IBM Security, profile picture
Uploaded byIBM Security
PPTX, PDF1,422 views

Mobile Payments: Protecting Apps and Data from Emerging Risks

This document summarizes a presentation about protecting mobile payments applications and data from security risks. It discusses the growing mobile payments landscape and threats from criminals attacking mobile apps. It then outlines techniques used by criminals to easily attack mobile banking apps, particularly focusing on reverse engineering apps to steal crypto keys and sensitive data. The presentation concludes by describing comprehensive protection techniques including application hardening, obfuscation, tamper detection, and cryptographic key protection like white-box cryptography.

Embed presentation

Downloaded 33 times
© 2013 IBM Corporation Arxan, IBM & FS-ISAC Present: Mobile Payments: Protecting Apps and Data from Emerging Risks Tom Mulvehill, Mobile Security Strategy, IBM Winston Bond, Technical Manager, Arxan Technologies
© 2015 IBM Corporation2 IBM Security Systems Agenda • Mobile App and Payment Landscape • How Criminals Can Attack Your App • Comprehensive Protection Techniques • Q&A
© 2015 IBM Corporation3 IBM Security Systems Mobile App and Payment Landscape
© 2015 IBM Corporation4 IBM Security Systems Mobile Banking Services Can be a Competitive Advantage Mobile banking is the most important deciding factor when switching banks (32%) More important than fees (24%) or branch location (21%) or services (21%)… a survey of mobile banking customers in the U.S. 1 Mobile banking channel development is the #1 technology priority of N.A. retail banks (2013) #1 Channel The mobile payments market will eventually eclipse $1 trillion by 2017 $1tn 43% of 18-20 year olds have used a mobile banking app in the past 12 months 29% Cash-based retail payments in the U.S. have fallen from 36% in 2002 to 29% in 2012 $ Of customers won't mobile bank because of security fears 19% 90%Of mobile banking app users use the app to check account balances or recent transactions
© 2015 IBM Corporation5 IBM Security Systems However, as mobile grows, so do security threats “With the growing penetration of mobile devices in the enterprise, security testing and protection of mobile applications and data become mandatory.” Gartner “Enterprise mobility… new systems of engagement. These new systems help firms empower their customers, partners, and employees with context-aware apps and smart products.” Forrester Arxan Top mobile devices and apps hacked 97%Android 87%iOS 387 new threats every minute and six every second McAfee
© 2015 IBM Corporation6 IBM Security Systems What concerns does this create for the enterprise?
© 2015 IBM Corporation7 IBM Security Systems Security Is Front and Center and Must Be Addressed
© 2015 IBM Corporation IBM Security 8 You are only as strong as your weakest link Application Risks Device Risks Session Risks  App hacking  App security vulnerabilities  Rooted / jailbroken devices  Outdated OS security vulnerabilities  Malware  Unsecure connection  SMS forwarding  Mobile ATO / cross-channel ATO
© 2015 IBM Corporation9 IBM Security Systems How Criminals Can Easily Attack Your Mobile Banking App
© 2015 IBM Corporation IBM Security Systems 10 Disruption in the Security Landscape Centralized, trusted environment Distributed or untrusted environment “Apps in the Wild” • Web Apps • Data Center Apps Attackers do not have easy access to application binary + Application Security Testing (“Build it Secure”) + Application Self-Protection (“Keep it Secure”) • Mobile Apps • Internet of Things • Packaged Software Attackers can easily access and compromise application binary
© 2015 IBM Corporation IBM Security Systems 11 Mobile Apps Are Vulnerable to Attacks • Applications can be modified and tampered with, e.g. Key Generation / Use algorithms can be altered, causing key theft or data theft • Run-time behavior of applications can be altered, causing unsafe or improper operation • Malicious code can be injected or hooked into applications Integrity Risk (Code Modification or Code Injection Vulnerabilities) • Private and sensitive information can be exposed, including Cryptographic Keys that are used to secure information • Applications can be reverse-engineered back to the source code • Code and Intellectual Property (IP) can be lifted, stolen, reused or repackaged Confidentiality Risk (Reverse Engineering or Code Analysis Vulnerabilities)
