
Mobile App Shielding Market Intelligence

Edit by Hugues Thiebeauld • May 12, 2021

When it comes to creating a product, it is as important to identify the pain points you want to solve as to size their intensity: the number of people suffering from them.

In the life of a product, everything starts with a first use case: one of your customers knocks on your door and asks you for expertise. This is the beginning of a project.

Once the project is mature enough, as an entrepreneur you often wonder whether you could replicate it and make it a product you can sell to a market. One customer is a customer, two customers are a market. However, the worth of your investment in converting a single project into a scalable product will depend on the size of your market.

In the context of esChecker, thanks to a project with a payment scheme, we knew that we could create a solution to test the security countermeasures of mobile applications using app shielding technologies. But was it worth investing in converting that project into a product to test any mobile application using app shielding technology?

According to the Gartner report about App Shielding, it is a growing market (as usual with this kind of report), with a CAGR of 20%. That is nice, and better than nothing, but it does not give me any clue about the market size. What we wanted to know was: how many mobile apps use app shielding technology and so must be tested with an ad-hoc solution?

That is why we decided to launch our own naïve market intelligence study.

Our goal with this market study was to answer two questions:

  • How many mobile applications integrate security countermeasures, such as obfuscation or runtime application security controls such as rooting detection, anti-debugging, anti-hooking, …?
  • As we have a technology dedicated to HCE technology, how many mobile applications are designed to perform physical payment (i.e., integrate HCE technology)?

The Methodology

  • Brazil
  • Canada
  • France
  • Germany
  • Hong Kong
  • Indonesia
  • Italy
  • Mexico
  • Singapore
  • South Korea
  • Switzerland
  • Taiwan
  • UK
  • US

Second, we had to list the security tools we would look for. To do so, our team of experts wrote rules to identify the artefacts belonging to well-known security tools available in the market.

In a first iteration, they created rules to spot 34 security tools from different vendors:

  • appguard
  • appiron
  • appsuit
  • arxan
  • bitdefender
  • dexguard
  • dexprotector
  • easysol_dsb
  • gd
  • gemalto
  • ijiami
  • jiagu
  • jumio
  • kony
  • liapp
  • mobile_first
  • morpho
  • ollvm
  • onespan
  • promon
  • rootbeer
  • secneo
  • tencent
  • threatmetrix
  • trusteer
  • upx
  • verimatrix
  • vguard
  • visa
  • vkey
  • whitecryption
  • yidun

As an example, take Rootbeer ("A tasty root checker library"): to know whether an app uses Rootbeer, we simply check that the app contains: libtool-checker.so

For some other products, the rules were more complex. Of course, we are fully aware of the limited scope in time of such an empirical approach. If some artefacts are removed from the product they belong to, we will have false negatives. Conversely, if some artefacts are not uniquely correlated with one product, we will have false positives. Nevertheless, as a first approximation, we decided it was good enough for an estimation of the market size.
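An added example (not eShard's code) of the artefact-rule approach described above, together with the two failure modes it implies. Only the rootbeer rule comes from the article; the two `example_shield_*` tools, their file names and the sample APKs are constructed for illustration.

```python
import io
import zipfile
from collections import Counter
from pathlib import PurePosixPath

# Tool name -> native library file names that identify it. Only the rootbeer
# rule comes from the article; the two "example_*" tools and their file names
# are hypothetical, and deliberately share one artefact.
RULES = {
    "rootbeer": {"libtool-checker.so"},
    "example_shield_a": {"libexample-a.so", "libexample-common.so"},
    "example_shield_b": {"libexample-common.so"},
}

def native_libs(apk_bytes):
    """Base names of every lib/<abi>/*.so entry in an APK (a zip archive)."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        return {PurePosixPath(n).name for n in apk.namelist()
                if n.startswith("lib/") and n.endswith(".so")}

def detect_tools(apk_bytes, rules=RULES):
    """Sorted names of the tools with at least one artefact in the APK."""
    libs = native_libs(apk_bytes)
    return sorted(tool for tool, artefacts in rules.items() if artefacts & libs)

def shared_artefacts(rules=RULES):
    """Artefacts claimed by more than one rule: a source of false positives."""
    counts = Counter(a for artefacts in rules.values() for a in artefacts)
    return sorted(a for a, n in counts.items() if n > 1)

def build_apk(paths):
    """Build a constructed in-memory APK containing the given entry paths."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        for path in paths:
            apk.writestr(path, b"constructed sample")
    return buf.getvalue()

# Constructed samples: a hit, a renamed artefact (false negative), an
# ambiguous artefact (one tool present, two reported) and an unprotected app.
HIT = build_apk(["classes.dex", "lib/arm64-v8a/libtool-checker.so"])
RENAMED = build_apk(["classes.dex", "lib/arm64-v8a/libtc.so"])
AMBIGUOUS = build_apk(["classes.dex", "lib/armeabi-v7a/libexample-common.so"])
PLAIN = build_apk(["classes.dex", "res/layout/main.xml"])

if __name__ == "__main__":
    for label, apk in [("hit", HIT), ("renamed", RENAMED),
                       ("ambiguous", AMBIGUOUS), ("plain", PLAIN)]:
        print(label, detect_tools(apk))
    print("shared:", shared_artefacts())
```

Running `shared_artefacts()` over a rule set before a scan shows which rules cannot tell two products apart, so their hits can be counted separately.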

The Results

The first result we got was the number of applications using one of the protection tools from our sample list: out of the 1400+ apps we examined on the Google Play Store, at least 565 use one or more shielding products.

Figure 1: Percentage of applications using app shielding technology

The second result we got was related to the geographical discrepancies of the app shielding use:

Figure 2: Percentage of applications using app shielding technology per country

So, even if, as Gartner says, the CAGR of App Shielding is 20%, we now know that the use of App Shielding technologies is not the same everywhere. It is more interesting to focus on Korea or Switzerland than to prospect in the US or UK when you want to sell a testing solution to app shielding customers.

Finally, since esChecker's support of VISA NFC payment gives us a competitive advantage in testing mobile apps that use HCE technology, we decided to sort our data according to that criterion. We categorized the apps into those used for physical payment and those exclusively used for mobile operations. To know whether an app was meant to perform physical payment, we looked at the app manifest file and examined three sections of it: the permissions requested by the app, the features and the services declared:

<uses-permission android:name="android.permission.NFC"/>
<uses-feature android:name="android.hardware.nfc.hce" android:required="true"/>
<service android:enabled="true" android:exported="true" android:name="com.myapp"
         android:permission="android.permission.BIND_NFC_SERVICE">
    <intent-filter>
        <action android:name="android.nfc.cardemulation.action.HOST_APDU_SERVICE"/>
    </intent-filter>
    <meta-data android:name="android.nfc.cardemulation.host_apdu_service"
               android:resource="@xml/apduservice"/>
</service>
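An added example (not eShard's code) of the manifest check described above, run on two constructed manifests. It assumes the manifest has already been decoded from the APK's binary XML to text, and that an app counts as a payment app only when all three sections agree; the article does not state how the three signals were combined.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
NFC_PERMISSION = "android.permission.NFC"
HCE_FEATURE = "android.hardware.nfc.hce"
BIND_PERMISSION = "android.permission.BIND_NFC_SERVICE"
APDU_ACTION = "android.nfc.cardemulation.action.HOST_APDU_SERVICE"

def hce_evidence(manifest_xml):
    """Report which of the three manifest sections point to HCE payment."""
    root = ET.fromstring(manifest_xml)
    def names(tag):
        return {e.get(A + "name") for e in root.iter(tag)}
    apdu_service = any(
        svc.get(A + "permission") == BIND_PERMISSION
        and any(act.get(A + "name") == APDU_ACTION
                for act in svc.iterfind("intent-filter/action"))
        for svc in root.iter("service"))
    return {"permission": NFC_PERMISSION in names("uses-permission"),
            "feature": HCE_FEATURE in names("uses-feature"),
            "service": apdu_service}

def classify(manifest_xml):
    """Assumption: 'payment' only when all three sections agree."""
    return "payment" if all(hce_evidence(manifest_xml).values()) else "banking"

NS = 'xmlns:android="http://schemas.android.com/apk/res/android"'
# Constructed manifest built from the three fragments quoted in the article.
PAYMENT_APP = f"""<manifest {NS} package="com.example.pay">
  <uses-permission android:name="android.permission.NFC"/>
  <uses-feature android:name="android.hardware.nfc.hce" android:required="true"/>
  <application>
    <service android:name="com.myapp" android:exported="true"
             android:permission="android.permission.BIND_NFC_SERVICE">
      <intent-filter>
        <action android:name="android.nfc.cardemulation.action.HOST_APDU_SERVICE"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""
# Constructed manifest: NFC permission only (e.g. card reading), no HCE service.
BANKING_APP = f"""<manifest {NS} package="com.example.bank">
  <uses-permission android:name="android.permission.NFC"/>
  <application><service android:name="com.example.bank.Sync"/></application>
</manifest>"""

if __name__ == "__main__":
    for label, xml in (("payment sample", PAYMENT_APP), ("banking sample", BANKING_APP)):
        print(label, classify(xml), hce_evidence(xml))
```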

Based on this categorization we got the following results:

Figure 3: Repartition of Mobile Banking vs Payment Apps in Google Play Store Finance Category for 14 countries

Figure 4: Number of HCE Payment Apps in each of the 14 considered countries

When we consider the HCE payment market, we see that the number of applications is significantly lower.

Conclusion

With very few resources but strong expertise, we were able to collect facts about the deployment status of app shielding technologies in the field. These facts will be monitored closely and our methodology improved as we move forward, but with a deeper knowledge of the market it is now easy to set up an efficient mobile application shielding testing strategy. Thanks to this market intelligence, we can now prioritize the testing of the app shielding vendors with the highest market share, for a maximum benefit to eShard's customers.
