Protecting iOS and Android applications in a fully automated way
In this Help Net Security podcast recorded at Black Hat USA 2019, Dave Belt, Technology Evangelist at Irdeto, and Jaco du Plooy, VP Cloakware at Irdeto, discuss the current threat landscape, software security trends, and the importance of protecting iOS and Android applications.
Here’s a transcript of the podcast for your convenience.
Dave Belt: Good afternoon, my name is Dave Belt, I’m a technologist in the office of the CTO with Irdeto. And I’m here with my colleague Jaco.
Jaco du Plooy: Good afternoon, my name is Jaco Du Plooy, I manage the IoT security market unit for Irdeto.
Dave Belt: Today we’re going to talk about software security in particular and more generally about trends around security. Right now, we’re seeing everything converging with regards to digital connectivity in particular, connected industries, connected health and the like.
Ultimately this is just upping the ante with regards to hackers. This is giving them more and more attack points. Ultimately what we’re doing is getting to a point where we’re having hard time keeping up with this as technologies. So, in order to deal with this moving forward, we’re focusing on this from a number of different standpoints. One is software lifecycle, in particular. In the development lifecycle, we’ve traditionally sort of tacked security onto the end of the development process.
It seems like security is becoming part of the process where, as we do the development, as we do the integration, we’re essentially validating for security concerns and we’re then taking it outside into the real world. You know exactly what’s happening with these technologies out in the field, and can we continue to collect data on them, and the like. Ultimately, we have the software lifecycle that we’re now beefing up and also, we have new technologies that are coming to the table.
The big thing that I think is the big trend right now is Big Data, of course has been coming on the scene for some time. We’re now instrumenting everything. Any time that you have a device, you have an app, or anything of the like, collect as much information as you can, and then figure out what to do with it later on a certain level. In order to do something with that data, we’re now using more enhanced algorithms, we have data process or data analysis tools, image processing, signal processing and the like that we’re using.
The big thing, of course right now, is machine learning. Machine learning has now become mainstream. We’re using it for more or less everything in kind of every industry. The big places where machine learning really seems to stand out is in identifying patterns. Essentially saying “this matches, this does not match”.
I think that this technology is becoming a distinct trend in the security space with regards to identifying where the hackers are trying to come in and the like, where can we find anomalies with device behavior and the like.
In our space we’ve been doing something very interesting. As I mentioned previously, we’re involved with software protection, and our software protection technologies right now are focused on “you need to apply this to particular areas of code”. You don’t want to blanket a piece of code with software protection because it ultimately is going to affect your performance adversely, but ultimately if we can make that simpler from the perspective of how do we actually apply that software protection and can we use machine learning technologies to identify, one, where are those vulnerabilities, where are the significant places that need to be hardened. Then secondly, can we actually do intelligent analysis with regards to how it’s going to affect the performance of that. Based on those two aspects, can we come up with an optimal protection mechanism for your software as a whole?
In our own space we’ve been using this with our software transcode technology called Cloakware and now we’ve actually come out with a new product called Trusted Software. Here we have Jaco to talk about this technology.
Jaco du Plooy: Thanks Dave. As Dave said, the difference for us has been the machine learning. For over 20 years now, the Cloakware part of the data technology has been predicting high value content, high value applications, high value binaries for customers, but it’s always been sold as a tool where a developer has to actually go into his code, annotate his code or her code, and then apply our protections on the code.
But what the machine learning has enabled us to do now is to automate this whole service. Instead of a developer having to annotate code, all they basically do, whether it’s an iOS app or an Android app, they just submit the APK for Android, or their package for iOS to our service, and we take that, we break it up into the components we need to, go down to an intermediate layer of representation of the code, and then we apply our old trusted technologies, the transcoder, binary protections etc., repackage it and send it back to the developer. It’s a zero-touch and handsfree solution for application developers.
And again, the machine learning part of it is super important to us because now we can identify, as Dave said, what areas of the code are critical algorithms, or secure pieces of data that needs to be protected. We can identify that through our machine learning algorithms and only protect the pieces of code in the applications that need to be predicted, and in that way provide back a solution that, from a performance perspective, still meets the requirements from the customer.
The zero-touch service is a big deal as well. There’s a huge skills shortage in cybersecurity coming up, and what we hope to achieve with the service is to address part of that skills shortage. We don’t need a company to go and hire cybersecurity specialists. They want to protect their apps. There is a service that makes it easy for them, and they get the same premium level protection that they would have always received if they purchased the tool from us to do it themselves, but then without that skill set, hiring cost and training on their board. If you want more information about the service that we’ve just launched, please visit our website www.irdeto.com.