Wouldn’t You Expect Security Features to Just Be in a Security App?

I’ve worked in security companies nearly my whole career, so I understand why building security into our solutions is important. However, for some it can be a challenge, because the details of security can sometimes be complicated and difficult to understand.

It’s our job as a security company to make these things easier to understand, but also to make sure security is something that “just works,” and isn’t a reactive function. Let’s talk about an example that should make this more clear.

Recently, the team here at Centrify alerted me to a news report that security researchers at Lookout had found 20,000 apps that had been compromised and injected with adware and malware. In security slang, these were “trojanized” versions of legitimate apps.

The 20,000 apps in question were all disassembled, had malware injected, and were then repackaged and distributed through non-secure sources. Unknowing folks who think they are getting a legitimate app instead install these compromised apps and fall victim to exploits or attacks.

In this list of 20,000, a competitor’s app was called out, so naturally the concern here was, “were we in that list of 20K apps as well?”

As I quickly read the blog post to understand the exploit used, and began to scan the list of hacked apps, I realized something. I knew 100% we would not be on that list.

You see, we’ve added several layers of protection to our mobile app to thwart this kind of re-packaging attack from happening, as well as several others.

  • Code obfuscation – It’s well known that Android packages can be un-packaged. If the code isn’t obfuscated, it can then be easily modified. With code obfuscation, if a hacker attempts to un-package the Centrify app, the code appears as gibberish, making it very difficult to tell what is happening, and even more difficult to modify.
    • Bottom line: We added security from the start, to make these kinds of attacks much harder.
  • Anti-tampering – Using a combination of cryptographic checksums and signatures, the Centrify mobile app can self-verify its integrity and authenticity, and alert the user if any tampering has been detected.
    • Bottom line: If the code has somehow been tweaked, the app won’t run.
  • SSL/TLS certificate pinning – We use secure communications between our cloud and the mobile client. However, another well-known attack point for malicious actors is intercepting SSL communications, commonly known as a Man in the Middle (MitM) attack. By using a cryptographically signed list of verified certificate fingerprints, our app is able to detect MitM attacks and SSL interceptions, and block any further communications from happening.
    • Bottom line: We try to stop exploits from many angles, to keep customers safe.
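To make the certificate-pinning bullet concrete, here is an added example (not Centrify’s code, and the pin-list format, key handling and certificate bytes are all constructed for illustration): the app refuses a pin list whose signature does not verify, and then rejects any TLS leaf certificate whose SHA-256 fingerprint is not on that list, which is what stops an intercepting proxy before any data flows.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"errors"
	"strings"
)

// PinList is a vendor-signed set of allowed leaf fingerprints (hex SHA-256 of the DER
// certificate). The format is constructed for this example, not Centrify's own.
type PinList struct {
	Body      string // newline-separated hex fingerprints
	Signature []byte // ed25519 signature over Body
}

// LoadPins trusts the list only if its signature verifies under the key baked into the app.
func LoadPins(pub ed25519.PublicKey, list PinList) (map[string]bool, error) {
	if !ed25519.Verify(pub, []byte(list.Body), list.Signature) {
		return nil, errors.New("pin list signature invalid: refusing to use it")
	}
	pins := map[string]bool{}
	for _, line := range strings.Split(list.Body, "\n") {
		if line = strings.TrimSpace(line); line != "" {
			pins[strings.ToLower(line)] = true
		}
	}
	return pins, nil
}

// Fingerprint is the hex SHA-256 of a DER-encoded certificate.
func Fingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// VerifyPeerCertificate has the tls.Config.VerifyPeerCertificate shape: an error here
// aborts the handshake, so an intercepting proxy never receives application data.
func VerifyPeerCertificate(pins map[string]bool) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 || !pins[Fingerprint(rawCerts[0])] {
			return errors.New("leaf certificate not pinned: possible TLS interception")
		}
		return nil
	}
}
```

Wire the returned callback into `tls.Config.VerifyPeerCertificate` on the client; in a real app the vendor public key and the signed list ship inside the package, which is why the anti-tampering checks above matter for pinning too.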

Now, these features aren’t revolutionary. They are in fact the typical security-focused features you get from security-focused solutions. Maybe it’s because we start with “we hold ourselves accountable, and do everything we can to protect our customers, who expect this from a security company.”

For more information on this incident:

Security Week: http://www.securityweek.com/device-rooting-adware-hidden-20000-android-apps

ZDNet: http://www.zdnet.com/article/mobile-malware-evolves-adware-now-breaks-and-roots-your-phone/