As advanced as they have become from a purely technological point of view, smartphones still represent a step backwards from desktops in terms of security. Mobile apps and software are still largely vulnerable to attacks, and current software protections are often limited. The ASPIRE project has developed a turnkey solution for software vendors and developers to overcome these problems.

Digital Economy

Mobile security statistics show little improvement since the first smartphone reached the market. According to Arxan, a market leader in mobile software protection, 90% of apps contain critical security vulnerabilities and 46% of app-making companies expect their products to be hacked within six months. And while protections are available on the market, they do not offer adequate protection, are expensive or difficult to use. ‘It is almost impossible for developers to determine the value they get for their money, or to assess the benefits and risks of investing in protection’, Bjorn De Sutter says, coordinator of ASPIRE and Professor at the University of Ghent’s Computer Systems Lab. Knowing that most organisations have limited budget to invest in the security of their apps, the market seems to be caught in a vicious circle. This is where ASPIRE technology comes into play: ‘We tried to push the state of the art by presenting concrete improvements,’ Prof De Sutter explains. ‘For example, we have developed anti-debugging techniques that are really hard to circumvent. We pushed the boundary of combining a lot of protections, covering a wide range of features and challenges (such as source-level and binary level deployment) while still meeting industrial requirements like co-operation with standard code compilers in which code generation cannot be controlled.’ The consortium managed to demonstrate the feasibility of these academic solutions on complex, real-world use cases, and developed a decision support system with an in-built evaluation methodology for underlying software protection strength. ‘It is first of its kind, as far as we know, to assist users in selecting good combinations of protections in light of their software, assets, and security requirements,’ Prof De Sutter says. Combining strengths One of ASPIRE’s main strengths is the combination of various protection techniques. The point is of course to make hackers’ job more difficult, but also to account for the requirements of the multiple assets included in a single app. Last but not least, this approach enables the system to protect even the protection techniques themselves. As Prof De Sutter points, such combination of forces makes possible attacks so time-and effort-consuming that they are no longer seen as worthwhile. Technically speaking, ASPIRE combines five lines of defence: data value hiding, code obfuscation, anti-tempering techniques, remote attestation, and renewability techniques. ‘Renewable techniques allow us to distribute different versions of the same program and to update programs frequently, so that successful attack paths, once they are identified by attackers, can only be exploited on a limited number of software instances and during a limited window of opportunity,’ Prof. De Sutter explains. The goal is to reduce the potential for an attack to become profitable, in the hope that the attackers will give up on attacking altogether. To verify the reliability of their system, Prof. De Sutter and his team have opened a public challenge where hackers are provided with seven programs to defeat. Successful attackers are provided with a reward if they share their attack method with the consortium. Looking ahead The use cases run over its course have brought valuable knowledge that the consortium intends to exploit in the near future. There were some positive outcomes, notably the fact that the ASPIRE system can effectively be deployed on complex libraries embedded in Android apps, and the consortium also identified room for improvement in the effectiveness of some protections. Most code generated under the project will be made publicly available after the project ends in October 2016, so that researchers can deploy, research and extend existing protections. ‘The industrial partners of ASPIRE are working on their exploitation plans, as for my group it will continue to build on these tools both for internal research purposes and for collaboration with industry,’ Prof De Sutter concludes.

Keywords

ASPIRE, smartphone, mobile security, mobile apps, cyber security