Principles / 01 The big picture
A guide to mobile application protection
- The big picture
- What needs protecting
- Develop a threat model for your application
- The four layers of mobile application protection
- Decompilation and modification
- Dynamic analysis and tampering
- Emulators and Virtualization Apps
- Network communications interception
- Mobile app fraud
The function of mobile applications is to provide users with access to data and services.
Often, these data and services are sensitive or privileged. Social media apps enable us to access our profiles and to view and to create our personal content. Healthcare apps enable us to access our records and to submit private data. Banking apps enable us to access our accounts and to perform transactions. And so on.
As in the examples above, many apps act primarily as a client, usually requiring a user to log in with their account credentials to access data and functionalities that are hosted on remote servers.
Other apps, of course, can be used fully offline: some productivity apps and mobile games, for example. These local apps may also generate, process, and store sensitive data, and usually contain privileged or hidden functionalities. Take games as an example: most games have content that must be earned or unlocked, even if it simply means you cannot play Level 2 without first completing Level 1.
Regardless of the type of app or the stakes involved, then, the most important security consideration for everybody involved in mobile application development is controlling access. In other words, making sure that access to any given service or data is only granted to authorized, legitimate users (which also means ensuring that authorized users are in fact legitimate users, and not an attacker holding their credentials).
And indeed, for some services and data, such as those related to the app’s internal functioning and/or to its server-side infrastructure, you may not want to grant access to anybody at all. Certainly not to anybody outside of your organization. The same is likely to be true for the logic of the application itself.
When the question “what is mobile application protection” is asked, it’s sometimes implied that it’s primarily or exclusively concerned with data protection. And this is indeed extremely important, and one of our priorities in this guide.
But it’s also important to recognize that attacks fall into two basic categories:
- Attacks aiming to exploit the application directly
- Attacks aiming to exploit the application’s users
And they tend to target three main assets:
- Internal data & intellectual property (IP)
- Sensitive user data
- Restricted functionalities
As examples of an attack aiming to exploit the application directly:
Think of a rival decompiling your AI-powered chatbot app’s binaries, to gain access to its logic and your organization’s IP.
Or imagine a fraudulent user taking advantage of a rooted device to spoof their location. Doing so allows them access to the geo-restricted benefits offered by your retail app (Restricted functionalities).
Attacks aiming to exploit the application’s users are the more typical focus of writing about mobile app security. As an example:
Some malware gains access to your banking app’s keyboard input data in order to log users’ passwords. This enables the malware developers to gain access to your users’ accounts and make payments to themselves (Sensitive user data; Restricted functionalities).
In this guide we’ll explain how you can prevent and mitigate these and other types of attacks.