
Quixxi – Mobile App Security Suite

6 Sep 2018
An overview of Quixxi App Security Suite and all its capabilities.

This article is in the Product Showcase section for our sponsors at CodeProject. These articles are intended to provide you with information on products and services that we consider useful and of value to developers.

This intelligent and integrated platform fits into any app development lifecycle and takes care of mobile app security effectively. The company claims 360-degree app security, and the platform comprises a variety of security features that span from app development all the way through to post-release.

Getting started

Registration in Quixxi is a basic login that requires only an email and password. It is followed by account verification, which is completed by clicking the activation link received from Quixxi.

Create Your App

The first action is to add a new app on the portal. The app created is a virtual app, and users can manage all their apps from the home page. A single app can be created in Quixxi for both Android and iOS.

App Dashboard

Every app that you create in Quixxi has its own dashboard, from which you can review recent scans and security compilations. Quixxi also gives each app a security rating in stars; the maximum an app can obtain is 5.

Automated App Assessment

This is one of the most useful security features of Quixxi: it lets a developer run a quick static assessment of the app to find the active vulnerabilities present in it. The static assessment report starts with an overview identifying the number of threats and their severity, which can be expanded to show threat details at code level, a relevant description, the associated risk and, surprisingly, remediation information relevant to that threat (this additional component is available with the premium subscription).

It also highlights which vulnerabilities can be fixed by Quixxi.

App Security Shield

This integral part of Quixxi mainly provides reverse engineering protection, tamper protection and hack protection.

To protect the app (Quixxi app shield integration), a user (developer) needs to upload the final package file (APK/IPA) before publishing to the app store. App shield integration is very easy and does not require any coding skills. It is a straightforward method for a developer to upload and get a protected APK in minutes; here I thank Quixxi developers for providing an online delivery platform.

Reverse Engineering Protection

Quixxi secures your mobile applications by making it nearly impossible to understand the app’s decompiled code. Depending on the platform, Quixxi Shield leverages a variety of innovative and technologically advanced techniques that include:

Encrypted Strings - Removing the hardcoded strings from the classes and replacing them with native layer calls. The removed strings are encrypted and stored in the native layer in order to protect the associated data.

Method Call Hiding - Hiding method calls as well, by filling their body declarations with native method calls. Code readability for attackers drops dramatically, which prevents trivial understanding of the business logic.

Dynamically derived encryption keys - Quixxi doesn't store the keys used to encrypt strings in the application, and the key used to decrypt encrypted strings varies from application to application. Moreover, different keys handle different content.

Randomization - Quixxi will replace the original variable and method labels with incomprehensible ones that are different for each application, in order to make the sequence of calls unique and unforeseeable.

Spoofing techniques - Quixxi will fool the attacker and increase the cracking effort by inserting spoof Android code in multiple ways.

Library Protection - Quixxi can also apply its effects to Android libraries, supporting both aar and jar files. After a simple drag and drop, the library code will be moved into the native layer.

Tamper Detection

Quixxi Shield makes use of an advanced technology to detect the genuineness of the app run by the final user. Their security engine ensures that both you and the honest users will not be easily exploited

Threats Detection - Quixxi will automatically terminate your app instance whenever a runtime threat is trying to break the security configuration of your choice, providing directly on the portal both the attacker and the offence details

App Integrity Check - Quixxi will double check if your app has been modified from its original version and close it when it is the case, preventing any risk for the final user

In-App purchase protection - Quixxi will secure your app and defend it against the circumvention of the in-app purchase logic.

Debug log removal - Quixxi will remove the Android logs because they can provide hints for realizing a successful hack

Static resources encryption - Quixxi will be able to encrypt the images used in your Android app

Runtime Protection

Many attacks are carried out by trying to exploit vulnerabilities at runtime. Even when it doesn't result in piracy, you may need to stop users from violating rules. Quixxi can remotely terminate the app instance whenever the right conditions for its execution are not met.

