otherwise obscure
more systemic problems. By deploying an automated testing tool and remediating
vulnerabilities as they’re found, you will make much better use of your pentesting
efforts.

Key takeaway

Seek testing solutions that integrate seamlessly into your existing workflows. A
few things to consider when choosing a testing solution:

• Make sure scan times are fast enough to integrate into your pipeline.
• In addition to flagging vulnerabilities, the tool you choose should also
provide actionable recommendations to set developers on the right path
for quick and effective remediation.
• To establish security as a repeatable practice, look for tools that offer
automated scanning, ensuring regular and reliable feedback.
• Prioritize a tool that integrates with commonly used build and CI tools, like Gradle,
Bitrise, Jenkins, or GitHub.

3. Mobile application threat monitoring

Threat monitoring is the third pillar of a comprehensive mobile app security strategy.
While testing for security risks will significantly improve a mobile app’s security
posture, these tools do not provide insights on what is happening with the app after
it is downloaded onto a user’s mobile device. Threat monitoring provides real-time
information on the environments in which the app is running.

Our internal data shows that out of 40+ million daily active devices using Guardsquare’s
threat monitoring solution, ThreatCast, approximately 2% are triggering at least one
threat. That’s 800,000 devices per day!

Automation can play a key role in the threat monitoring pillar as well. Developers
should seek solutions that automate both the injection of monitoring points in the
code and the collection, processing, visualization, and sharing of the resulting data.

Effective monitoring provides real-time information on how threat actors may be
attempting to compromise your app. These reports enable a developer to detect
suspicious users and provide insights into security issues that need to be mitigated
in future releases. They also provide key details about what kinds of attacks are being
carried out and what versions of the app are being attacked.

Key takeaway

Beyond identifying threat actors in real time, data gathered from threat monitoring
can be leveraged to provide additional context around security efforts. Developers
can drill down into specific events to analyze threat actors’ attempts at reverse
engineering and tampering to identify common attack vectors, and possibly
mitigate them in a future release before a breach occurs.

One example of this is correlating threat data with reports from your crash analytics
tool (e.g., Crashlytics). You may be able to separate crashes caused by an end user
tampering with your app from those caused by a coding issue that needs to be addressed.
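The correlation described above, as an added example that is not Guardsquare’s or ThreatCast’s own code: constructed threat events and crash records are joined by device and app version, and a crash is attributed to tampering only when a threat event precedes it within a window. The record fields and the 5-minute window are assumptions; the per-version count is the “which versions are being attacked” view mentioned earlier.

```python
"""Correlate threat-monitoring events with crash reports (added example, not
Guardsquare's code). All records below are constructed sample data."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class ThreatEvent:
    device_id: str
    app_version: str
    threat_type: str  # e.g. "hooking", "root", "tampering", "debugger"
    timestamp: datetime

@dataclass(frozen=True)
class CrashReport:
    crash_id: str
    device_id: str
    app_version: str
    timestamp: datetime

T0 = datetime(2023, 6, 1, 12, 0, 0)  # constructed reference time
THREATS = [
    ThreatEvent("dev-A", "3.2.0", "hooking", T0 + timedelta(seconds=10)),
    ThreatEvent("dev-B", "3.2.0", "root", T0 - timedelta(hours=3)),
    ThreatEvent("dev-D", "3.1.0", "tampering", T0 + timedelta(seconds=40)),
]
CRASHES = [
    CrashReport("c1", "dev-A", "3.2.0", T0 + timedelta(seconds=30)),  # hooking 20 s before
    CrashReport("c2", "dev-B", "3.2.0", T0),  # root event hours earlier, outside the window
    CrashReport("c3", "dev-C", "3.2.0", T0 + timedelta(minutes=1)),  # no threat at all
    CrashReport("c4", "dev-D", "3.1.0", T0 + timedelta(seconds=20)),  # tampering came after the crash
]

def correlate(crashes, threats, window=timedelta(minutes=5)):
    """Map crash_id -> sorted threat types seen on the same device and app version
    within `window` before the crash; an empty list points to a plain coding bug."""
    by_key = {}
    for t in threats:
        by_key.setdefault((t.device_id, t.app_version), []).append(t)
    return {
        c.crash_id: sorted(
            t.threat_type
            for t in by_key.get((c.device_id, c.app_version), [])
            if c.timestamp - window <= t.timestamp <= c.timestamp
        )
        for c in crashes
    }

def attacked_versions(threats):
    """Threat events per app version: the 'which versions are attacked' view."""
    return Counter(t.app_version for t in threats)
```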

As you can see, mobile app security should not be a binary, on-or-off concept, and
developers can’t rely on a single mechanism to protect their applications. Defense
in depth can only be achieved through dynamic, layered, and constantly evolving
security measures. Ultimately, developers who prioritize security at all stages of
mobile app development will reduce the time associated with mitigating risks and
deliver secure apps faster.

Real-world examples of mobile app sec programs
To help companies across gaming, fintech, IT, health, and other industries,
Guardsquare has developed a suite of tools to protect, test, and monitor mobile
apps. Here’s a look at how two real-world companies use Guardsquare solutions
to bolster their mobile app security.

Use case: Financial services

A Brazilian bank with nearly 6 million customers understood the importance
of secure app development. Their internal mobile app dev team conducted
penetration testing and identified exposed data, credentials, and API paths. They
needed a solution that would help address these vulnerabilities and help them
meet the stringent requirements of privacy and security regulations.

“Secure app development is a critical part of what we do, so we need to start with all
the necessary security controls and mechanisms, especially with so much of our
business being conducted through mobile apps.”
– Cybersecurity Coordinator at financial institution

The bank utilized Guardsquare’s iXGuard (for iOS) and DexGuard (for Android)
to protect their mobile applications, applying code hardening and automatically
injecting runtime application self-protection (RASP) checks. They also took
advantage of the real-time threat monitoring capabilities of ThreatCast. Not only
did these solutions protect their mobile app against hooking, cloning, recompiling,
and more, but they also helped this financial services company to achieve and
maintain compliance with local government regulations, like the LGPD.

Use case: Video software

A leading photo and video software company was facing continuous attacks.
Malicious actors had figured out how to attack the mobile app through the
Google Play licensing check. With this access, actors were able to copy and pirate
the app. At one point, 40% of users were using pirated versions of the app. The
development team knew they had to act fast.



“Secure application development is a huge priority for us,
so we knew we needed a better way to protect our app from
these types of attacks.”
– Director of Android Development at video software company

The development team was already using ProGuard to optimize the app. They
decided it was time to prioritize security and use DexGuard as well. DexGuard’s
features made it more difficult for attackers to clone or repackage the application.
And with Guardsquare’s help, the company was able to analyze past app attacks
to find security problems and give the company more solutions to strengthen its
security.

Guardsquare can help

Guardsquare offers a full suite of solutions that integrate into existing development
workflows to achieve advanced threat protection that won’t delay your release
schedule.

Executive Summary (TL;DR):

• Developers are being called on to reevaluate their mobile app security architecture,
educate themselves on security best practices, and implement them throughout their
dev lifecycle.
• A robust security posture is supported by 3 security pillars: protect, test, and
monitor.
• Commit to shifting from DevOps to DevSecOps by combining security tools and
AppSec best practices.


For more information on Guardsquare’s dev-friendly security tools, request a quote.



Developer-friendly mobile app sec tools that protect, test, and monitor.

Guardsquare offers the most complete approach to mobile application security on the
market. Built on the open source ProGuard® technology, Guardsquare’s software
integrates seamlessly across the development cycle. From app security testing to code
hardening to real-time visibility into the threat landscape, Guardsquare solutions
provide enhanced mobile application security from early in the development process
through publication.

More than 850 customers worldwide across all major industries rely on Guardsquare to
help them identify security risks and protect their mobile applications against reverse
engineering and tampering.

The creators of ProGuard www.guardsquare.com © 2023 Guardsquare - All rights reserved
