Minded Security's
Magik Quadrant for Mobile Code Protection shows you our evaluation of
the top vendors in this market, based on our research and experience.
Why care about Code Protection?
There are a lot of reasons to care about Code Protection when dealing with Mobile Applications.
Every year a lot of money is lost due to piracy, intellectual property theft, cracked copyright mechanisms, tampered software, malware, and so on.
Every year a lot of money is lost due to piracy, intellectual property theft, cracked copyright mechanisms, tampered software, malware, and so on.
Mobile Apps are obviously installed client-side, therefore they are under the user's control.
For example, malicious users or competitors could decompile the application and analyse the result.
This could reveal valuable data as proprietary algorithms or intellectual property or allow the attackers to use that information to modify the code, repackage and redistribute it to create a "trojanized" clone of the App in a rapid fashion.
This could reveal valuable data as proprietary algorithms or intellectual property or allow the attackers to use that information to modify the code, repackage and redistribute it to create a "trojanized" clone of the App in a rapid fashion.
Moreover, if the App needs to run on untrusted devices, any malware
could interact with the App at runtime level to steal data (credentials,
credit card number etc.) or bypass security logic (local
authentication, geo-restrictions, custom cryptography etc.).
As you can see a mobile App could be attacked at various layers and with very different goals in mind, creating a very complex problem for those who want to protect their products.
The following diagram shows some of the main attack types.
As you can see a mobile App could be attacked at various layers and with very different goals in mind, creating a very complex problem for those who want to protect their products.
The following diagram shows some of the main attack types.
Why Apps reverse-engineering and tampering are easy?
Many developers do not know how easy mobile application reverse-engineering and tampering are.
Since mobile Apps reside on user's devices and include valuable data
inside - metadata, resources and even the code itself -,
attackers could gather important information just by using publicly
available tools.
In fact, according to the OWASP Top 10 Mobile Risks 2014,
“...it is extremely common for apps to be deployed without binary protection. The prevalence has been studied by a large number of security vendors, analysts and researchers.”
Without protections, it is quite easy to decompile an App to analyse its code (particularly on the Android platform) or to interact with it at runtime level on rooted/jailbroken devices.
How to make it harder?
To make the life harder to the attackers and help protecting valuable data, developers should:
- Harden DRM systems and licensing modules
- Reduce piracy
- Protect intellectual property and personal data
- Secure proprietary algorithms against analysis and reverse engineering
- Harden firmware and OS
- Protect cryptographic keys
- Protect the client side of encrypted communication
- Prevent malware intrusion
Therefore they have to deploy mobile applications with some kind of
protection. To do this they could implement the following techniques:
- Code and Flow Obfuscation
- String and Class Encryption
- Debug code stripping
- Method Call Hiding (Reflection)
- Resource Encryption
- Debug Detection
- Root/Jailbreak Detection
- Runtime Injection Detection (Swizzle/Hook Detection)
- Tamper Detection
- Certificate Pinning
- Watermarking
There are many technical resources on Internet that describe at some
level of detail how to implement one or more of the preceding
techniques.
Moreover, there is some commercial tool which provides binary protection without requiring developers to implement their own custom controls.
Moreover, there is some commercial tool which provides binary protection without requiring developers to implement their own custom controls.
Before going into detail about these tools it is worth noting that all
these security controls do not give a guarantee that mobile applications
are going to be 100% secure, but they can provide additional protection
and make very hard to carry on reverse engineering, tampering and
runtime attacks.
Interpreting the Magik Quadrant
The Magik Quadrant study performed on Code Protection solutions takes into account multiple criteria based on:
- Ability to Execute
- Completeness of Vision
Ability to Execute
Vendors must deliver strong functionality in the following areas of capability:- Techniques implemented
- After Sale Support
Completeness of Vision
Completeness of vision in the Code Protection market considers a vendor’s vision and plans for addressing buyer needs in the future.- Cross-platform support
- Innovation
- Sale Strategy
Before proceeding it is worth noting that focusing on the leaders'
quadrant isn't always the best choice. There are good reasons to
consider market challengers. Moreover a niche player may support a
specific needs better than a market leader.