Improper App Usage Prevention - Quixxi can help developers to message/block/unblock all those app users violating community rules, fair use policies, terms and conditions or just pure common sense

Certificate Pinning - Quixxi can help properly implement validation of the certificate the client app expects to receive when contacting the server, preventing the session from starting when the match doesn't occur

Root/Jailbreak Detection - Quixxi can detect if an app is running on a rooted/jailbroken phone, where an unplanned excess of exposed data may happen due to a tweak of the official operating system. The final user will then end up being bounced out of the app for their own safety

Emulator Detection - Quixxi can detect if somebody is trying to analyze your app by running it inside an emulator, and close the app to stop this process

Attached Debugger Detection - Quixxi can detect if a debugger has been attached to the app in order to examine its variables and evaluate its expressions at runtime. In this scenario the app will be immediately terminated

Runtime resources encryption - Quixxi can encrypt the files produced at runtime in your iOS app, plus the Shared Preferences/User Defaults that otherwise can be easily accessed on rooted/jailbroken devices

App protection comes with custom security options, which can be enabled/disabled as per developer needs.

After selecting the required security options, the user can start the security compilation. Compilation takes less than 15 mins and provides a download link for the protected app along with an automated assessment report of the protected app. You can also secure a specific library/module of the app, in which case you need to upload the appropriate aar/jar files.

App Security integration screenshots

Here is a typical example of how Quixxi works at the code level to protect an app. The following is a series of snapshots of a cluster of code from a sample app before and after Quixxi Shield integration. For better understanding, we have named the feature-level integration shown in each snapshot and given it a short description.

Secure Strings:

Replaces all strings with method calls and stores the strings in a secure place, so that the appropriate strings are fetched only at the runtime of the application.

Secure Strings – Before:

Secure Strings – After:

Encrypted Fields:

Changes field usage to go through reflection. It encrypts the names of the fields to complicate understanding of the code logic.

Encrypted Fields – Before:

Encrypted Fields – After:

Encrypted Methods:

Changes method usage to go through reflection. It encrypts the names of the methods to complicate understanding of the code logic.

Encrypted Methods – Before:

Encrypted Methods – After:

Code obfuscation:

Quixxi uses its own algorithm to rename classes, methods and fields in the application. In addition to the basic obfuscation, Quixxi will also apply method and field reflection logic to reduce code readability. In this case, the process applied is unique to each compilation of your application.

Code obfuscation – Before:

Code obfuscation – After:

Spoofing Sources

To protect the flow of logic, spoof code is disguised as real logic to prevent anyone from following the code and understanding it.

Spoofing Sources – After:

App Supervision

User Analytics and Insights

Like other analytics platforms, Quixxi can track user details, device and demographics. In addition, Quixxi has complementary features such as tracking user behavior based on user events like app launch, registration and other custom events specified by the developer.

Remove Debug logs

Removes debug logs added to the application so that they cannot be used to understand the code logic. The framework hides Log.d, Log.w, Log.v and System.out statements.

Remove Debug logs – Before:

Remove Debug logs – After:

App Diagnostics

A detailed report of every user crash is recorded and reported in this module. This proactive feature effectively sorts issues and crashes after every app release and helps you take appropriate action before the customer raises a complaint.

This diagnostic report gives a detailed breakdown of every issue with user details, device details, stack trace, Logcat, preferences, events log, system settings and even quick Stack Overflow reference links for fixing the issue.

Live Threat Monitoring

Any attempt by a user to hack or tamper with the app is reported in a live dashboard. With this feature a developer can protect against tampering by monitoring users even after the app release.

Hack Detection

This module provides you with the list of non-licensed users who have downloaded the app from unauthorized distribution channels. It extracts details such as email, device brand, device model, app version, OS version, installation date and country.

Malware Detection

This option allows developers to check for malware present on user devices and helps mitigate any malware intervention from the time the app is launched. This feature notifies the device user as well as the developer as soon as it detects malware, and it also suggests actions such as warning users or force-killing the app in the presence of malware.

Other help documents

A section for help documents that provides all related instructions and details in reference to Quixxi integration. This also covers third-party app integrations for app shield and supervise.

License

This article has no explicit license attached to it but may contain usage terms in the article text or the download files themselves. If in doubt please contact the author via the discussion board below.