I’ve worked with our cyber research team, providing assessments of mobile apps for mobile banks and brands, and it always surprised me to see that API endpoints and API keys were not protected in Android and iOS apps. Then, I saw today’s news from Cybernews, and it hit me why. White-box cryptography can’t protect this critical data in apps.
Mobile security is full of buzzwords, but few are as misleading as “white-box cryptography.” If you’ve ever been sold on the idea that white-box cryptography is the answer to securing your mobile app’s sensitive data, it’s time to reconsider. In reality, white-box cryptography isn’t true encryption, lacks an industry standard, and often gives developers a false sense of security.
What is White-box Cryptography?
White-box cryptography is an approach that attempts to obscure cryptographic keys and operations within a software environment where an attacker has full access—like a mobile app running on a user’s device. Unlike traditional encryption, which relies on securely stored keys and computationally hard problems to protect data, white-box cryptography relies on obfuscation techniques to make it harder for an attacker to extract secrets.
But here’s the catch: obfuscation is not encryption.
No Standard, No Guarantees
One of the biggest problems with white-box cryptography is that there is no widely accepted standard defining what it should do or how it should be implemented. Real encryption methods like AES or RSA have well-defined mathematical properties, peer-reviewed implementations, and cryptographic proofs. White-box cryptography, on the other hand, is a collection of ad-hoc techniques with no formal security guarantees.
This lack of standardisation means that companies offering white-box solutions are essentially making up their own rules. Some claim to make it “difficult” to extract secrets, while others boast “protection against reverse engineering.” But without cryptographic rigor, these claims often fall apart under real-world attacks.
White-box Cryptography is Not True Encryption
Encryption is a process where data is transformed in such a way that it can only be reverted to its original form with a secret key. White-box cryptography does not offer this guarantee. Instead, it hides keys and cryptographic operations inside a tangled mess of code, hoping that attackers won’t be able to untangle it.
But hope is not security. Security researchers regularly break white-box implementations, extracting hardcoded secrets that should never have been stored in an insecure manner to begin with. A recent study highlighted by Cybernews found that iOS apps were leaking hardcoded secrets—including API keys and encryption keys—due to poor implementation practices. This underscores the reality that obfuscation-based security measures like white-box cryptography fail to provide real protection.
What Mobile Apps Need Instead: Real Encryption
If your goal is to secure sensitive data in a mobile app, white-box cryptography is not the answer. Instead, you should focus on implementing real encryption:
- Encrypt API endpoints hardcoded into apps: Use proper AES 256 string encryption to protect hardcoded values like API endpoints in Android and iOS apps.
- Encrypt sensitive data properly: Use AES with secure key derivation functions, such as Appdome’s AES 256 Data at Rest Encryption, to encrypt sensitive data like API tokens and session keys before storing them in the mobile app.
- Secure communication channels: Ensure all network transmissions are encrypted using secure TLS, certificate pinning, and active man-in-the-middle (MiTM) defences that safeguard the mobile app’s communications from MiTM proxies, packet sniffing, session hijacking, cookie hijacking and other methods.
- Adopt runtime protections in mobile apps: Implement techniques like runtime integrity checks, anti-tampering mechanisms, and secure enclaves to protect cryptographic operations.
- Use mobile bot defence to protect the APIs the business depends on: To ensure that attackers cannot turn data extracted from your application against your backend in DDoS, credential stuffing or account takeover (ATO) attacks, leverage a mobile bot defence solution to fingerprint the genuine application and perform 360° device, network, application and behavioural biometric inspection before allowing access to critical APIs.
Conclusion
As recent Cybernews research shows, white-box cryptography isn’t a defence. In fact, it is, at the very best, a temporary speed bump for attackers—not a true security measure. Any security solution that relies on the secrecy of its implementation rather than on cryptographic strength will fail.
Instead of placing trust in proprietary white-box solutions, mobile developers should implement real encryption backed by well-established cryptographic principles and best practices. The security of mobile applications depends on it.
Contact Appdome to learn more!