
Gamania CloudForce pushes appGuard to help the insurance industry keep Apps safe

Event Updates | 2018/05/31

According to statistics, the number of Apps downloaded globally reached 175 billion in 2017. Consumers spend an average of almost 3 hours a day using Apps, which shows how tightly Apps are connected with people’s lives; they have penetrated many areas, including shopping, multimedia, games, communities, and financial management. As the fingertip economy flourishes, hackers have been attacking Apps more and more frequently, and Apps that involve personal information and financial benefits are their top priority.

In light of this, the Financial Supervisory Commission has demanded that banks perform comprehensive security tests on their Apps; the insurance industry might also be regulated next year (2019). Take life insurance as an example: not only should insurers follow Article 9 of the “Self-discipline norms for information security protection in life insurance industries” (Note 1) set by The Life Insurance Association of the Republic of China, they must also create mobile App information security control mechanisms according to the mobile App operating principles provided by the life insurance industry. Besides enhancing the security of their mobile Apps, they must also submit the Apps to certification laboratories for testing according to the “Mobile Application Basic Security Independent Testing Promotion System” announced by the Industrial Development Bureau, Ministry of Economic Affairs.

This shows that Apps do indeed carry huge information security risks; any vertical that provides App services, whether gaming, payment, e-commerce, government, banking, or insurance, should strengthen its App protections. App security protection services such as appGuard from Gamania CloudForce can immediately help business owners reinforce the information security weaknesses of their Apps as soon as possible.

As App functions increase daily, information security risks increase accordingly

Eric Lien, information security consultant in Gamania CloudForce’s appGuard operations department, indicated that most insurance Apps at the current stage only provide query functions, and since companies are trying to accelerate their launch schedules, they do not pay much attention to information security during development. Looking to the future, as more value-added services such as online insurance application and tariff calculation are created, companies that do not correct their past practices might put their App users at severe risk of having personal information leaked.

Eric Lien even thinks that companies should not only try to meet specifications at the program level, but should consider all aspects of program development comprehensively. For example, Android is an open architecture; anyone who downloads an Android App has the chance to learn its program architecture through decompiling, and then to repackage and counterfeit it to trick the unsuspecting public into using it. Companies that only care about complying with the regulations have not necessarily considered the requirements for preventing reverse engineering.

Gamania CloudForce’s customer manager Ryan Lee summarized that, generally speaking, if an App’s information security is insufficient, so that the App is cracked and counterfeit Apps enter the market, the best scenario is that hackers take a share of the users’ traffic and advertising revenues, and the worst scenario is that users’ personal information is stolen, leaked or tampered with, damaging the company’s business reputation. There are always companies that take this lightly: they think that because their Apps only have verification functions and networking behaviors, and do not include transaction functions or process customers’ personal information, the risks they face are not big. What they don’t know is that hackers can use these Apps to learn how the program code was written and which libraries were used, and even steal certifications and then use the App to take over back-end servers and cause severe disasters, so they must be careful.

Gamania CloudForce’s appGuard is an information security protection service for Apps. Its functions include preventing reverse engineering, encrypting program code, rendering debugger tools ineffective and performing integrity checks, in order to continually ensure the security strength of Apps and effectively prevent Apps from being cracked, having source code stolen or having personal information leaked. Eric Lien stressed that appGuard has several major advantages; not only does it have extremely high levels of security that can prevent hacker attacks effectively, its greatest advantage is that it “does not require modifying the source code.” Once an insurance company provides the APK (Android Application Package), Gamania CloudForce can tailor the most suitable protection strategy for it regardless of the development architecture used behind it.

No program code changes, App protection enabled within 30 minutes

He further explained that most peers adopt the SDK method and place protection components in the source code; this means that companies must provide their source code to third parties, which raises concerns about leaking intellectual property. Also, because the source code is changed, compatibility issues with the App’s functions may result. Ryan Lee added that placing protection components in the source code is usually done in stages and cannot be done all at once; it usually takes over 3 months. Once there is an operational error in any of the stages, the schedule might be delayed by repeated corrections; therefore, it relies heavily on architects with experience and skills.

In addition, the SDKs of peers protect Apps through a protection mechanism in the Java layer, but to hackers, mixing the protection mechanism of the Java layer with the program code can only delay the cracking time; hackers can use reverse engineering to decompile the program code easily. Once hackers understand the logic of the protection mechanisms, for example the mechanism to detect root and the mechanism for credential verification, they can modify them using reverse engineering and successfully crack and tamper with the package, or bypass the protection mechanisms to perform malicious attacks. Therefore, appGuard uses functions such as prevention of reverse engineering and program code encryption to prevent hackers from decompiling the source code, renders debugger tools ineffective, and has integrity check functions to prevent hackers from attacking Apps with dynamic injection or even cracking and tampering with the package. These functions ensure that Apps can be fully protected.

As for the compatibility issues that many companies are concerned about, Gamania CloudForce has also put in a lot of effort; not only are there self-created compatibility tests, hundreds of Android phones of different brands were also prepared to provide the most rigorous and comprehensive testing service.

Eric Lien then stated that when insurance companies are interested in activating the appGuard service, the professional team of Gamania CloudForce always holds pre-interviews with them, analyzes the APK they provide to learn which tools were used to develop the App, and then uses this information to formulate protection strategies and perform compatibility tests. If any incompatibility is discovered during the process, the protection strategy is adjusted until it has passed all tests on over one hundred different phones. Under most circumstances, the preparation described above takes 3 to 5 days; but in special situations, for example when the customer does not want to use the cloud service mode but wants the protection mechanisms to be created in their own environment (to prevent the APK from being leaked), the preparation will take longer, but no more than 20 days.

After the preparations are completed, Gamania CloudForce officially delivers the account so that the company can log in to the appGuard website with it and perform processes including uploading the APK file, downloading the protected APK file and signing the APK file. The securely protected App can be officially launched on open software markets (such as Google Play) within just 30 minutes.

It is worth mentioning that Gamania CloudForce focuses on complete deployment of App security services, and has also created its own related testing system with 37 test items. The test items were established by referring to the OWASP Mobile Top 10 Risks and part of the standard definitions adopted from the “Mobile Application Basic Security Independent Testing Promotion System” of the Industrial Development Bureau, and focus on finding problems with the information security architecture of the App. The purpose of establishing the testing system is not to replace existing laboratory mechanisms, but to provide professional consultancy and help users uncover potential information security issues in the APK’s environment, with analysis reports so that developers can correct the problems on their own. If complicated platform-based difficulties occur, such as the App being decompiled easily, they can then consider using appGuard to solve the problem.