For many organizations, mobile applications are their most vulnerable asset from a security perspective. There are many reasons for this, ranging from the personal nature of mobile apps to misconceptions about iOS security to the focus on rapid delivery of apps and features at the expense of thorough security precautions.
Hackers know that mobile apps are often vulnerable and commonly look to tamper with unprotected mobile apps at runtime. Consequences of this tampering could include data loss, intellectual property theft, financial loss and reputational damage. According to the OWASP Mobile Security Project, code tampering is among the top 10 mobile security threats for organizations.
For these reasons, anti-tampering protection, otherwise known as runtime application self-protection (RASP), is an essential part of any mobile app’s security defense strategy. Here’s a deeper look at why.
Anti-Tampering Protects the App from Dynamic Analysis and Live Attacks
While code hardening is essential to protect applications and SDKs from reverse-engineering and static analysis, anti-tampering functionality protects the app against attempts to analyze its functioning and modify its behavior at runtime. It monitors the integrity of the application and the environment in which it is running and triggers the application to react to detected threats.
Anti-Tampering Monitors Both the App and its Environment
Anti-tampering protection monitors both the application itself and the environment in which it is running, covering the full spectrum of runtime threats and attacks.
A compromised environment signifies an increased risk that the app will be attacked. For example, RASP can detect whether an application is installed and running on a jailbroken (iOS) or rooted (Android) device, which could allow the user to compromise the app or alter its functionality. Two major iOS jailbreaking exploits, checkra1n and checkm8, surfaced in 2019, which increased the risk of new attack vectors making their way into developers’ applications.
Besides environment threats, anti-tampering detects attempts to compromise the application package (app threats) and attempts to modify the intended behavior of the application (code threats). To ensure the application is not tampered with, RASP provides functionality such as hook detection, code tracing detection and tamper detection.
Applications React in a Pre-Programmed Manner
Apps that have anti-tampering protection are able to react in an automated, pre-programmed way to runtime attacks on both the app and its environment. Think of RASP as a fully self-contained protection mechanism.
Based on the detected threat, development teams can have their applications react in a number of different ways. The user’s session can immediately be terminated, for instance when a RASP implementation detects an attempt at modifying the app’s intended behavior through hooking. Other possibilities include displaying a warning message or limiting the functionality a user can access to prevent abuse.
Detecting and eliminating this type of activity in an automated way can protect the organization and reduce the burden on security and development teams.
Rounding out Your App Security Coverage
It’s important to note that RASP doesn’t defend against all classes of vulnerabilities on its own. As mentioned above, even with RASP, hackers can still attempt to reverse-engineer apps to steal data and intellectual property. Because of this, both RASP and code-hardening techniques are essential and complement each other. For example, the code hardening technique of obfuscation will protect a RASP implementation, making it much more difficult for a hacker to remove.
Therefore, it’s important to apply code-hardening techniques such as obfuscation and encryption to your app’s source code to prevent such attacks from occurring.
Finally, all organizations should round out their app security coverage with real-time threat monitoring to reinforce RASP anti-tampering protection and code hardening. These monitoring systems will flag and contextualize security events so teams can continually adapt their defenses to protect against emerging threats.