Leaders
Leaders offer products and services that best cover current scenarios
and are well positioned for tomorrow. They provide solutions that are
cross-platform, and therefore with one vendor it is possible to protect
many platforms.
Their complex solutions provide protection (through obfuscation,
encryption, call hiding etc.), detection and reaction (in case an attack
is detected).
Visionaries
In general, in any Magic Quadrant the Visionaries are the innovators.
They understand well where the market is going and therefore they can
provide innovative techniques to protect Apps in a cross-platform
environment.
Niche Players
Niche Players, in our research, are vendors that do not offer, at the
moment, a cross-platform solution but they are focused on a small
segment.
Since they are offering platform-specific solutions, in some case they
are able to provide innovative and specific solutions for that
particular target.
Free and Open Source Solutions
The preceding analysis was done on commercial tools available on market.In addition to this, we have also analyzed a free and open source solutions available for iOS: iMAS.
This solution has the main disadvantage that, since it is free and open source, it does not guarantee support. Nevertheless, we want to spend some words about it since it has some interesting features.
Vendor Strengths and Cautions
Arxan
This analysis pertains to Arxan's GuardIT.
Arxan is one of the most trusted names in application security. They provide protection against a widest range of static and dynamic attacks. The protection, provided by GuardIT, is implemented on different layers giving the chance to select the desired level of security.
Arxan is one of the most trusted names in application security. They provide protection against a widest range of static and dynamic attacks. The protection, provided by GuardIT, is implemented on different layers giving the chance to select the desired level of security.
Strengths
- Cross-platform (Android, iOS, Windos Phone)
- Strong code protection
- Strong detection
- Capability to repair after damage
Cautions
- Price could be higher than expected
Metaforic
This analysis pertains to Metaforic Core, Authenticator, Concealer and WhiteBox.
Metaforic is one of the leaders in the application security market. They provide a cross-platform solution based on different "modules" (Core, Authenticator, Concealer and WhiteBox).
Metaforic is one of the leaders in the application security market. They provide a cross-platform solution based on different "modules" (Core, Authenticator, Concealer and WhiteBox).
Strengths
- Cross-platform (Android, iOS)
- Strong Code and Flow obfuscation
- Strong cryptographic key protection
Cautions
- Price could be higher than expected
Company website: www.metaforic.com
WhiteCryption
This analysis pertains to whiteCryption's Cryptanium.
WhiteCryption provides code protection solutions since 2009, so they are relatively new on this market compared to Arxan or Metaforic. However they offer an innovative product that is designed to protect applications at all levels.
WhiteCryption provides code protection solutions since 2009, so they are relatively new on this market compared to Arxan or Metaforic. However they offer an innovative product that is designed to protect applications at all levels.
Strengths
- Cross-platform (Android, iOS)
- Strong Code and Flow Obfuscation
- Strong anti-tampering protection
- Anti-debug and anti-piracy features
Cautions
- White-box cryptography techniques are still adopted very little
Company website: www.whitecryption.com
PreEmptive
This analysis pertains to DashO and .NET Obfuscator.
The first version of DashO was released in 1998 and .NET Obfuscator was initially released few years later. Therefore PreEmptive has a long experience in Code protection.
The first version of DashO was released in 1998 and .NET Obfuscator was initially released few years later. Therefore PreEmptive has a long experience in Code protection.
Strengths
- Cross-platform (Android and Windows Phone)
- Strong code and flow obfuscation
- Watermarking
- Tamper prevention and reaction
Cautions
- No iOS support
Company website: www.preemptive.com
GuardSquare - Saikoa
This analysis pertains to DexGuard.
GuardSquare is very famous since they develop and support ProGuard, that is the successful open source obfuscator for the Java language. DexGuard is derived from it.
They have a great experience in Java and Android platform.
GuardSquare is very famous since they develop and support ProGuard, that is the successful open source obfuscator for the Java language. DexGuard is derived from it.
They have a great experience in Java and Android platform.
Strengths
- Large adoption among our customers
- Strong code optimization and obfuscation
- Anti-tamper detection
Cautions
- Available only for Android
Company website: www.saikoa.com
Licel
This analysis pertains to Licel's DexProtector.
Licel is a new competitor in code protection. Its product, DexProtector, is designed for comprehensive protection of Android-applications against reverse engineering and tampering.
