Last week I had a conversation with Dan Stickel, CEO of Metaforic. Metaforic is the creator of an “app immune system” product that’s designed to keep apps safe from attacks, regardless of the state of the environment in which they’re running. Today Metaforic is announcing that their immune system is now available for BlackBerry 10, in addition to the existing iOS and Android versions. Metaforic app immune systems could advance the mobile app management (MAM) field considerably. Here’s how:
Where the discussion is today
In the security space at large, most people are concerned with trying to maintain computing environments that are as clean and as sterile as possible. Discussions revolve around things like firewalls, code signing, and application whitelisting. But since any environment is subject to contamination, the Metaforic approach is to create applications that don’t rely on their environment for security and can instead defend themselves against real-time attacks. This is especially important for publicly available apps that run on potentially compromised systems, but even well-kept environments could benefit from this extra layer of protection.
In the mobile space, application security has been focused on either securing devices or securing apps through authentication, remote kill switches, encryption, and VPNs. Metaforic adds a whole new layer to the equation by protecting against threats that most MAM products don’t address.
Metaforic’s immune system is available for a wide variety of server, desktop, and mobile operating systems, and works by inserting thousands or tens of thousands of “antibodies” into applications. The antibodies are small pieces of code that detect attacks in various ways, including through anti-debuggers, breakpoints, and cryptographic hashes of short sections of the host app’s code, which are used to detect changes. These are all well-established software protection techniques, but injecting so many of them into a single app makes real-time attacks extremely difficult. The antibodies can even monitor each other, and an attack can trigger a warning to a user or admin to shut down an app entirely. The system has two advantages: it doesn’t need network access to work, and it doesn’t rely on malware databases.
For mobile apps, Metaforic is integrated via a desktop toolkit. The toolkit performs dynamic and static analysis, then injects code before apps are compiled. Metaforic claims that there’s very little performance and storage overhead for treated apps.
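The hash-checking and mutual-monitoring idea described above can be sketched as follows. This is an added example, not Metaforic's code; the image layout, the guard chain, and all function names are assumptions made for illustration.

```python
import hashlib

SLOT = 32  # bytes per stored SHA-256 digest

def regions(i, code_len, span):
    """Ranges guard i hashes: its short code section plus guard i-1's stored digest."""
    out = [(i * span, min((i + 1) * span, code_len))]
    if i > 0:
        prev = code_len + (i - 1) * SLOT
        out.append((prev, prev + SLOT))
    return out

def measure(image, i, code_len, span):
    """Hash everything guard i is responsible for."""
    h = hashlib.sha256()
    for start, end in regions(i, code_len, span):
        h.update(bytes(image[start:end]))
    return h.digest()

def seal(image, i, code_len, span):
    """Store guard i's current measurement in its slot."""
    off = code_len + i * SLOT
    image[off:off + SLOT] = measure(image, i, code_len, span)

def protect(code, span):
    """Return code followed by one digest slot per guard (layout is an assumption)."""
    n = -(-len(code) // span)  # ceiling division
    image = bytearray(code) + bytearray(n * SLOT)
    for i in range(n):  # ascending, so slot i-1 is final before guard i hashes it
        seal(image, i, len(code), span)
    return image

def failing_guards(image, code_len, span):
    """Indices of guards whose stored digest no longer matches what they measure."""
    n = (len(image) - code_len) // SLOT
    return [i for i in range(n)
            if measure(image, i, code_len, span)
            != bytes(image[code_len + i * SLOT:code_len + (i + 1) * SLOT])]

if __name__ == "__main__":
    code = bytes(range(256)) * 2           # constructed 512-byte stand-in for app code
    image = protect(code, 64)
    print(failing_guards(image, 512, 64))  # untouched image
    image[70] ^= 0xFF                      # modify one byte in section 1
    print(failing_guards(image, 512, 64))
    seal(image, 1, 512, 64)                # also rewrite guard 1's stored digest
    print(failing_guards(image, 512, 64))  # guard 2 covers that slot
    # The last guard's slot is covered by no other guard in this chain; denser,
    # overlapping coverage is what closes that gap.
```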
What this could be
With the debate about whether or not to manage BYOD mobile devices still raging, there’s an obvious place for self-defending apps. But also consider that all mobile devices face threats unless they’re locked down to unusable levels; not many users would consider allowing their company to turn off access to app stores, so any corporate apps on those devices are vulnerable. Metaforic would help in these situations. The other major use case is for public-facing apps, like banking apps.
An immune system certainly doesn’t replace the tools that come with mobile app management products, and can be used alongside them without any conflicts. But what would be great is if MAM vendors could license this technology to include in their SDKs and app wrapping tools. This is definitely something to keep an eye on.