App shielding vs. bug bounty programs: In pursuit of fortified mobile applications
By Asaf Ashkenazi
Make no mistake, all software has bugs; the industry standard ranges from 15 to 50 errors per 1,000 of code. Code review and bug bounty programs cannot find all of them. For better security against vulnerabilities, companies should add a layer of protection with app shielding. App shielding is an approach to application security using a three-pronged approach.
There is money to be had in ethical hacking. Big tech is constantly pushing the limit on the amount of a bounty offered to white hat hackers for any discovered application vulnerabilities. Google, for example, recently announced that they are offering a bounty of up to $50,000 for any vulnerabilities found in any application in the Google Play Store that has more than 100 million downloads.
With so much capital being invested in these often widescale efforts, it could be wrongly assumed by some that the majority of applications are largely safe. However, that’s not the reality. Take for example, WhatsApp, which is owned by Facebook. The messaging app had a comprehensive bug bounty program, and yet it was still discovered that a major security flaw granted access to users’ phones without their knowledge. Looking at the sheer amount of code that applications contain, this shouldn’t have come as a surprise – especially to those in the app development field.
All software has code, which is written by humans who obviously make mistakes. And because of that, all software has bugs – it’s called “guaranteed vulnerability.” The accepted industry norm assumes between 15 and 50 errors per 1,000 lines of delivered code. An average smartphone app contains 50,000 lines of code, which translates to between 750 and 2,500 errors potentially waiting to be exploited. Of course, some code errors are benign compared to others, but it’s still unreasonable to expect all (or even most) of the errors to be discovered through bug bounty programs, which allows the at-risk application to be taken advantage of by cybercriminals.
If companies accept that not all bugs can be removed through traditional code review and bug bounty programs, then they should add a layer of protection to their code via app shielding. In the case of WhatsApp, the vulnerability was most likely found by fuzzing the app’s inputs to identify a buffer overflow. Fuzzing relies on being able to control the app by forcing data through specific execution paths and monitoring the results. App shielding makes it much more difficult for unauthorized users to take control and monitor the app by validating the environment the app is executing in and detecting unauthorized processes attaching to the app.
App shielding is easily described as a three-pronged approach for application security:
1.The first is code obfuscation, where the code is scrambled to make it much more difficult to reverse engineer, read and understand it. Think of this as writing a book, but using difficult-to-read fonts, making some text small and some large, then shredding it for good measure. All the content is still there, but it’s now nearly impossible to decipher.
2.The second prong is environment checks, which is controlling where apps can execute. With environment checks built into the code, the code can monitor itself to see if it’s being run in a trusted environment, one void of attached debuggers or emulators.
3.The final prong to app shielding is building anti-tampering into the app, or binary integrity checks. Essentially, a giant and complicated spot-the-difference where a code reference picture is baked into the app. While the app is executing, it is constantly checking itself against the reference picture. If the app doesn’t match the picture, then it knows it’s under attack and terminates the execution.
Let’s be clear. Bug bounty programs play an important role for mobile app developers. In fact, they will likely become even more commonplace – and that’s great from the perspective that it lends more and more attention to the importance of protection. Along with comprehensive code reviews, bug bounty programs help, but don’t fully address the problem. Developers should be encouraged to clean their code, but spending all of your app security budget on bounties and cleaning is a failed approach. A more balanced approach is to also employ code protection that provides true security – not just the sense of security.
HackerOne, a San Francisco-based bug bounty program company, recently announced an additional $36 million in funding. That’s an investment in a service that provides an important, but partial security fix. With bug bounties becoming a mainstay in the developer community, companies cannot get complacent when it comes to application security and should seek out practical ways to fortify their own code to ensure they don’t become the next WhatsApp public relations nightmare.