A wide array of security tools is available to handle the threats facing desktop and server-centric code running in untrusted environments. But what about the newer mobile devices? Consumers are downloading applications by the billions, and these applications may be at risk from hackers who are able to pirate or reverse engineer them. Are tools available to protect your IP?
Last week, I spoke with Vince Arneja, vice president of product management at Arxan Technologies, about their product launch of EnsureIT for Apple iOS. This product is designed to protect applications running on Apple’s iPhone or iPad against reverse-engineering or tampering for unauthorized access, piracy and insertion of exploits. He explained:
Our technology introduces itself right into the build process. Typically a customer will use our type of product to obfuscate the code that is written by the developer, so that code is inherently harder for a hacker to understand the logic of and subsequently be able to manipulate.
I asked whether obfuscation had the potential for causing performance problems.
Absolutely, it can. A lot of that is controllable by introducing it into the build process. The technology can have an adverse effect on performance, but it’s all manageable. There’s a balancing act that needs to be assessed for any aspect of security. In the case of the application, [you’d ask the question] how much security do I want to introduce and still balance the performance that my customer expects? The tuning that can be accomplished is all part of what we call, ‘a guard specification style.’
Arneja went on to explain the configurations that can be done to create the appropriate balance of security and performance.
Curious about obfuscation tools and whether or not their use would grow as a means to protect mobile and embedded applications, I spoke with some analysts in the industry. In "Application security hardening for mobile and embedded software," Bob Walder, Research Director at Gartner, said of code obfuscation:
Code obfuscation is the more widely adopted and more-mature method of protecting applications, but estimated adoption rates are still in the high single digits, because most organizations are unaware of its benefits until they directly experience the theft of IP or an attack from an application compromise. Furthermore, for application protection techniques that rely on the insertion of code, development organizations may be reluctant to allow the injection of new code into an application from a source other than a developer.
What are your thoughts?