Think Like a Hacker! New Attacks, New Approaches


Transcript of Think Like a Hacker! New Attacks, New Approaches

Page 1: Think Like a Hacker! New Attacks, New Approaches

© 2016 IBM Corporation

New Attacks, New Approaches

David Marshak, Senior Product Manager, IBM Security

Sam Rehman, Chief Technology Officer, Arxan Technologies

Think Like a Hacker!

Page 2: Think Like a Hacker! New Attacks, New Approaches

Agenda

• Are Mobile Apps Really At Risk?
• Dissecting a Mobile App “Break In”
• Mobile App Protection Techniques
• IBM & Arxan Partnership
• Q&A

Page 3: Think Like a Hacker! New Attacks, New Approaches


Are Mobile Apps Really At Risk?

Page 4: Think Like a Hacker! New Attacks, New Approaches

The Problem Is Real: State of Mobile Application Security Report 2016

Page 5: Think Like a Hacker! New Attacks, New Approaches

What’s Happening With Hacked Apps?

The Payoff for Hackers…
• Piracy – and unauthorized distribution
• IP theft – e.g. proprietary algorithms via reverse engineering
• Sensitive information – e.g. usernames, passwords, keys, certificates
• Bypass security controls – e.g. authentication, encryption, licensing, DRM, root/jailbreak detection, ads
• Insertion of malware or exploits – in the application and repackaging

[Chart: Ratio of Malicious to Non-Malicious Fake Apps*]

*Trend Micro Research: Fake Apps Feigning Legitimacy (2014)

Page 6: Think Like a Hacker! New Attacks, New Approaches


The Problem Is Real: Mobile Malware Growth’s Logarithmic

The number of new mobile malware samples jumped by 49% from Q4 2014 to Q1 2015.

Page 7: Think Like a Hacker! New Attacks, New Approaches

The Risk Is Only Growing

• Increasing # of apps
• Faster release cycles
• Use of 3rd party components/frameworks
• Increasing functionality on client-side
  – Competition
  – User Demand
  – e.g. NFC, Host Card Emulation
• “Weaponized” Client used to attack backend services
• Increased IoT apps
• Improved hacking tools
  – Jailbreak detection avoidance
  – Cydia Mobile Substrate on Android

Page 8: Think Like a Hacker! New Attacks, New Approaches

Typical Software Security Lifecycle

Phases: Plan → Design, Build, Test → Test, Deploy

Activities laid out across the lifecycle diagram:
• High-Level Risk Assessments
• Security Policy Review
• Define Security Requirements
• Security Architecture Review
• Threat Modeling
• Static Analysis
• Dynamic Testing
• Penetration Testing
• Secure Code Review
• Secure Coding Training
• Application Monitoring
• Final Functional & Security Testing

Produces a “Secure” Application with few, known and acceptable vulnerabilities

BUT …

Page 9: Think Like a Hacker! New Attacks, New Approaches

Even Secure Mobile Apps Can Be Hacked!

Application Environment → Application Security Model

Centralized, trusted environment (Web Apps; Data Center Custom Apps)
– Attackers do not have easy access to application binary
– Model: Vulnerability Analysis and Flaw Remediation (“Build It Secure”)

Distributed or untrusted environment, “Apps in the Wild” (Mobile Apps; Internet of Things / Embedded; Packaged Software)
– Attackers can easily access and compromise application binary
– Model: Vulnerability Analysis and Flaw Remediation plus Application Hardening and Run-Time Protection (“Keep It Secure”)

Page 10: Think Like a Hacker! New Attacks, New Approaches


Dissecting a Mobile App “Break In”

Page 11: Think Like a Hacker! New Attacks, New Approaches

Anatomy of Attacks on Mobile Apps

1. Decrypt the mobile app (iOS apps)
2. Open up and examine the app
   – Reverse-engineering app contents
   – Extract and steal confidential data
3. Create a hacked version
   – Create a tampered, cracked or patched version of the app
4. Distribute app (optional)
   – Release/use the hacked app
   – Use malware to infect/patch the app on other devices

Page 12: Think Like a Hacker! New Attacks, New Approaches


The Hacker’s Toolbox

Page 13: Think Like a Hacker! New Attacks, New Approaches

But Isn’t My App Encrypted?

Well, yes, but …

iTunes Code Encryption Bypass: It’s easy for hackers to bypass iOS encryption to progress a mobile app attack.

Page 14: Think Like a Hacker! New Attacks, New Approaches

What’s In Your App?

It’s easy to find out … On iOS:
– class-dump

Page 15: Think Like a Hacker! New Attacks, New Approaches

What’s In Your App?

It’s easy to find out … On iOS:
– strings

Page 16: Think Like a Hacker! New Attacks, New Approaches

Circumventing Branching Statements

It’s easy to get back to the source. Would you post your source code online?

Disassemblers / Decompilers
– IDA Pro
– Hopper
– baksmali
– … and more!

[Figure: Assembly Code → Pseudo Code]

Page 17: Think Like a Hacker! New Attacks, New Approaches

A Couple of Bytes Later …

Hex’d! NOP out the jailbreak detection

[Figure: Pseudo Code]

Page 18: Think Like a Hacker! New Attacks, New Approaches


The Danger of Jailbreak

Method Swizzling is an Objective-C Feature

Method Swizzling Defined: The process of changing the implementation of an existing selector. It’s a technique made possible by the fact that method invocations in Objective-C can be changed at runtime, by changing how selectors are mapped to underlying functions in a class’s dispatch table.

But on jailbroken devices, method swizzling can be used by hackers to change your application’s behavior!

Page 19: Think Like a Hacker! New Attacks, New Approaches

Last Step: Distribute App

There are a number of ways to distribute hacked apps:
• Put on non-iOS / Android app stores – many with no/limited review process
• Apple App Store has review process – but there are ways to get through it
• 3 options for Android App distribution – none have formal review process

[Figure: Sample App Stores]

Read New Blog: “Do You Know How You’re Getting Hacked?”

Page 20: Think Like a Hacker! New Attacks, New Approaches


Mobile App Protection Techniques

Page 21: Think Like a Hacker! New Attacks, New Approaches

Confuse and Slow the Hacker Down: Obfuscation

Confuse the Hacker
• Dummy Code Insertion
• Instruction Merging
• Block Shuffling
• Function Inlining
• … and More!

[Figure: Turns this into this …]

Page 22: Think Like a Hacker! New Attacks, New Approaches

Preventing Reverse Engineering

Other Techniques
• Method Renaming
• String Encryption
• … and More!

[Figure: “String not found” – Where did it go?]
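As an added example (not code from the deck or from Arxan's product), the string-encryption technique on this slide in C: a sensitive literal is stored as a key-masked byte table so a `strings` pass over the binary does not find it, and is decoded only at the moment of use. The plaintext, the key and the masking scheme are constructed for this example; in a real build the encoded table is produced at compile time rather than by `encode_string()`.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed example: a string the app wants to keep out of `strings` output.
 * The encoded table would normally be generated at build time; encode_string()
 * stands in for that build step so the example is self-contained. */
#define SECRET_PLAINTEXT "license-server.example.internal"  /* constructed value */
static const uint8_t KEY[] = { 0x5a, 0xc3, 0x17, 0x8e, 0x2b };  /* constructed key */

/* Build-time step: mask each byte with a rolling key and its position so the
 * plaintext never appears contiguously in the binary. Returns bytes written, 0 on error. */
size_t encode_string(const char *plain, uint8_t *out, size_t cap) {
    size_t n = strlen(plain);
    if (n + 1 > cap) return 0;
    for (size_t i = 0; i < n; i++)
        out[i] = (uint8_t)plain[i] ^ KEY[i % sizeof KEY] ^ (uint8_t)i;
    out[n] = KEY[n % sizeof KEY] ^ (uint8_t)n;  /* encoded NUL terminator */
    return n + 1;
}

/* Run-time step: decode into a caller-owned buffer right before use; the caller
 * scrubs it afterwards so the plaintext lives in memory as briefly as possible.
 * Returns the decoded length without the terminator, 0 on error. */
size_t decode_string(const uint8_t *enc, size_t len, char *out, size_t cap) {
    if (len == 0 || len > cap) return 0;
    for (size_t i = 0; i < len; i++)
        out[i] = (char)(enc[i] ^ KEY[i % sizeof KEY] ^ (uint8_t)i);
    return len - 1;
}

/* What a `strings`-style scan would see: does the plaintext occur in the blob? */
int plaintext_visible(const uint8_t *blob, size_t len, const char *plain) {
    size_t n = strlen(plain);
    if (n == 0 || n > len) return 0;
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(blob + i, plain, n) == 0) return 1;
    return 0;
}

int main(void) {
    uint8_t enc[64];
    char buf[64];
    size_t elen = encode_string(SECRET_PLAINTEXT, enc, sizeof enc);
    printf("plaintext visible in encoded table: %s\n",
           plaintext_visible(enc, elen, SECRET_PLAINTEXT) ? "yes" : "no");
    size_t n = decode_string(enc, elen, buf, sizeof buf);
    printf("decoded at use time: %.*s\n", (int)n, buf);
    memset(buf, 0, sizeof buf);  /* scrub the plaintext after use */
    return 0;
}
```

The same idea applies to method names and other identifiers the slide lists; the per-position mask is what keeps `strings` from matching even a repeated substring.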

Page 23: Think Like a Hacker! New Attacks, New Approaches

Preventing Tampering

Common Techniques
• Jailbreak Detection – Am I on a jailbroken device?
• Checksum – Has the binary changed? If so, let me know so I can do something about it!
• Method Swizzling Detection – Is someone hijacking my code?
• Debug Detection – Is a debugger running?

Page 24: Think Like a Hacker! New Attacks, New Approaches


Some Best Practices

… and Other Considerations

• It’s more than just obfuscation – use multiple techniques

• Take action upon detection, e.g. phone home, fail, limit functionality

• Add some variability, e.g. frequency of use, techniques used

• Update internal policies related to SDLC ensuring binary risks are covered

• Don’t show your cards to the hacker
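As an added example (not the deck's or Arxan's code), the checksum guard from the "Preventing Tampering" slide combined with the reaction and variability advice from this slide, in C: a hash of a code region recorded at build time is re-checked at run time, the guard only runs on some calls, and when it fires it picks a varying reaction. The code region bytes, the choice of FNV-1a as the checksum and the reaction set are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-in for a protected code region. These bytes are a fixed
 * sample, not real machine code, so the example runs on any host. */
static const unsigned char code_region[24] = {
    0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x10,
    0xe8, 0x00, 0x00, 0x00, 0x00, 0x85, 0xc0, 0x74,
    0x05, 0xb8, 0x01, 0x00, 0x00, 0x00, 0xc9, 0xc3 };

/* FNV-1a 64-bit over the region: small and cheap enough to run often. */
uint64_t fnv1a64(const unsigned char *p, size_t n) {
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x100000001b3ULL; }
    return h;
}

/* Checksum guard ("Has the binary changed?"): compare the live bytes against
 * the value computed at build time and embedded in the app. */
int region_intact(const unsigned char *p, size_t n, uint64_t build_time_hash) {
    return fnv1a64(p, n) == build_time_hash;
}

/* Reactions named on the best-practices slide: phone home, limit functionality, fail. */
enum reaction { REACT_NONE, REACT_PHONE_HOME, REACT_LIMIT_FUNCTIONALITY, REACT_FAIL };

/* Vary both whether the guard runs on this call and how it reacts, so the
 * attacker does not see one fixed check with one fixed response. */
enum reaction guard_tick(const unsigned char *p, size_t n, uint64_t build_time_hash,
                         unsigned call_counter, unsigned seed) {
    if ((call_counter + seed) % 4 != 0) return REACT_NONE;  /* run on roughly 1 in 4 calls */
    if (region_intact(p, n, build_time_hash)) return REACT_NONE;
    switch ((seed ^ call_counter) % 3) {
        case 0:  return REACT_PHONE_HOME;
        case 1:  return REACT_LIMIT_FUNCTIONALITY;
        default: return REACT_FAIL;
    }
}

int main(void) {
    uint64_t build_time_hash = fnv1a64(code_region, sizeof code_region);  /* normally embedded at build */
    unsigned char live[sizeof code_region];
    memcpy(live, code_region, sizeof live);
    printf("untouched region intact: %d\n", region_intact(live, sizeof live, build_time_hash));
    live[15] = 0x90; live[16] = 0x90;  /* simulate the patched conditional branch from the earlier slide */
    for (unsigned call = 0; call < 8; call++)
        printf("call %u -> reaction %d\n", call, guard_tick(live, sizeof live, build_time_hash, call, 0));
    return 0;
}
```

Seeding the variability per launch (not hard-coded as here) keeps the guard's schedule from being predictable across runs, which is the "don't show your cards" point above.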

Page 25: Think Like a Hacker! New Attacks, New Approaches

Steps To Protect An Application With Arxan

Flow: Original App (to be released) → Arxan GuardSpec → Arxan Protection Engine (Guard Injection Engine) with Arxan Guards → Protected App (now ready for release)

• Identify risks and define what requires protection.
• Arxan GuardSpec – Defines which Guards to place in the mobile app to protect the app and where to place them.
• Arxan Protection Engine (Guard Injection Engine) – Automates insertion of the Guard Network in the app during the normal build process, without a need to modify source code.
• Arxan Guards – Many different Guard types; thousands of Guard instances.
• Protected App – Protected version of the app with Guards dissolved into the binary; they cannot be identified or isolated.

Arxan Application Protection for IBM Solutions

Page 26: Think Like a Hacker! New Attacks, New Approaches


IBM and Arxan Partnership

Page 27: Think Like a Hacker! New Attacks, New Approaches

IBM Mobile Security Framework

• Device Security – Provision, manage and secure Corporate and BYOD devices
• Content Security – Secure enterprise content access and sharing
• Application Security – Develop vulnerability-free, tamper-proof and risk-aware applications
• Transaction Security – Prevent & detect high-risk mobile transactions from employees, customers and partners
• Device as ID – Mobile Identity Platform
• Security Intelligence – A unified architecture for integrating mobile security information & event management (SIEM), log management, anomaly detection, and configuration & vulnerability management

[Framework diagram: Security Intelligence; Enterprise Applications and Cloud Services; Identity, Fraud, and Data Protection; Content Security, Application Security, Transaction Security, Device Security; DATA; Personal and Consumer / Enterprise]

Page 28: Think Like a Hacker! New Attacks, New Approaches

IBM Mobile Application Security Framework

Mobile Application Security
• Static Analysis of Source Code – IBM AppScan Source / IBM MobileFirst Application Scanning
• Dynamic Analysis of Back End Calls – IBM AppScan Standard
• Dynamic Analysis of Binary Code – IBM AppScan Mobile Analyzer
• Hardening of Binary Code – Arxan Application Protection for IBM Solutions

[Framework diagram, as on the previous slide: Security Intelligence; Enterprise Applications and Cloud Services; Identity, Fraud, and Data Protection; Content Security, Application Security, Transaction Security, Device Security; DATA; Personal and Consumer / Enterprise]

Page 29: Think Like a Hacker! New Attacks, New Approaches

Addresses OWASP 2016 Mobile Top Ten Risks

Arxan Application Protection for IBM Solutions
• Resolves the “Code Tampering” and “Reverse Engineering” risks – a new addition for 2016
• Adds multi-layered security and run-time protection to mitigate exploitation of other OWASP Mobile Top Ten Risks

IBM Security AppScan
• Identifies vulnerabilities (e.g., programming flaws) that can result in OWASP Mobile Top Ten Risks
• Provides remediation guidance

OWASP Mobile Top Ten (2016):
M1: Improper Platform Usage
M2: Insecure Data Storage
M3: Insecure Communication
M4: Insecure Authentication
M5: Insufficient Cryptography
M6: Insecure Authorization
M7: Client Code Quality
M8: Code Tampering
M9: Reverse Engineering
M10: Extraneous Functionality

Page 30: Think Like a Hacker! New Attacks, New Approaches

Build It and Keep It Secure: Scan & Protect

Arxan augments IBM’s solution portfolio with Application Hardening and Run-time Protection

Build It Secure → Keep It Secure
Application Development → Vulnerability Analysis & Testing → Application Protection → Release & Deployment

• IBM MobileFirst Platform and Native – Build and Manage Mobile Apps
• IBM AppScan Source and Mobile Analyzer – Identifies Vulnerabilities
• Arxan Application Protection for IBM Solutions – Defends, Detects, and Reacts to Attacks
• Secure and Protected Application – Free of critical flaws and vulnerabilities; Protects itself against attacks

• Extends security from testing to run-time code protection
• Mitigates risks comprehensively against hacking attacks and exploits
• Gain the world’s strongest multi-layer protection (defend, detect, react)

http://www-03.ibm.com/software/products/en/arxan-application-protection

Page 31: Think Like a Hacker! New Attacks, New Approaches


Q&A

Page 32: Think Like a Hacker! New Attacks, New Approaches

Learn More About IBM & Arxan

• Blog & Link to Report: 2016 Arxan State of Application Security
• YouTube Video: Enhance Mobile Security Protection with Arxan Application Protection for IBM Solutions
• Blog: Leverage White-Box Cryptography & Tamper-Resistance to Advance API Protection
• Blog: Do You Know How You’re Getting Hacked?

Page 33: Think Like a Hacker! New Attacks, New Approaches

Special Offers to Participants

• Event participants are eligible for a Free Evaluation of “Arxan Application Protection for IBM Solutions”, now offered as part of IBM’s Security Portfolio
• Curious how your app binary is exposed to hacking? Get a Free Assessment of your app’s binary exposures in 9 categories

NEXT STEP: Contact your IBM representative or email [email protected] for more information

Page 34: Think Like a Hacker! New Attacks, New Approaches

Additional Resources

IBM / Arxan White Paper: Securing Mobile Apps in the Wild
http://www.arxan.com/securing-mobile-apps-in-the-wild-with-app-hardening-and-run-time-protection/

IBM / Arxan Short Demos: Securing Mobile Apps in the Wild
• Risks for mobile apps and how to protect them
• How to protect mobile apps against attacks
• Demo of how easy it is to hack an app
http://www.arxan.com/solutions/arxan-mobile-app-protection-with-ibm/

Page 35: Think Like a Hacker! New Attacks, New Approaches

Learn more about IBM Security

• 133 countries where IBM delivers managed security services
• 20 industry analyst reports rank IBM Security as a LEADER
• TOP 3 enterprise security software vendor in total revenue
• 10K clients protected, including 24 of the top 33 banks in Japan, North America, and Australia

• Visit our web page: IBM.com/Security
• Watch our videos: IBM Security YouTube Channel
• View upcoming webinars & blogs: SecurityIntelligence.com
• Follow us on Twitter: @ibmsecurity

Page 36: Think Like a Hacker! New Attacks, New Approaches

Thank You!

David Marshak, Senior Product Manager, Application Security
[email protected]

Sam Rehman, Chief Technology Officer
[email protected]

Page 37: Think Like a Hacker! New Attacks, New Approaches

© Copyright IBM Corporation 2015. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and / or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

THANK YOU! www.ibm.com/security

David Marshak, Senior Product Manager, Application Security
[email protected]

Sam Rehman, Chief Technology Officer
[email protected]

Page 38: Think Like a Hacker! New Attacks, New Approaches

Legal notices and disclaimers

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products in connection with this publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. IBM does not warrant the quality of any third-party products, or the ability of any such third-party products to interoperate with IBM’s products. IBM EXPRESSLY DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.

The provision of the information contained herein is not intended to, and does not, grant any right or license under any IBM patents, copyrights, trademarks or other intellectual property right.

Other company, product, or service names may be trademarks or service marks of others. A current list of IBM trademarks is available at “Copyright and trademark information” www.ibm.com/legal/copytrade.shtml

Copyright © 2015 by International Business Machines Corporation (IBM). No part of this document may be reproduced or transmitted in any form without written permission from IBM.

U.S. Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM.

Information in these presentations (including information relating to products that have not yet been announced by IBM) has been reviewed for accuracy as of the date of initial publication and could include unintentional technical or typographical errors. IBM shall have no responsibility to update this information. THIS document is distributed "AS IS" without any warranty, either express or implied. In no event shall IBM be liable for any damage arising from the use of this information, including but not limited to, loss of data, business interruption, loss of profit or loss of opportunity.

IBM products and services are warranted according to the terms and conditions of the agreements under which they are provided.

Any statements regarding IBM’s future direction, intent or product plans are subject to change or withdrawal without notice. Performance data contained herein was generally obtained in controlled, isolated environments. Customer examples are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual performance, cost, savings or other results in other operating environments may vary. References in this document to IBM products, programs, or services do not imply that IBM intends to make such products, programs or services available in all countries in which IBM operates or does business.

Workshops, sessions and associated materials may have been prepared by independent session speakers, and do not necessarily reflect the views of IBM. All materials and discussions are provided for informational purposes only, and are neither intended to, nor shall constitute legal or other guidance or advice to any individual participant or their specific situation.

It is the customer’s responsibility to ensure its own compliance with legal requirements and to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer’s business and any actions the customer may need to take to comply with such laws. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the customer is in compliance with any law.