Instructing mobile apps in the art of self-defense
Enterprises and their mobile app developers should build security in from the start: build in encryption, implement obfuscation techniques with a security framework, and perform deep analysis to understand application integrity, explains Ely. “You need to understand the integrity and state of the libraries the app requires at runtime and the libraries in memory. You need to build out a risk score and profile and then use that to build in countermeasures to create self-defending apps,” says Ely.
Ely is not alone in using self-defending app terminology. OWASP is invested in self-defending apps: it has established the AppSensor project, which “defines a conceptual framework and methodology that offers prescriptive guidance to implement intrusion detection and automated response into applications”, according to OWASP. Because it works at the application layer, building intrusion detection into the mobile app itself together with an automated response to each intrusion, security becomes native to the app rather than an add-on.
The AppSensor approach uses detection points, covering a variety of exceptions (authentication, session, access control and input validation failures, among others) and user or system trends, as well as honey traps and reputation, to identify attacks from inside the application. AppSensor analyzes the detection-point events the application logs, both each point on its own and the user's activity as a whole, to decide whether a user's behavior is malicious, and then moves to block that user, according to OWASP.
With AppSensor's help, OWASP says, a mobile application can understand who its users are, what actions they take, what those actions target, and whether the app should allow that combination of user and action. OWASP intends AppSensor to identify advanced threats that engage in exploitative or evasive behavior. AppSensor lets the app block the user permanently or take whatever other action the enterprise sees fit. Blocking confines the attacker to the application's perimeter, according to OWASP.
OWASP notes that AppSensor lets enterprises opt out of blocking users automatically, so that they instead receive attack alerts through security monitoring and investigate the event before deciding on a response. “The rigor of response is a decision for each organization in relation to their tolerance for risk and specific needs for an application,” OWASP says. Since an organization's risk tolerance and that of its consumers or any other affected party can differ, it is worth weighing the advantages of immediate, automatic blocking where it is reasonable.
Through the AppSensor project, OWASP offers recommendations for determining which application behaviors are malicious, suggested responses, guidance on implementing an AppSensor-based system, and a Java reference implementation that an organization can integrate into its application(s), according to OWASP.
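The detection-and-response loop described above, as an added example that is not part of the article and not OWASP's Java reference implementation: a small Python engine that evaluates each detection point independently (a per-user, per-point threshold inside a sliding time window) and the user's activity as a whole (a cross-point count), then either blocks the user or, when automatic blocking is switched off, raises an alert carrying the recommended response for an analyst to act on. The detection point labels, thresholds, windows, the whole-user rule and the event stream are all constructed for the example.

```python
# AppSensor-style detection points with automated responses (added example,
# not OWASP code). Labels, thresholds and events below are assumptions.
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class DetectionPoint:
    label: str       # hypothetical label for the detection point
    threshold: int   # events from one user inside window_s before the response fires
    window_s: float  # sliding window, in seconds
    response: str    # "alert" (notify monitoring) or "block" (deny the user)


@dataclass(frozen=True)
class Event:
    user: str
    label: str       # which detection point fired
    ts: float        # event time in seconds; events are fed in time order


class AppSensorLite:
    """Evaluates each detection point on its own and the user's activity as a whole."""

    USER_WINDOW_S = 300.0   # window for the cross-point, whole-user rule (assumed)

    def __init__(self, points, user_total_threshold=6, auto_block=True):
        self.points = {p.label: p for p in points}
        self.user_total_threshold = user_total_threshold
        self.auto_block = auto_block          # False = alert only, an analyst decides
        self._per_point = defaultdict(deque)  # (user, label) -> event timestamps
        self._per_user = defaultdict(deque)   # user -> timestamps across all points
        self.blocked = set()
        self.alerts = []                      # (user, label, recommended_response, reason)

    @staticmethod
    def _prune(dq, now, window_s):
        """Drop timestamps that have fallen out of the sliding window."""
        while dq and now - dq[0] > window_s:
            dq.popleft()

    def _respond(self, user, label, response, reason):
        # Every firing is surfaced to monitoring, whether or not the user is blocked.
        self.alerts.append((user, label, response, reason))
        if response == "block" and self.auto_block:
            self.blocked.add(user)
            return "block"
        return "alert"

    def record(self, event):
        """Ingest one detection-point event and return the response taken."""
        if event.label not in self.points:
            raise ValueError(f"unknown detection point {event.label!r}")
        if event.user in self.blocked:
            return "already_blocked"
        point = self.points[event.label]
        pq = self._per_point[(event.user, event.label)]
        pq.append(event.ts)
        self._prune(pq, event.ts, point.window_s)
        uq = self._per_user[event.user]
        uq.append(event.ts)
        self._prune(uq, event.ts, self.USER_WINDOW_S)
        # Rule 1: this detection point, considered independently.
        if len(pq) >= point.threshold:
            pq.clear()   # one burst yields one response
            return self._respond(event.user, event.label, point.response,
                                 f"{point.threshold} events within {point.window_s:g}s")
        # Rule 2: the user's behaviour as a whole, across all detection points.
        if len(uq) >= self.user_total_threshold:
            uq.clear()
            return self._respond(event.user, "user_total", "block",
                                 f"{self.user_total_threshold} events across all points")
        return "none"


# Constructed detection points; a single honey-trap access is already hostile.
POINTS = [
    DetectionPoint("auth_failure", threshold=5, window_s=60.0, response="block"),
    DetectionPoint("input_validation_failure", threshold=3, window_s=60.0, response="alert"),
    DetectionPoint("honey_trap", threshold=1, window_s=1.0, response="block"),
]

# Constructed event stream: a typo-prone legitimate user (alice), a password
# guesser (mallory), a fuzzer (bob), a honey-trap hit (carol) and a user whose
# low-grade noise only looks hostile in aggregate (dave).
EVENTS = [Event(u, l, t) for u, l, t in [
    ("alice", "input_validation_failure", 0.0),
    ("mallory", "auth_failure", 1.0), ("mallory", "auth_failure", 2.0),
    ("mallory", "auth_failure", 3.0), ("mallory", "auth_failure", 4.0),
    ("mallory", "auth_failure", 5.0), ("mallory", "auth_failure", 6.0),
    ("bob", "input_validation_failure", 10.0), ("bob", "input_validation_failure", 11.0),
    ("bob", "input_validation_failure", 12.0),
    ("carol", "honey_trap", 20.0),
    ("dave", "auth_failure", 30.0), ("dave", "auth_failure", 31.0),
    ("dave", "input_validation_failure", 32.0), ("dave", "input_validation_failure", 33.0),
    ("dave", "auth_failure", 34.0), ("dave", "auth_failure", 35.0),
    ("alice", "input_validation_failure", 100.0),   # outside alice's 60 s window
]]


def run_sample(auto_block=True):
    """Feed EVENTS through a fresh engine; return (responses, blocked users, engine)."""
    engine = AppSensorLite(POINTS, auto_block=auto_block)
    responses = [engine.record(e) for e in EVENTS]
    return responses, sorted(engine.blocked), engine


if __name__ == "__main__":
    for auto in (True, False):
        responses, blocked, engine = run_sample(auto)
        print(f"auto_block={auto}: blocked={blocked}")
        for e, r in zip(EVENTS, responses):
            if r != "none":
                print(f"  t={e.ts:5.1f} {e.user:8s} {e.label:25s} -> {r}")
```

Running it with `auto_block=True` blocks mallory on the fifth failed login, carol on the first honey-trap access and dave once his mixed noise reaches the whole-user threshold, while bob's input failures only raise an alert; with `auto_block=False` nobody is blocked, but every firing still reaches the alert list with the response the policy would have taken, which is the opt-out mode the article describes. Whether a given point should block or merely alert, and how high the thresholds sit, is exactly the per-organization risk-tolerance decision OWASP leaves open.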
Other vendors offering some form of self-defending app approach include Apperian, Mocana, and Metaforic.