Application Protection for Web Solution Brief


Solution Brief | Application Protection for Web

Application Protection for Web (formerly Arxan)

Developers want to build web apps that have fast, seamless user experiences and can be easily maintained. One of the most effective ways to achieve that goal is to use JavaScript, HTML5, and APIs. Whether the project is a single-page app that relies heavily on APIs, a progressive web app, or simply one that improves performance by pushing validation to the client, modern app development is focused on efficiently improving performance and user experience. However, along with all the benefits these tools bring to web app development, they also open up a new set of security issues.

The web security problem

Web apps depend on JavaScript or HTML5 for simplicity of design and for delivering great user experiences. But these are interpreted languages, not compiled ones, which means that unless additional steps are taken to secure them, code can be easily intercepted, viewed, and compromised through formjacking, DOM tampering, session abuse, overlay attacks, API abuse, and more. Web apps and APIs are vulnerable to static app analysis (reading app code that is in the clear) and dynamic app analysis (using a debugger to understand how the code operates). Once the code that interfaces with APIs is understood, it can be abused to probe for vulnerabilities and reach back-office systems.

To secure their entire IT ecosystem, organizations also need to protect client-side web apps and APIs so that they do not become an attack vector. From a security standpoint, all code residing in a client browser should be considered to be running in a zero-trust environment, and security measures should be taken to protect sensitive data and infrastructure access points. For example, data access methods that use APIs, such as payment forms or credential verifications, are exposed when applications are reverse engineered.
These attacks can expose customer data, intercept and alter communications, and ultimately lead to the exfiltration of sensitive data. Other forms of attack can also be built from knowledge of how web apps interact with back-office systems. Most notable are targeted malicious code attacks, such as Man-in-the-Browser (MitB) malware designed to steal credentials. Understanding where inputs occur and where they are verified can give attackers everything they need to design malware that steals a user's credentials and accesses their accounts.

In today's zero-trust world, the need to protect customer, business, and IP data is greater than ever. Securing applications and APIs against data exfiltration is key to preventing brand damage, financial loss, intellectual property theft, game cheating, replay attacks, government penalties, and more.

[Figure: disassembly listing of an Objective-C method (-[LockScreenViewController confirmPinBtn…]), illustrating app code exposed by reverse engineering]
