Mobile Payments: Protecting Apps and Data from Emerging Risks


Transcript of Mobile Payments: Protecting Apps and Data from Emerging Risks

Page 1: Mobile Payments: Protecting Apps and Data from Emerging Risks

© 2013 IBM Corporation

Arxan, IBM & FS-ISAC Present:

Mobile Payments: Protecting Apps and Data from Emerging Risks

Tom Mulvehill, Mobile Security Strategy, IBM

Winston Bond, Technical Manager, Arxan Technologies

Page 2:

© 2015 IBM Corporation

IBM Security Systems

Agenda

• Mobile App and Payment Landscape

• How Criminals Can Attack Your App

• Comprehensive Protection Techniques

• Q&A

Page 3:

Mobile App and Payment Landscape

Page 4:

Mobile Banking Services Can be a Competitive Advantage

Mobile banking is the most important deciding factor when switching banks (32%), more important than fees (24%), branch location (21%) or services (21%), according to a survey of mobile banking customers in the U.S.

#1 Channel: Mobile banking channel development is the #1 technology priority of N.A. retail banks (2013)

$1tn: The mobile payments market will eventually eclipse $1 trillion by 2017

43% of 18-20 year olds have used a mobile banking app in the past 12 months

29%: Cash-based retail payments in the U.S. have fallen from 36% in 2002 to 29% in 2012

19% of customers won't mobile bank because of security fears

90% of mobile banking app users use the app to check account balances or recent transactions

Page 5:

However, as mobile grows, so do security threats

“With the growing penetration of mobile devices in the enterprise, security testing and protection of mobile applications and data become mandatory.” (Gartner)

“Enterprise mobility… new systems of engagement. These new systems help firms empower their customers, partners, and employees with context-aware apps and smart products.” (Forrester)

Top mobile apps hacked (Arxan): 97% of Android apps, 87% of iOS apps

387 new threats every minute, and six every second (McAfee)

Page 6:

What concerns does this create for the enterprise?

Page 7:

Security Is Front and Center and Must Be Addressed

Page 8:

You are only as strong as your weakest link

Application Risks
• App hacking
• App security vulnerabilities

Device Risks
• Rooted / jailbroken devices
• Outdated OS security vulnerabilities
• Malware

Session Risks
• Unsecure connection
• SMS forwarding (interception of one-time codes)
• Mobile ATO / cross-channel ATO (account takeover)

Page 9:

How Criminals Can Easily Attack Your Mobile Banking App

Page 10:

Disruption in the Security Landscape

Centralized, trusted environment
• Web Apps
• Data Center Apps
Attackers do not have easy access to the application binary
+ Application Security Testing (“Build it Secure”)

Distributed or untrusted environment: “Apps in the Wild”
• Mobile Apps
• Internet of Things
• Packaged Software
Attackers can easily access and compromise the application binary
+ Application Security Testing (“Build it Secure”)
+ Application Self-Protection (“Keep it Secure”)

Page 11:

Mobile Apps Are Vulnerable to Attacks

Integrity Risk (Code Modification or Code Injection Vulnerabilities)
• Applications can be modified and tampered with, e.g. key generation / key use algorithms can be altered, causing key theft or data theft
• Run-time behavior of applications can be altered, causing unsafe or improper operation
• Malicious code can be injected or hooked into applications

Confidentiality Risk (Reverse Engineering or Code Analysis Vulnerabilities)
• Private and sensitive information can be exposed, including the cryptographic keys that are used to secure information
• Applications can be reverse-engineered back to readable source code (decompilers recover near-source for Java/Dalvik and .NET bytecode; native code yields pseudocode)
• Code and Intellectual Property (IP) can be lifted, stolen, reused or repackaged

Page 12:

Particularly Crypto Keys

Cryptographic key hacking examples:
• Crypto keys extracted through memory scraping, allowing unauthorized access to financial transactions (in PoS systems)
• Exploiting memory-disclosure bugs, such as the Heartbleed buffer over-read, to steal crypto keys
• Android APK integrity vulnerability
• And many more…

Unfortunately, many don’t protect their keys or think it is too difficult to protect them

80% of respondents to a Ponemon Institute survey identified broken cryptography as the most difficult risk to minimize (State of Mobile Application Insecurity, February 2015)

Growing trend of memory scraping (Source: Verizon 2015 Data Breach Investigations Report)

Hackers are relying on memory scraping with increasing frequency: it is essential to protect keys in memory!
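The point about keys in memory is easiest to see with a scraper in hand. The example below is added for this page (it is not code from the slides or from Arxan's product): it holds a 128-bit key both in the naive way and XOR-masked, runs a pattern scan of the kind memory-scraping malware performs over each layout, and shows the masked layout surviving the scan while still being usable, with the unmasked copy wiped as soon as the operation finishes. The key, the mask and the FNV-1a stand-in for a real primitive are constructed for the demonstration; a real build would draw the mask from the OS RNG at process start.

```c
/* key_in_memory.c: keeping a symmetric key out of the plaintext form a memory scraper finds.
 * Build: cc -O2 -o key_in_memory key_in_memory.c
 * Added example; the key, mask and "memory snapshot" are constructed test data. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define KEY_LEN 16

/* Constructed 128-bit key (ASCII so a hit is easy to recognise in a hex dump; the NUL is not part of it). */
static const unsigned char DEMO_KEY[KEY_LEN + 1] = "0123456789ABCDEF";
/* Constructed per-process mask. A real build draws this from the OS RNG at process start. */
static const unsigned char DEMO_MASK[KEY_LEN] = {0xa5,0xc3,0x5a,0x3c,0x96,0x69,0xf0,0x0f,
                                                 0xe1,0x1e,0xd2,0x2d,0xb4,0x4b,0x87,0x78};

/* Zeroise through a volatile pointer so the stores are not dead-store-eliminated (explicit_bzero idea). */
static void secure_wipe(void *p, size_t n) {
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}

/* Naive layout: the key sits in the clear for the life of the process. */
typedef struct { unsigned char key[KEY_LEN]; } naive_key_t;

/* Masked layout: only key XOR mask is stored; the key exists only transiently, in a stack buffer. */
typedef struct { unsigned char masked[KEY_LEN]; unsigned char mask[KEY_LEN]; } masked_key_t;

static void masked_key_init(masked_key_t *mk, const unsigned char *key, const unsigned char *mask) {
    for (size_t i = 0; i < KEY_LEN; i++) { mk->mask[i] = mask[i]; mk->masked[i] = key[i] ^ mask[i]; }
}

/* Memory scraper: the attacker's pattern scan over a dumped region. Offset of first hit, or -1. */
long scan_memory(const unsigned char *region, size_t len, const unsigned char *pattern, size_t plen) {
    if (plen == 0 || len < plen) return -1;
    for (size_t i = 0; i + plen <= len; i++)
        if (memcmp(region + i, pattern, plen) == 0) return (long)i;
    return -1;
}

/* Unmask into a caller-owned buffer, run one operation with it, then wipe.
 * Returns the operation's result; *wiped is 1 if the buffer is all-zero afterwards. */
static uint32_t use_key_then_wipe(const masked_key_t *mk,
                                  uint32_t (*op)(const unsigned char *key, size_t len), int *wiped) {
    unsigned char tmp[KEY_LEN];
    for (size_t i = 0; i < KEY_LEN; i++) tmp[i] = mk->masked[i] ^ mk->mask[i];
    uint32_t result = op(tmp, KEY_LEN);          /* the only window in which the key is in the clear */
    secure_wipe(tmp, sizeof tmp);
    int all_zero = 1;
    for (size_t i = 0; i < KEY_LEN; i++) all_zero &= (((volatile unsigned char *)tmp)[i] == 0);
    *wiped = all_zero;
    return result;
}

/* Stand-in for a real keyed primitive (e.g. a MAC): FNV-1a over the key bytes. */
static uint32_t fnv1a(const unsigned char *p, size_t n) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

/* 1 if the scraper finds the key inside a naive_key_t (it does, at offset 0). */
int naive_key_is_scrapable(void) {
    naive_key_t nk; memcpy(nk.key, DEMO_KEY, KEY_LEN);
    return scan_memory((const unsigned char *)&nk, sizeof nk, DEMO_KEY, KEY_LEN) == 0;
}

/* 1 if the scraper fails to find the key anywhere inside a masked_key_t. */
int masked_key_is_hidden(void) {
    masked_key_t mk; masked_key_init(&mk, DEMO_KEY, DEMO_MASK);
    return scan_memory((const unsigned char *)&mk, sizeof mk, DEMO_KEY, KEY_LEN) == -1;
}

/* 1 if unmask-use-wipe gives the same result as the plaintext key and leaves no copy behind. */
int masked_key_round_trips(void) {
    masked_key_t mk; masked_key_init(&mk, DEMO_KEY, DEMO_MASK);
    int wiped = 0;
    uint32_t via_mask = use_key_then_wipe(&mk, fnv1a, &wiped);
    return wiped && via_mask == fnv1a(DEMO_KEY, KEY_LEN);
}

int main(void) {
    printf("naive key found by scraper : %d\n", naive_key_is_scrapable());
    printf("masked key hidden          : %d\n", masked_key_is_hidden());
    printf("masked key usable + wiped  : %d\n", masked_key_round_trips());
    return 0;
}
```

Masking of this kind defeats pattern scans and shortens the key's exposure window; it does not stop an attacker who dumps the whole process and knows the layout, which is the gap white-box cryptography (pages 23 and 24) and hardware-backed key stores are meant to close.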

Page 13:

Anatomy of Attacks on Mobile Apps

Reverse-engineering app contents:
1. Decrypt the mobile app (iOS App Store binaries are encrypted and must be dumped from memory first; Android APKs are not encrypted)
2. Open up and examine the app
3. Create a hacked version
4. Distribute the app

What the attacker gets out of it:
• Extract and steal confidential data
• Create a tampered, cracked or patched version of the app
• Release / use the hacked app
• Use malware to infect/patch the app on other devices

https://www.arxan.com/how-to-hack-a-mobile-application

Page 14:

Reverse engineering of a mobile payment application

Video: How to Hack an App via Reverse Engineering

Page 15:

Mobile App & Mobile Payment Protection Techniques

Page 16:

IBM Mobile Security Framework

Layers: Protect Devices; Secure Content and Collaboration; Safeguard Applications and Data; Manage Access and Fraud; Extend Security Intelligence

IBM offerings shown: MobileFirst Protect (MaaS360); AppScan, Arxan, Trusteer Mobile SDK

Other vendors shown: AirWatch, MobileIron, Good, Citrix, Microsoft, Mocana; HP Fortify, Veracode, Proguard; CA, Oracle, RSA

• Manage multi-OS BYOD environment
• Mitigate risks of lost and compromised devices
• Separate enterprise and personal data
• Enforce compliance with security policies
• Distribute and control enterprise apps
• Build and secure apps and protect them “in the wild”
• Provide secure web, mobile, API access and identify device risk
• Meet authentication ease-of-use expectation

Extend Security Intelligence
• Extend security information and event management (SIEM) to the mobile platform
• Incorporate mobile log management, anomaly detection, configuration and vulnerability management

Page 17:

Business imperatives for managing access and fraud

“The CyberVor gang amassed over 4.5 billion records, mostly consisting of stolen credentials. To get such an impressive number of credentials, the CyberVors robbed over 420,000 web and FTP sites.” (Hold Security)

$6.53 million: average cost of a U.S. data breach (2015 Cost of Data Breach Study, Ponemon Institute)

95% of financial services incidents involve harvesting credentials stolen from customer devices (2015 Verizon Data Breach Investigations Report)

Page 18:

Build, test and secure mobile apps before distributing to end users

Safely distribute apps: Deploy custom enterprise app catalogs; blacklist, whitelist and require apps; administer app volume purchase programs

Test app security: Identify vulnerabilities in development and pre-deployment; isolate data leakage risks; ensure proper use of cryptography

Protect apps: Harden mobile apps to defend against reverse engineering; prevent repackaging of apps; protect apps from mobile malware

Secure app data: Protect enterprise apps with authentication, tunneling and copy / paste restrictions, and prevent access from compromised devices

Page 19:

Application Protection: Can you say: Ob-fu-sca-tion!

Confuse the Hacker
• Dummy Code Insertion
• Instruction Merging
• Block Shuffling
• Function Inlining
• … and More!

Turns this into this … (before/after figure)
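To make the list concrete, here is an added example (written for this page; it is not Arxan's output or code from the slides) of a four-digit PIN check in plain C beside a hand-obfuscated version of the same function that applies three of the listed transformations: the strlen call is inlined, the basic blocks are shuffled behind a dispatcher driven by a state variable, and a dummy block is inserted behind an opaque predicate that is never true. The expected PIN and the block identifiers are arbitrary constants chosen for the example.

```c
/* obfuscation.c: the same PIN check before and after manual obfuscation.
 * Build: cc -O2 -o obfuscation obfuscation.c
 * Added example. The expected PIN and the block ids are arbitrary constants. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PIN_LEN 4

/* Before: the function a decompiler renders almost verbatim. */
int pin_ok_plain(const char *pin, const char *expected) {
    if (strlen(pin) != PIN_LEN) return 0;
    int diff = 0;
    for (int i = 0; i < PIN_LEN; i++) diff |= pin[i] ^ expected[i];   /* constant-time compare */
    return diff == 0;
}

/* After: same behaviour, deliberately non-idiomatic.
 *  - Function inlining: strlen is expanded in place, so there is no library call to hook.
 *  - Block shuffling: each basic block is a case in a dispatcher; a state variable holds the id of
 *    the next block, so the control-flow graph reads as one flat loop around a switch.
 *  - Dummy code insertion: block 0x77 is dead, but it is reachable through an opaque predicate
 *    (i*(i+1) is always even) that a static analyser cannot dismiss without proving that. */
int pin_ok_obf(const char *pin, const char *expected) {
    unsigned state = 0x5A, i = 0, len = 0;
    int diff = 0;
    for (;;) {
        if (((i * (i + 1u)) & 1u) != 0u) state = 0x77;   /* opaque predicate: never true */
        switch (state) {
        case 0x31:                                      /* compare one character */
            diff |= pin[i] ^ expected[i];
            i++;
            state = (i < PIN_LEN) ? 0x31 : 0x0C;
            break;
        case 0x0C:                                      /* accept iff no byte differed */
            return diff == 0;
        case 0x77:                                      /* dummy block, never executed */
            diff ^= (int)(len * 7u);
            state = 0x31;
            break;
        case 0x5A:                                      /* entry: inlined strlen + length check */
            while (pin[len]) len++;
            state = (len == PIN_LEN) ? 0x31 : 0xE7;
            break;
        case 0xE7:                                      /* reject */
            return 0;
        default:                                        /* unreachable; fail closed */
            return 0;
        }
    }
}

/* 1 if both versions agree on a set of constructed inputs. */
int versions_agree(void) {
    const char *expected = "4821";
    const char *inputs[] = { "4821", "4822", "482", "48211", "", "1248" };
    for (size_t k = 0; k < sizeof inputs / sizeof inputs[0]; k++)
        if (pin_ok_plain(inputs[k], expected) != pin_ok_obf(inputs[k], expected)) return 0;
    return 1;
}

int main(void) {
    printf("plain: %d  obfuscated: %d  agree on all inputs: %d\n",
           pin_ok_plain("4821", "4821"), pin_ok_obf("4821", "4821"), versions_agree());
    return 0;
}
```

Commercial tools apply these transformations automatically on the binary, randomised per build (page 26), so two releases of the same app do not share the same patch points; a hand-written version like this one is stable across builds and would be diffed away quickly.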

Page 20:

Application Protection: Preventing Reverse Engineering

Other Techniques
• Method Renaming
• String Encryption
• … and More!

String not found… Where did it go? (figure: string search against the protected binary)
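As an added example for the string-encryption item (written for this page, not an obfuscator's actual output), the block below shows the build-time and run-time halves of the technique: a literal (a constructed transfer-endpoint URL) is encrypted once under a per-literal key at build time, and the running app decrypts it into a stack buffer just before use and wipes it afterwards, so a strings-style scan of the binary's data finds nothing readable. The build step is executed inline here so the file is self-contained; in a real pipeline only the ciphertext array would be compiled in.

```c
/* string_encryption.c: literals a disassembler's string search cannot read.
 * Build: cc -O2 -o string_encryption string_encryption.c
 * Added example, not an obfuscator's real output. The URL and the per-literal key are constructed,
 * and the build-time step runs inline so the file is self-contained; a real pipeline runs it once
 * and compiles in only the ciphertext. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One protected literal: ciphertext, its length, and the key that seeds its keystream. */
typedef struct {
    const unsigned char *ct;
    size_t len;
    uint32_t key;            /* distinct per literal, so two equal strings do not share ciphertext */
} enc_str_t;

/* Keystream byte: xorshift32 over the literal's key. Build step and run time derive the same stream.
   The high bit is forced so every ciphertext byte is non-ASCII (provable here, but itself a pattern;
   production tools use unconstrained random keys and accept the odd printable run). */
static unsigned char ks_byte(uint32_t *state) {
    uint32_t x = *state;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    *state = x;
    return (unsigned char)((x >> 24) | 0x80u);
}

/* Build-time half: what the obfuscator emits as a byte-array initializer. */
static void build_encrypt(const char *plain, size_t len, uint32_t key, unsigned char *out) {
    uint32_t st = key;
    for (size_t i = 0; i < len; i++) out[i] = (unsigned char)plain[i] ^ ks_byte(&st);
}

/* Run-time half: decrypt into a caller-owned buffer, NUL-terminated. The caller wipes it after use. */
static void str_decrypt(const enc_str_t *s, char *out, size_t outlen) {
    uint32_t st = s->key;
    size_t n = s->len < outlen - 1 ? s->len : outlen - 1;
    for (size_t i = 0; i < n; i++) out[i] = (char)(s->ct[i] ^ ks_byte(&st));
    out[n] = '\0';
}

/* Zeroise through a volatile pointer so the compiler cannot drop the stores. */
static void secure_wipe(void *p, size_t n) {
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}

/* What `strings` measures: the longest run of printable bytes in a region. */
size_t longest_printable_run(const unsigned char *p, size_t n) {
    size_t best = 0, cur = 0;
    for (size_t i = 0; i < n; i++) {
        cur = (p[i] >= 0x20 && p[i] < 0x7f) ? cur + 1 : 0;
        if (cur > best) best = cur;
    }
    return best;
}

/* Constructed literal. In a real build only endpoint_ct, not this macro, reaches the binary. */
#define ENDPOINT_PLAIN "https://api.example-bank.test/v1/transfer"
static unsigned char endpoint_ct[sizeof ENDPOINT_PLAIN - 1];
static enc_str_t endpoint = { endpoint_ct, sizeof endpoint_ct, 0x9E3779B9u };
static int built = 0;

/* Simulated build step; idempotent. */
void build_step(void) {
    if (!built) { build_encrypt(ENDPOINT_PLAIN, sizeof endpoint_ct, endpoint.key, endpoint_ct); built = 1; }
}

/* Unprotected consumer: the URL is a plain literal in .rodata. */
const char *naive_endpoint(void) { return ENDPOINT_PLAIN; }

/* Protected consumer: decrypt just in time, use, wipe. Copies the URL out only so the demo can check it. */
size_t connect_to_endpoint(char *observed, size_t obslen) {
    build_step();
    char url[128];
    str_decrypt(&endpoint, url, sizeof url);
    size_t n = strlen(url);                 /* stand-in for the real network call */
    if (observed && obslen) { strncpy(observed, url, obslen - 1); observed[obslen - 1] = '\0'; }
    secure_wipe(url, sizeof url);
    return n;
}

/* 1 if a strings-style scan of the stored ciphertext finds no printable run at all. */
int ciphertext_is_unreadable(void) {
    build_step();
    return longest_printable_run(endpoint_ct, sizeof endpoint_ct) == 0;
}

/* 1 if the run-time decryption reproduces the original literal. */
int ciphertext_decrypts_correctly(void) {
    char buf[128];
    connect_to_endpoint(buf, sizeof buf);
    return strcmp(buf, ENDPOINT_PLAIN) == 0;
}

int main(void) {
    const char *plain = naive_endpoint();
    printf("naive literal: longest printable run %zu of %zu bytes\n",
           longest_printable_run((const unsigned char *)plain, strlen(plain)), strlen(plain));
    printf("encrypted literal unreadable: %d, decrypts correctly: %d\n",
           ciphertext_is_unreadable(), ciphertext_decrypts_correctly());
    return 0;
}
```

This is obfuscation, not confidentiality: the key is in the binary too, and a breakpoint after str_decrypt reads the string in the clear, which is why string encryption is paired with the anti-debug and integrity guards on the following pages.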

Page 21:

Application Protection: Preventing Tampering

Common Techniques
• Checksum: Has the binary changed? If so, let me know so I can do something about it!
• Method Swizzling Detection: Is someone hijacking my code?
• Debug Detection: Is a debugger running?

Page 22:

Application Protection: A Number of Guards Can Be Leveraged

Defend against compromise
• Advanced Obfuscation
• Code and Resource Encryption
• Pre-Damage
• Metadata Removal

Detect attacks at run time
• Checksum
• Debug Detection
• Resource Verification
• Jailbreak/Root Detection
• Swizzling Detection
• Hook Detection

React to ward off attacks
• Shut Down (Exit, Fail)
• Self-Repair
• Custom Reactions
• Alert / Phone Home
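The checksum and debug-detection items from the previous page and the detect/react columns above reduce to a small pattern in code. The following added example (written for this page; it is not Arxan's Guard implementation) shows one detect-and-react guard: a CRC-32 over a protected region compared against a value the build pipeline would embed, a Linux/Android debugger check via TracerPid, and a reaction callback. The protected region is a constructed byte table standing in for a code or resource section (a pinned-certificate hash and a pinning flag), and the reaction function is hypothetical.

```c
/* guards.c: one detect-and-react guard: integrity check, debugger check, reaction.
 * Build: cc -O2 -o guards guards.c
 * Added example, not Arxan's implementation. The protected region is a constructed byte table,
 * the expected CRC stands in for a value the build pipeline embeds after the final link, and
 * demo_react is a hypothetical reaction. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* CRC-32 (IEEE 802.3, reflected, polynomial 0xEDB88320), table-free so it is small enough to inline
   at many sites. Check value: crc32_region("123456789", 9) == 0xCBF43926. */
uint32_t crc32_region(const unsigned char *p, size_t n) {
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        c ^= p[i];
        for (int k = 0; k < 8; k++) c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return c ^ 0xFFFFFFFFu;
}

/* Debug detection (Linux/Android): TracerPid in /proc/self/status is non-zero while ptrace-attached.
   Returns 1 = traced, 0 = not traced, -1 = cannot tell (no procfs); a real guard treats -1 as suspicious. */
int debugger_attached(void) {
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    char line[256];
    int result = -1;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "TracerPid:", 10) == 0) { result = atoi(line + 10) != 0; break; }
    }
    fclose(f);
    return result;
}

typedef enum { GUARD_OK = 0, GUARD_TAMPERED = 1, GUARD_DEBUGGED = 2 } guard_verdict_t;

typedef struct {
    const unsigned char *region;     /* bytes to verify: code, resources, a config table */
    size_t len;
    uint32_t expected_crc;           /* embedded by the build pipeline after the final link */
    void (*react)(guard_verdict_t);  /* shut down, self-repair, custom reaction, phone home */
} guard_t;

/* Run the guard once: integrity first, then debugger; fire the reaction on any finding. */
guard_verdict_t guard_run(const guard_t *g) {
    guard_verdict_t v = GUARD_OK;
    if (crc32_region(g->region, g->len) != g->expected_crc) v = GUARD_TAMPERED;
    else if (debugger_attached() == 1) v = GUARD_DEBUGGED;
    if (v != GUARD_OK && g->react) g->react(v);
    return v;
}

/* Constructed protected region: a pinned-certificate hash placeholder (16 bytes) followed by a
   require_pinning flag, i.e. exactly the byte an attacker flips to get a MITM proxy accepted. */
static unsigned char protected_region[] = {
    0x3a,0x7f,0xc2,0x11,0x9d,0x04,0xe6,0x58,0x2b,0xb1,0x70,0x6c,0xd9,0x8e,0x45,0xf3,
    0x01 /* require_pinning */
};

static int reactions_fired = 0;
static guard_verdict_t last_verdict = GUARD_OK;
static void demo_react(guard_verdict_t v) { reactions_fired++; last_verdict = v; }  /* hypothetical */

/* 1 if the untouched region verifies and a one-byte patch is caught with the reaction fired once. */
int guard_detects_patch(void) {
    unsigned char live[sizeof protected_region];
    memcpy(live, protected_region, sizeof live);           /* plays the role of the region in memory */
    guard_t g = { live, sizeof live, crc32_region(protected_region, sizeof protected_region), demo_react };
    if (crc32_region(live, sizeof live) != g.expected_crc) return 0;
    int before = reactions_fired;
    live[sizeof live - 1] = 0x00;                           /* attacker: require_pinning = 0 */
    guard_verdict_t v = guard_run(&g);
    return v == GUARD_TAMPERED && last_verdict == GUARD_TAMPERED && reactions_fired == before + 1;
}

int main(void) {
    printf("patch detected and reaction fired: %d\n", guard_detects_patch());
    printf("debugger attached now: %d (1 yes, 0 no, -1 unknown)\n", debugger_attached());
    return 0;
}
```

In a deployed guard the region is the code section itself, located through linker symbols; the checksum is keyed or replaced by a MAC and randomised per build; and the check is injected at many call sites with differing reactions, because one check at one site is exactly the single point of failure an attacker patches out. Self-repair, listed above, would copy a known-good image of the region back over the patched bytes instead of exiting.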

Page 23:

Arxan Cryptographic Key Protection

Sophisticated implementation of “White-box cryptography”
- Intended for any security system that employs cryptographic algorithms and keys in an open and untrusted environment
- Result: keys are never present in plain form, either statically in the binary or in runtime memory
- Protects: static keys, dynamic keys, and sensitive user data

How it works
– Combines mathematical algorithms with data and code obfuscation techniques to transform the key and related operations so keys cannot be discovered at any time
– Supports all major algorithms
– Clearly separates the data into two domains: Open Domain vs Encrypted Domain
– Provides comprehensive protection in conjunction with Arxan’s guarding technology

(Figure: Mobile Application containing an Encrypted Domain that holds the crypto routines, static & dynamic keys and secret data)

Page 24:

This Approach Yields the Most Protected Form of Data: White-box Form

Forms of Data
• Classical form: untransformed data (in the clear)
• Obfuscated form: transformed (reversible) data; inputs and outputs of ciphers can be obfuscated
• White-box form: maximally secure (for keys) and non-reversible

A practical caveat: a white-box implementation protects the key only as well as its internal encodings hold up. Published academic white-box AES and DES constructions have been broken by algebraic attacks and later by differential computation analysis, so the white-box form is deployed together with the run-time guards above and with key diversification and rotation, not on its own.

Page 25:

How Are Code and Key Protection Implemented?

Page 26:

Why Arxan Protection?

For key protection: ‘Gold standard’ protection
• All major cryptography standards and functionality
• Offers a smaller footprint than other solutions
• Delivers better performance

Easy Integration
• Conformance to common API calls like OpenSSL allows straightforward replacement of existing cryptographic libraries

For application protection: ‘Gold standard’ protection strength
• Multi-layered Guards
• Static & Run-Time Guards
• No binary patterns or agents, no single point of failure
• Customizable to your application
• Automated randomization for each build
• No disruption to the SDLC or source code with unique binary-based Guard injection

Arxan Solutions are Proven
• Protected apps deployed on over 300 million devices
• Hundreds of satisfied customers across the Fortune 500
• Cross-platform support: more than 7 mobile platforms alone
• Unique IP ownership: 10+ patents
• Integrated with other IBM security and mobility solutions

Page 27:

World’s Strongest App Protection, Now Sold & Supported by IBM

Benefit of your existing trusted relationship with IBM
• Arxan’s technology is now available from IBM: Sales, Solution, Services and Support from IBM, with close collaboration between IBM and Arxan to ensure your success
• Leverage your existing procurement frameworks and contract vehicles (IBM Passport Advantage, ELAs, Perpetual License, Elite Support, etc.) for purchasing Arxan products, and take advantage of your relationship pricing and special discounts from IBM

Leverage Arxan as part of a comprehensive solution portfolio from IBM to holistically secure mobile apps, with value-adding validated integrations
• Enables a unique ‘Scan + Protect’ application security strategy and best practice: build it secure during development (AppScan) and keep it secure once deployed “in the wild” (Arxan)
• Value-adding Arxan integrations, validations, and interoperability testing with other IBM products (e.g., IBM AppScan, IBM Trusteer, IBM Worklight)

Page 28:

Special Offer: Free Evaluation of “Arxan Application Protection for IBM Solutions”, now offered as part of IBM’s Security Portfolio

NEXT STEP: Contact your IBM representative or email [email protected] for more information

Page 29:

Additional Resources

Arxan/IBM White Paper: Securing Mobile Apps in the Wild
http://www.arxan.com/securing-mobile-apps-in-the-wild-with-app-hardening-and-run-time-protection/

How to Hack An App
https://www.youtube.com/watch?v=VAccZnsJH00

IBM Whitepaper: Old Techniques, New Channel: Mobile Malware Adapting PC Threat Techniques
https://www14.software.ibm.com/webapp/iwm/web/signup.do?source=swg-WW_Security_Organic&S_PKG=ov26530&S_TACT=C341006W&S_CMP=web_opp_sec_trusteer_msdk/

Page 30:

Q&A

Page 31:

Thank You! Tom Mulvehill

[email protected]

Winston Bond

[email protected]