What is Runtime Application Self-Protection (RASP)?
Runtime Application Self-Protection (commonly known has RASP) is a security technology that can detect and block attacks in a completely self-contained manner: ie: by using information from inside the running software. In mobile, that means building security INTO your mobile app so that the app can defend itself against attacks without relying on external technology (such as firewalls, VPNs, intrusion prevention technology, etc). RASP improves the security of software by monitoring its inputs, and blocking those that could allow attacks to occur, while also protecting the runtime environment from unwanted changes and tampering. RASP-protected applications rely less on external devices like firewalls to provide runtime security protection.
- NOT a separate app that monitors other apps or the device. First, if the solution relies on other things outside the app, it’s not RASP (the “SP” in RASP means ‘self-protecting’). Second, a separate app is a band-aid approach that puts the burden on the user, and there’s no good way to ensure that the protection is enabled because the user can simply forget to run the app, or they can ‘swipe up’ to disable it.
- NOT a separate app that requires the device to be enrolled in MDM or install a ‘management profile’. That’s even worse. First of all, this approach does not work for B2C or ‘consumer’ apps (such as mobile banking apps or fintech apps like Square’s Cash App). Why? Because the mobile app maker doesn’t control or own the device. That’s what this Check Point article is about. Further ‘mobile management’ or MDM is NOT Mobile Security.
Build protections INTO the App for self-defending apps – No coding required
On the other end of the spectrum are solutions that place all the work on the mobile developer (eg: “here’s 5 SDKs to implement. Go rewrite your app. Good luck”). SDKs can indeed give you ‘in-app’ security. But they put all the work on the mobile developer. A better approach is to use a No-code solution that doesn’t put all the burden on the mobile developer and extend release cycles.
The only way to build security into apps quickly is to automate the process. Appdome is a self-service, choice-driven mobile security and development platform that enables developers or non-developers to select specific features or groups of features across different mobile security categories, and deliver those capabilities inside any iOS or Android app in minutes, with no code or coding. Feel free to skip to the end of this blog where I’ve included a video of me implementing 10 or so mobile app security features in Square’s Cash App in less than 5 minutes. The end of the video shows me logging into the newly built Cash App with my own account. Here are some specific use cases to describe how to build self-defending apps with RASP protection inside:
Use Case 1: MOBILE BANKING and FINTECH – Protect User Data
- Some key considerations to protect banking and other apps that hold extremely sensitive data (such as PII): Protecting user data inside the app and as it travels over a public network
When talking about data encryption, it’s important to protect mobile data in all 3 states in which data exists in an app: Data at rest, Data in transit, and data in-use (aka: data in memory). Here’s how you can protect and encrypt data in all 3 states using Appdome:
- Data at rest encryption
- Protecting Mobile data in transit:
This includes things like protecting the app and user from Man-in-the-middle (MiTM) attacks, ensuring that all transport is secure and encrypted. You can also verify that all the certificates in the chain of trust are valid and that the correct version of TLS is implemented. This prevents ‘version attacks’, where the attacker manages to interrupt the TLS handshake and get one of the endpoints to ‘downgrade’ to a version of TLS which includes security vulnerabilities they can exploit – usually without anybody knowing the downgrade occurred.
- Data In Use encryption (aka: in-memory encryption) – This protects transient data that is stored in memory while the app is being used. Attackers know that lots of mobile developers routinely overlook protecting the encryption keys and app secrets. A simple memory dump can produce a pot of gold for hackers. If they can steal the keys, then then they can steal the data.
No-code encryption also provides comprehensive encryption coverage (not all data exists in the app sandbox). Developers should also encrypt in-app preferences, encrypt strings and resources. Other developers may want more control over the encryption model itself. No problem. You can generate an external data seed, implement secure download, exclude certain low-risk files from encryption, encrypting offline data, and more.
Use Case 2: MOBILE GAMING – Prevent Fakes, Mods, and Cheats
- Prevents fake apps, app modifications (“MODS”), prevents fraudsters from re-packaging and re-signing apps, then re-distributing them on questionable app stores.
To illustrate just how easy this is, check out this YouTube video of a mobile gamer demonstrating how to use an emulator to cheat in a mobile game (Jurassic Park). The hacker uses an emulator to create his own “MOD” or patch for Jurassic Park, in which he changes the logic of the “in-app purchase” workflows – giving himself enough “Jurassic credit’ such he can make in-app purchases within the game for free. And he does this live in less than 5 minutes.
The key to prevention is to make it difficult for hackers to learn how your app works in the first place. And that starts with basic protections like anti-tampering and anti-reversing. There’s also anti-debugging, app integrity/structure scan, and checksum validation.
No-code Obfuscation transforms binary code in such a way that makes it extremely difficult to impossible for hackers to understand how it works, making any attempt to reverse-engineer the app infeasible. Appdome’s Obfuscation includes the following RASP features: binary code obfuscation, Flow relocation, Non-native code obfuscation, strip debug information.
And it’s not enough to just obfuscate some parts of your code and call it a day. Professional hackers have many ways to attack an app, and if one method doesn’t work, they move on to the next. So you need multiple detection mechanisms and you need to protect at different layers in the app’s technology stack. Here are a few specific KBs that go into each of these topics in depth.
Use Case 3: RASP for Penn-testers
Appdome’s Mobile RASP solution is comprised of security technology that contains runtime instrumentation inside the app itself, which enables the app to be self-defending against threats. Since most mobile apps do not come with RASP security out-of-the-box, customers use Appdome to deliver RASP capabilities inside their own apps or apps they license from 3rd parties.
Below the two most common use cases where these features are critical. For each use case, I’ll explain not only the “why”, but also the “how”. Each use case includes specific features to solve the use case. And each feature links to a KB article or video that explains how anybody can fulfill the use case in 5 minutes or less. Oh and by the way, for pen-testers and customers of pen-testers, keep reading if you want to advance the pen-test from being ‘informational’ (ie: here’s a bunch of vulnerabilities that you probably won’t fix) to being ‘actionable’: Here are the steps:
- Find vulnerabilities using your favorite application scanning toolset
- Upload app binary to Appdome
- Select the specific features based on the vulnerabilities you found
- Click “Build My App”.
- Re-scan the app to verify that the vulnerabilities have been fixed. If not, rinse and repeat.
All these use cases can be accomplished in 5 minutes or less for any app no matter how the app was built.
Appdome works with app binaries, so there’s no need for source code. Customers select their required security features from our Mobile Security Suite and build RASP protection directly into their existing apps in minutes. And Appdome works with all apps, all frameworks, all platforms (in other words, Appdome developers are free to build apps in whatever tool, method or app development framework they like – Appdome supports them all – out of the box). This lets developers and enterprises build and deliver their own customized mobile security solutions into any Android and iOS app across any app framework. Appdome takes the complexity out of mobile app security by automating the process for mobile developers. This enables developers to take a ‘defense in depth’ approach and create a layered security solution that spans every major mobile security category.
Tune in to my next blog where I’ll cover additional RASP use cases in healthcare and retail.
Check out this video where I implement a full suite of mobile app security and RASP features in the Square Cash app in less than 5 minutes end to end.
How to build runtime application self-protection (RASP) in Square Cash App in 2 min