Recent developments in mobile computing technologies have given rise to personalized, sensitive and therefore valuable software applications (“Apps”) configured for executing on mobile communication devices. For example, the banking, healthcare, entertainment and security industries have developed secured Apps that need a high degree of protection. In particular, it became desirable to “lock” a given software application instance so that it can only be executed on one authentic device. These measures are needed to counter the threat of App cloning, whereby a fraudulent party attempts to copy an App instance from an authentic user device to then run the cloned App instance, unauthorized, on another user device under the control of the fraudulent party. Cloned Apps may potentially enable the fraudulent party to gain unauthorized access to protected data.
In recent times, various attempts have been made to address the issue of App cloning. For example, some services try to identify the device on which an App instance is running via a method known as “device fingerprinting.” Some device fingerprinting techniques involve attempting to uniquely identify a given software application with a high degree of accuracy; for example, each instance of the application may comprise a unique serial number. These techniques, however, are limited by the fact that they only allow a device to be identified via a given application. This flaw makes it easy for fraudulent parties to copy or clone the application, because copying an instance of the software application will also result in a copy of the fingerprint. Other fingerprinting techniques rely on attributes of a mobile device, such as an IMEI (International Mobile Equipment Identity) number, phone number, email address, identifier of the processor and other device characteristics. In addition, various unique device characteristics such as the MAC (Media Access Control) address, memory, serial number and camera serial numbers may be used to create a user device fingerprint. Persistent cookies may also be used to fingerprint a user device. Once the device is fingerprinted, the fingerprint data may be checked every time the user device requests service. However, all of these methods have a major limitation in that they do not prevent fingerprint characteristics from being easily captured and replayed by a cloned App. Such a cloned App can defeat fingerprint security by providing a fake, replayed fingerprint to the authorizing party.
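The limitation described above can be seen from the authorizing party's side in the following added example, which is not part of the original text. It models a verifier that compares a stored fingerprint with the one reported on each request; the class and function names, the hashing scheme and all attribute values are assumptions constructed for illustration.

```python
import hashlib
import hmac

def fingerprint(attrs: dict) -> str:
    """Hash device attributes in a fixed key order into one fingerprint string."""
    canonical = "|".join(f"{k}={attrs[k]}" for k in sorted(attrs))
    return hashlib.sha256(canonical.encode()).hexdigest()

class FingerprintVerifier:
    """Authorizing party: stores the enrollment fingerprint, compares it on each request."""
    def __init__(self):
        self.enrolled = {}

    def enroll(self, account: str, fp: str) -> None:
        self.enrolled[account] = fp

    def verify(self, account: str, fp: str) -> bool:
        expected = self.enrolled.get(account)
        return expected is not None and hmac.compare_digest(expected, fp)

class AppInstance:
    """An App instance reports the attribute values it holds, which need not be
    those of the hardware it is actually running on."""
    def __init__(self, reported_attrs: dict):
        self.reported_attrs = dict(reported_attrs)

    def request_fingerprint(self) -> str:
        return fingerprint(self.reported_attrs)

# Constructed sample values, not real identifiers.
AUTHENTIC_DEVICE = {"imei": "000000000000001", "mac": "02:00:00:00:00:01", "serial": "SN-A"}
OTHER_DEVICE = {"imei": "000000000000002", "mac": "02:00:00:00:00:02", "serial": "SN-B"}

def run_demo() -> dict:
    server = FingerprintVerifier()
    genuine = AppInstance(AUTHENTIC_DEVICE)
    server.enroll("alice", genuine.request_fingerprint())
    # A copied instance that reports the values captured from the authentic device.
    clone = AppInstance(genuine.reported_attrs)
    # An honest instance on different hardware, reporting that hardware's own values.
    honest_other = AppInstance(OTHER_DEVICE)
    return {
        "genuine": server.verify("alice", genuine.request_fingerprint()),
        "clone_replaying": server.verify("alice", clone.request_fingerprint()),
        "honest_other_device": server.verify("alice", honest_other.request_fingerprint()),
    }

if __name__ == "__main__":
    print(run_demo())
```

The verifier rejects only the instance that honestly reports different hardware; the genuine instance and the one replaying captured values produce identical input, so the comparison alone cannot tell them apart.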
Additionally, deep device fingerprinting techniques are currently used to validate App instances. Deep device fingerprinting techniques involve analyzing a set of dynamic characteristics, such as the location and the IP (Internet Protocol) address of a user device, to fingerprint a user device. This fingerprint is then checked to determine the likelihood of the App-device pair being authentic. However, deep device fingerprinting still fails to address the possibility of a fraudulent party capturing and replaying dynamic fingerprint characteristics of the authentic App/device combination.
Consequently, it is highly desirable to have a new type of App authentication/protection system that is not susceptible to fingerprint capture and replay (as in conventional systems), and is capable of detecting and counteracting cloned App instances.