You’ve just built an Android* app. It’s tested and polished and you’re proud of it. What’s the next step? Rush the app into an online store? Not according to Patrick Kehoe, chief marketing officer for Arxan. He would urge you to protect your intellectual property before exposing it to hackers. “If you don’t take the last step to harden an application and protect it from reverse engineering and runtime attacks, then all the time and money you invested in the application could be lost—and you are increasing your odds of becoming the victim of fraud, piracy, and IP theft that leads to financial loss and brand damage,” he said.
Arxan’s EnsureIT* application-protection solution is now optimized to work on Intel®-powered Android* devices. Arxan and Intel have worked together for many years, most recently focusing on the protection of IoT applications running on Intel® processors. “Our discussions eventually led to our support for Intel-based Android devices,” Kehoe said. “We started to see a good amount of market demand for this Intel platform from gaming developers and from digital media companies that wanted to run their applications on the new platform. We strategically decided to add the support to address the strong market demand.”
Arxan’s patented guarding technology defends applications against attacks, detects when an attack is being attempted, and responds to detected attacks with alerts and repairs. Arxan’s security products protect the confidentiality of applications (which can be compromised by reverse-engineering) and the integrity of applications (which can be sacrificed through tampering, malware insertion, and other types of attacks). Arxan inserts tiny code “guards” into the application binary to “lock down” applications against attacks, using obfuscation, encryption, cryptographic key transformation, and other techniques.
Arxan began as a DOD initiative when Pentagon officials worried that missile technology and military software could end up in the wrong hands. If enemies were able to reverse-engineer the code, they would get easy access to many secrets about how U.S. armed forces controlled their weaponry. Arxan’s clever solution proved effective, and the Maryland-based company quickly realized that they could apply their approach to medical devices, financial services, banking applications, the software that governs access to digital media, and other areas. They’ve never looked back.
In the past when applications were run inside data centers, hackers had just a few “attack areas” to pursue, focusing on remotely exploiting flaws and defects in the application code. Now, with the growing adoption of cloud and mobile, apps are released and deployed “out in the wild” where the attacker can easily compromise the application binary in ways that were not possible with traditional web and data center applications. Apps with unprotected binary code are at risk because it’s quite easy for a hacker to reverse-engineer binary code back to source code. With access to the source code, attackers can do lots of things—like copy the logic, modify and repackage the code, or inject malicious code.
According to Arxan’s research, as presented in a recent State of Mobile App Security infographic, most apps have in fact been hacked, perhaps as many as 97 percent of Android apps.
Given that so many apps are now exposed out in the wild, and given the extent to which hacking is occurring, Kehoe believes that a new security paradigm is required. Most web applications running in data centers have robust firewalls that secure them, and that tends to be sufficient protection. For the future, Arxan predicts that hybrid applications, which leverage native code on the mobile device and server-based code, will be the new trend. Traditionally, most organizations have focused on network and device protection, but with more native code and hybrid applications out in the wild, Kehoe believes that it’s time to double down on application self-protection.
“We built this solution to minimally impact the developer’s life,” Kehoe said. “We know developers are under enormous pressure to get new functionality out into the market very quickly. We can ensure the security of their work without causing too much effort because there is no need to change source code. It’s a step they should take to protect themselves, or all their work is at risk.”