
Secure Application ROM (SAROM)

Protecting your API keys, certificates, and other fixed app secrets

Created to keep your fixed app secrets safe

Often, your app will have fixed secrets such as certificates or API keys that you need for the security of your app’s operation – but you’d rather not have them easily extracted from your app.

Hardcoding app secrets directly into the source code, and potentially relying on obfuscation methods for security, is a common strategy for many app developers.

This is, however, not enough to properly protect your secrets: attackers can easily retrieve them by reverse engineering the app.

Did You Know?

According to Gartner, hardcoding API keys or other credentials in web and mobile applications is one of the four most common API vulnerability paths, and the practice leaves such secrets exposed to decompiling attacks.

Gartner. “API Security: What You Need to Do to Protect Your APIs.” Mark O’Neill, Dionisio Zumerle, Jeremy D’Hoinne. 27 August 2019.

A Unique Solution to a Difficult Challenge

Secure Application ROM (SAROM) is a feature by Promon SHIELD™ that offers a simple solution to a challenge that is difficult to solve on any mobile platform – protecting specific assets in a published app.

SAROM encrypts secrets such as API keys and certificates so that they cannot be lifted from the published app.

Secrets encrypted with SAROM are never accessible statically; they are decrypted dynamically only when the app needs the asset. Assets are encrypted automatically during Shielding and decrypted only at application runtime, at the moment the application code actually needs them.

It suits a number of use cases where sensitive data must exist in the published app – such as private certificates to protect your API communications.

The consequences of poor API key protection

Most apps make extensive use of third-party services via their public APIs, which usually means handling and securing many different secret API keys.

These keys are valuable information that is supposed to be kept safe. If they are not sufficiently protected, attackers can decompile your code and search for your API keys.

If an attacker gets access to the keys, they can extract them and, for example, build new software that impersonates the real app to make arbitrary API calls, or otherwise access your backend infrastructure to communicate with your servers and scrape sensitive information from them.

Such attacks can result in serious data breaches, GDPR fines, and a damaged brand reputation for the targeted company.

Use Case Examples

Protecting your TLS certificates

Avoiding a leak of the TLS certificate is important for the integrity of the communication between app and server. SAROM will ensure the integrity and security of TLS certificates in the app by encryption, and therefore also the integrity of your TLS communication.

Protecting your API-keys

To ensure that API keys are not leaked, they need to be protected against static and dynamic attacks. By encrypting these with SAROM, your API keys are only decrypted when accessed by the application at runtime.
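The two steps described above (encrypt the asset when the app is built, decrypt it only at the moment the application code needs it) and the API-key use case can be illustrated in a few dozen lines. The following is an added example written for this page; it is not Promon's SAROM implementation, and the page does not describe how SAROM derives or stores its key, so `runtime_key_provider` is a hypothetical stand-in for whatever protected key source a product like this relies on (the page lists whitebox-backed encryption and device binding under PROTECT). The cipher is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, chosen only because it needs nothing outside the Python standard library; a real build would use an AEAD such as AES-GCM. The sample key and the "binary" are constructed for the demo. The `find_candidate_secrets` scan is the defender-side check the page's "Did You Know" box implies: the same kind of printable-string sweep a secret scanner or `strings` performs on a build artifact.

```python
import hashlib
import hmac
import os
import re
import struct

# Constructed sample secret for the demo; not a real credential.
SAMPLE_API_KEY = b"api_key_EXAMPLE_0123456789abcdefghij"

# Stand-in for the key material a runtime protection layer would supply.
# Assumption of this demo: the page does not say how SAROM manages this key.
# In a real deployment this is the part that must itself be protected
# (whitebox / device binding); if it leaks, the sealed blob is no safer
# than a hardcoded key.
_RUNTIME_KEY_STAND_IN = hashlib.sha256(b"constructed-demo-build-key").digest()


def runtime_key_provider() -> bytes:
    """Hypothetical provider of the protected key at runtime."""
    return _RUNTIME_KEY_STAND_IN


def _subkeys(key: bytes) -> tuple[bytes, bytes]:
    """Derive separate encryption and MAC keys from the provider key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode used as a PRF keystream
    (stdlib-only stand-in for a real AEAD such as AES-GCM)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal_at_build_time(secret: bytes, key: bytes) -> bytes:
    """Build-time step: encrypt-then-MAC the asset.
    Layout: nonce(16) || ciphertext || tag(32). Only this blob ships in the app."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(secret, _keystream(enc_key, nonce, len(secret))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal_at_runtime(blob: bytes, key: bytes) -> bytes:
    """Runtime step: verify the tag first, then decrypt. Raises ValueError when
    the blob was tampered with or the key is wrong, so a modified asset is never used."""
    if len(blob) < 16 + 32:
        raise ValueError("sealed asset too short")
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("sealed asset failed integrity check")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


# Defender-side check: a minimal secret-scanner / `strings`-style sweep,
# reduced here to "runs of 20 or more printable ASCII bytes".
_PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{20,}")


def find_candidate_secrets(artifact: bytes) -> list[bytes]:
    return _PRINTABLE_RUN.findall(artifact)


def fake_binary(embedded: bytes) -> bytes:
    """Constructed stand-in for an app binary: non-printable filler around the
    embedded asset (either the plaintext key or the sealed blob)."""
    filler = b"\x7fELF\x00\x01\xff\x02" * 16
    return filler + embedded + filler


def demo() -> dict:
    key = runtime_key_provider()
    blob = seal_at_build_time(SAMPLE_API_KEY, key)
    tampered = bytearray(blob)
    tampered[20] ^= 0x01  # flip one ciphertext bit
    try:
        unseal_at_runtime(bytes(tampered), key)
        tamper_rejected = False
    except ValueError:
        tamper_rejected = True
    return {
        "hardcoded_key_found_by_scan": SAMPLE_API_KEY in find_candidate_secrets(fake_binary(SAMPLE_API_KEY)),
        "sealed_key_found_by_scan": SAMPLE_API_KEY in find_candidate_secrets(fake_binary(blob)),
        "runtime_decrypt_matches": unseal_at_runtime(blob, key) == SAMPLE_API_KEY,
        "tamper_rejected": tamper_rejected,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two points carry over to any real deployment of this pattern. First, the scan in `find_candidate_secrets` is worth running over release artifacts as a regression check: a hardcoded key shows up as a plain printable run, while the sealed blob does not. Second, the scheme is exactly as strong as the key provider; the tag check only guarantees that a tampered or re-keyed asset is rejected at runtime, it does nothing to hide the key itself, which is why the page pairs SAROM with whitebox-backed encryption and device binding.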


App data secured by State-Of-The-Art Runtime Protection

PROTECT

Impede attackers’ attempts to reverse-engineer and modify your app. Promon SHIELD™ makes it more difficult for attackers to spoof your app, tamper with its security controls or perform other nefarious activities.

Obfuscation
App binding
Repackaging detection
Secure Local Storage (On device)
Store data encrypted inside the app
Binding the data to be encrypted to the device
Whitebox backed encryption of data
Strong device binding / Fingerprinting

DETECT

Monitor your mobile app’s runtime behavior. Detect whether the app is executing in an insecure environment such as on a rooted (Android) or jailbroken (iOS) device. Mitigate the risks of overlay attacks, debuggers, emulators, and other means by which attackers examine, penetrate, and compromise a mobile app.

Ensure app is running in safe environment
    Debugger detection
    Jailbreak / Root detection
    Emulator detection
Ensure app is not altered or tampered with (e.g. by malware) at runtime
    Detection & protection against StrandHogg exploits
    Checksum
    Protection against Accessibility API abuse / UI Spoofing (overlay attacks/screen readers)
    Resource verification
    Hook detection

REACT

Upon detecting malicious activity, an app protected by Promon SHIELD™ modifies its behavior in real time to interrupt the attack. Response actions include blocking execution of injected code, notifying security administrators, and terminating a compromised app to stop it from running further.

Integrity checking
Custom reactions
Screenshot detection / blocking
Anti keylogging
Anti screenreading
Alert / reporting
Blocking external screens
Prevent brute force decryption of sensitive information