October 4, 2024
With the introduction of the new guided workflow to Guardsquare's robust, multi-layered protection, which facilitates publishing a well-protected app in less than a day, we are highlighting some of the ways in which we have made this market-changing approach possible. In this blog, we highlight instrumentation and profiling as key aspects of seamlessly integrating a compiler-based protection technology solution like Guardsquare.
Our products go beyond the simple integration of a security library. We start by instrumenting your application, collecting metadata about your application (e.g., names of classes, methods, strings) along with context about the performance characteristics of your application. This metadata and the profile of your application ensure we can apply meaningful protections in a way that does not impact or compromise your app’s stability and performance. The instrumentation optimizes performance, avoids crashes, and allows for fine-grained control over defining the security-sensitive entities of your app that require the strongest protections. This makes sure that the protection applied is not only comprehensive but also tailored to the unique needs of your mobile application.
What is instrumentation and profiling?
Let’s dive a bit deeper into instrumentation and profiling: what is the exact purpose of this step and why is it needed?
Because of Guardsquare’s compiler-based nature and our firm belief that multiple layers of protection are necessary to ensure a well-protected mobile app, we do not offer a one-click solution. In order to obtain a mobile app with the highest level of protection in the easiest possible way, our obfuscation techniques transform your code at the byte level, and we automatically inject code snippets to secure your app at runtime. This is invaluable for your application’s security posture, but some of these transformations could lead to introducing instabilities with your protected app. For example, the use of name obfuscation can introduce problems when reflection is used in your code. Enabling RASP protections (e.g., debugger detection, hook detection) results in code snippets being injected in several areas throughout your code and, if developers are not careful or skilled in this area, can cause lag in performance sensitive areas of your app.
Let’s tackle these aspects separately.
App stability
Mobile applications’ source code increasingly makes use of reflection. This makes perfect sense because reflection is a powerful technique that allows a program to introspect its own structure and behavior at runtime. It enables one to dynamically inspect classes, properties, functions, and more. This is very useful for scenarios where you might not know the structure of a class at compile time.
How Guardsquare simplifies security without compromising stability
During the obfuscation process, Guardsquare renames classes, methods, and fields to make decompiled code difficult to understand, providing a strong defense against reverse engineering. However, renaming entities accessed via reflection can disrupt their accessibility at runtime, potentially causing app crashes.
Guardsquare mitigates this by ensuring these changes don’t impact your app’s performance or user experience. We've developed a reliable solution to ensure your app stays stable and secure: instrumentation and profiling.
While, at first glance, it might seem strange to - for the sake of increased efficiency - introduce an additional step before coming to a first protected build, in-depth profiling of your application is essential in order to ensure that your application remains stable after protection.
It involves the creation of an instrumented build of your application. An instrumented build is an unprotected build that can collect signals related to occurrences of reflection while executing the app, aka the profiling phase. So, during profiling, instead of crashing the app, it will keep track of all the code invocations using reflection.
To achieve the best results, it's vital to profile as many code paths as possible within your app. Certain entities may only be partially accessed through reflection, depending on the specific code path being used.
By profiling the maximum number of paths possible, profiled code paths are assured they will have continued stability after applying Guardsquare protection mechanisms.
App performance
A strong RASP solution will automatically inject code snippets throughout the application, and, polymorphically, with every produced build at different locations. This polymorphism is good for your app’s security, as attackers cannot use prior knowledge of previous releases to identify the locations where the runtime defenses are injected. However, you need to take steps to ensure checks are not injected into a performance-critical method, causing performance issues for your app.
Instrumentation and profiling allows us to collect some runtime statistics to identify your application’s hot-code areas so that we do not inject any snippets in those areas. That way, your app can also be optimally secured at runtime without performance degradation.
Measuring your profiling progress
In order to help you achieve the right level of profiling, we have designed the profiling page as part of Guardsquare’s new guided configuration. It gives users clear guidance about which code paths in the instrumented build were already touched during the profiling run.
The first indicator is the function coverage. Calculated as functions_executed_during profiling/total_functions_in_the_code base, this is a high-level indicator of progress. In almost all cases, it is impossible to achieve 100% function coverage. This is, among others, hindered by:
- Included 3rd party SDKs where the app only makes use of a subset of the available functionality
- Code paths which will only get executed on specific device models or OS versions
However, the % indicator and the entity tree give a good overview of the touched code.
Actionability becomes even greater when clicking the other progress indicators, such as UI coverage and stability coverage:
- UI coverage keeps track of all the screens present in the app and how many of them were already touched during profiling. By exploring the tree view, you can directly identify which screens still remain untouched and directly navigate towards them.
- Stability coverage works similarly to UI coverage but focuses on areas within your mobile application where app stability is potentially endangered after applying our protection techniques. During the instrumentation of your app, we have inserted some markers to guide you in an actionable way toward executing the related classes and methods during profiling.
Such collected profiling data allows Guardsquare to achieve a clear understanding of how your app is structured and its inner workings without requiring you to share any source code or binaries. It allows us to arrive at a strong core protection configuration tailored to your application, which preserves the stability and performance after protection.
Profiling is the foundation of a solid compiler-based security approach. By thoroughly completing this step before generating the first protected build, you ensure enhanced stability and minimize performance impact during the code hardening process, without compromising security. This allows you to focus future iterations on strengthening your app’s security rather than troubleshooting stability or performance issues. Every seasoned ProGuard/R8 developer knows how frustrating it can be to update and maintain -keep rules.
Frequency and depth of profiling
As the trend toward more complex super-apps continues, we understand that in-depth profiling may seem time-consuming and complicated. However, profiling is crucial for developing a stable and customized security approach tailored to your application and use cases rather than opting for a one-size-fits-all solution that compromises security for ease of use.
The profiling process doesn’t have to be done all at once or by a single individual. Teams can collaborate seamlessly across multiple sessions, running the instrumented app on various devices in parallel. Each team member can focus on different functional aspects of the app, enhancing overall efficiency.
Once you've established a solid initial level of profiling coverage, there's no need for a profiling session with every subsequent protected build. Codebases typically don’t change rapidly, making it impractical to conduct new profiling after every code commit.
We've added indicators on the protected builds page to help you gauge the evolution of your code since the last instrumentation and profiling session.
Additionally, you can reuse profiling data from previous runs, allowing you to concentrate on newly introduced screens, functionalities, or refactored areas of the code rather than starting from scratch each time.
While the initial in-depth profiling of your application may take a few hours, subsequent profiling runs will be significantly more efficient. With effective instrumentation and profiling, in less than a day developers can achieve a well-protected app.
Thinking ahead, consider automating some profiling runs as part of your automated UI tests. Taking this approach can enhance your automated app testing coverage while simultaneously improving the stability of your protected app.
Conclusion
In summary, this article highlights the essential role of instrumentation and profiling in ensuring that DexGuard and iXGuard effectively safeguard your app while maintaining optimal stability and performance. Although these processes require careful attention and may take some effort to complete, the payoff is significant: with Guardsquare’s guided configuration, you can achieve a protected app in less than a day. The user-friendly and intuitive interface streamlines the entire process, making it easier to navigate the necessary steps for robust security. This powerful combination empowers you to enhance your app's protection with confidence, making it easier than ever to implement robust protection without sacrificing performance.
Learn more about how our new guided workflow can help protect your mobile app.
