Modern applications typically run on open devices (e.g. mobile phones) that are known to be vulnerable to attack. Therefore the devices cannot be trusted by the application developers. This means that developers need to build the applications that are secure regardless of the device environment. This means utilising tools, technologies and methodologies that allow the applications to protect themselves.
Inside Secure's Code Protection technology provides powerful automated software protection tools applicable across Mobile, IoT, Desktop and Server platforms.
The integrity of an application and its function is achieved by tamper-proofing the application code itself. Tamper proofing is achieved by use of the Code Protection Tool to render an application resistant to analysis, change or manipulation by a hacker.
Tamper proofing means that an attacker cannot:
- Modify an application to insert malicious code;
- Dynamically analyse an application with “known” conditions, or change the code to observe the effect the change has;
- Remove other protections such as root detections;
- Lift components (such as white-boxes) out the application to make them easier to analyse.
At the heart of this is a runtime integrity network embedded throughout the application code. This detects and responds to any attempts to analyse, reverse-engineer or otherwise manipulate the application. Attackers trying to compromise the application or other security measures (e.g. white-boxes) will find their room for manoeuvre highly restricted to the point that they cannot do any useful work.
The integrity network created by Inside Secure's anti-tamper technology enables the application to defend itself. The integrity network creates a strong foundation on which to build other security techniques (such as Obfuscation). Without this foundation, these other techniques are easily and quickly broken down by even novice hackers.
Obfuscation on its own is not application protection; but it can be a useful technique to have as part of wider defences. Application developers should hide sensitive data in software and obfuscate sensitive code. The obfuscation applied by Inside Secure's tool greatly hinders an attacker’s ability to statically analyse an application.
Integrated directly with the integrity network, and further hardened by it, Inside Secure's Code Protection provides multiple powerful Obfuscation techniques that render reverse engineering and static analysis impractical, ensuring that even elite hackers will move on to softer, less frustrating targets.
Automated not Manual
It is important to ensure that there are no gaps in the protection that can be exploited. Inside Secure's Code Protection Tool works on an automated model to protect code. It first dynamically analyses the software, then uses that analysis to determine where best to insert the integrity network checks. This gives an optimised integrity network to the profile of the specific application.
In practice, this means the number of checks inserted is an order of magnitude higher than those achieved with a manual or scripted injection approach.