© 2015 IBM Corporation12 IBM Security Systems Particularly Crypto Keys Cryptographic key hacking examples:  Crypto keys extracted though memory scrapping, allowing unauthorized access to financial transactions (in PoS systems)  Exploiting forms of buffer overflow attacks, like Heartbleed, to steal crypt key  Android APK integrity vulnerability  And many more… Unfortunately, many don’t protect their keys or think it is too difficult to protect them  80% of respondents to Ponemon Institute survey identified broken cryptography as most difficult risk to minimize (State of Mobile Application Insecurity, February 2015) Growing trend of memory scrapping (Source: Verizon 2015 Data Breach Investigations Report) Hackers are relying on memory scraping w/ increasing frequency -- it is essential to protect keys in memory!
© 2015 IBM Corporation13 IBM Security Systems Anatomy of Attacks on Mobile Apps Reverse-engineering app contents 1. Decrypt the mobile app (iOS apps) 2. Open up and examine the app 3. Create a hacked version 11 110 01 0 1001110 1100 001 01 111 00 11 110 01 0 0101010 0101 110 011100 00 Extract and steal confidential data Create a tampered, cracked or patched version of the app Release / use the hacked app Use malware to infect/patch the app on other devices 4. Distribute App https://www.arxan.com/how-to-hack-a-mobile-application
© 2015 IBM Corporation14 IBM Security Systems Reverse engineering of a mobile payment application Video: How to Hack an App via Reverse Engineering
© 2015 IBM Corporation15 IBM Security Systems Mobile App & Mobile Payment Protection Techniques
© 2015 IBM Corporation IBM Security 16 MobileFirst Protect (MaaS360) AppScan, Arxan, Trusteer M; bile SDK IBM Mobile Security Framework AirWatch, MobileIron, Good, Citrix, Microsoft, Mocana HP Fortify, Veracode, Proguard CA, Oracle, RSA • Manage multi-OS BYOD environment • Mitigate risks of lost and compromised devices • Separate enterprise and personal data • Enforce compliance with security policies • Distribute and control enterprise apps • Build and secure apps and protect them “in the wild” • Provide secure web, mobile, API access and identify device risk • Meet authentication ease-of-use expectation Extend Security Intelligence • Extend security information and event management (SIEM) to mobile platform • Incorporate mobile log management, anomaly detection, configuration and vulnerability management Manage Access and Fraud Safeguard Applications and Data Secure Content and Collaboration Protect Devices
© 2015 IBM Corporation IBM Security 17 Extend Security Intelligence Manage Access and Fraud Safeguard Applications and Data Secure Content and Collaboration Protect Devices Business imperatives for managing access and fraud “The CyberVor gang amassed over 4.5 billion records, mostly consisting of stolen credentials. To get such an impressive number of credentials, the CyberVors robbed over 420,000 web and FTP sites.” Hold Security $6.53 millionaverage cost of a U.S. data breach 2015 Cost of Data Breach Study, Ponemon Institute 95% of financial services incidents involve harvesting credentials stolen from customer devices 2015 Verizon Data Breech Report
© 2015 IBM Corporation IBM Security 18 Build, test and secure mobile apps before distributing to end users Safely distribute apps Deploy custom enterprise app catalogs; blacklist, whitelist and require apps; administer app volume purchase programs Test app security Identify vulnerabilities in development and pre-deployment; isolate data leakage risks; ensure proper use of cryptography Protect apps Harden mobile apps to defend against reverse engineering; prevent repacking of apps; protect apps from mobile malware Secure app data Protect enterprise apps with authentication, tunneling, copy / paste restrictions and prevent access from compromised devices
© 2015 IBM Corporation19 IBM Security Systems Application Protection: Can you say: Ob-fu-sca-tion! Confuse the Hacker • Dummy Code Insertion • Instruction Merging • Block Shuffling • Function Inlining • … and More! Turns this into this …
© 2015 IBM Corporation20 IBM Security Systems Application Protection: Preventing Reverse Engineering Other Techniques • Method Renaming • String Encryption • … and More! String not found Where did it go?
© 2015 IBM Corporation21 IBM Security Systems Application Protection: Preventing Tampering Common Techniques Checksum -- Has the binary changed? If so, let me know so I can do something about it! Method Swizzling Detection -- Is someone hijacking my code? Debug Detection Is a Debugger Running?
