Secure Application ROM (SAROM)

SAROM offers a unique solution to the difficult challenge of protecting fixed secrets inside your app, such as certificates and API keys, which are necessary for the security of an app but are difficult to safeguard.

Often, developers will hardcode secrets directly into the app’s source code and rely on obfuscation for security. However, this is not enough to properly protect these app secrets and hackers can easily retrieve them by simply reverse-engineering the app.

According to Gartner, hardcoding API keys or other credentials in web and mobile applications is one of the four most common API vulnerability paths, and the method makes app secrets subject to decompiling attacks. 

SAROM encrypts data in a secure manner and ensures that encrypted secrets are never accessible statically, but rather dynamically generated. With SAROM, assets are automatically encrypted during Shielding and only decrypted at application runtime when needed by the application code.

“Poor protection of fixed app secrets can have very severe consequences“, comments Tom Lysemose Hansen, CTO and Founder of Promon. “Should an attacker find a way to access API keys, for example, they can easily extract them and build fake apps that impersonates the real ones to make arbitrary API calls, or otherwise access an app’s backend infrastructure to scrape information from servers. These types of attacks can result in serious data breaches and, aside from the associated fines, can have damaging effects on brand reputation.”