Mobile App Security with Ryan Lloyd

What It Covers

Ryan Lloyd, Chief Product Officer at GuardSquare, explains how mobile apps face unique security threats because critical logic lives on user-controlled devices. GuardSquare protects roughly 1,000 apps across finance, gaming, and healthcare using compiler-based obfuscation, runtime self-protection, security testing, and API attestation.

Key Questions Answered

• •Layered Obfuscation vs. Single-Wrapper Protection: Wrapper-based tools encrypt a binary in one layer — crack the decryption mechanism and the original code is fully exposed. GuardSquare's compiler-based approach decompiles the app, applies name obfuscation, class encryption, string encryption, control flow remapping, and code virtualization simultaneously, then recompiles, making reversal exponentially more costly for attackers.
• •Hardcoded Keys Remain the Most Common Vulnerability: A GuardSquare scan of 5,000+ Android banking apps uncovered 164 hardcoded keys, including AWS credentials, authentication tokens, and security endpoint references. Developers should audit mobile binaries specifically for embedded secrets, as general-purpose static analysis tools frequently miss mobile-context vulnerabilities that purpose-built scanners surface.
• •Runtime Application Self-Protection (RASP) Counters Dynamic Attacks: Static obfuscation alone does not stop runtime manipulation via tools like Frida. RASP injects detection tripwires throughout the compiled app to check for debuggers, hooking tools, rooted devices, and memory tampering. These checks are distributed across the codebase so disabling one leaves dozens of others active, raising attacker effort substantially.
• •API Attestation Blocks Credential-Stuffing Bots: Mobile apps can request a signed, time-limited token from GuardSquare's attestation service using a customer-provided public/private key pair. Backend APIs validate the token server-side; requests lacking a valid token — bots, scripts, replayed tokens, or calls from tampered apps — are rejected outright, protecting authentication endpoints without requiring changes to user-facing flows.
• •LLMs Expand the Attacker Pool Without Inventing New Techniques: LLMs do not introduce novel reverse-engineering methods but make existing attack knowledge accessible to a broader, less-skilled audience. Developers should treat this as an increase in attacker volume rather than sophistication, prioritizing multi-layer protections now rather than waiting for a high-profile mobile security breach to force organizational action.