As hackers become increasingly adept at targeting smartphones, app security has become a pressing issue. Attackers can exploit vulnerabilities in mobile software to spy on users, grab their data, or even steal their money. In response, security companies are increasingly touting a feature called “application shielding,” a process that obfuscates an application’s binary code, ostensibly making it harder for hackers to reverse-engineer.
Application shielding is mainly used to protect intellectual property and cut down on piracy; the techniques modify a service’s application code, making it more difficult for someone to tamper with it, or to figure out how to remove digital rights locks and steal media like music or movie files.
Over the past few years, though, the term has evolved to encapsulate other features as well. Sometimes called “binary protection,” shielding can run integrity and validity checks to ensure that an app is running in a safe, untainted environment. It can also include biometric authentication checks to make it more difficult for hackers to analyze an application’s binary to look for ways of attacking it.
While many of these mechanisms do help strengthen app defenses, security engineers note that mobile application shielding is still evolving as a concept. And they suggest that some of its purported benefits, like deterring hackers by occluding an app’s binary code, may be overstated.
“I suspect many of these mobile shielding techniques will evolve into either standard development libraries or just standard coding practice and may see an uptick in adoption more quickly among financial enterprises and other high-value environments,” says Kenn White, director of the Open Crypto Audit Project. “But other tactics, like obfuscation, are of more dubious value. An attacker should be able to know everything there is to find about your system without it giving them an advantage.”
Think of shielding code like hiding a safe behind a painting. If you have a secure enough lock, it shouldn’t matter who can see it.
Still, application shielding—and the lack thereof—has garnered attention of late. One study released at the beginning of April (and commissioned by Arxan, an application security company that sells mobile shielding tools) assessed the security of 30 financial services apps for Android downloaded from the Google Play Store. It found numerous basic security issues in the vast majority of the apps, including weak encryption, features that leaked data, and architecture issues where apps stored user data in insecure locations.
Alissa Knight, a senior cybersecurity analyst for the advisory firm Aite Group who conducted the research, told WIRED at the end of March that she considered the lack of shielding to be surprisingly careless. Without it, Knight was able to pull out things like private authentication certificates and keys to the directories an app uses to access data. And Knight says that the most important weakness she found in 29 out of the 30 apps tested was a lack of binary obfuscation.