© 2015 IBM Corporation22 IBM Security Systems Application Protection: A Number of Guards Can Be Leveraged Defend against compromise Detect attacks at run time React to ward off attacks • Advanced Obfuscation • Code and Resource Encryption • Pre-Damage • Metadata Removal • Checksum • Debug Detection • Resource Verification • Jailbreak/Root Detection • Swizzling Detection • Hook Detection • Shut Down (Exit, Fail) • Self-Repair • Custom Reactions • Alert / Phone Home
© 2015 IBM Corporation23 IBM Security Systems Arxan Cryptographic Key Protection  Sophisticated implementation of “White-box cryptography”  Intended for any security system that employs cryptographic algorithms and keys, in an open and untrusted environment  Result: Keys are never present in either the static form or in runtime memory  Protects: Static keys, Dynamic keys, and Sensitive user data  How it works – Combines mathematical algorithms with data and code obfuscation techniques to transform the key and related operations so keys cannot be discovered at any time – Supports all major algorithms – Clearly separates the data into two domains: Open Domain vs Encrypted Domain – Provides comprehensive protection in conjunction with Arxan’s guarding technology Encrypted Domain Mobile Application Crypto Routines Static & Dynamic Keys Secret Data
© 2015 IBM Corporation24 IBM Security Systems This Approach Yields the Most Protected Form of Data: White-box Form Forms of Data Classical form Untransformed data (in the clear) Obfuscated form Transformed (reversible) data; inputs and outputs of ciphers can be obfuscated White-box form Maximally secure (for keys) and non-reversible
© 2015 IBM Corporation25 IBM Security Systems How Are Code and Key Protection Implemented?
© 2015 IBM Corporation26 IBM Security Systems Why Arxan Protection? For key protection  ‘Gold standard’ protection • All major cryptography standards and functionality • Offers a smaller footprint than other solutions • Delivers better performance  Easy Integration • Conformance to common API calls like OpenSSL, allows straight-forward replacement of existing cryptographic libraries For application protection  ‘Gold standard’ protection strength • Multi-layered Guards • Static & Run-Time Guards • No binary patterns or agents, no single point of failure • Customizable to your application • Automated randomization for each build  No disruption to SDLC or source code with unique binary-based Guard injection Arxan Solutions are  Proven • Protected apps deployed on over 300 million devices • Hundreds of satisfied customers across Fortune 500  Cross platform support -- > 7 mobile platforms alone  Unique IP ownership: 10+ patents  Integrated with other IBM security and mobility solutions
© 2015 IBM Corporation27 IBM Security Systems World’s Strongest App Protection, Now Sold & Supported by IBM Benefit of your existing trusted relationship with IBM • Arxan’s technology now available from IBM: Sales, Solution, Services, Support from IBM, with close collaboration between IBM and Arxan to ensure your success • Leverage your existing procurement frameworks and contract vehicles (IBM Passport Advantage, ELAs, Perpetual License, Elite Support, etc) for purchasing Arxan products and take advantage of your relationship pricing and special discounts from IBM Leverage Arxan as part of comprehensive solution portfolio from IBM to holistically secure mobile apps, with value-adding validated integrations • Enables unique ‘Scan + Protect’ application security strategy and best practice for building it secure during development (AppScan) and keeping it secure deployed “in the wild” (Arxan) • Value-adding Arxan integrations, validations, and interoperability testing with other IBM products (e.g., IBM AppScan, IBM Trusteer, IBM Worklight)
© 2015 IBM Corporation28 IBM Security Systems NEXT STEP: Contact your IBM representative or email IBM@Arxan.com for more information Free Evaluation of “Arxan Application Protection for IBM Solutions” Now offered as part of IBM’s Security Portfolio Special Offer
© 2015 IBM Corporation29 IBM Security Systems Additional Resources Arxan/IBM White Paper: Securing Mobile Apps in the Wild http://www.arxan.com/securing-mobile-apps-in-the-wild-with-app-hardening-and-run- time-protection/ How to Hack An App https://www.youtube.com/watch?v=VAccZnsJH00 IBM Whitepaper: Old Techniques, New Channel: Mobile Malware Adapting PC Threat Techniques https://www14.software.ibm.com/webapp/iwm/web/signup.do?source=swg- WW_Security_Organic&S_PKG=ov26530&S_TACT=C341006W&S_CMP=web_opp_s ec_trusteer_msdk/
© 2015 IBM Corporation30 IBM Security Systems Q&A
© 2015 IBM Corporation31 IBM Security Systems Thank You! Tom Mulvehill tom.mulvehill@us.ibm.com Winston Bond wbond@arxan.com

