Protecting hybrid apps from attackers [Q&A]
How can businesses prevent this and keep their apps and the data they handle safe from hackers? We spoke to Andrew Whaley, VP of engineering for Europe at application protection specialist Arxan Technologies, to find out.
BN: What makes hybrid apps uniquely vulnerable?
AW: Companies have to put their apps out there and once they do they're necessarily exposed. What some of these apps are doing is quite sensitive: the way the authentication works, biometric profiling of users and so on. There's a lot of sensitive material in there, and even just the way the back-end APIs work can be useful to an attacker.
BN: How are you protecting these apps?
AW: We're using a technique that involves a combination of obfuscation and runtime protection, which helps keep apps secure. Obviously it's not infallible; if someone is prepared to put enough effort in they could bypass it, but it does make it much harder for the attackers. At Arxan we've spent a lot of time creating a product for hybrid apps that will match the security capabilities that are available on the native side.
BN: How does that work, are you putting another layer in between the application and the OS or the outside world?
AW: We also hide data values, so even if you can debug it and see what's going on inside it, it's very hard to make sense of because the program has been transformed from its original state.
BN: Is it possible to improve the protection further?
BN: So all of this is built in at the developer stage?
AW: There are other tools that do something similar, but one of the problems is that their runtime protection is layered on top after the obfuscation. That makes it too easy, in our view, to separate the two. What we wanted to do was take an approach where we applied the integrity protection first, then obfuscated the whole thing. This makes it much harder for the attacker to work out what was the original code and what was the protection, and to separate them.
BN: Is this platform agnostic?
AW: Yes, as long as the engine is ES5- or ES6-compatible it will work. The technology isn't just limited to mobile apps either; it works in browser apps as well.
BN: Does this tie in with protecting data at rest and in transit via encryption?
AW: Most of our customers are already encrypting their data. The problem they have is that the APIs used for that encryption are vulnerable. It can be pretty trivial for an attacker just to call the relevant functions and get information decrypted. This further highlights a need to protect the application code and make the decryption routines harder to find.
BN: Who is the target customer, is it finance or eCommerce?