Over the last few months, Irdeto has published many blogs and white papers which, in concert, have clearly outlined the reason why we believe application security is an integral part of mobile application development. Hopefully, we’ve convinced the business owners out there as to the necessity of mobile application security. But, this blog is not for business owners.
This blog is for all those out there responsible for creating, maintaining, or updating mobile applications. You know who you are. You’re spinning all those plates to get your organization’s mobile vision executed with minimal cost and time. Now, someone is asking you to add mobile application protection on top of that. Are you kidding?
Here at Irdeto, we’ve been working to protect mobile applications for over a decade, so we’re well aware of the amount of work necessary to bring a successful mobile application to market. This has led us to shift our approach from a security focus to a developer focus. We are looking to minimize, or eliminate if possible, the burden of implementing application security for the software developer by following a strict vision. We refer to that vision as ‘zero-touch’.
In this blog, we’ll describe that vision and explain how we think it will help mobile application developers going forward.
The zero-touch philosophy
Over the last two years, we have worked hard at developing an application security solution that doesn’t require any training, ecosystem modification, setup, build modification or coding changes. This is our zero-touch vision. We did this to minimize the effort required by you, the application developer, to integrate application security into your software development lifecycle. With zero-touch, application security is not another design trade-off or time sink. Let’s explore why.
No training necessary
As an application developer, you work with a toolkit and technologies that are continually evolving. Google released Dart 1.0 in 2013, Apple released Swift in 2014, and Facebook launched React Native in 2015, just to name a few new development choices available to mobile application developers in the past decade.
On top of this, like clockwork, there are significant advancements in the Android/iOS ecosystem every year. As an app developer, you have to look at everything from mandatory OS changes like scoped storage to new technologies like AR and ML to differentiate your applications and ensure that they remain available via the app stores. For all of you in the field, you know that this is not a trivial activity.
Even worse, application developers sometimes have to take over the maintenance of an existing application. On top of staying current, you also need to learn how the application somebody else built (and probably didn’t document) works.
The last thing you need is to spend time learning a proprietary framework, application or annotation syntax to address a secondary attribute like application security. These are the reasons why Irdeto has developed a zero-touch, no training required application security solution.
RASP maintenance is a pain
We already talked about how there is a new OS update for iOS/Android every year, but, on top of this, security solutions need to release new SDKs to catch the latest changes in rooting, hooking or debugging technologies. Keeping on top of the newest security SDK, even with build automation tools, is still another headache that you don’t need. For example, in 2020 alone, there were over 20 updates to Checkra1n and unc0ver!
As a developer, what are your options? You could integrate new checks into your app 20 times a year, or you could look for a solution that automatically injects the latest Root Detection, Jailbreak Detection, Anti-Hook, and Anti-Debugger technology into each protected application. As a developer, this is one less dependency that you need to keep track of, making your life easier and allowing you to focus on your main objective. Even better, the checks’ results are shared via explicit intents instead of API calls, thus simplifying their integration.
RASP is not a primary application feature, so its maintenance should be zero-touch.
Yet another build item to keep updated
Yikes, YABIKU (Yet Another Build Item to Keep Updated)! OK, that won’t catch on because the acronym is ungainly, but adding yet another integration item to your build environment is awkward as well. Irdeto has focused on developing an application security solution that doesn’t require any modification of your build environment. As a result, if you get asked to tack on application security ten weeks into the project, no problem.
No changes mean fewer problems.
No change to dev build time
We know that it’s tough to maintain a topline user experience and that features like or Flutter’s “hot reload” are essential to rapid prototyping. The last thing that a developer needs is for the security solution to increase the development compile time while doing rapid prototyping. As a result, Irdeto has adopted a security model that operates on the final package instead of being included in every developer build. Security is a secondary function of a mobile application, so it should not get in the way of enhancing an app’s UX.
Spinning multiple plates successfully
Being a mobile developer is hard. Between the multiple evolving platforms and the plethora of development frameworks and options available, it’s impossible to find the time and resources to adopt legacy application security solutions.
Making application security zero-touch removes a plate instead of forcing you to spin one more.