More Related Content

PPTX
How Vulnerable is Your Critical Data?
byIBM Security
 
PDF
Data security in a big data environment sweden
byIBM Sverige
 
PPTX
Safeguard Healthcare Identities and Data with Identity Governance and Intelli...
byIBM Security
 
PPTX
Security Intelligence: Finding and Stopping Attackers with Big Data Analytics
byIBM Security
 
PDF
Bridging the Data Security Gap
byxband
 
PDF
Building a Next-Generation Security Operation Center Based on IBM QRadar and ...
byIBM Security
 
PPTX
Cyber Crime Threat Landscape - A Focus on the Financial Industry
byWilliam McBorrough
 
PPTX
Cyber Security Landscape: Changes, Threats and Challenges
byBloxx
 
How Vulnerable is Your Critical Data?
byIBM Security
 
Data security in a big data environment sweden
byIBM Sverige
 
Safeguard Healthcare Identities and Data with Identity Governance and Intelli...
byIBM Security
 
Security Intelligence: Finding and Stopping Attackers with Big Data Analytics
byIBM Security
 
Bridging the Data Security Gap
byxband
 
Building a Next-Generation Security Operation Center Based on IBM QRadar and ...
byIBM Security
 
Cyber Crime Threat Landscape - A Focus on the Financial Industry
byWilliam McBorrough
 
Cyber Security Landscape: Changes, Threats and Challenges
byBloxx
 

What's hot

PDF
IBM Security Guardium Data Activity Monitor (Data Sheet-USEN)
byPeter Tutty
 
PDF
Guardium Data Activiy Monitor For C- Level Executives
byCamilo Fandiño Gómez
 
PPTX
Presentation ibm info sphere guardium enterprise-wide database protection a...
bysolarisyougood
 
PPTX
Proven Practices to Protect Critical Data - DarkReading VTS Deck
byNetIQ
 
PPTX
IT Security Essentials
bySkoda Minotti
 
PPTX
Webinar: Be Cyber Smart – Stories from the Trenches
byWithum
 
PPTX
Data Security: Why You Need Data Loss Prevention & How to Justify It
byMarc Crudgington, MBA
 
PDF
IBM InfoSphere Guardium overview
bynazeer325
 
PDF
5 steps-to-mobile-risk-management-whitepaper-golden-gekko
byDMI
 
PPTX
CIO Summit: Data Security in a Mobile World
byiMIS
 
PPTX
4 Ways to Build your Immunity to Cyberthreats
byIBM Security
 
PDF
The Cyber Security Landscape: An OurCrowd Briefing for Investors
byOurCrowd
 
PPTX
MYTHBUSTERS: Can You Secure Payments in the Cloud?
byKurt Hagerman
 
PDF
Supply Chain Risk Management corrected - Whitepaper
byNIIT Technologies
 
PDF
"Thinking diffrent" about your information security strategy
byJason Clark
 
PDF
An Introduction to zOS Real-time Infrastructure and Security Practices
byJerry Harding
 
PPTX
Borderless Breaches and Migrating Malware: How Cybercrime is Breaking Down Ba...
byIBM Security
 
