Protecting Mobile Apps from the Inside

on 10 Nov 2017

The late great Edsger Dijkstra once wrote the following: “If ten years from now, when you are doing something quick and dirty, you suddenly realize that I am looking over your shoulders and say to yourself ‘Dijkstra would not have liked this,’ well, that would be enough immortality for me.” This is a wonderful reminder to all computer scientists that developing software should be focused on creating elegant, correct solutions to problems. It should be our daily mantra.

But let’s face it: Most programmers (which today is largely synonymous with mobile app developers) have never heard of Dijkstra, and are caught in the DevOps nightmare of literally sprinting through the coding to keep product managers happy. And yes, I know that all the whining in the world from me will change nothing, so we must be practical. This implies that if we cannot have code that meets all our requirements, then we must compensate.

To that end, I spent a lovely afternoon last week chatting with two interesting technologists: John Aisien and Kevin Fox, from a cyber security company called Blue Cedar. Both John and Kevin were previously executives at Mocana, and their new company derives some of its technology heritage and focus on mobile security from that shared experience. Brian Nugent from Sway Ventures suggested the meeting – and I am glad he did. Here is what I learned:

First, we connected on a common protection theme that I’ve been writing about frequently lately – namely, that security is best accomplished from the inside-out, rather than from the outside-in. Since Blue Cedar develops solutions for mobile apps, this implies that their product is injected into the app code. “What we do is automatically inject code into your binaries,” John explained, “which allows us to enforce a variety of software security policies.”

The Blue Cedar concept is built on the correct observation that most mobile apps will not include the security functionality that a typical enterprise will desire. Examples include strong authentication, advanced encryption, access policy controls, and support for per-app VPN micro-tunnels to on-premises or cloud resources. The Blue Cedar team is focused on helping enterprise users compensate for this omission without great time or expense.

John explained some of the design considerations that drove the Blue Cedar product: “Our primary goal was to create an injected software security solution without asking our customers to embed agents, rely on containers, write new code, or restrict their enterprise base to a specific device.” The team’s emphasis on mobile apps, I learned, stems from their observation that this area is where most enterprise cyber risk resides today.

Their mobile app security solution is adopted by enterprises in three phases: The first phase involves injection, where C and C++ code is automatically inserted into unsigned app binaries. The second phase involves enforcement, which allows for policy-based protections such as authorization, authentication, and access control. The third phase involves connection, which recognizes that most mobile apps require secure tunneled access to on-premises or cloud resources.

At times during our conversation, I felt my mind wandering back to the late Dijkstra looking over our shoulders, wondering if he would approve. My honest view is that he probably would not approve of all this – but I doubt that his beef would be with Blue Cedar. Instead, he would complain about the poorly planned apps and supporting ecosystems that pervade our industry in enterprise, government, and consumer environments.

But as I suggested above: We must be practical, because such security augmentation is currently necessary, and the Blue Cedar process is a low-impedance, minimal-risk approach to injecting functional security to deal with the mobile deficiency. Maybe someday, mobile apps will not need such injected assistance, but that seems a long, long way off. Until then, we have solutions like the one from Blue Cedar.

So, if your business develops or uses mobile apps, then perhaps you might give John and Kevin a call, and ask them to tell you about their creative security solution. And if you have some additional time, I recommend that you get yourself addicted to the Edsger Dijkstra EWD Series (perhaps the first technology blog ever), archived for your enlightenment and enjoyment at http://www.cs.utexas.edu/users/EWD/.

Let me know what you learn.