Post on 14-Aug-2015
© 2013 IBM Corporation
Arxan, IBM & FS-ISAC Present:
Mobile Payments: Protecting Apps and Data from Emerging Risks
Tom Mulvehill, Mobile Security Strategy, IBM
Winston Bond, Technical Manager, Arxan Technologies
IBM Security Systems
Agenda
• Mobile App and Payment Landscape
• How Criminals Can Attack Your App
• Comprehensive Protection Techniques
• Q&A
Mobile App and Payment Landscape
Mobile Banking Services Can be a Competitive Advantage
Mobile banking is the most important deciding factor when switching banks (32%), ahead of fees (24%), branch location (21%) and services (21%), according to a survey of mobile banking customers in the U.S. [1]
Mobile banking channel development is the #1 technology priority of North American retail banks (2013)
The mobile payments market is forecast to eclipse $1 trillion by 2017
43% of 18-20 year olds have used a mobile banking app in the past 12 months
Cash-based retail payments in the U.S. have fallen from 36% in 2002 to 29% in 2012
19% of customers won't mobile bank because of security fears
90% of mobile banking app users use the app to check account balances or recent transactions
However, as mobile grows, so do security threats
“With the growing penetration of mobile devices in the enterprise, security testing and protection of mobile applications and data become mandatory.” (Gartner)
“Enterprise mobility… new systems of engagement. These new systems help firms empower their customers, partners, and employees with context-aware apps and smart products.” (Forrester)
Top mobile apps that have been hacked: 97% (Android), 87% (iOS) (Arxan)
387 new threats every minute, about six every second (McAfee)
What concerns does this create for the enterprise?
Security Is Front and Center and Must Be Addressed
You are only as strong as your weakest link
Application Risks
• App hacking
• App security vulnerabilities
Device Risks
• Rooted / jailbroken devices
• Outdated OS security vulnerabilities
• Malware
Session Risks
• Unsecure connection
• SMS forwarding
• Mobile account takeover (ATO) / cross-channel ATO
How Criminals Can Easily Attack Your Mobile Banking App
Disruption in the Security Landscape
Centralized, trusted environment (web apps, data center apps): attackers do not have easy access to the application binary
Distributed or untrusted environment, “apps in the wild” (mobile apps, Internet of Things, packaged software): attackers can easily access and compromise the application binary
+ Application Security Testing (“Build it Secure”)
+ Application Self-Protection (“Keep it Secure”)
Mobile Apps Are Vulnerable to Attacks
Integrity Risk (Code Modification or Code Injection Vulnerabilities)
• Applications can be modified and tampered with, e.g. key generation / key use algorithms can be altered, causing key theft or data theft
• Run-time behavior of applications can be altered, causing unsafe or improper operation
• Malicious code can be injected or hooked into applications
Confidentiality Risk (Reverse Engineering or Code Analysis Vulnerabilities)
• Private and sensitive information can be exposed, including cryptographic keys that are used to secure information
• Applications can be reverse-engineered back to the source code
• Code and Intellectual Property (IP) can be lifted, stolen, reused or repackaged
Particularly Crypto Keys
Cryptographic key hacking examples:
• Crypto keys extracted through memory scraping, allowing unauthorized access to financial transactions (in PoS systems)
• Exploiting memory-disclosure bugs such as Heartbleed (a buffer over-read in OpenSSL) to steal crypto keys
• Android APK integrity vulnerability
• And many more…
Unfortunately, many don’t protect their keys or think it is too difficult to protect them
• 80% of respondents to a Ponemon Institute survey identified broken cryptography as the most difficult risk to minimize (State of Mobile Application Insecurity, February 2015)
• Growing trend of memory scraping (Source: Verizon 2015 Data Breach Investigations Report)
Attackers are relying on memory scraping with increasing frequency: it is essential to protect keys in memory!
Anatomy of Attacks on Mobile Apps
1. Decrypt the mobile app (iOS apps)
2. Open up and examine the app: reverse-engineer the app contents; extract and steal confidential data
3. Create a hacked version: a tampered, cracked or patched version of the app
4. Distribute the app: release / use the hacked app; use malware to infect/patch the app on other devices
https://www.arxan.com/how-to-hack-a-mobile-application
Reverse engineering of a mobile payment application
Video: How to Hack an App via Reverse Engineering
Mobile App & Mobile Payment Protection Techniques
IBM Mobile Security Framework
Protect Devices / Secure Content and Collaboration (IBM: MobileFirst Protect (MaaS360); also AirWatch, MobileIron, Good, Citrix, Microsoft, Mocana)
• Manage multi-OS BYOD environment
• Mitigate risks of lost and compromised devices
• Separate enterprise and personal data
• Enforce compliance with security policies
Safeguard Applications and Data (IBM: AppScan, Arxan; also HP Fortify, Veracode, ProGuard)
• Distribute and control enterprise apps
• Build and secure apps and protect them “in the wild”
Manage Access and Fraud (IBM: Trusteer Mobile SDK; also CA, Oracle, RSA)
• Provide secure web, mobile, API access and identify device risk
• Meet authentication ease-of-use expectation
Extend Security Intelligence
• Extend security information and event management (SIEM) to the mobile platform
• Incorporate mobile log management, anomaly detection, configuration and vulnerability management
Business imperatives for managing access and fraud
“The CyberVor gang amassed over 4.5 billion records, mostly consisting of stolen credentials. To get such an impressive number of credentials, the CyberVors robbed over 420,000 web and FTP sites.” (Hold Security)
$6.53 million: average cost of a U.S. data breach (2015 Cost of Data Breach Study, Ponemon Institute)
95% of financial services incidents involve harvesting credentials stolen from customer devices (2015 Verizon Data Breach Investigations Report)
Build, test and secure mobile apps before distributing to end users
Safely distribute apps: deploy custom enterprise app catalogs; blacklist, whitelist and require apps; administer app volume purchase programs
Test app security: identify vulnerabilities in development and pre-deployment; isolate data leakage risks; ensure proper use of cryptography
Protect apps: harden mobile apps to defend against reverse engineering; prevent repackaging of apps; protect apps from mobile malware
Secure app data: protect enterprise apps with authentication, tunneling and copy / paste restrictions, and prevent access from compromised devices
Application Protection: Can you say: Ob-fu-sca-tion!
Confuse the Hacker
• Dummy Code Insertion
• Instruction Merging
• Block Shuffling
• Function Inlining
• … and More!
(figure: the same code before and after obfuscation)
Application Protection: Preventing Reverse Engineering
Other Techniques
• Method Renaming
• String Encryption
• … and More!
(figure: a search for a string literal in the protected binary reports “String not found”)
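String encryption is the one technique on this slide that is easy to show end to end, so here is a worked example written by the editor; it is not Arxan's or IBM's code. A build step replaces every literal with a per-string seed and ciphertext inside a packed table, and the app decrypts a single entry only when it needs it, so a reverse engineer searching the binary for the literal finds nothing. The table layout (count, then seed / length / ciphertext records), the function names and the three literals are assumptions made for this demonstration, and the table stands in for the string section of a compiled app.

```python
"""Build-time string encryption with on-demand decryption at run time.

Added example by the editor, not Arxan's or IBM's code.  TABLE stands in for
the string section of a compiled app; LITERALS are constructed for the demo.
"""
import hashlib
import os
import struct


def _keystream(seed: bytes, length: int) -> bytes:
    """SHA-256 in counter mode over a per-string seed.

    The seed ships inside the binary next to the ciphertext, so this is
    obfuscation rather than secrecy: it keeps the plaintext out of the file a
    reverse engineer runs `strings` or grep over, nothing more.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + struct.pack("<I", counter)).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, key: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, key))


def pack_strings(literals, rng=os.urandom) -> bytes:
    """Build step.  Layout: count (u16), then per string: seed (8 bytes),
    length (u16), ciphertext.  A fresh seed per string and per build means the
    same literal never gets the same encoding twice."""
    out = bytearray(struct.pack("<H", len(literals)))
    for text in literals:
        plain = text.encode("utf-8")
        seed = rng(8)
        out += seed + struct.pack("<H", len(plain))
        out += _xor(plain, _keystream(seed, len(plain)))
    return bytes(out)


def unpack_string(table: bytes, index: int) -> str:
    """Run-time decoder: walks the table and decrypts only the entry asked for,
    so strings the app never uses never appear in memory."""
    (count,) = struct.unpack_from("<H", table, 0)
    if not 0 <= index < count:
        raise IndexError(index)
    pos = 2
    for i in range(count):
        seed = table[pos:pos + 8]
        (length,) = struct.unpack_from("<H", table, pos + 8)
        body = table[pos + 10:pos + 10 + length]
        if i == index:
            return _xor(body, _keystream(seed, length)).decode("utf-8")
        pos += 10 + length
    raise IndexError(index)


def plaintext_present(table: bytes, text: str) -> bool:
    """The attacker's check: is the literal visible in the binary?"""
    return text.encode("utf-8") in table


# Constructed literals of the kind an attacker greps a payment app for.
LITERALS = [
    "https://api.payments.example/v1/authorize",
    "X-Device-Attestation",
    "insufficient_funds",
]
TABLE = pack_strings(LITERALS)

if __name__ == "__main__":
    for i, literal in enumerate(LITERALS):
        print(f"visible={plaintext_present(TABLE, literal)} "
              f"recovered={unpack_string(TABLE, i) == literal}")
```

Two caveats a practitioner should keep in mind: the seed is in the binary, so a patient attacker who finds the decoder can recover every string, which is why the technique is paired with the obfuscation and anti-tampering guards on the neighbouring slides rather than used alone; and once `unpack_string` returns, the plaintext is in memory, which is exactly what the memory-scraping slide earlier in the deck warns about, so decrypt late and discard early.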
Application Protection: Preventing Tampering
Common Techniques
• Checksum: has the binary changed? If so, let me know so I can do something about it!
• Method Swizzling Detection: is someone hijacking my code?
• Debug Detection: is a debugger running?
Application Protection: A Number of Guards Can Be Leveraged
Defend against compromise
• Advanced Obfuscation
• Code and Resource Encryption
• Pre-Damage
• Metadata Removal
Detect attacks at run time
• Checksum
• Debug Detection
• Resource Verification
• Jailbreak/Root Detection
• Swizzling Detection
• Hook Detection
React to ward off attacks
• Shut Down (Exit, Fail)
• Self-Repair
• Custom Reactions
• Alert / Phone Home
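The detect / react split on this slide, and the checksum, swizzling-detection and debug-detection guards of the previous one, modelled in Python as an added example by the editor (not Arxan's guard code, which works on native binaries). The PaymentSigner class and its authorize() limit are constructed for the demonstration, as is the Guard API; method swizzling and function hooking are modelled as monkeypatching a class attribute, and an in-place binary patch as replacing a function's `__code__`. Each guard stores what "intact" looks like at install time, checks it later, and then either shuts the app down or repairs it and records an alert.

```python
"""Run-time guards: checksum, debugger, hook/swizzle detection and reactions.

Added example by the editor, not Arxan's guard code.  PaymentSigner is a
constructed stand-in for app logic; monkeypatching the class attribute models
method swizzling / hooking, replacing __code__ models an in-place patch.
"""
import hashlib
import sys


class TamperDetected(RuntimeError):
    """Raised by the 'shut down' reaction."""


def code_checksum(func) -> str:
    """Digest of a function's bytecode and constants, the analogue of
    checksumming a native function's instruction bytes."""
    code = func.__code__
    digest = hashlib.sha256(code.co_code)
    for const in code.co_consts:
        digest.update(repr(const).encode())
    return digest.hexdigest()


class PaymentSigner:
    """Toy app logic an attacker wants to patch (constructed for the demo)."""

    def authorize(self, amount_cents: int, limit_cents: int = 50_000) -> bool:
        return 0 < amount_cents <= limit_cents


class Guard:
    """One guard watching one method: detect, then react."""

    def __init__(self, cls, method_name: str, reaction: str = "shutdown"):
        self.cls, self.name, self.reaction = cls, method_name, reaction
        self.original = cls.__dict__[method_name]   # the unbound function object
        self.saved_code = self.original.__code__    # kept for self-repair
        self.expected = code_checksum(self.original)
        self.events = []                            # what 'phone home' would send

    def debugger_attached(self) -> bool:
        return sys.gettrace() is not None           # pdb installs a trace function

    def hooked(self) -> bool:
        # Swizzle / hook: the class no longer points at our function object.
        return self.cls.__dict__.get(self.name) is not self.original

    def checksum_mismatch(self) -> bool:
        # In-place patch: same function object, different bytecode.
        current = self.cls.__dict__.get(self.name)
        return not hasattr(current, "__code__") or code_checksum(current) != self.expected

    def check(self) -> bool:
        """Run every detection; True means intact, False means repaired."""
        findings = [name for name, hit in (("debugger", self.debugger_attached()),
                                           ("hook", self.hooked()),
                                           ("checksum", self.checksum_mismatch())) if hit]
        if not findings:
            return True
        self.events.append("alert:" + ",".join(findings))
        if self.reaction == "repair":
            self.original.__code__ = self.saved_code     # undo the in-place patch
            setattr(self.cls, self.name, self.original)  # undo the swizzle
            self.events.append("repaired")
            return False
        raise TamperDetected(findings)                   # shut down


def run_attack_scenario() -> dict:
    """Two attacks on authorize(), each detected and repaired by the guard."""
    guard = Guard(PaymentSigner, "authorize", reaction="repair")
    signer = PaymentSigner()
    r = {"before": signer.authorize(10_000_000)}          # over limit: False
    # Attack 1: swizzle -- point the class at an attacker-supplied function.
    PaymentSigner.authorize = lambda self, amount_cents, limit_cents=50_000: True
    r["hooked"] = signer.authorize(10_000_000)             # True: attack works
    r["intact_after_hook"] = guard.check()                 # False, and repaired
    r["after_repair"] = signer.authorize(10_000_000)       # False again
    # Attack 2: patch the original function's bytecode in place.
    def always_true(self, amount_cents, limit_cents=50_000):
        return True
    PaymentSigner.authorize.__code__ = always_true.__code__
    r["patched"] = signer.authorize(10_000_000)            # True
    r["hook_seen"] = guard.hooked()                        # False: same object
    r["checksum_seen"] = guard.checksum_mismatch()         # True
    guard.check()
    r["after_repair2"] = signer.authorize(10_000_000)      # False
    r["events"] = list(guard.events)
    return r


def shutdown_on_hook() -> bool:
    """Default reaction: the guarded app refuses to run once hooked."""
    guard = Guard(PaymentSigner, "authorize")
    PaymentSigner.authorize = lambda self, amount_cents, limit_cents=50_000: True
    try:
        guard.check()
        return False
    except TamperDetected:
        return True
    finally:
        PaymentSigner.authorize = guard.original


def debugger_detection_demo() -> bool:
    """Install a trace function (what pdb does) and confirm the guard sees it."""
    guard = Guard(PaymentSigner, "authorize")
    previous = sys.gettrace()
    sys.settrace(lambda frame, event, arg: None)
    try:
        return guard.debugger_attached()
    finally:
        sys.settrace(previous)
```

The model is honest about the weak point the slide's "no single point of failure" bullet addresses: a guard is itself code in the binary, so an attacker who finds it can patch the guard instead of the method. That is why production guards are many, injected post-build, randomized per build, and arranged to check each other. Note also that `sys.gettrace()` only catches tracing debuggers; on Python 3.12 and later some tools use `sys.monitoring` instead, just as native guards must check ptrace, signal handlers and dynamic-loader hooks separately.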
Arxan Cryptographic Key Protection
Sophisticated implementation of “white-box cryptography”
• Intended for any security system that employs cryptographic algorithms and keys in an open and untrusted environment
• Result: keys are never present in the clear, either in static form or in run-time memory
• Protects: static keys, dynamic keys, and sensitive user data
How it works
• Combines mathematical algorithms with data and code obfuscation techniques to transform the key and the related operations, so the key is never materialized for an attacker to discover
• Supports all major algorithms
• Clearly separates the data into two domains: Open Domain vs Encrypted Domain
• Provides comprehensive protection in conjunction with Arxan’s guarding technology
(diagram: within the mobile application, the crypto routines, static & dynamic keys, and secret data live in the Encrypted Domain)
This Approach Yields the Most Protected Form of Data: White-box Form
Forms of data:
• Classical form: untransformed data (in the clear)
• Obfuscated form: transformed (reversible) data; inputs and outputs of ciphers can be obfuscated
• White-box form: maximally secure (for keys) and non-reversible
How Are Code and Key Protection Implemented?
Why Arxan Protection?
For key protection: ‘gold standard’ protection
• All major cryptography standards and functionality
• Offers a smaller footprint than other solutions
• Delivers better performance
Easy integration
• Conformance to common API calls like OpenSSL allows straightforward replacement of existing cryptographic libraries
For application protection: ‘gold standard’ protection strength
• Multi-layered Guards
• Static & Run-Time Guards
• No binary patterns or agents, no single point of failure
• Customizable to your application
• Automated randomization for each build
• No disruption to SDLC or source code, with unique binary-based Guard injection
Arxan solutions are proven
• Protected apps deployed on over 300 million devices
• Hundreds of satisfied customers across the Fortune 500
• Cross-platform support: more than 7 mobile platforms alone
• Unique IP ownership: 10+ patents
• Integrated with other IBM security and mobility solutions
World’s Strongest App Protection, Now Sold & Supported by IBM
Benefit from your existing trusted relationship with IBM
• Arxan’s technology now available from IBM: sales, solution, services and support from IBM, with close collaboration between IBM and Arxan to ensure your success
• Leverage your existing procurement frameworks and contract vehicles (IBM Passport Advantage, ELAs, perpetual license, Elite Support, etc.) for purchasing Arxan products and take advantage of your relationship pricing and special discounts from IBM
Leverage Arxan as part of the comprehensive solution portfolio from IBM to holistically secure mobile apps, with value-adding validated integrations
• Enables a unique ‘Scan + Protect’ application security strategy and best practice: build it secure during development (AppScan) and keep it secure deployed “in the wild” (Arxan)
• Value-adding Arxan integrations, validations, and interoperability testing with other IBM products (e.g., IBM AppScan, IBM Trusteer, IBM Worklight)
NEXT STEP: Contact your IBM representative or email IBM@Arxan.com for more information
Special Offer: free evaluation of “Arxan Application Protection for IBM Solutions”, now offered as part of IBM’s Security Portfolio
Additional Resources
Arxan/IBM White Paper: Securing Mobile Apps in the Wild
http://www.arxan.com/securing-mobile-apps-in-the-wild-with-app-hardening-and-run-time-protection/
How to Hack An App
https://www.youtube.com/watch?v=VAccZnsJH00
IBM Whitepaper: Old Techniques, New Channel: Mobile Malware Adapting PC Threat Techniques
https://www14.software.ibm.com/webapp/iwm/web/signup.do?source=swg-WW_Security_Organic&S_PKG=ov26530&S_TACT=C341006W&S_CMP=web_opp_sec_trusteer_msdk/
Q&A
Thank You! Tom Mulvehill
tom.mulvehill@us.ibm.com
Winston Bond
wbond@arxan.com