Many modern businesses develop code in-house as part of the products and services for their customers. These applications can vary from simple web applications designed to allow the customer to easily manage their accounts with the organization via the Internet to desktop applications that represent a significant part of the company’s offerings to the customer.
Regardless of the type of software developed and used by the organization, application security is a significant concern. In many cases, the organization’s software is the primary way that the customer interacts with the organization. If there are functionality or security flaws in the application, it can negatively reflect on the company and may even be the cause of lost customers or sales.
The concept of code signing is nothing new and is extremely valuable to improving application security. However, many organizations have poor code signing practices, opening them up to attack by hackers trying to take advantage of their good name to hide their own efforts to spread malware. Understanding the risks associated with poor code signing practices and taking steps to improve them is an important aspect of good application security.
What is Code Signing?
Code signing is what makes it possible for users of an application to verify the creator. The developer creates a digital signature using a secret encryption key known only to them. They then provide a public encryption key that, along with the file itself, can be used to verify the signature. The assumption is that, since only the owner of the secret key knows what it is, only they can generate a valid signature, so you can trust the software that the signature verifies.
One example of when you’ll see code signing occur is when you’re trying to install software on your phone or computer. On an iPhone, you can only install an app if it’s been signed using keys issued by Apple. This allows them to maintain control over what is installed on their devices. On Windows computers, the OS will warn you that the developer of the application cannot be verified if there isn’t a trusted signature, ensuring that you are caught by surprise by unsigned code. If code is signed correctly (and the creator is someone you trust), this is a strong mark in favor of the program being safe to install.
Beyond the signatures on the original program, code signing is also invaluable to securing the update process. It’s not difficult for an attacker to send a malicious update to a piece of software. However, most software uses signed updates, where the update is protected by a digital signature that could only be generated by someone with knowledge of the secret key. If the software will only accept and install signed updates, the bar is much higher for attackers attempting to insert backdoors or other malicious code into legitimate software. Code signing is what makes automated updates over the Internet possible and secure.
Implications of Poor Signature Security
Despite the importance of strong code signing practices and security for application security, many organizations have a weak strategy for protecting the secret keys used to sign their code and software updates. A recent survey found that only 28% of organizations had a well-defined process in place for signing their code. The remaining 72% of organizations (and all of their customers) are vulnerable to attacks where hackers attempt to gain access to code signing keys in order to sign malicious software updates. Since over a third (35%) of organizations don’t even know who is “in charge” of their code signing key, the bar isn’t set very high for hackers.
And those hackers are definitely making an effort to gain access to those poorly protected certificates. A report published in May 2018 described the tactics of a set of Chinese hacking groups operating as a team. In general this group targeted gaming studios and other tech companies that develop computer software for sale. One of the members of the group would perform the initial scouting for other groups, and, after obtaining access, search for storage drives and other places where the secret key used for code signing might be located. If they managed to steal keys, they would have the ability to load malware onto clients’ computers while hiding behind the legitimate code signer.
Improving Application Security
For software developers, the security of code signing is important for multiple different reasons. The first is that attackers taking advantage of poor code signing key security may manage to corrupt their supply chain. Most software has third-party dependencies, and a signed (but malicious) update to these could negatively impact the application itself. For this reason, it is important to develop a security plan that manages the possibility of corrupted dependencies within the organization’s software.
Finally, developers of valuable software might be targeted by groups attempting to steal and misuse their code signing certificates. If successful, an attacker could corrupt their application code on their customers’ machines through signed malicious updates. To protect against this, organizations need a comprehensive security strategy. Beyond defending the code signing keys, it’s also important to implement detective and protective mechanisms for the code itself. This requires a degree of visibility beyond that of traditional, perimeter-based security solutions, so organizations in this situation should research and deploy runtime application self-protection (RASP), defensive software integrated into the product itself, to ensure their application security.