Metaforic Extends Security Protection System to BlackBerry 10 Applications

Software security firm Metaforic on Tuesday announced added support for applications running on BlackBerry 10 to its software protection portfolio.

San Jose, California-based Metaforic's technology would allow developers to automatically inject the company's "software immune system" protection into the BlackBerry OS applications to create secure, self-defending software, Metaforic said Jan. 15. The immune system ensures the app can defend itself from targeted malware, repackaging, code tampering, or other attacks and unauthorized modifications.

Metaforic approaches software security differently from other companies. Instead of looking at it from an IT perspective, where the goal is to try to keep attackers out of the network and applications, Metaforic focuses on making software strong enough to withstand attacks, Metaforic CEO Dan Stickel told SecurityWeek. Software is generally used in a "hostile environment," with a myriad of threats such as worms and malware, and almost never is run on a "pristine" operating system, Stickel noted.

"The reality is, we don't live in a software Eden anymore," Stickel said.

Recall what happened in early 2011 when attackers breached Nasdaq's Directors Desk application, which was used to discuss stock information and company financial data. While the seriousness of the attack was initially downplayed, Nasdaq later admitted the attackers had modified the application and had eavesdropped on financial conversations.

"Nasdaq said, 'Oops. The software was modified that we didn't know about,'" Stickel said.

Software applications needed to learn from the world of biology and inherently defend against malware and hackers trying to modify the code to do something it wasn't designed to do, Stickel said. The immune system technology ensures code integrity.

Developers using Metaforic's software protection technology can inject thousands of interlocking, self-referencing checks into the application source code, Metaforic said. The self-checking anti-tamper system can defend itself from targeted malware that changes application logic, attempts to repackage applications with malware (common with mobile apps), source code tampering, man-in-the-middle attacks, and attempts to sabotage digital signatures and encryption keys.

An attacker would have to first remove each check manually before it would be possible to modify the code. "There's no known way to get around. There's no secret key" to bypass the protections and modify the code, Stickel said.

The developer can specify what kind of response is appropriate to various threats. The application can attempt to repair any problems it finds, report problems to various locations, or terminate the execution of the program.
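The three ideas above (overlapping self-referencing integrity checks, an attacker having to neutralise every check that covers a region before a change goes unnoticed, and a developer-chosen response of repair, report or terminate) can be illustrated with a small simulation. The code below is an added example written for this article; it is not Metaforic's code and does not describe their implementation. It models a protected binary as a handful of named byte regions (invented sample bytes, not real machine code) and builds one check per region that also guards the region's two ring neighbours, so every region is covered by three checks.

```python
import hashlib

# Constructed stand-in for an application's code image: named byte regions
# playing the role of compiled functions (invented sample bytes, not real code).
REGIONS = ["login_logic", "license_check", "crypto_keys", "payment_flow"]
GOLDEN_IMAGE = {
    "login_logic":   b"\x55\x48\x89\xe5 verify_password ; ret",
    "license_check": b"\x55\x48\x89\xe5 check_license ; ret",
    "crypto_keys":   b"\x55\x48\x89\xe5 load_signing_key ; ret",
    "payment_flow":  b"\x55\x48\x89\xe5 authorize_payment ; ret",
}


class TamperDetected(Exception):
    """Raised when the configured response to a failed check is to terminate."""


def digest(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def build_checks(image: dict) -> dict:
    """Build-time step: each region gets a check that guards the region itself
    plus its two ring neighbours, so every byte is covered by three overlapping
    checks (the interlocking property). Expected values are computed once from
    the pristine image and would be baked into the shipped binary."""
    n = len(REGIONS)
    checks = {}
    for i, name in enumerate(REGIONS):
        guarded = [REGIONS[(i - 1) % n], name, REGIONS[(i + 1) % n]]
        expected = digest(b"".join(digest(image[r]) for r in guarded))
        checks[name] = {"guards": guarded, "expected": expected}
    return checks


class ProtectedApp:
    """Runtime side: the same checks evaluated against the live image."""

    def __init__(self, image: dict, checks: dict, policy: str):
        assert policy in ("repair", "report", "terminate")
        self.image = {k: bytearray(v) for k, v in image.items()}
        self.backup = {k: bytes(v) for k, v in image.items()}  # used by "repair"
        self.checks = checks
        self.policy = policy
        self.disabled = set()   # checks an attacker has managed to neutralise
        self.reports = []       # what the "report" policy would send upstream

    def check_passes(self, name: str) -> bool:
        chk = self.checks[name]
        live = digest(b"".join(digest(bytes(self.image[r])) for r in chk["guards"]))
        return live == chk["expected"]

    def verify_all(self) -> list:
        """Run every still-active check and apply the configured response to
        each failure; return the names of the checks that failed."""
        failed = []
        for name in REGIONS:
            if name in self.disabled or self.check_passes(name):
                continue
            failed.append(name)
            if self.policy == "terminate":
                raise TamperDetected(f"{name} failed its integrity check")
            if self.policy == "report":
                self.reports.append(f"integrity failure: {name}")
            if self.policy == "repair":
                # Restore every region this check covers from the backup copy.
                for r in self.checks[name]["guards"]:
                    self.image[r][:] = self.backup[r]
        return failed

    def tamper(self, region: str, patch: bytes) -> None:
        """Simulate a modification of one function in the running image."""
        self.image[region][:len(patch)] = patch


if __name__ == "__main__":
    app = ProtectedApp(GOLDEN_IMAGE, build_checks(GOLDEN_IMAGE), policy="report")
    app.tamper("license_check", b"\x90\x90\x90\x90")
    print("checks tripped by one modified region:", app.verify_all())
```

Modifying `license_check` trips the three checks that cover it, and silencing one or two of them still leaves the third reporting; only when all three are disabled does the change pass unnoticed, which is the "remove each check manually" cost described above. The repair policy here restores from an in-memory backup, a simplification chosen for the example; real products decide what a trustworthy reference copy is and how it is itself protected.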

The software immune system injected directly into the application while it is being built means security is part of the software's makeup, Stickel said.

Metaforic's mobile software immune system "gives users one of the most secure, integrated mobile computing experiences and provides a highly effective and efficient methodology to harden applications to defend themselves against the latest and most malicious attacks," Stickel said. With mobile support, Metaforic is able to protect software from the inside out, even in high-risk environments where there are no other third-party security products deployed or user devices have been rooted or jailbroken, the company said.

Metaforic already supports a wide range of platforms, including iOS, Android, Linux, Windows and Mac OS X.

Nintendo also uses the technology to harden its licensing systems to protect DS games from piracy. Financial institutions use Metaforic to ensure that their mobile applications and internal back-office software have not been compromised. Device manufacturers use Metaforic to ensure hardware such as network routers and medical devices has not been tampered with.

Fahmida Y. Rashid is a contributing writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.