Wednesday, May 2, 2018

Antitamper Mobile - Minded Security's Magik Quadrant for Mobile Code Protection (2018 Edition)


Minded Security's Magik Quadrant for Mobile Code Protection shows our evaluation of the top vendors in this market, based on our research and experience, updated to 2018.

Magik Quadrant

 

Why care about Code Protection?

The main reason is that mobile applications run within an environment that is not under the control of the organization producing the code.

Lack of Code Protection could have the following consequences:
  • Malicious users or competitors could decompile the application and gain knowledge about proprietary algorithms or intellectual property
  • Using this information, it could be possible to modify the code, repackage it and redistribute it to create a "trojanized" clone of the App
  • Revenue loss due to piracy
  • Reputational damage

Since 2016, the OWASP Mobile Top 10 has included two new categories related to this: M8-Code Tampering and M9-Reverse Engineering.

Code Tampering

Code Tampering is the process of changing a mobile app (either the compiled app or the running process) or its environment to affect its behavior.
The most common code tampering techniques are:
  • Code Injection
  • Binary Patching
  • Local Resource Modification
  • Method hooking
  • Method Swizzling
  • Dynamic Memory Modification  
Tools and frameworks like Frida, Substrate, Cycript, Xposed and FLEX could give an attacker direct access to process memory and important structures such as live objects instantiated by the app. 
They come with many utility functions that are useful for resolving loaded libraries, hooking methods and native functions, and more.
This can provide the attacker a direct method of subverting the intended use of the software for personal or monetary gain.

Code Tampering could be prevented by detecting at runtime that code has been added or changed since compile time.
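
The following is an added example, not from the original post or any vendor's product, of the comparison described above: digests recorded at build time are checked against the package as found at runtime, using an APK-like zip built in memory. The file names, contents and manifest format are constructed for illustration; a real check would run inside the app and would also need to protect the manifest itself, for example with a signature.

```python
import hashlib
import io
import zipfile


def build_manifest(package_bytes):
    """Build step: record a SHA-256 digest for every entry in the package."""
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as pkg:
        return {name: hashlib.sha256(pkg.read(name)).hexdigest()
                for name in pkg.namelist()}


def check_integrity(package_bytes, manifest):
    """Runtime step: compare the package as found against the build manifest."""
    current = build_manifest(package_bytes)
    return {
        "added": sorted(set(current) - set(manifest)),
        "removed": sorted(set(manifest) - set(current)),
        "changed": sorted(n for n in current
                          if n in manifest and current[n] != manifest[n]),
    }


def is_tampered(report):
    """True when any entry was added, removed or changed."""
    return any(report.values())


def make_package(files):
    """Helper for the constructed samples: zip a {name: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        for name, data in files.items():
            pkg.writestr(name, data)
    return buf.getvalue()


# Constructed sample data (hypothetical file names and contents).
ORIGINAL = {"classes.dex": b"original bytecode",
            "lib/libnative.so": b"original native code",
            "res/config.json": b'{"api": "https://api.example.com"}'}
REPACKAGED = dict(ORIGINAL)
REPACKAGED["classes.dex"] = b"patched bytecode"      # changed since build
REPACKAGED["lib/libextra.so"] = b"injected library"  # added since build

MANIFEST = build_manifest(make_package(ORIGINAL))

if __name__ == "__main__":
    print(check_integrity(make_package(ORIGINAL), MANIFEST))
    print(check_integrity(make_package(REPACKAGED), MANIFEST))
```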

Reverse Engineering

Reverse engineering a mobile app is the process of analyzing the compiled app to extract information about its source code. 
An app is said to be susceptible to reverse engineering if an attacker can derive a reasonably accurate reconstruction of the source code from the binary.
Reverse Engineering could be prevented by using an obfuscation tool that implements controls like:
  • String Encryption
  • Name obfuscation
  • Control flow obfuscation
  • Arithmetic obfuscation


In addition, it is important to implement anti-debugging techniques and verify whether the application is running on a rooted/jailbroken device.


Some commercial tools provide code protection without requiring developers to implement their own custom controls.
The remainder of this blog post goes into detail about the tools available in the market in 2018.

Interpreting the Magik Quadrant

The Magik Quadrant study performed on Code Protection solutions takes into account multiple criteria based on Ability to Execute and Completeness of Vision.

Ability to Execute
Vendors must deliver strong functionality in the following areas of capability:
  • Techniques implemented
  • After Sale Support

Completeness of Vision
Completeness of vision in the Code Protection market considers a vendor’s vision and plans for addressing buyer needs in the future:
  • Cross-platform support
  • Innovation
  • Sale Strategy

Before proceeding, it is worth noting that focusing on the leaders' quadrant isn't always the best choice. There are good reasons to consider market challengers. Moreover, a niche player may support specific needs better than a market leader.


Leaders
Leaders offer products and services that best cover current scenarios and are well positioned for the future. They provide solutions that are cross-platform, so with one vendor it is possible to protect many platforms. Their complex solutions provide protection (through obfuscation, encryption, call hiding etc.), detection and reaction (in case an attack is detected).

Visionaries
In general, in any Magik Quadrant the Visionaries are the innovators. They understand well where the market is going and therefore they can provide innovative techniques to protect the applications in a cross-platform environment.

Niche Players
Niche Players, in our research, are vendors that do not offer, at the moment, a cross-platform solution but are focused on a small segment. Since they offer platform-specific solutions, in some cases they are able to provide innovative and specific solutions for that specific target.


Vendor Strengths and Cautions

Arxan

This analysis pertains to Arxan's Application Protection.

Arxan is one of the most trusted names in application security. They provide protection against the widest range of static and dynamic attacks. The protection provided by Application Protection is implemented on different layers, giving the chance to select the desired level of security.

Strengths:
  • Cross-platform: Android, iOS (Objective-C and Swift applications)
  • No changes to the source code 
  • Protection from reverse engineering and disassembly through obfuscation
  • Sophisticated Anti Code Tampering techniques
  • Threat Analytics feature
  • Latest OS versions supported

Cautions:
  • Price could be higher than expected
  • Strong binary obfuscation may interfere with the application functionalities

Company website: www.arxan.com


Inside Secure

This analysis pertains to Inside Secure Code Protection and WhiteBox.
Inside Secure is one of the leaders in the application security market. They provide a cross-platform solution based on different "modules".

Strengths:
  • Cross-platform: Android, iOS (Objective-C and Swift applications)
  • Strong Code and Flow obfuscation
  • Anti-tampering techniques
  • Strong cryptographic key protection

Cautions:
  • Price could be higher than expected
  • Strong binary obfuscation may interfere with the application functionalities

Company website: https://www.insidesecure.com/


Intertrust

This analysis pertains to Intertrust whiteCryption.
Intertrust is relatively new on this market but offers an innovative product that is designed to protect applications at all levels.

Strengths:
  • Pioneers in Whitebox Crypto 
  • Cross-platform: Android, iOS (Objective-C and Swift applications)
  • Tamper Resistance
  • Self-defending code
  • Code obfuscation
  • Anti-debugging techniques
  • Cross-checking of shared libraries 

Cautions:
  • Price could be higher than expected

GuardSquare

This analysis pertains to GuardSquare DexGuard and iXGuard.
GuardSquare is well known because they develop and support ProGuard, the successful open source obfuscator for the Java language used for Android applications. DexGuard is derived from that, while offering more advanced and sophisticated protections.
They have extensive experience with the Java and Android platforms and recently started offering iOS support as well through the iXGuard software.

Strengths:
  • Solution is solid and one of the most used, thanks also to the ProGuard integration in Android Studio
  • Cross-platform: Android (Cordova and PhoneGap supported), iOS (Objective-C and Swift applications)
  • Large adoption among our customers
  • Strong code optimization and obfuscation 
  • Anti-tamper detection available for the Android platform

Cautions:
  • At this time iXGuard offers only reverse engineering protections, not anti-tampering protections, for the iOS platform
  • As the demo policy seems to have changed during 2017, it's harder to obtain evaluation versions; this could be a factor to consider if you have a time-constrained project
  • Price has also increased
  • Solution is one of the most used, so it may be easier to find deobfuscation tools/information compared to other solutions in the market

Company website: https://www.guardsquare.com


Licel

This analysis pertains to Licel's DexProtector.
Licel is a new competitor in code protection. Its product, DexProtector, is designed for comprehensive protection of Android applications mainly against reverse engineering, clone protection and tampering.

Strengths:
  • Affordable for our clients
  • Strong code obfuscation
  • Clone protection
  • SSL Pinning support
  • Root and Debug Detection

Cautions:
  • Available only for the Android platform
  • Some features, like Hooks Detection, are additional features of the Enterprise version and are priced separately

Company website: www.licelus.com


Bangcle - SecNeo

This analysis pertains to Bangcle AppShield, AppSCO and WhiteCrypto.

Strengths:
  • AppShield offers protections against debuggers, tampering, decompilation and malware insertion for Android applications
  • AppSCO offers reverse engineering protections (Android and iOS platform)
  • WhiteCrypto offers strong key protections (Android and iOS platform)

Cautions:
  • Anti Code tampering techniques are only offered for the Android platform 

Company website: http://www.bangcle.co.kr - https://www.secneo.com


Zelix

This analysis pertains to Zelix KlassMaster.
Zelix has a long history and experience in code obfuscation. Since its release in 1997, the Zelix KlassMaster Java code obfuscator has been continually developed to keep it at the forefront of obfuscation technology.
This solution provides a Java code obfuscator but it does not implement other protections such as those against code tampering attempts.

Strengths:
  • Strong code and flow obfuscation
  • Strong Call Hiding
  • Affordable for our clients

Cautions:
  • Available only for Java (Android)
  • Only code protection/obfuscation

Company website: www.zelix.com


Promon

This analysis pertains to Promon SHIELD.
Promon is a Norwegian firm specializing in app hardening focusing largely on Runtime Application Self-Protection (RASP).

Strengths:
  • Cross-platform: Android, iOS (Objective-C and Swift applications)
  • Rooting and Jailbreak detection
  • Repackaging Detection
  • Protections against Runtime App Tampering
  • Debugger Detection
  • SSL Pinning
  • Hook Detection

Cautions:
  • New player in 2018 Magik Quadrant
  • The "RASP" acronym usually applies to solutions that protect applications from vulnerabilities at runtime; it may not fit this solution 100%

Company website: https://promon.co


Important note: it is worth noting that all these security controls do not give a guarantee that mobile applications are going to be 100% secure, but they can provide additional protection and make it very hard for an attacker to carry out reverse engineering, tampering and runtime attacks.