Think Like a Hacker! New Attacks, New Approaches
© 2016 IBM Corporation
David Marshak, Senior Product Manager, IBM Security
Sam Rehman, Chief Technology Officer, Arxan Technologies
Agenda
• Are Mobile Apps Really At Risk?
• Dissecting a Mobile App “Break In”
• Mobile App Protection Techniques
• IBM & Arxan Partnership
• Q&A
Are Mobile Apps Really At Risk?
The Problem Is Real: State of Mobile Application Security Report 2016
What’s Happening With Hacked Apps?
The Payoff for Hackers …
• Piracy and unauthorized distribution
• IP theft – e.g. proprietary algorithms via reverse engineering
• Sensitive information – e.g. usernames, passwords, keys, certificates
• Bypass security controls – e.g. authentication, encryption, licensing, DRM, root/jailbreak detection, ads
• Insertion of malware or exploits in the application, and repackaging
[Chart: Ratio of Malicious to Non-Malicious Fake Apps*]
*Trend Micro Research: Fake Apps Feigning Legitimacy (2014)
The Problem Is Real: Mobile Malware Is Growing Fast
The number of new mobile malware samples jumped by 49% from Q4 2014 to Q1 2015.
The Risk Is Only Growing
• Increasing # of apps
• Faster release cycles
• Use of 3rd-party components / frameworks
• Increasing functionality on the client side
  – Competition
  – User demand
  – e.g. NFC, Host Card Emulation
• “Weaponized” client used to attack backend services
• Increased IoT apps
• Improved hacking tools
  – Jailbreak detection avoidance
  – Cydia Mobile Substrate on Android
Typical Software Security Lifecycle
Phases: Plan → Design, Build, Test → Test, Deploy
Activities across the lifecycle:
• High-Level Risk Assessments
• Security Policy Review
• Define Security Requirements
• Security Architecture Review
• Threat Modeling
• Static Analysis
• Secure Code Review
• Secure Coding Training
• Dynamic Testing
• Penetration Testing
• Final Functional & Security Testing
• Application Monitoring
Produces a “Secure” Application with few, known and acceptable vulnerabilities
BUT …
Even Secure Mobile Apps Can Be Hacked!
Application Environment / Application Security Model:
• Centralized, trusted environment (Web Apps; Data Center Custom Apps)
  – Attackers do not have easy access to the application binary
  – Security model: Vulnerability Analysis and Flaw Remediation – “Build It Secure”
• Distributed or untrusted environment, “Apps in the Wild” (Mobile Apps; Internet of Things / Embedded; Packaged Software)
  – Attackers can easily access and compromise the application binary
  – Security model: Vulnerability Analysis and Flaw Remediation plus Application Hardening and Run-Time Protection – “Keep It Secure”
Dissecting a Mobile App “Break In”
Anatomy of Attacks on Mobile Apps
1. Decrypt the mobile app (iOS apps)
2. Open up and examine the app – reverse-engineer app contents; extract and steal confidential data
3. Create a hacked version – a tampered, cracked or patched version of the app
4. Distribute app (optional) – release / use the hacked app; use malware to infect / patch the app on other devices
The Hacker’s Toolbox
But Isn’t My App Encrypted?
Well, yes, but …
iTunes Code Encryption Bypass: it’s easy for hackers to bypass iOS encryption to progress a mobile app attack.
What’s In Your App?
It’s easy to find out … On iOS:
– class-dump (dumps the Objective-C class, method and property declarations from the binary)
– strings (lists the printable strings embedded in the binary)
Circumventing Branching Statements
It’s easy to get back to the source. Would you post your source code online?
Disassemblers / Decompilers
– IDA Pro
– Hopper
– baksmali
– … and more!
[Figure: disassembler output shown as Assembly Code and as Pseudo Code]
A Couple of Bytes Later …
Hex’d! NOP out the jailbreak detection
[Figure: the patched Pseudo Code]
The Danger of Jailbreak
Method Swizzling is an Objective-C Feature
Method Swizzling Defined: The process of changing the implementation of an existing selector. It’s a technique made possible by the fact that method invocations in Objective-C can be changed at runtime, by changing how selectors are mapped to underlying functions in a class’s dispatch table.
But on jailbroken devices, method swizzling can be used by hackers to change your application’s behavior!
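A plain-C model of the mechanism described above, added here as an example (it is not the deck’s or Arxan’s code): a class’s dispatch table maps a selector to an implementation pointer (IMP), a tweak on a jailbroken device rebinds the isJailbroken selector to a function that always answers “no”, and the check a tamper guard makes is that the IMP bound to a security-critical selector is still the function the app shipped with. The class_t structure, the selector name and the two implementations are constructed for the example; in a real app the equivalents are class_getInstanceMethod, method_getImplementation and method_setImplementation from the Objective-C runtime.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of an Objective-C dispatch table: selector name -> IMP.
 * The real runtime keeps this per class; this is enough to show the attack
 * and the check without needing an Objective-C compiler. */
typedef int (*imp_t)(void);

typedef struct {
    const char *selector;
    imp_t       imp;
} method_t;

typedef struct {
    method_t methods[4];
    size_t   count;
} class_t;

/* The app's genuine check (constructed: a real one would probe for Cydia, etc.).
 * It reports 1 because, for the example, the device is jailbroken. */
static int isJailbroken_original(void) { return 1; }

/* What an attacker's tweak injects: a replacement that always says "clean". */
static int isJailbroken_hijacked(void) { return 0; }

static imp_t lookup(const class_t *cls, const char *sel) {
    for (size_t i = 0; i < cls->count; i++)
        if (strcmp(cls->methods[i].selector, sel) == 0) return cls->methods[i].imp;
    return NULL;
}

/* objc_msgSend equivalent: dynamic dispatch through the table; -1 if unknown. */
int send_message(const class_t *cls, const char *sel) {
    imp_t imp = lookup(cls, sel);
    return imp ? imp() : -1;
}

/* Swizzle: rebind the selector to a new IMP, returning the old one (NULL if absent). */
imp_t swizzle(class_t *cls, const char *sel, imp_t new_imp) {
    for (size_t i = 0; i < cls->count; i++) {
        if (strcmp(cls->methods[i].selector, sel) == 0) {
            imp_t old = cls->methods[i].imp;
            cls->methods[i].imp = new_imp;
            return old;
        }
    }
    return NULL;
}

/* Swizzle detection: the IMP bound to a security-critical selector must be the
 * function the app shipped with. Returns 1 if it has been hijacked. */
int swizzled(const class_t *cls, const char *sel, imp_t expected) {
    return lookup(cls, sel) != expected;
}

/* Build the app's class as shipped. */
void init_device_class(class_t *cls) {
    cls->methods[0].selector = "isJailbroken";
    cls->methods[0].imp      = isJailbroken_original;
    cls->count = 1;
}

/* Accessors so the genuine and hijacked IMPs can be compared by address. */
imp_t genuine_isJailbroken(void)  { return isJailbroken_original; }
imp_t attacker_isJailbroken(void) { return isJailbroken_hijacked; }
```

On a device the attacker controls, the detector is itself patchable, which is why the later slides pair it with checksums and debug detection; a common refinement is to call dladdr on the IMP and require that it lives in the app’s own image rather than in an injected dylib.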
Last Step: Distribute App
There are a number of ways to distribute hacked apps
• Put on non-iOS / Android app stores – many with no / limited review process
• Apple App Store has a review process – but there are ways to get through it
• 3 options for Android app distribution – none have a formal review process
[Figure: Sample App Stores]
Read New Blog: “Do You Know How You’re Getting Hacked?”
Mobile App Protection Techniques
Confuse and Slow the Hacker Down: Obfuscation
Confuse the Hacker
• Dummy Code Insertion
• Instruction Merging
• Block Shuffling
• Function Inlining
• … and More!
[Figure: control-flow graph before and after obfuscation – “Turns this into this …”]
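What “block shuffling”, “dummy code insertion” and “function inlining” do to a function, shown at source level as an added example (it is not the deck’s or Arxan’s code; Arxan applies such transformations to the binary at build time, not to source). The serial-check function and its checksum rule are constructed for the example. The point is that the two versions are behaviourally identical, which equivalent_over verifies, while the second no longer shows a decompiler the loop and the single comparison that the first does.

```c
#include <stdint.h>

/* Clear version: the shape a decompiler reconstructs in seconds. */
int license_ok_clear(uint32_t serial) {
    uint32_t sum = 0;
    for (int i = 0; i < 4; i++)
        sum += (serial >> (8 * i)) & 0xFFu;
    return (sum % 7u) == 3u;
}

/* Same function after three of the listed transformations, applied by hand:
 *  - function inlining: the loop body is unrolled into straight-line states
 *  - block shuffling: the states are dispatched through a flattened switch in
 *    a scrambled order, so reading order no longer matches execution order
 *  - dummy code insertion: an opaque predicate (x*(x+1) is always even, also
 *    modulo 2^32) guards a dead branch that still looks reachable in the CFG
 * Behaviour must be identical to license_ok_clear. */
int license_ok_obf(uint32_t serial) {
    volatile uint32_t x = serial;      /* volatile: the compiler cannot fold the predicate away */
    uint32_t sum = 0, state = 0x3u;
    for (;;) {
        switch (state) {
        case 0x5u: sum += (serial >> 24) & 0xFFu; state = 0x2u; break;
        case 0x3u: sum  =  serial        & 0xFFu; state = 0x7u; break;
        case 0x2u:
            if (((x * (x + 1u)) & 1u) == 0u) { state = 0x4u; }   /* always taken */
            else { sum ^= 0xDEADu; state = 0x3u; }              /* dead: never runs */
            break;
        case 0x1u: sum += (serial >> 16) & 0xFFu; state = 0x5u; break;
        case 0x4u: return (sum % 7u) == 3u;
        case 0x7u: sum += (serial >>  8) & 0xFFu; state = 0x1u; break;
        default:   return 0;
        }
    }
}

/* Differential check: both versions must agree on every serial in [lo, hi]. */
int equivalent_over(uint32_t lo, uint32_t hi) {
    for (uint32_t s = lo; ; s++) {
        if (license_ok_clear(s) != license_ok_obf(s)) return 0;
        if (s == hi) break;
    }
    return 1;
}
```

A differential test like equivalent_over is the check worth keeping in the build: every obfuscation pass must be proven semantics-preserving, because a transformation that silently changes behaviour is a bug that only ships to users with no way to reproduce it.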
Preventing Reverse Engineering
Other Techniques
• Method Renaming
• String Encryption
• … and More!
[Figure: strings search on a protected binary – “String not found. Where did it go?”]
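Where the string went: an added example, not the deck’s or Arxan’s code, of the string-encryption technique. The literal “api_key” is stored XOR-encrypted under a constructed four-byte key, decrypted into a stack buffer only at the point of use and wiped afterwards; a strings-style scan of the stored bytes does not find it, while a scan of the decrypted buffer does. The key, the ciphertext bytes and the use_api_key function are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed for the example: "api_key" XORed byte-wise with the repeating
 * key "Xq7#". Only these bytes land in the compiled image; the plaintext does
 * not. XOR with a short key illustrates the mechanism, not a recommendation:
 * an attacker who runs the decrypt routine under a debugger still recovers
 * the string, which is why the deck pairs this with debug detection. */
static const uint8_t k_key[4] = { 'X', 'q', '7', '#' };
static const uint8_t k_enc_api_key[7] = { 0x39, 0x01, 0x5E, 0x7C, 0x33, 0x14, 0x4E };

/* Decrypt into a caller-supplied buffer; returns bytes written, 0 if it does not fit. */
size_t decrypt_string(const uint8_t *enc, size_t n, char *out, size_t cap) {
    if (cap < n + 1) return 0;
    for (size_t i = 0; i < n; i++)
        out[i] = (char)(enc[i] ^ k_key[i % sizeof k_key]);
    out[n] = '\0';
    return n;
}

/* A minimal strings-style scan: does the literal appear anywhere in the image? */
int image_contains(const uint8_t *image, size_t n, const char *needle) {
    size_t m = strlen(needle);
    if (m == 0 || m > n) return 0;
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(image + i, needle, m) == 0) return 1;
    return 0;
}

/* Use-site pattern: decrypt, compare, wipe. Returns 1 when the secret matched. */
int use_api_key(const char *presented) {
    char buf[16];
    size_t n = decrypt_string(k_enc_api_key, sizeof k_enc_api_key, buf, sizeof buf);
    int ok = (n != 0) && (strcmp(buf, presented) == 0);
    volatile char *p = buf;                 /* volatile: keeps the wiping stores */
    for (size_t i = 0; i < sizeof buf; i++) p[i] = 0;
    return ok;
}

/* Exposes the stored ciphertext so it can be scanned as if it were the binary image. */
const uint8_t *stored_image(size_t *n) {
    *n = sizeof k_enc_api_key;
    return k_enc_api_key;
}
```

In practice the encryption is done by a build step over every sensitive literal, so developers keep writing plain strings in source; the decrypt-at-use and wipe-after-use discipline is the part that has to be designed in, because a decrypted secret left in a global is as easy to find in a memory dump as it was in the file.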
Preventing Tampering
Common Techniques
• Jailbreak Detection – Am I on a jailbroken device?
• Checksum – Has the binary changed? If so, let me know so I can do something about it!
• Method Swizzling Detection – Is someone hijacking my code?
• Debug Detection – Is a debugger running?
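The “Hex’d!” patch from the earlier slide and the checksum guard listed here, together in one added example (not the deck’s or Arxan’s code). A constructed 16-byte ARM64 routine holds a cbz that skips the abort path when the device is clean; overwriting that one instruction with NOP (the real ARM64 encoding, 0xD503201F) makes the check fall through regardless of the answer, and an FNV-1a hash of the region recorded at build time no longer matches at run time. The routine bytes, the build_image and nop_out helpers and the choice of FNV-1a are assumptions of the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Real ARM64 encodings; the "routine" below is a constructed stand-in for the
 * text of a jailbreak-check function, not compiler output. */
#define A64_NOP      0xD503201Fu   /* hint #0 */
#define A64_CBZ_W0_8 0x34000040u   /* cbz w0, #8 : skip the next instruction when w0 == 0 */
#define A64_RET      0xD65F03C0u
#define A64_BL_STUB  0x94000000u   /* bl with a placeholder displacement */

static const uint32_t k_check_routine[] = {
    A64_BL_STUB,     /* bl  is_jailbroken        -> w0 = 1 on a jailbroken device */
    A64_CBZ_W0_8,    /* cbz w0, #8               -> jump over the abort when clean */
    A64_BL_STUB,     /* bl  abort_on_jailbreak */
    A64_RET,         /* ret */
};

/* Serialize the routine little-endian, as it sits in the Mach-O file. Returns bytes written. */
size_t build_image(uint8_t *out, size_t cap) {
    size_t n = sizeof k_check_routine / sizeof k_check_routine[0];
    if (cap < n * 4) return 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t w = k_check_routine[i];
        out[4 * i + 0] = (uint8_t)(w);
        out[4 * i + 1] = (uint8_t)(w >> 8);
        out[4 * i + 2] = (uint8_t)(w >> 16);
        out[4 * i + 3] = (uint8_t)(w >> 24);
    }
    return n * 4;
}

static uint32_t read_insn(const uint8_t *code, size_t off) {
    return (uint32_t)code[off] | ((uint32_t)code[off + 1] << 8)
         | ((uint32_t)code[off + 2] << 16) | ((uint32_t)code[off + 3] << 24);
}

/* The attacker's edit from the "Hex'd!" slide: overwrite one instruction with NOP.
 * Returns 1 on success, 0 if the offset is misaligned or out of range. */
int nop_out(uint8_t *code, size_t len, size_t off) {
    if (off % 4 != 0 || off + 4 > len) return 0;
    code[off + 0] = (uint8_t)(A64_NOP);
    code[off + 1] = (uint8_t)(A64_NOP >> 8);
    code[off + 2] = (uint8_t)(A64_NOP >> 16);
    code[off + 3] = (uint8_t)(A64_NOP >> 24);
    return 1;
}

int is_nop(const uint8_t *code, size_t off) {
    return read_insn(code, off) == A64_NOP;
}

/* FNV-1a 64 over a code region. The hash is not secret; what makes a checksum
 * guard useful is that the expected value and the comparison are themselves
 * hidden, otherwise the attacker patches those too. */
uint64_t fnv1a64(const uint8_t *p, size_t n) {
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Runtime guard: the live hash of the region must match the value recorded at build. */
int integrity_ok(const uint8_t *code, size_t len, uint64_t expected) {
    return fnv1a64(code, len) == expected;
}

int main(void) {
    uint8_t img[64];
    size_t n = build_image(img, sizeof img);
    uint64_t expected = fnv1a64(img, n);          /* recorded at build time */
    printf("before patch: integrity_ok=%d\n", integrity_ok(img, n, expected));
    nop_out(img, n, 4);                           /* the cbz sits at byte offset 4 */
    printf("after patch:  is_nop(4)=%d integrity_ok=%d\n",
           is_nop(img, 4), integrity_ok(img, n, expected));
    return 0;
}
```

The guard only helps if the attacker cannot just as easily patch the expected hash or the comparison; that is what the “Guards dissolved into binary” and “take action upon detection” points later in the deck are about, and why one check behind one branch is never enough on its own.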
Some Best Practices … and Other Considerations
• It’s more than just obfuscation – use multiple techniques
• Take action upon detection, e.g. phone home, fail, limit functionality
• Add some variability, e.g. frequency of use, techniques used
• Update internal policies related to SDLC ensuring binary risks are covered
• Don’t show your cards to the hacker
Steps To Protect An Application With Arxan
1. Original App (to be released) – Identify risks and define what requires protection.
2. Arxan GuardSpec – Defines which Guards to place in the mobile app to protect it, and where to place them.
3. Arxan Protection Engine (Guard Injection Engine) with Arxan Guards – The engine automates insertion of the Guard Network into the app during the normal build process, without a need to modify source code. Many different Guard types; thousands of Guard instances.
4. Protected App (now ready for release) – Protected version of the app with Guards dissolved into the binary; they cannot be identified or isolated.
Arxan Application Protection for IBM Solutions
IBM and Arxan Partnership
IBM Mobile Security Framework
• Device Security – Provision, manage and secure corporate and BYOD devices
• Content Security – Secure enterprise content access and sharing
• Application Security – Develop vulnerability-free, tamper-proof and risk-aware applications
• Transaction Security – Prevent & detect high-risk mobile transactions from employees, customers and partners
• Device as ID – Mobile Identity Platform
• Security Intelligence – A unified architecture for integrating mobile security information & event management (SIEM), log management, anomaly detection, and configuration & vulnerability management
[Figure: framework diagram – Security Intelligence; Enterprise Applications and Cloud Services; Identity, Fraud, and Data Protection; Content Security, Application Security, Transaction Security, Device Security; DATA; Personal and Consumer / Enterprise]
IBM Mobile Application Security Framework
Mobile Application Security:
• Static Analysis of Source Code – IBM AppScan Source / IBM MobileFirst Application Scanning
• Dynamic Analysis of Back End Calls – IBM AppScan Standard
• Dynamic Analysis of Binary Code – IBM AppScan Mobile Analyzer
• Hardening of Binary Code – Arxan Application Protection for IBM Solutions
[Figure: the same framework diagram as on the previous slide]
Addresses OWASP 2016 Mobile Top Ten Risks
Arxan Application Protection for IBM Solutions resolves the “Code Tampering” (M8) and “Reverse Engineering” (M9) risks – a new addition for 2016 – and adds multi-layered security and run-time protection to mitigate exploitation of the other OWASP Mobile Top Ten Risks.
IBM Security AppScan identifies vulnerabilities (e.g., programming flaws) that can result in OWASP Mobile Top Ten Risks, and provides remediation guidance.
OWASP Mobile Top Ten 2016:
M1: Improper Platform Usage
M2: Insecure Data Storage
M3: Insecure Communication
M4: Insecure Authentication
M5: Insufficient Cryptography
M6: Insecure Authorization
M7: Client Code Quality
M8: Code Tampering
M9: Reverse Engineering
M10: Extraneous Functionality
Build It and Keep It Secure: Scan & Protect
Arxan augments IBM’s solution portfolio with Application Hardening and Run-time Protection
Build It Secure:
• Application Development – IBM MobileFirst Platform and Native: build and manage mobile apps
• Vulnerability Analysis & Testing – IBM AppScan Source and Mobile Analyzer: identifies vulnerabilities
Keep It Secure:
• Application Protection – Arxan Application Protection for IBM Solutions: defends, detects, and reacts to attacks
• Release & Deployment – Secure and Protected Application: free of critical flaws and vulnerabilities; protects itself against attacks
Extends security from testing to run-time code protection. Mitigates risks comprehensively against hacking attacks and exploits. Gain the world’s strongest multi-layer protection (defend, detect, react).
http://www-03.ibm.com/software/products/en/arxan-application-protection
Q&A
Learn More About IBM & Arxan
• Blog & Link to Report: 2016 Arxan State of Application Security
• YouTube Video: Enhance Mobile Security Protection with Arxan Application Protection for IBM Solutions
• Blog: Leverage White-Box Cryptography & Tamper-Resistance to Advance API Protection
• Blog: Do You Know How You’re Getting Hacked?
Special Offers to Participants
• Event participants are eligible for a Free Evaluation of “Arxan Application Protection for IBM Solutions” – now offered as part of IBM’s Security Portfolio
• Curious how your app binary is exposed to hacking? Get a Free Assessment of your app’s binary exposures in 9 categories
NEXT STEP: Contact your IBM representative or email [email protected] for more information
Additional Resources
IBM / Arxan White Paper: Securing Mobile Apps in the Wild
http://www.arxan.com/securing-mobile-apps-in-the-wild-with-app-hardening-and-run-time-protection/
IBM / Arxan Short Demos: Securing Mobile Apps in the Wild
• Risks for mobile apps and how to protect them
• How to protect mobile apps against attacks
• Demo of how easy it is to hack an app
http://www.arxan.com/solutions/arxan-mobile-app-protection-with-ibm/
Learn more about IBM Security
• 133 countries where IBM delivers managed security services
• 20 industry analyst reports rank IBM Security as a LEADER
• TOP 3 enterprise security software vendor in total revenue
• 10K clients protected, including 24 of the top 33 banks in Japan, North America, and Australia
• Visit our web page: IBM.com/Security
• Watch our videos: IBM Security YouTube Channel
• View upcoming webinars & blogs: SecurityIntelligence.com
• Follow us on Twitter: @ibmsecurity
Thank You!
David Marshak, Senior Product Manager, Application Security
Sam Rehman, Chief Technology Officer
© Copyright IBM Corporation 2015. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and / or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products in connection with this publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. IBM does not warrant the quality of any third-party products, or the ability of any such third-party products to interoperate with IBM’s products. IBM EXPRESSLY DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
The provision of the information contained herein is not intended to, and does not, grant any right or license under any IBM patents, copyrights, trademarks or other intellectual property right.
Other company, product, or service names may be trademarks or service marks of others. A current list of IBM trademarks is available at “Copyright and trademark information” www.ibm.com/legal/copytrade.shtml
Copyright © 2015 by International Business Machines Corporation (IBM). No part of this document may be reproduced or transmitted in any form without written permission from IBM.
U.S. Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM.
Information in these presentations (including information relating to products that have not yet been announced by IBM) has been reviewed for accuracy as of the date of initial publication and could include unintentional technical or typographical errors. IBM shall have no responsibility to update this information. THIS document is distributed "AS IS" without any warranty, either express or implied. In no event shall IBM be liable for any damage arising from the use of this information, including but not limited to, loss of data, business interruption, loss of profit or loss of opportunity.
IBM products and services are warranted according to the terms and conditions of the agreements under which they are provided.
Any statements regarding IBM’s future direction, intent or product plans are subject to change or withdrawal without notice. Performance data contained herein was generally obtained in a controlled, isolated environments. Customer examples are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual performance, cost, savings or other results in other operating environments may vary. References in this document to IBM products, programs, or services does not imply that IBM intends to make such products, programs or services available in all countries in which IBM operates or does business.
Workshops, sessions and associated materials may have been prepared by independent session speakers, and do not necessarily reflect the views of IBM. All materials and discussions are provided for informational purposes only, and are neither intended to, nor shall constitute legal or other guidance or advice to any individual participant or their specific situation.
It is the customer’s responsibility to insure its own compliance with legal requirements and to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer’s business and any actions the customer may need to take to comply with such laws. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the customer is in compliance with any law.
Legal notices and disclaimers