With the introduction of ThreatCast, Guardsquare’s new mobile app security console, Guardsquare enhances its offering in the mobile app security market. Combined with our app shielding solutions DexGuard (Android) and iXGuard (iOS), ThreatCast allows development and security teams to close the app security loop.
What does this mean? Most app developers lack reliable information about the actual threats facing their applications once they are released “into the wild.” Teams are left guessing about the effectiveness of their app security measures. ThreatCast allows both developers and security professionals to access information about detected application threats in real time, analyze attack vectors and implement new or improved app security measures based on objective data.
In this blog, we take a closer look at how organizations can leverage the threat intelligence collected by ThreatCast to adapt to the constantly evolving mobile threat landscape and respond to emerging attack vectors.
ThreatCast segments application threats into three categories:
This categorization allows users to quickly and easily assess their level of risk, filter detected threat events, and set priorities to ensure maximum app security. For all of the detected threats in any of these three categories, ThreatCast displays a wealth of information enabling in-depth analysis based on:
Environment threats are threats related to the environment in which an application is executed, mostly (but not exclusively) the end-user’s device. This type of threat is logged whenever your DexGuard or iXGuard protected application detects that it is being run in a potentially harmful environment—such as a rooted or jailbroken device. The detected threats in this category are general security threats. They do not directly target mobile applications, but are often the basis for targeted attacks. In other words, when an environment threat appears in the ThreatCast dashboard, it does not necessarily mean your application has been compromised, but rather that there is potential for abuse. Related threats in the app or code threat categories should be carefully monitored.
Threats in this category include, but are not limited to:
Figure 1 - ThreatCast dashboard, with overviews of environment threats (blue), app threats (orange), and code threats (red)
Application threats are threats related to the integrity of the application. An app threat is registered whenever the application package is modified. If this happens, DexGuard’s and iXGuard’s runtime application self-protection (RASP) functionality is automatically triggered to respond to the detected threat. Application threats are more acute than environment threats, because they indicate that there was an attempt to tamper with the application itself and possibly modify its behavior (see code threats).
Some examples of application threats:
Code threats occur when someone attempts to statically or dynamically alter the internal logic of mobile applications and modify their intended behavior. Code threats are the most explicit indicators that malicious users are targeting specific mobile apps.
This category includes following threats and more:
ThreatCast provides a wealth of information to help development teams and security professionals to make informed decisions about their mobile security strategies. Here are some ways to leverage the threat intelligence delivered by ThreatCast:
ThreatCast shows you which of your app’s libraries or functions are primary targets for attacks, enabling you to reinforce the protection of these libraries and functions.This can be achieved by locally increasing the aggressiveness of the runtime self-protection (RASP) checks or by tweaking your code hardening configuration to add additional protection to specific parts of the application’s source code. In other words, DexGuard and iXGuard help you implement security best practices, while ThreatCast allows you to fine-tune your exact security protocols based on real threats.
DexGuard and iXGuard’s runtime application self-protection (RASP) functionality allows you to determine how your applications respond to detected runtime threats. The data provided by ThreatCast allow you to optimize your response strategy and decide based on objective data whether an application should terminate, limit the available functionality, or display a notification when a particular subcategory of threats is detected.
Figure 2 - ThreatCast Timeflow View: Allows teams to analyze app upgrade adoption (the green and blue bands), threats per app version (the red bands), and time-to-first-threat-detection (red milestones), all in one single view.
The code hardening applied by DexGuard and iXGuard is polymorphic. In other words, the applied code protection is different in every single build, obliging malicious actors targeting applications to restart from zero after every new release. ThreatCast shows you the time it takes, on average, for attackers to compromise a new version of your application. This knowledge allows you to adjust your release frequency to optimally benefit from the polymorphic nature of the protection DexGuard and iXGuard provide and discourage malicious actors. The effectiveness of an optimized release cycle for security can be further improved by forcing all users to upgrade every time a new version is available.
After a mobile app is released to the app store, security teams and developers have historically lacked visibility into the most common attack vectors and vulnerable parts of their code. As this blog post illustrates, while DexGuard and iXGuard provide important and necessary layered security protections for Android and iOS mobile apps, ThreatCast brings a new level of visibility and clarity to the table. ThreatCast lets organizations identify specific threats in the wild, in real time, and enables teams to take action and shift their strategies to best respond to suspicious activity and malicious actors.