Danger in the App Stores: 3rd Party Mobile App Risk for Banks, FinServ & FinTech


Transcript of Danger in the App Stores: 3rd Party Mobile App Risk for Banks, FinServ & FinTech

Page 1: Danger in the App Stores: 3rd Party Mobile App Risk for Banks, FinServ & FinTech

Danger in the App Stores: 3rd Party Mobile App Risk for Banking & FinTech

8X FASTER – 3X DEEPER – MOST TRUSTED

© Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information.

Page 2

THE INFORMATION BLACK HOLE

Diagram labels: 3RD PARTY APP; INFORMATION BLACK HOLE

Page 3

DEEP MOBILE SECURITY EXPERTISE

Open source

Books & Speaking

Mobile threat research is in our DNA
▪ Dream team of security researchers
▪ Every waking moment spent:
– Discovering critical vulns
– Identifying novel attack vectors
– Creating/maintaining renowned open-source mobile security tools/projects

The NowSecure Mission
▪ Educate enterprises on the latest mobile threats
▪ Maximize the security of apps enterprises develop, purchase and use

Page 4

NowSecure #MobSec5: weekly mobile security news update

SUBSCRIBE NOW: www.nowsecure.com/go/subscribe

Page 5

AGENDA + SPEAKERS

MILLIONS OF POINTS OF APP RISK
▪ Stakeholders
▪ Risk & Compliance
▪ Mobile Attack Surface

REAL-WORLD APP RISK DATA
▪ Industry Benchmark Data
▪ Example best in class
▪ Example worst in class

RECOMMENDATIONS
▪ Best Practice Approaches

Brian Reed, Chief Mobile Officer

Alex Wishkoski, Director, Product Mgmt

Page 6

3RD-PARTY MOBILE APP RISK & IMPACT

Page 7

WHAT IS SCOPE OF 3rd PARTY APP RISK?

50,000 Devices × 89 Apps/Device = 4,450,000 Points of Risk

Sources: “The Economic Risk of Confidential Data on Mobile Devices in the Workplace”, Ponemon Institute; “Average number of apps installed by users in the United States in 2016, by device”, Statista

Page 8

WHAT RISK? NEWS FLASH TODAY!

BLOG: https://www.nowsecure.com/blog/2017/11/14/oneplus-device-root-exploit-backdoor-engineermode-app-diagnostics-mode/

▪ Millions of OnePlus Devices in Asia, India & Europe now exposed

▪ New Root Exploit discovered YESTERDAY

• Manufacturer's EngineerMode App left BackDoor in production

• System-signed .apk w/ SHA256 hash of PWD that was easily reversed

• With password, EngineerMode app enables a debugging mode & Rooting

▪ How do you know if you are exposed?

Page 9

WHAT IS SCOPE OF 3rd PARTY APP RISK? (same slide as Page 7)

Page 10

WHO IS RESPONSIBLE FOR 3rd PARTY APP RISK?

SECURITY & ARCHITECTURE
• Evaluate mobile technology
• Establish mobile security and architecture requirements
• Test for vulnerabilities and ensure security, privacy, compliance

MOBILE CENTER OF EXCELLENCE
• Centrally coordinate & enable business mobilization
• Support BYOD, COPE & Enterprise managed devices & apps
• Easy, quick vetting of 3rd party mobile apps to ensure they meet policy and governance requirements

COMPLIANCE & RISK
• Establish risk-based guidelines for mobile app security, compliance and privacy
• Ensure governance and controls are in place for all mobile apps
• Track and report on industry compliance and privacy mandates

Page 11

WHAT IS THE MOBILE APP ATTACK SURFACE?

API BACKEND
▪ Platform vulnerabilities
▪ Server misconfiguration
▪ Cross-site scripting
▪ Cross-site request forgery
▪ Cross origin resource sharing
▪ Brute force attacks
▪ Side channel attacks
▪ SQL injection
▪ Privilege escalation
▪ Data dumping
▪ OS command execution
▪ Weak input validation
▪ Hypervisor attack
▪ VPN

DATA AT REST
▪ Data caching
▪ Data stored in application directory
▪ Decryption of keychain
▪ Data stored in log files
▪ Data cached in memory/RAM
▪ Data stored in SD card
▪ OS data caching
▪ Passwords & data accessible
▪ No/Weak encryption
▪ TEE/Secure Enclave Processor
▪ Side channel leak
▪ SQLite database
▪ Emulator variance

DATA IN MOTION
▪ Wi-Fi (no/weak encryption)
▪ Rogue access point
▪ Packet sniffing
▪ Man-in-the-middle
▪ Session hijacking
▪ DNS poisoning
▪ TLS Downgrade
▪ Fake TLS certificate
▪ Improper TLS validation
▪ HTTP Proxies
▪ VPNs
▪ Weak/No Local authentication
▪ App transport security
▪ Transmitted to insecure server
▪ Zip files in transit
▪ Cookie “httpOnly” flag
▪ Cookie “secure” flag

CODE FUNCTIONALITY
▪ GPS spoofing
▪ Buffer overflow
▪ allowBackup Flag
▪ allowDebug Flag
▪ Code Obfuscation
▪ Configuration manipulation
▪ Escalated privileges
▪ URL schemes
▪ Integrity/tampering/repacking
▪ Side channel attacks
▪ App signing key unprotected
▪ JSON-RPC
▪ Automatic Reference Counting
▪ Android rooting/iOS jailbreak
▪ User-initiated code
▪ Confused deputy attack
▪ Multimedia/file format parsers
▪ Insecure 3rd party libraries
▪ World Writable Files
▪ World Writable Executables
▪ Dynamic runtime injection
▪ Unintended permissions
▪ UI overlay/pin stealing
▪ Intent hijacking
▪ Zip directory traversal
▪ Clipboard data
▪ World Readable Files

Page 12

WHAT ARE RISK & COMPLIANCE MANDATES?

AppE.5.b Operational Risk Mitigation

AppE.5.b(iii) Mobile Application Risk Mitigation

PCI DSS Version 3.2: Develop, Test, Maintain Secure Systems & Apps

PCI Mobile Payment Acceptance Security Guidelines

PART 314—Standards for safeguarding customer information

NIST FIPS 200: Minimum Security Requirements

NIST SP 800-53: Security & Privacy Controls

NIST SP 800-163: Vetting the Security of Mobile Applications

Page 13

WHY ARE THE RISK RATIOS SO BAD?

>5 MILLION APP STORE APPS : 245 MOBILE APP DEVs : 1 SECURITY ENGINEER

Page 14

WHY SO MUCH TENSION?

Chart: SPEED, VOLUME, RISK and COST, each plotted on a LOW to HIGH scale

Page 15

REAL-WORLD EXAMPLES OF APP STORE APP RISKS

Page 16

WHAT ARE THE 3RD PARTY RISK STATS?

49% of apps have at least 1 significant risk

30% of Android reports run reveal sensitive user data

60% of iOS apps don’t require encrypted connections

26% of iOS reports reveal sensitive data in transit

20,000+ Android apps found that send passwords in the clear

120,000+ apps that can reveal user location

Source: NowSecure Software and Research Data 2016-2017

Page 17

INSIDE MOBILE APP RISK SCORING

Page 18

TESTING FOR RISK -- DATA IN MOTION

▪ Apply SSL/TLS universally

▪ Assume that the network layer is not secure and is susceptible to eavesdropping

▪ Use strong, industry standard cipher suites with appropriate key lengths

▪ 34% of iOS apps use HTTP

▪ iOS ATS slow adoption (less than 40%)

Page 19

PREVENTING MITM ATTACKS

▪ Use HSTS / HTTPS: prevent protocol downgrade attacks

▪ Validate certificates

▪ Use cert pinning

▪ Educate users: don’t install certs
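As an added example (not part of the NowSecure deck), an Android Network Security Configuration that applies the four points above to a native banking client: cleartext HTTP refused everywhere (the in-app counterpart of HSTS, since a native app has no browser to honour the header), certificate pinning for the bank's API host, and only the system CA store trusted, so a CA the user was talked into installing cannot intercept traffic. The hostname and the pin values are placeholders.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml
     Referenced from AndroidManifest.xml on the <application> element:
       android:networkSecurityConfig="@xml/network_security_config"
     Hostname and pin values are placeholders, not real deployment data. -->
<network-security-config>

    <!-- Default for every destination the app talks to:
         no cleartext HTTP ("apply SSL/TLS universally"; an http:// URL fails
         instead of silently downgrading), and trust only the platform CA store,
         so a user-installed CA is ignored ("educate users: don't install certs"). -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Stricter rule for the bank's own API host: pin the SHA-256 of the
         expected Subject Public Key Info, so a fraudulent certificate that a
         trusted CA did issue is still rejected ("use cert pinning").
         Keep a backup pin for key rotation. After the expiration date pinning is
         no longer enforced (ordinary CA validation still is), which stops a
         forgotten pin set from locking every customer out of the app. -->
    <domain-config cleartextTrafficPermitted="false">
        <domain includeSubdomains="true">api.example-bank.invalid</domain>
        <pin-set expiration="2018-12-31">
            <pin digest="SHA-256">PLACEHOLDER_BASE64_SPKI_SHA256_PRIMARY=</pin>
            <pin digest="SHA-256">PLACEHOLDER_BASE64_SPKI_SHA256_BACKUP=</pin>
        </pin-set>
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </domain-config>

</network-security-config>
```

When vetting a third-party app rather than building one, the same file (or its absence) is what to look for in the decompiled APK: a `cleartextTrafficPermitted="true"` override or `<certificates src="user" />` is the kind of finding the slide's testing is meant to surface.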

Page 20

TESTING FOR RISK -- IP ADDRESSES

▪ 3rd party libraries, SDKs are common culprits: ad networks frequently uniquely identify users and geo-locate them insecurely

▪ Validate all outbound traffic destinations

▪ Apps frequently have 100s of connections (this one had 250)

Page 21

TESTING FOR RISK -- DATA AT REST

▪ Writable executables

▪ Local log data
• GPS data / location
• Files / directories accessed

▪ External storage
• Always examine all files, permissions

Page 22

TESTING FOR RISK -- 3RD PARTY LIBRARIES

▪ Nearly all apps have 3rd party libs

▪ Open source allows both good and bad eyeballs

▪ Popular libraries ≠ safety

Page 23

TESTING FOR RISK -- PERMISSIONS & ENTITLEMENTS

▪ Contact list access

▪ Write external storage

▪ Calendar

▪ Send SMS

▪ NFC

Page 24

IN ACTION: BEST PRACTICES FOR FINSERV & BANKING

Page 25

BEST PRACTICE RECOMMENDATIONS

1. Recognize the risks of 3rd party apps on BYOD and COPE devices
○ Assume all are untrusted until validated, no matter who the developer is

2. Put controls and processes in place to analyze and monitor 3rd party app risk
○ Inventory & analyze your existing mobile apps, leveraging EMM/MDM
○ Adapt processes to review and approve all new mobile apps before introduction
○ Leverage automated tools for in-depth testing and continuous monitoring

3. Find a reputable source to stay up to date on the latest threats
○ Sign up for NowSecure #MobSec5 at www.nowsecure.com/go/subscribe
○ Read our blog at www.nowsecure.com/blog

Page 26

Case Study

● PROBLEM: Provider of 3rd-party risk analytics to insurers, F500 enterprises & investment banks needed app-store app risk rankings at scale

● Leverage the NowSecure Platform™ for the world’s deepest 3rd-party app vetting

● On-demand access to millions of app-store app security scores via NowSecure INTEL API

Page 27

NOWSECURE PLATFORM for 360º COVERAGE OF MOBILE APP SECURITY TESTING

NowSecure INTEL: AlwaysOn AppStore Cloud Analysis for EMM & Security teams

NowSecure AUTO: OnDemand Fast Cloud Analysis for Dev, QA & Security teams

NowSecure WORKSTATION: Deep Pen Testing Analysis for Security Analysts

NowSecure SERVICES: Expert Pen Testing, Training & Programs for App Owners & Security teams

8X FASTER – 3X DEEPER – MOST TRUSTED

Page 28

SHIFT LEFT WITH MOBILE APPSEC FACTORY

Diagram: YOUR APPSEC FACTORY across the lifecycle stages REQUIREMENTS, DESIGN, BUILD, TEST, PRODUCTION

▪ RAPID TEST (developed apps): Rapid Test all apps in 15 mins automatically… → RAPID: PASSED / ANY TEST: FAILED

▪ DEEP TEST (deep certification): Spend <1 hour deep testing any concerning rapid results or additional advanced/pre-release certification → DEEP: PASSED

▪ ONLINE TEST (3rd party app store apps): Instantly Vet 3rd Party App Risk → ONLINE: PASSED / ONLINE: FAILED

Page 29

NOWSECURE COMING ATTRACTIONS

Next Month’s Webinar: 2018 Mobile AppSec Must-Dos, Tuesday, Dec. 5

NH-ISAC Fall Summit: Come see NowSecure, Nov. 28 - 30 in Scottsdale, AZ

AppSec Cali 2018: Come see NowSecure, Jan. 30 - 31 in Santa Monica

Page 30

OPEN Q&A

MILLIONS OF POINTS OF APP RISK
▪ Stakeholders
▪ Mobile Attack Surface
▪ Risk & Compliance

REAL-WORLD APP RISK DATA
▪ Industry Benchmark Data
▪ Example best in class
▪ Example worst in class

RECOMMENDATIONS
▪ Best Practice Approaches

Brian Reed, Chief Mobility Officer

Alex Wishkoski, Director, Product Mgmt

Page 31

Let’s talk

NowSecure, +1 312.878.1100

@NowSecureMobile | www.nowsecure.com

Subscribe to #MobSec5 A digest of the week’s mobile security news that matters

https://www.nowsecure.com/go/subscribe