Has anyone tried or used mobile security solutions...
# android
v
Has anyone tried or used mobile security solutions for your apps? I have shortlisted two of them that piqued my interest, and they are Guardsquare (guardsquare.com) and Zimperium (zimperium.com). It would be helpful if someone could let me know if you have had experience with these products, as I'd like to improve my app security.
u
What type and level of security do you need?
You can simply use some algorithms like Bouncy Castle or Spongy Castle or AES to encrypt your data.
v
Code hardening, runtime application self-protection from live attacks, real-time threat monitoring.
u
The app is just a frontend. You may focus on securing the REST APIs.
v
That is a small piece of the security puzzle, especially when it comes to financial apps.
SSL pinning and encrypting data can also be manipulated on rooted devices... that is why the products from the above solutions are widely used...
u
If the device is rooted, then you can make a check, as most apps do, and not run the app on a rooted device.
v
No, we are looking into both solutions for our financial apps and looking at experiences from others.
u
If you check popular banking apps like SBI and ICICI, they are simply working on WebView. Not all of their features are native.
v
I think we are digressing from my question... we have different requirements and we are well established in the UK...
u
The main problem in using any third-party security solution is that you have to allow them to access all the data.
I am just trying to make you aware of the pros and cons.
v
Thanks.
j
@Umar Ata usually you wouldn't use web apps if you want things secure; embedding web apps is a way to cut corners and costs. "It's just frontend" is not really a valid argument here. Security comes from many layers, and securing the frontend is one of those. Using proper third-party security solutions will NOT allow 3rd parties to access all data. How do you imagine this? They usually provide libraries that run offline and will not have access to the final product or its data, as the tools do not include communication and such things (except if they put in a backdoor, but you should not assume that 🙂).

• Do not store sensitive data if not needed
• Store key material in hardware key stores
• Do not ever think there is a library that can protect you from rooted phones; it is a cat and mouse game.
• Obscure the code
• Encrypt valuable strings and resources
• Use cert pinning and 2-way SSL
• Remove logging

I have experience with DexGuard on a payment application (from Guardsquare) and I had an introduction with Arxan protecting native code, now known as Digital.ai; I think nowadays they also provide protection for Java code (if I can believe the marketing emails they are still sending 😄). From DexGuard I can say it did all the things we wanted: it provided some root protection, it obscured/hardened the code pretty well, you can encrypt credentials (like the certificates you use for pinning) and, I think the best part, it is very configurable, a lot like ProGuard (same vendor 🙂).
u
Suppose you install antivirus software on your computer and now you scan your drive; for the scan it obviously needs read access, so how can you think that it can't read your data? @Joost Klitsie
j
@Umar Ata then you should really check out these security libraries before you make assumptions.
DexGuard, for example, is a command-line tool; it runs when building an application.
it does not create a network connection when you start up the app
most of the things it does is only during build time
u
I am not making any assumptions here. I have experience in both native and third-party security solutions. I can only be sure of them not reading my data when they provide their source code.
j
things like root detection are included as a library
well that is a matter of trust
but to compare to antivirus is a very bad comparison
antivirus updates itself
it scans a running system
sometimes it sends out files to scan serverside
depending on which one
if you just assume Guardsquare doesn't want to lose all their customers by adding some undocumented backdoor, your data is MORE secure with DexGuard than without it
u
I think you are from the same team and marketing your product here.
Anyway, it is totally not related to Kotlin.
v
Thanks Joost, I have shortlisted Digital.ai as well... my priority at the moment is Guardsquare, ever since they acquired Appray...
u
And not good for the channel's purpose.
v
@Joost Klitsie, does DexGuard have screenshot capture detection, and do you know how iXGuard works on iOS? Surely the channel is for Android, but I ask out of curiosity.
j
So why did you answer in the first place if it is so off-topic? Your comment was my main motivation to answer this question. And no, I do not work for Guardsquare; if you read my comment you can see that I used it on a project and shared my experience. I cannot tell about other experiences because they are limited, but Arxan looked interesting.
@Vyshas I have no experience on iOS sadly, so I cannot tell you
v
Cool... does DexGuard support root detection?
j
yes
you can see their features here: https://www.guardsquare.com/en/products/dexguard
v
Thanks.