Licel is a new competitor in code protection. Its product, DexProtector, is designed for comprehensive protection of Android-applications against reverse engineering and tampering.
Strengths
- Affordable for our clients
- Strong code obfuscation
- Anti-tamper detection
Cautions
- Available only for Android
Company website: www.licelus.com
Bangcle - SecNeo
This analysis pertains to AppShield service. Bangcle provides a service
that permits to developers to upload its APK on Bangcle's server and
they provide fully automated App shield services. The whole process
takes about one hour or less to complete.
Strengths
- Very simple use
- Anti-debug and Anti-tamper features
- App Data Encryption
Cautions
- Available only for Android
Company website: www.secneo.com
Smardec
This analysis pertains to Smardec's Allatori.
Smardec's main goal is to offer you high quality services and products at a reasonable price. Allatori first version was released in 2006 and it has reached these goals.
Smardec's main goal is to offer you high quality services and products at a reasonable price. Allatori first version was released in 2006 and it has reached these goals.
Strengths
- Strong code and flow obfuscation
- Watermarking
- StackTrace restoring
Cautions
- Available only for Android
- Only code protection/obfuscation
Company website: www.smardec.com
Zelix
This analysis pertains to Zelix KlassMaster.
Zelix has a long story and experience in code obfuscation. Since its release in 1997, the Zelix KlassMaster Java code obfuscator has been continually developed to keep it at the forefront of obfuscation technology.
This solution provides a Java code obfuscator but it does not implement other protections such as those against tampering tries.
Zelix has a long story and experience in code obfuscation. Since its release in 1997, the Zelix KlassMaster Java code obfuscator has been continually developed to keep it at the forefront of obfuscation technology.
This solution provides a Java code obfuscator but it does not implement other protections such as those against tampering tries.
Strengths
- Strong code and flow obfuscation
- Strong Call Hiding
- Affordable for our clients
Cautions
- Available only for Java (Android)
- Only code protection/obfuscation
Company website: www.zelix.com
iMAS
This analysis pertains to iMAS.
This solution is free and open source, available on GitHub, and it provides modularity as the main feature. In particular the iMAS project is composed of many components that developers could include inside their project and every module provides a different feature. So it is up to the developers selecting the desired components and include them in the project.
This solution is free and open source, available on GitHub, and it provides modularity as the main feature. In particular the iMAS project is composed of many components that developers could include inside their project and every module provides a different feature. So it is up to the developers selecting the desired components and include them in the project.
Strengths
- Free
- Anti-tampering protections
- Code encryption
Cautions
- Available only for iOS
- No after sale support
Company website: project-imas.github.io
This is very interesting take off the Gartner Magic Quadrant. I am wondering where you got your data from and how you came about positioning each company?
ReplyDeleteThank you for your feedback Anne. We did a survey among CTO, CSO and Security Architects (mostly from the Financial industry) asking about the products they are using, the products they would like to use and the products they knew. We also asked information about the deployment costs of the different solutions and their desiderata. We publish this post as a resource for helping conducting your own research on the product of choice, as you see solutions are very different and cover one or more platforms.
ReplyDeleteWhy did you neglect to put well known/obvious flaws that some of these products carry in the cautions?
ReplyDeletePreEmptive Solutions supports iOS obfuscation. http://www.preemptive.com/products/ppios
ReplyDeletePS the ability to do cross assembly obfuscation (across app tiers - not just across mobile platforms) is a critical capability that should be considered as well.
Instead of getting into these details, it is better for entreprenuers to outsource to professional iPhone application development company or android app company to get the most out of your applications.
ReplyDelete@Anonymous This should be seen as a dynamic resource and not as content "as is". The security field of Mobile Code protection is of course a mitigation and not a solution, and of course every addition to the topic is very welcome.
ReplyDeleteThank you for sharing.
ReplyDeleteCan I submit some updates to whiteCryption's info? We are on Windows, Linux, macOS/OS X as well as the stated mobile platforms. We'll happily bake off against any of these competitors with our Code Protection and Secure Key Box products (Cryptanium).
ReplyDeleteOur product lets you embrace our security design expertise for your product, vs needing to have the knowledge in-house.
nice one!
ReplyDelete