Appdome offers the industry’s most extensive and easiest to deploy Mobile Runtime Application Security Protection (Mobile RASP) on the market today. Appdome is a self-service, choice-driven mobile integration platform which enables our customers to select specific features or groups of features across different mobile security categories, and deliver those capabilities inside any iOS or Android app in seconds, with no code or coding.
On Appdome, mobile developers and non-developers create self-defending apps by selecting their required security features and solutions from the Appdome Mobile Security Suite and building RASP protection directly into their existing apps – no matter how they built the app! This lets developers and enterprises build and deliver their own customized mobile security solutions into any Android and iOS app across any app framework. Appdome takes the complexity out of mobile app security by automating the process for mobile developers. Appdome delivers a ‘defense in depth’ approach enabling customers to create a layered security solution that spans every major mobile security category. Appdome empowers enterprise developers and non-developers to embed capabilities inside their mobile apps to protect against every possible threat vector targeted at their mobile apps, mobile channels, users and data.
USE CASES – Creating Self-Defending Mobile Apps
Appdome’s Mobile RASP solution is comprised of security technology that contains runtime instrumentation inside the app itself, which enables the app to be self-defending against threats. Since most mobile apps do not come with RASP security out-of-the-box, customers use Appdome to deliver RASP capabilities inside their own apps or apps they license from 3rd parties.
Below are the two most common use cases where these features are critical. For each use case, I’ll explain not only the “why” but also the “how”. Each use case includes specific features to solve the use case, and each feature links to a KB article or video that explains how anybody can fulfill the use case in 5 minutes or less. If I’ve learned anything in lockdown, it’s that talk is cheap. For one, I’m personally fed up using mobile apps that don’t protect my data (which is pretty much most apps on my phone… as well as your phone, your kids’ phones, and your family’s phones). I’m also tired of vague, amorphous security solutions that either place all the work on the developer (e.g. “here’s 5 SDKs, implement them, have at it”) or don’t address the root-cause problem (e.g. “hey, install this separate app that requires a management profile on your phone”, which the user can simply ‘swipe up’ to turn off). Oh, and by the way, for pen-testers and customers of pen-testers, keep reading if you want to advance the pen-test from being ‘informational’ (i.e. here’s a bunch of vulnerabilities that you probably won’t fix) to being ‘actionable’ (fix vulnerabilities “abc” by uploading your app, selecting features ‘xyz’, clicking “Build My App”, and testing the solution immediately).
Every feature below can be accomplished in 5 minutes or less for any app no matter how the app was built.
MOBILE BANKING and FINTECH – Protect User Data
Study after study shows that many mobile banking and fintech apps do not include even the most basic protections to safeguard user data. Verizon’s annual Mobile Security Index is a good source of information, but there are many more. Here’s a good third-party article by Lucas Mearian of ComputerWorld that captures some of the key findings of the Verizon report.
The key issue is protecting user data both inside the app and as it travels over a public network.
- RASP capabilities important to mobile banking encrypt and protect all mobile app data in all 3 states in which data exists in an app: data at rest, data in transit, and data in use (aka data in memory). Here’s how you can protect and encrypt data in all 3 states using Appdome:
- Data at rest encryption
- Protecting Mobile data in transit:
This includes protecting the app and the user from man-in-the-middle (MiTM) attacks by ensuring that all transport is secure and encrypted. You can also verify that every certificate in the chain of trust is valid and that the correct version of TLS is negotiated. This prevents ‘version attacks’ (downgrade attacks), where the attacker interferes with the TLS handshake and gets one of the endpoints to ‘downgrade’ to an older version of TLS with known security weaknesses that can then be exploited – usually without either party knowing the downgrade occurred.
- Data in use encryption (aka in-memory encryption) – This protects transient data held in memory while the app is being used. Attackers know that many mobile developers routinely overlook protecting the encryption keys and app secrets, so a simple memory dump can produce a pot of gold for hackers: if they can steal the keys, they can steal the data.
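A defender-side illustration of the “data in transit” checks above (an added example, not Appdome’s code or part of this post): a hardened TLS client context next to the weak configuration, plus an audit that flags the settings which would let a MiTM or a TLS downgrade succeed. Python’s `ssl` module is used because it exposes the same knobs a mobile network stack does (minimum protocol version, chain validation, hostname matching); the policy values are assumptions for the example.

```python
import ssl

# Assumed transit policy for this example: refuse anything older than TLS 1.2,
# always validate the certificate chain, always match the hostname.
MIN_TLS_VERSION = ssl.TLSVersion.TLSv1_2


def hardened_client_context() -> ssl.SSLContext:
    """Client context that cannot be talked down to an old TLS version."""
    ctx = ssl.create_default_context()     # system CAs, CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = MIN_TLS_VERSION  # refuse TLS 1.0/1.1 even if the peer offers only those
    ctx.options |= ssl.OP_NO_COMPRESSION   # compression leaks plaintext length
    return ctx


def weakened_client_context() -> ssl.SSLContext:
    """The misconfiguration the post warns about: no chain check, any version accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False             # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE        # chain of trust never validated -> trivial MiTM
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED  # a downgrade would be accepted
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Return the policy violations in a context; an empty list means it passes."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not validated (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname is not matched against the server certificate")
    if ctx.minimum_version < MIN_TLS_VERSION:
        findings.append(f"minimum version {ctx.minimum_version.name} allows a downgrade below TLS 1.2")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression is not disabled")
    return findings


if __name__ == "__main__":
    for label, ctx in (("hardened", hardened_client_context()),
                       ("weakened", weakened_client_context())):
        problems = audit_context(ctx)
        print(f"{label}: {'OK' if not problems else str(len(problems)) + ' finding(s)'}")
        for p in problems:
            print("  -", p)
```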
Appdome TOTALData encryption also gives customers immense flexibility in how they deploy and manage their encryption capabilities, including the ability to: encrypt in-app preferences, encrypt strings and resources, generate an external data seed, secure downloads, restore from backup, apply selective encryption, encrypt offline data, and more.
Feel free to skip to the end of this blog where I’ve included a video of me implementing 10 or so mobile app security features in Square’s Cash App in less than 5 minutes. The end of the video shows me logging into the newly built Cash App with my own account.
MOBILE GAMING – Prevent Fakes, Mods, and Cheats
Use case: prevent fake apps and app modifications (“MODs”), and stop fraudsters from re-packaging and re-signing apps and then re-distributing them on questionable app stores.
To illustrate just how easy this is, check out this YouTube video of a mobile gamer demonstrating how to use an emulator to cheat in a mobile game (Jurassic Park). The hacker uses an emulator to create his own “MOD” or patch for Jurassic Park, in which he changes the logic of the “in-app purchase” workflows – giving himself enough “Jurassic credit” such that he can make in-app purchases within the game for free. And he does this live in less than 5 minutes.
The key to prevention is to make it difficult for hackers to learn how your app works in the first place. And that starts with obfuscating your app.
Appdome TOTALCode Obfuscation transforms binary code so that it becomes extremely difficult, if not impossible, for hackers to understand how it works, making any attempt to reverse-engineer the app infeasible. TOTALCode Obfuscation includes the following RASP features: binary code obfuscation, flow relocation, non-native code obfuscation, and stripping of debug information.
And it’s not enough to obfuscate just some parts of your code and call it a day. Professional hackers have many ways to attack an app, and if one method doesn’t work, they move on to the next. So you need multiple detection mechanisms, and you need to protect at different layers of the app’s technology stack. Here are a few specific KBs that go into each of these topics in depth.
- ONEShield includes the following RASP features: anti-tampering, anti-reversing, anti-debugging, app integrity/structure scan, and checksum validation.
As I said, our goal is to make it easy for mobile developers to secure all mobile apps, users, and data using Appdome’s no-code mobile development and security platform, where they can click to integrate mobile RASP in any iOS or Android app in minutes. Using Appdome’s No-Code Mobile App Security you can implement comprehensive mobile app security in less time than it took you to read this blog (or type TL;DR).
Tune in to my next blog where I’ll cover additional RASP use cases in healthcare and retail.
Check out this video where I implement a full suite of mobile app security and RASP features in the Square Cash app in less than 5 minutes end to end.