Nominal Flight: Celebrating 10 years of DexProtector
During a space rocket launch, you might hear the phrase "Nominal trajectory" or "Nominal flight" if everything is going smoothly. "Nominal" in this context means that the rocket is following its expected or intended trajectory without any significant issues.
This phrase popped into the mind of Licel CEO, Ivan Kinash, when he and CTO, Mikhail Dudarev, sat down with us to celebrate DexProtector’s 10-year anniversary. In the interview below, they reflect on the journey so far and discuss what’s next in DexProtector’s evolution.
How do you feel about DexProtector being 10 years old? Can you share any immediate personal reflections of the journey so far?
Ivan: Obviously, it’s a wonderful feeling! And it’s a milestone that has made me think a lot about those early days of mobile app security. In 2013 the industry didn’t really exist to be honest. After all, back then most apps for Android were written in Java and so the protection tool of choice was more of a Java Obfuscator like our own product, Stringer.
Mikhail: Yes, it took us quite a long time to raise awareness that obfuscation alone did not equate to security. But it took time because it was new for everybody. The smartphone opened doors that people walked through without properly understanding what was on the other side.
I: In those early days we went to a lot of conferences and gave talks about app protection and security more generally. And we realised pretty quickly that mobile application developers (and end users of apps) would encounter security challenges in the future. That led to us creating DexProtector initially as a kind of offshoot of Stringer for the new challenges the mobile world had created. It’s fair to say it has had a massive impact in shaping mobile app security as we know it around the globe.
M: One of the things I’m most proud of along the way is that we’ve retained a strong engineering spirit as a company. As we’ve grown and DexProtector has evolved, we’ve continued adding to our team of super-talented engineers.
I: Yes, definitely! The company is rooted in this engineering spirit based around a deep understanding of what cybersecurity is. I’m immensely happy and proud of what we’ve achieved as a company - not least keeping our integrity and not partnering with those who are culturally misaligned to us. If there are any entrepreneurs reading this, make sure you focus on your product or solution, don’t get distracted, be patient and balanced, and keep your authenticity and integrity. If you do, you’ll get there. Quality cannot be sacrificed, unless you’re up for a quick gamble and you’re not here to stay – which I hope isn’t the case.
M: Amen to that.
Looking back, what inspired the creation of DexProtector 10 years ago?
M: I think it’s important to say that we were massive fans of mobile devices and the smartphone just like everybody else. Personally, I was hugely excited by the opportunities the smartphone would bring and how it might change the world. I remember getting my hands on the PalmOS and SymbianOS devices and my eyes lit up! But I also knew that it wouldn’t take long for hackers’ eyes to light up, too – in a different way. The apps people were beginning to rely on a decade or so ago would need to be protected properly.
I: We knew that the fundamental security concepts for mobile devices were broken. A combination of a lack of cybersecurity awareness, the immaturity of the platform, and the ease with which apps could be reverse engineered amounted to a perfect storm for bad actors. I suppose we saw DexProtector as an important balance to counter this head start that hackers seemed to have. And we wanted to better understand bad actors, too. What were they trying to achieve from their attacks? What were their motivations? Something we’ve touched on with our content is that putting yourself in the hacker’s shoes is an important – and sometimes ignored - part of cybersecurity. I also still want bad actors to know they can use their skills for good rather than engaging in cyber-crime.
Can you highlight some key milestones / achievements of DexProtector over the last 10 years?
I: What makes me proud is the legacy of DexProtector. A lot of the better-known terminology in the industry these days mirrors what DexProtector started around a decade ago. Take RASP, for example. DexProtector was carrying out environment checks long before Runtime Application Self Protection was a thing.
M: DexProtector has evolved to help our customers at the end of the day. And I’m really happy and proud about that. When we saw that attacks were evolving from static attacks to dynamic attacks, we created DexProtector’s Native Runtime Engine to block those attacks. We added protection for the iOS platform again because it was answering a real customer need. And the list goes on – Alice Threat Intelligence to deal with real-time attacks, AppCare allowing our customers to control their security at each stage of app development...
I: Yes, absolutely. A result of that is that we now have something like 10 billion installations of apps around the world protected by DexProtector. It’s a mind-blowing number. And one last milestone that comes to mind is that DexProtector was the first ever mobile application protection solution to be certified by EMVCo (a body backed by Visa, Mastercard, AMEX and others to facilitate worldwide interoperability and acceptance of secure payment transactions) for both platforms - Android and iOS.
M: I was about to mention that one! For me the EMVCo certification is a reflection of our principles as a company. We follow secure development disciplines and actively want DexProtector to be tested by independent labs on a regular basis.
I: Yes, threats evolve and so protection tools like DexProtector have to evolve too in order to prove that they’re up to task. That’s what the EMVCo certification is all about. As we speak today, we’re in the process of getting this certification renewed because we know how important it is.
