Why Your Apps Need Multi-Layered Security Defenses

Quarkslab
17 April 2025

Over the last 20 years, how we build and deploy software has radically changed. Applications now run on untrusted mobile devices, data flows through the cloud, and IoT devices operate in uncontrolled environments. A common industry myth is that once source code is packaged into an application, it becomes significantly harder for an attacker to exploit. In reality, applications deployed on edge devices such as mobile, IoT, and desktop systems remain highly vulnerable. This article outlines four main security threats facing your applications and discusses the security layers needed to protect against them.

Key threats to your app’s security

1. Sensitive data leakage
One of the most critical threats is the leakage of sensitive data. Security researchers have identified 1,859 mobile applications on Google Play and the App Store that contain hard-coded Amazon Web Services (AWS) credentials [1]. If an attacker retrieves such credentials, they could gain unauthorized access to user data, posing a significant risk to personal information. Similar issues exist in the IoT domain, where hard-coded passwords have been discovered in Cisco firewalls [2] and D-Link routers [3].

2. Intellectual property (IP) theft
Reverse engineering is a common method of stealing intellectual property. Many home automation products have been reverse-engineered, allowing unauthorized parties to develop compatible devices or controllers for well-known brands such as Somfy [4], Velux [5], and LG [6]. This poses a significant financial risk. Additionally, with the rise of Artificial Intelligence (AI) on edge devices, AI engines and models are increasingly at risk of being stolen if not adequately protected.

3. Software tampering
Attackers frequently tamper with software to exploit its functionalities for unauthorized purposes. This includes bypassing license restrictions, as seen in pirated Adobe software [7], or modifying gaming applications to enable cheating in Pokémon Go [8] and Fortnite [9].

4. Reverse engineering for exploitation
Attackers can reverse-engineer applications running on edge devices to identify vulnerabilities, which they may then exploit to compromise other devices. Security researchers have used this technique to uncover flaws in platforms such as Silicon Labs’ Gecko platform [10], Samsung Galaxy phones [11], and Google’s secure chip [12].
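
For threat 1, a check a team can run on its own build before release, shown as an added example (not Quarkslab's code): it unpacks an APK or IPA, both of which are ZIP archives, and flags embedded AWS access key IDs. The function names are hypothetical, and the sample package is constructed in memory from AWS's documented example credentials plus one made-up key ID.

```python
import io
import re
import zipfile

# AWS access key IDs: AKIA (long-term) or ASIA (temporary) + 16 uppercase alphanumerics.
KEY_ID = re.compile(rb"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# Secret access keys are 40 base64-style characters; only checked near a key ID to limit noise.
SECRET = re.compile(rb"(?<![A-Za-z0-9/+])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+])")
WINDOW = 200  # bytes searched on each side of a key ID


def scan_package(package_bytes):
    """Scan every member of an APK/IPA (both are ZIP archives) for AWS key IDs."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as archive:
        for name in archive.namelist():
            data = archive.read(name)  # decompressed: a grep on the raw archive would miss this
            for hit in KEY_ID.finditer(data):
                nearby = data[max(0, hit.start() - WINDOW):hit.end() + WINDOW]
                findings.append({
                    "file": name,
                    "offset": hit.start(),
                    "key_id": hit.group().decode(),
                    "secret_nearby": bool(SECRET.search(nearby)),
                })
    return findings


def build_sample_package():
    """Constructed sample: AWS's documented example credentials plus one made-up key ID."""
    members = {
        "assets/config.properties": b"aws_access_key_id=AKIAIOSFODNN7EXAMPLE\n"
                                    b"aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n",
        "lib/native.bin": b"\x7fELF\x00\x01ASIACONSTRUCTED00001\xff\x00",
        "res/strings.xml": b"<string name='title'>AKIA is a prefix, not a key</string>",
    }
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w", zipfile.ZIP_DEFLATED) as archive:
        for name, data in members.items():
            archive.writestr(name, data)
    return buffer.getvalue()


if __name__ == "__main__":
    for finding in scan_package(build_sample_package()):
        print(finding)
```

A finding with `secret_nearby` set means the full credential pair is likely shipped in the package; a key ID found in a compiled library with no secret nearby still warrants tracing back to the source that embedded it.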

How to protect against these threats

A multi-layered security approach is essential to safeguard software on edge devices. Here are three key protection mechanisms:

1. Code obfuscation
Obfuscation is a fundamental technique that makes reverse engineering significantly more difficult. By concealing sensitive data and increasing code complexity, obfuscation helps prevent attackers from easily analyzing or modifying the software.

2. Code integrity protection
Code integrity protection is essential to prevent attackers from modifying an application to bypass security checks or restrictions. Integrity checks ensure that any unauthorized modifications render the software inoperable, mitigating the risk of tampering.

3. Runtime Application Self-Protection (RASP)
To counter dynamic attack tools such as debuggers, hooking frameworks, or virtual environments, Runtime Application Self-Protection (RASP) continuously monitors the application’s execution environment. RASP detects and mitigates attempts to alter an application during runtime, ensuring its integrity remains intact.

These three layers provide a robust defense against dynamic attacks, tampering, and reverse engineering, ensuring your software remains secure.

How Quarkslab helps

At Quarkslab, we specialize in protecting software against these threats. Our team performs in-depth security audits to uncover vulnerabilities, offers expert consulting for secure product design, and provides forensic analysis in cases of intellectual property theft or software tampering.

Our QShield product suite delivers robust protection for software running on edge devices. It includes advanced techniques such as obfuscation, code integrity enforcement, runtime application self-protection (RASP), and white-box cryptography—ensuring encryption keys remain secure and data stays protected through device binding.

Why being at Cybersec Europe is essential for us

Cybersec Europe brings together key players in the cybersecurity ecosystem, making it the ideal platform for us to showcase our expertise, connect with industry leaders, and stay ahead of emerging threats. Being present allows us to engage directly with CTOs, product and engineering teams, security experts, and others facing real-world security challenges, and to demonstrate Quarkslab’s capabilities. It’s also a unique opportunity to share insights, learn from peers, and contribute to the evolving conversation around software protection.

References

[1] https://thehackernews.com/2022/09/over-1800-android-and-ios-apps-found.html
[2] https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-statcred-dFC8tXT5?ref=thestack.technology
[3] https://www.scworld.com/news/d-link-patches-5-vulnerabilities-including-rce-hard-coded-credential-flaws
[4] https://deralchemist.wordpress.com/2021/05/10/reverse-engineering-remote-controlled-somfy-blinds-part-1/
[5] https://github.com/Julius2342/pyvlx
[6] https://github.com/hww3/LG_Aircon_MQTT_interface
[7] https://www.youtube.com/watch?v=VvWbcwL3bMI
[8] https://gamerant.com/best-game-rom-hacks-pokemon-fans-should-play/
[9] https://www.esports.net/news/fortnite/aimbot-fortnite/
[10] https://blog.quarkslab.com/breaking-secure-boot-on-the-silicon-labs-gecko-platform.html
[11] https://blog.quarkslab.com/attacking-the-samsung-galaxy-a-boot-chain.html
[12] https://blog.quarkslab.com/attacking-titan-m-with-only-one-byte.html
