Defense in Depth: A Layered Approach to Mobile App Security
The first pillar of a strong mobile security strategy is the implementation of advanced protection techniques. Developers should start by defining the threat model they’re protecting against. For example, the developers of a gaming app may be concerned with cheating, while the developers of a banking app may be concerned with protecting against financial fraud. It’s important to understand which attack vectors a threat actor may try to exploit, as well as the method they would implement to do so. This approach enables developers to make informed decisions about which protection techniques are appropriate for their app. Guardsquare suggests a combination of mechanisms from both of the following categories:
Key takeaway
Developers are often concerned that protection mechanisms increase the size of the mobile app and slow its performance. When considering security solutions, choose one that supports configurability. This allows you to control which parts of the code are protected and how aggressive the protection mechanisms are, ensuring that they won’t negatively impact your app’s size or performance. These configurations should be stored in configuration files that can be easily managed as part of your code repository.
Key takeaway
Seek testing solutions that integrate seamlessly into your existing workflows. A few things to consider when choosing a testing solution:
• Make sure scan times are fast enough to integrate into your pipeline.
• In addition to flagging vulnerabilities, the tool you choose should also provide actionable recommendations that set developers on the right path for quick and effective remediation.
• To establish security as a repeatable practice, look for tools that offer automated scanning, ensuring regular and reliable feedback.
• Prioritize a tool that integrates with commonly used build tools, like Gradle, Bitrise, Jenkins, or GitHub.
Threat monitoring is the third pillar of a comprehensive mobile app security strategy. While testing for security risks will significantly improve a mobile app’s security posture, testing tools provide no insight into what happens to the app after it is downloaded onto a user’s mobile device. Threat monitoring provides real-time information on the environments in which the app is running.
Our internal data shows that out of 40+ million daily active devices using Guardsquare’s threat monitoring solution, ThreatCast, approximately 2% are triggering at least one threat. That’s 800,000 devices per day!
Automation can play a key role in the threat monitoring pillar as well. Developers should seek solutions that automate both the injection of monitoring points in the code and the collection, processing, visualization, and sharing of the resulting data.
Key takeaway
Beyond identifying threat actors in real time, data gathered from threat monitoring can be leveraged to provide additional context around security efforts. Developers can drill down into specific events to analyze threat actors’ attempts at reverse engineering and tampering, identify common attack vectors, and possibly mitigate them in a future release before a breach occurs.
One example of this is correlating threat data with the reports from your crash analytics tool (e.g., Crashlytics). This may let you distinguish crashes caused by an end user tampering with your app from crashes caused by a coding issue that needs to be addressed.
As you can see, mobile app security should not be a binary, on-or-off concept, and developers can’t rely on a single mechanism to protect their applications. Defense in depth can only be achieved through dynamic, layered, and constantly evolving security measures. Ultimately, developers who prioritize security at all stages of mobile app development will reduce the time spent mitigating risks and deliver secure apps faster.
The bank utilized Guardsquare’s iXGuard (for iOS) and DexGuard (for Android) to protect their mobile applications, applying code hardening and automatically injecting runtime application self-protection (RASP) checks. They also took advantage of the real-time threat monitoring capabilities of ThreatCast. Not only did these solutions protect their mobile app against hooking, cloning, recompiling, and more, but they also helped this financial services company to achieve and maintain compliance with local government regulations, like the LGPD.
The development team was already using ProGuard to optimize the app. They decided it was time to prioritize security and use DexGuard as well. DexGuard’s features made it more difficult for attackers to clone or repackage the application. And with Guardsquare’s help, the company was able to analyze past app attacks to find security problems and give the company more solutions to strengthen its security.
• Developers are being called on to reevaluate their mobile app security architecture, to educate themselves on security best practices, and to implement those practices throughout their development lifecycle.
• A robust security posture is supported by 3 security pillars: protect, test, and monitor.
• Commit to shifting from DevOps to DevSecOps by combining security tools and AppSec best practices.
Guardsquare offers the most complete approach to mobile application security on the market. Built on the open source ProGuard® technology, Guardsquare’s software integrates seamlessly across the development cycle. From app security testing to code hardening to real-time visibility into the threat landscape, Guardsquare solutions provide enhanced mobile application security from early in the development process through publication.
More than 850 customers worldwide across all major industries rely on Guardsquare to help them identify security risks and protect their mobile applications against reverse engineering and tampering.