App tampering
App tampering refers to unauthorized modifications made to an application’s code or operational environment to alter its behavior, bypass security measures, or manipulate its functions. This can include changes to the application's binary, the injection of malicious code, or modifications to its runtime environment.
Application hardening
Application hardening for mobile apps refers to implementing security measures that protect apps against reverse engineering, tampering, and malware attacks. Using methods such as runtime self-protection, code obfuscation, and white-box cryptography, application hardening protects your app against some of the most common types of cyberattacks. However, application hardening is not a replacement for security measures integrated into app development from the outset.
Application shielding
Application shielding refers to a set of technologies that modify an application’s source, byte, or binary code, making it more resistant to intrusion, tampering, reverse engineering, and malware attacks. Unlike security solutions that monitor and test vulnerabilities, application shielding can detect and prevent real-time attacks against mobile applications.
Certificate pinning
Certificate pinning is a security technique that strengthens communication secured by the TLS (transport layer security) protocol, such as HTTPS. It ties a chosen TLS certificate or public key exclusively to the API server, allowing the application to reliably confirm the server's identity each time it connects. During the handshake, the server presents a digital certificate to prove its identity and to establish the encryption of data sent through APIs between client and server. By matching the certificate the server presents against a predetermined or "pinned" certificate embedded in the app, certificate pinning adds a layer of security beyond the system trust store, preventing man-in-the-middle (MITM) attacks that rely on a fraudulent but otherwise trusted certificate and ensuring the integrity of server communication.
Code obfuscation
Code obfuscation is the process of modifying an executable so that it is of little use to a hacker while remaining fully functional. The behavior of the code is unchanged; obfuscation conceals the logic and purpose of an app's code. It works through transformations such as data, layout, and control flow obfuscation, each targeting a different aspect of the code to mask its true structure and logic.
Continuous integration and continuous delivery/deployment (CI/CD)
CI/CD stands for continuous integration (CI) and continuous delivery/continuous deployment (CD). Continuous integration automates merging code changes into a shared repository and building and testing them, so that integration problems surface early. Continuous delivery takes this further by automating the process of preparing code for release, ensuring it is always in a deployable state. Continuous deployment, a further step, automates the release of code to production immediately after it passes all tests, without human approval. Together, CI/CD delivers frequent, reliable updates with minimal manual intervention.
Deobfuscation
Code deobfuscation involves reversing techniques used to obscure the functionality of a program. Obfuscation methods include renaming variables to meaningless characters, rearranging code flow, and embedding complex encryption methods to disguise the true logic of the program and protect it from reverse engineering and other attacks. Deobfuscation reverses these methods to reveal the original intent of the code, allowing cybersecurity experts or malicious attackers to understand its structure.
Device cloning
Device cloning is the unauthorized duplication of a mobile device's identity attributes used to create a copy or mimic the original device. In the scope of application security, device cloning allows malicious actors to impersonate the original device's owner, potentially leading to identity theft and fraud.
Encryption
Encryption protects sensitive data by converting it into a coded format that can only be read by someone with the proper decryption key. In the context of mobile security, encryption safeguards data both at rest (stored on the device) and in transit (sent over networks). This prevents unauthorized access and ensures that even if data is intercepted, it cannot be deciphered without the decryption key.
Hooking framework
A hooking framework lets you intercept and modify a mobile application's behavior at runtime. These frameworks are often used in debugging, testing, and performance monitoring. However, they also pose significant risks if exploited, enabling unauthorized access, data theft, and app tampering.
Jailbreaking
Jailbreaking is the process of exploiting vulnerabilities in an iOS device's software to remove manufacturer-imposed restrictions. This allows the user to gain root access to the operating system, enabling the installation of third-party applications, custom firmware, and other modifications not officially sanctioned by the device manufacturer.
Keylogging
Keylogging, short for "keystroke logging," is a method of covertly capturing and recording keystrokes made on a computer or other input device, like a keyboard. This technique is commonly employed by malicious software, known as keyloggers, to track and monitor user activity without their knowledge or consent. Keylogging can capture sensitive information and other personal data, posing significant security risks to individuals and organizations. While some keyloggers operate locally on a single device, others can transmit logged data remotely to a third party for exploitation or analysis.
Malware injection
Malware injection involves the unauthorized insertion of malicious code into a mobile app or its environment. This can occur through vulnerabilities within the app itself, compromised third-party libraries, or through other vectors like man-in-the-middle attacks during data transmission. Once injected, the malware can execute harmful actions such as stealing sensitive user data, spying on user activities, or gaining unauthorized access to mobile device functionalities.
Mobile app security
Mobile app security is a set of best practices that protect your app from cyberthreats, vulnerabilities, and unauthorized access. These techniques protect your users' privacy and sensitive information, maintain customer trust, and mitigate the risks associated with mobile threats and attacks.
Repackaging
Repackaging in mobile app security refers to the malicious practice of modifying legitimate mobile apps to include harmful elements like malware. Attackers redistribute these tampered apps on third-party platforms to deceive users into downloading them. Repackaging an app is a security threat and a serious concern for intellectual property theft.
Reverse engineering
Reverse engineering in mobile app security involves breaking down and analyzing a compiled app to recover information about its source code and logic. It is a double-edged sword: it can reveal security holes that hackers might exploit, but it is also crucial for developers to understand these vulnerabilities in order to better protect their apps. By learning from reverse engineering, developers can proactively defend against attacks by fixing weaknesses before they are exploited. It is also a key strategy for understanding the steps that hackers can take to exploit a vulnerability and gain access to the system.
Root detection
Root detection refers to a security measure implemented in Android mobile apps to detect if a device has been rooted, that is, gained superuser access. Rooted devices bypass manufacturer-imposed security restrictions, which can make them vulnerable to malware or unauthorized access.
Rooting
Rooting refers to gaining root access, that is, administrative privileges, on an Android device, including access to commands, system files, and folder locations that are normally locked off. This allows users to overcome limitations imposed by device manufacturers or carriers, enabling the modification of system settings, removal of pre-installed apps, and installation of specialized apps that require root access. Rooting can enhance device functionality but also poses significant security risks, as it can expose the device to malware and void warranties.
Runtime application self-protection (RASP)
Runtime application self-protection (RASP) is a security technology that uses runtime instrumentation to detect and block attacks in real time. RASP protects apps from the inside out by adding security that is part of the app itself. It offers one or more of the following abilities: proactively managing the real threat of sophisticated malware; detecting and preventing fraudulent activities; and connecting to the app's runtime processes and environment for enhanced performance and reliability.
Software development kit (SDK)
Software Development Kits (SDKs) are comprehensive toolsets developers use to create apps on specific platforms, like iOS or Android. SDKs provide essential building blocks, like code libraries, development tools, and API interfaces to integrate native device functionalities and third-party services.
Tokenization
Tokenization is the process of converting sensitive data, such as credit card numbers or personal identifiers, into non-sensitive equivalents called tokens. Tokens can be used in place of the real data in transactions or data processing, greatly reducing the risk of data breaches because a token is useless to anyone who intercepts it; the mapping back to the real value lives only in a separately protected token vault. This method is particularly effective in mobile payments and apps handling sensitive user information, ensuring data protection while maintaining functionality.
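The token vault described above, as an added example that is not part of the original glossary: random, format-preserving tokens stand in for a card number (PAN), only the vault can map a token back, and the vault class, its method names and the sample PAN are all constructed for illustration.

```python
import secrets


class TokenVault:
    """Constructed in-memory token vault (illustrative only).

    In production the vault is a separately secured service; the app that
    handles tokens never holds this mapping, which is what makes an
    intercepted token worthless on its own.
    """

    def __init__(self) -> None:
        self._token_to_pan: dict[str, str] = {}
        self._pan_to_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        """Return a token for ``pan``; the same PAN always yields the same token."""
        if not pan.isdigit() or len(pan) < 8:
            raise ValueError("PAN must be at least 8 digits")
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        while True:
            # Keep the last four digits so receipts stay readable; every
            # other digit is drawn from a CSPRNG, so the token carries no
            # information about the real PAN.
            random_part = "".join(secrets.choice("0123456789")
                                  for _ in range(len(pan) - 4))
            token = random_part + pan[-4:]
            # Reject the (astronomically unlikely) cases where the token
            # collides with the real PAN or an existing token.
            if token != pan and token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Map a token back to the PAN; unknown tokens are rejected."""
        try:
            return self._token_to_pan[token]
        except KeyError:
            raise ValueError("unknown token") from None


def demo() -> dict:
    """Walk through tokenize / detokenize with a constructed sample PAN."""
    vault = TokenVault()
    sample_pan = "4111111111111111"  # constructed test value, not a real card
    token = vault.tokenize(sample_pan)
    return {
        "token": token,
        "same_length": len(token) == len(sample_pan),
        "last_four_kept": token[-4:] == sample_pan[-4:],
        "stable": vault.tokenize(sample_pan) == token,
        "round_trip": vault.detokenize(token) == sample_pan,
    }


if __name__ == "__main__":
    print(demo())
```

The point of the layout is the separation of duties: the mobile app stores and transmits only the token, while detokenization happens only where the vault runs and can apply its own access checks.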
White-box cryptography
White-box cryptography is a software-based technology that merges encryption and code obfuscation to embed secret keys within application code. It aims to make the code and keys indistinguishable to an attacker, allowing the new white-box program to run safely in an insecure environment. White-box cryptography helps organizations encrypt critical portions of programs and store the keys for decryption in a tamper-proof manner.
Penetration testing
Penetration testing, also known as "pen testing," is a security assessment technique in which ethical hackers simulate cyberattacks on a system to identify vulnerabilities before they can be exploited by malicious actors. It is a critical component of a robust security strategy, helping organizations understand their security posture and mitigate risks.
Sideloading
Sideloading refers to installing apps on a mobile device from a source outside the device's official app store, like the Google Play Store or Apple’s App Store. This practice bypasses the default protections put in place by these platforms and is often used to access apps not officially available in certain regions or app stores.
Malware
Malware, short for malicious software, refers to any software specifically designed to disrupt, damage, or gain unauthorized access to computer systems, devices, or networks. In mobile contexts, malware targets mobile devices like smartphones and tablets, often to steal sensitive information, cause disruption, or exploit device resources. Various types of mobile malware exist, each with distinct methods and objectives, ranging from ransomware to cryptojacking.
Mobile application security testing (MAST)
Mobile application security testing (MAST) is a range of methodologies that identify vulnerabilities and ensure the security of mobile apps. It involves analyzing the code, app behavior, and the environment in which the app operates to detect flaws that attackers could exploit. MAST includes static, dynamic, and interactive testing to focus on both the client-side and server-side components of mobile apps.
Security posture
Security posture is an organization’s overall security status and risk tolerance. It includes cybersecurity policies, controls, and technical capabilities to protect against threats. It evaluates how effectively an organization can predict, prevent, detect, and respond to cyber threats. A robust security posture addresses current threats and adapts to new vulnerabilities, ensuring comprehensive protection.
Attack vector
Attack vectors are techniques that cyber attackers use to infiltrate systems, networks, or applications to exploit vulnerabilities. Attack vectors give unauthorized access and facilitate malicious actions like data theft, malware installation, or service disruption. They target weaknesses in software, hardware, and user behavior using techniques like malware, phishing, social engineering, or exploiting software bugs.
False positive
A false positive occurs when a security system incorrectly identifies legitimate, non-malicious activity as a threat. As a result, it generates an alert or blocks the action. False positives are common in tools like antivirus software, intrusion detection systems (IDS), and email filters, where overly sensitive or misconfigured settings can flag normal behavior and files as suspicious.
Application programming interface (API)
APIs are rules and protocols that allow apps to communicate and exchange data with each other by defining how requests are made and how responses are received.
OWASP
OWASP is a non-profit that provides free tools, standards, and frameworks to help build secure software and guides security best practices.
Debugger
A debugger is a tool that helps find and fix bugs in real time. Attackers use them to exploit vulnerabilities, bypass security controls, or tamper with apps.
Man-in-the-middle attack (MitM)
MitM attacks exploit weaknesses in communication channels: an attacker positioned between two parties intercepts and manipulates data in real time in order to steal or alter it.
Threat modeling
Threat modeling identifies and addresses potential security threats in a system, application, or process to help you design secure systems.
Emulator
An emulator mimics a mobile device's hardware and software so that you can run the app on it as if it were on an actual physical device.