What is Runtime Application Self-Protection (RASP)?

Runtime Application Self-Protection (RASP) is a security technology that is designed to protect applications from attacks while the application is running. It works by embedding a security mechanism directly into the application, which allows it to monitor the application's behavior and detect and prevent malicious activities in real-time.

Unlike traditional security measures, which focus on securing the infrastructure and perimeter, RASP provides an additional layer of protection by focusing on protecting the application itself. This makes it particularly effective against attacks that exploit vulnerabilities in the application code or runtime environment.

RASP Implementation

Mobile RASP is typically implemented using a Software Development Kit (SDK) that is integrated into the mobile application. The SDK can monitor the application's behavior and detect potential security threats in real-time, with minimal changes to the application's code.

Here are the general steps involved in implementing mobile RASP:

  • Integration: The RASP SDK is integrated into the mobile application's codebase. This is typically done by adding the SDK as a dependency and configuring it with the necessary settings.
  • Monitoring: Once the SDK is integrated, it can monitor the application's behavior at runtime, including network traffic and system events.
  • Detection: The RASP SDK uses a variety of techniques to detect potential security threats, including behavioral analysis, signature-based detection, and machine learning. When a threat is detected, the SDK can take action to mitigate it, such as blocking the request or alerting the user.
  • Response: Depending on the nature of the threat, the RASP SDK can respond in different ways. For example, it might block a malicious request, display a warning message to the user, or log the event for further analysis.
  • Updates: The RASP SDK is updated regularly to stay up-to-date with the latest threats and vulnerabilities. These updates are typically delivered through the SDK provider's update mechanism and can be integrated into the mobile application with minimal effort.

RASP Use Cases

There are several use cases for RASP, including the following:

  • Mobile App Security: RASP can help protect mobile apps by detecting and blocking malicious behavior such as tampering, reverse-engineering, and repackaging, which can be used to steal sensitive information or modify the app's behavior. RASP solutions may also detect and prevent the use of debugging tools and emulators.
  • Compliance: RASP can help organizations comply with regulations such as PCI DSS and HIPAA by detecting and preventing security breaches that could result in data loss or theft.
  • DevSecOps: RASP can be used to integrate security into the development process, allowing security teams to monitor and protect applications as they are developed and deployed. Some RASP solutions can provide live metrics showing app activity and the associated threats.
  • Cloud Security: RASP can help protect cloud-based applications by detecting and blocking attacks that originate from outside the organization's network.
  • Web App Security: RASP integrated into the backend can help protect applications against a wide range of attacks such as injection attacks, cross-site scripting (XSS), and cross-site request forgery (CSRF) by detecting and blocking malicious requests in real-time.

Overall, RASP provides a flexible and powerful security solution that can help organizations protect their applications from a wide range of threats and comply with regulatory requirements while minimizing the impact on application performance.

There are many different RASP solutions available on the market today, and each one is designed to detect and react to different types of threats in different ways. When evaluating potential RASP solutions, it's important to consider factors such as the types of threats that the solution is designed to protect against, the accuracy and effectiveness of the detection and reaction mechanisms, and the impact on application performance.

Approov Runtime Application Self-Protection provides the key features described above: it blocks botnets, malicious scripts, and tampered and fake apps, and helps to protect against Man-in-the-Middle attacks. Approov's dynamic pinning removes the risk associated with traditional static pinning in the app, and allows app developers to better secure communication between their cloud servers and legitimate instances of their app.

Approov diagram showing both traditional RASP and Approov for RASP

Approov for RASP

Integration: Approov Runtime Application Self-Protection (RASP) requires some code changes to be implemented in the app's communication code. These changes involve integrating the Approov SDK into the app and configuring it to use the necessary APIs to protect the communication channel. Approov provides quickstart guides to make the integration process as easy as possible. These guides provide step-by-step instructions on how to add the Approov SDK to your app and configure it to work with your backend services.

Monitoring: Once the Approov SDK is integrated into your mobile application, it can monitor the application's behavior at runtime, including network traffic, user interactions, and system events. This allows the SDK to detect and respond to security threats in real-time, providing effective protection against a wide range of attacks. In addition to real-time monitoring and detection, the Approov platform also provides detailed metrics and analytics on the activity it detects across your deployed app install base. These metrics can include information on the types of threats that have been detected, as well as whether each attestation passed or failed.

Detection: Approov collects monitoring and detection results from the mobile app and sends them to the Approov cloud service for analysis. The cloud service uses a configurable security policy to make a decision about whether to allow or block traffic from the app. The security policy can be customized to include rules that are specific to your app and your organization's security requirements. For example, you can configure rules to block traffic from rooted devices, or to permit traffic from these devices but block traffic that is performing more malicious activities. By configuring these rules, you can ensure that your app's communication channels are protected against a wide range of threats, including malware, phishing, and other types of attacks.

Response: The Approov response always comes from the Approov cloud service and includes a signed cryptographic token. Results are normally hidden from the app and only exposed to the app's cloud service, which can then decide how to respond to failed attestations. In addition, the Approov cloud service can be configured to provide access to extra state on a successful attestation, such as API keys or other app secrets. Secrets provided in this way are never stored at rest on the device, and thus this approach completely removes them from the app installation package.

Updates: The Approov SDK is updated regularly; however, in some cases over-the-air (OTA) updates may be sufficient to dynamically adjust to new threats and ensure that existing deployed apps are protected. OTA security updates are managed by the Approov threats reaction team, which updates the analysis and detections performed on mobile devices without requiring users to manually download and install new versions of the app. By using OTA updates, you can ensure that your mobile apps are always protected with the signatures and analysis for the latest threat vectors, without requiring users to take any additional action.

If you’d like to find out more about runtime security please contact us today to speak to one of our mobile API security experts.


Shona Hossell