How would you say the mobile app threat landscape has changed in the past decade? And how has DexProtector evolved to meet these changing threats?
M: As we’ve said, no protection solution can stand still because the threat landscape shifts so rapidly. And DexProtector is no different. A very simple answer would be that threats have evolved from static attacks to dynamic attacks, and so DexProtector has incorporated more sophisticated features to defend against these dynamic attacks.
I: It’s important to realise just how much the digital world we inhabit has changed in the last ten years. Not so long ago we published a report into the state of mobile app security to set this scene and explain why there are so many dangerous threats out there nowadays. But thinking about DexProtector and the dangers it prevents, Mikhail is absolutely right – it’s a vaster and more fluid threat landscape today. Where we used to be mostly concerned with decompilation and de-obfuscation, we’re now often focused on stopping debuggers, dynamic instrumentation, and malware. These are just a few examples. What’s more, we’re not just supporting Java and Objective-C these days. We’re also supporting a range of exotic hybrid frameworks alongside all the major programming languages.
Can you share any challenges that DexProtector has had to overcome along the way?
M: Every day brings challenges, from new threats to new versions of mobile operating systems and developer tools. We’re constantly tinkering with DexProtector to make sure it’s completely compatible.
I: The big one that comes to mind from the last year or so is Apple dropping Bitcode support when our entire logic for how DexProtector worked with iOS apps was based around Bitcode.
M: Oh boy... yes - that was interesting!
I: We had to turn the whole thing around incredibly quickly to keep serving our clients with iOS apps. It was a really big project and something else I’m incredibly proud of our team for.
M: And it was totally worth it because now DexProtector has a unique engine to protect native ARM-64 code for the iOS platform. Protection for iOS apps has never been better.
How has the Licel team (and the company culture in general) contributed to DexProtector's success?
I: Immeasurably. We’ve just mentioned one example, but there are countless more.
M: We’re all following the same values, which helps a lot. Honesty, transparency, and trusting in one another. These principles are reflected in our relationships with clients, too.
I: These values are huge for us. They foster a family spirit and sense of belonging. There’s an almost-unspoken support for one another. And everyone in the team understands that what we’re doing – making the digital world safer for people – is vital work.
How has a commitment to customer satisfaction shaped DexProtector's growth?
M: I’d say it’s one of the biggest drivers, if not the biggest. As I said earlier, over the course of the last decade DexProtector has evolved as a result of the needs of our customers and the evolution of the threat landscape.
I: A lot of our clients will be aware that I was personally responsible for customer support for several years. I would approve or write all the communications our customers received and I read thousands of queries and questions. It was a real education and one of the most valuable things I’ve done.
Can you share your vision for DexProtector for the coming 10 years?
M: DexProtector will continue to evolve to protect new types of threats we’re not even aware of today. And as it does so, we’ll make sure it gets faster and easier to use without sacrificing security.
I: Exactly. It will evolve while retaining the security controls, protection mechanisms, and visibility that allows our customers to properly address their strategic, operational, reputational, and compliance risks. And it will do so without relying on concepts that will fade away, or are already fading away.
M: Another thing worth mentioning is that DexProtector will remain an on-premise solution because this means sensitive data stays in our customers’ hands.
I: Yes, this is crucial as we enter a new era of a distributed yet united world. One thing is for sure, it’s going to continue being a fun and fascinating journey!
Finally, what advice would you give to aspiring entrepreneurs looking to build a cybersecurity product in 2024?
I: Simple – you need to solve a problem.
M: Yes! I was going to say the same thing. If it actually solves a problem, you’re on the right track – keep going.
I: Ideally, you’d be solving a problem that you yourself have encountered. But clearly you also need to have the education and technical know-how to pull it off. For me the aim should be to be able to tell yourself that you’ve done everything in your power to provide the best security possible.
M: Can I also just add something else that’s a bit of a pet hate of mine? Don’t say your product uses AI unless it really does! You see that so much these days.
I: I honestly think people have a much better bulls**t radar than you think they do. So, I’m totally with you on that one. And don’t claim you provide 100% security either because, while human beings are around and can fall for social engineering scams, 100% security does not exist. You’ll end up losing your reputation and will find it impossible to be trusted in the market again.
M: I’d also say that your internal team culture is vital and you’re going to be the one setting it whether you realise it or not. Be honest and transparent with those you work with.
I: I completely agree. Oh, and one final thought – as a security provider, you’ll sometimes need to tell your clients that they’re wrong. It happens sometimes. This isn’t easy, but it’s very important.
Android Reverse Engineer & Security researcher.
1 year ago: who was the first person to write code for dex protector?
Smartcards and related Technologies: eSIM | MRTD | Digital Key | Java Card | Cryptography
1 year ago: Congrats, dudes!!