IBM Security Guardium Data Activity Monitor (Data Sheet-USEN)
byPeter Tutty
 
Guardium Data Activiy Monitor For C- Level Executives
byCamilo Fandiño Gómez
 
Presentation ibm info sphere guardium enterprise-wide database protection a...
bysolarisyougood
 
Proven Practices to Protect Critical Data - DarkReading VTS Deck
byNetIQ
 
IT Security Essentials
bySkoda Minotti
 
Webinar: Be Cyber Smart – Stories from the Trenches
byWithum
 
Data Security: Why You Need Data Loss Prevention & How to Justify It
byMarc Crudgington, MBA
 
IBM InfoSphere Guardium overview
bynazeer325
 
5 steps-to-mobile-risk-management-whitepaper-golden-gekko
byDMI
 
CIO Summit: Data Security in a Mobile World
byiMIS
 
4 Ways to Build your Immunity to Cyberthreats
byIBM Security
 
The Cyber Security Landscape: An OurCrowd Briefing for Investors
byOurCrowd
 
MYTHBUSTERS: Can You Secure Payments in the Cloud?
byKurt Hagerman
 
Supply Chain Risk Management corrected - Whitepaper
byNIIT Technologies
 
"Thinking diffrent" about your information security strategy
byJason Clark
 
An Introduction to zOS Real-time Infrastructure and Security Practices
byJerry Harding
 
Borderless Breaches and Migrating Malware: How Cybercrime is Breaking Down Ba...
byIBM Security
 

Similar to Mobile Payments: Protecting Apps and Data from Emerging Risks

PPTX
Securing Mobile Banking Apps - You Are Only as Strong as Your Weakest Link
byIBM Security
 
PPTX
5 Key Ways to Incorporate Security Protection into your Organization’s Mobile...
byIBM Security
 
PDF
How to Hack a Cryptographic Key
byIBM Security
 
PPTX
IBM Seguridad Móvil - Acompaña tu estrategia BYOD
byCamilo Fandiño Gómez
 
PPTX
Are We There Yet? The Path Towards Securing the Mobile Enterprise
byIBM Security
 
PPTX
The Cybercriminal Approach to Mobile Fraud: Now They’re Getting Serious
byIBM Security
 
PPTX
IBM Mobile Security: A Comprehensive Approach to Securing and Managing the Mo...
byIBM Security
 
PDF
Information Risk and Protection
byxband
 
PDF
ISACA CACS 2012 - Mobile Device Security and Privacy
byMichael Davis
 
PDF
Unified application security analyser
byTim Youm
 
PPTX
Protecting Mission-Critical Source Code from Application Security Vulnerabili...
byIBM Security
 
PPT
MDM is not Enough - Parmelee
byProlifics
 
PDF
2015 Mobile Security Trends: Are You Ready?
byIBM Security
 
PDF
Surviving the Mobile Phenomenon: Securing Mobile Access with Risk-Based Authe...
byIBM Security
 
PDF
Malware on Smartphones and Tablets: The Inconvenient Truth
byIBM Security
 
PPTX
Pinpointing Vulnerabilities in Android Applications like Finding a Needle in ...
byIBM Security
 
PDF
mHealth Summit EU 2015
by3GDR
 
PDF
Make Mobilization Work - Properly Implementing Mobile Security
byMichael Davis
 
PPT
Mobile code mining for discovery and exploits nullcongoa2013
byBlueinfy Solutions
 
PPTX
Outsmart Fraudsters: Give Customers Great User Experience While Keeping Fraud...
byIBM Security
 
Securing Mobile Banking Apps - You Are Only as Strong as Your Weakest Link
byIBM Security
 
5 Key Ways to Incorporate Security Protection into your Organization’s Mobile...
byIBM Security
 
How to Hack a Cryptographic Key
byIBM Security
 
IBM Seguridad Móvil - Acompaña tu estrategia BYOD
byCamilo Fandiño Gómez
 
Are We There Yet? The Path Towards Securing the Mobile Enterprise
byIBM Security
 
The Cybercriminal Approach to Mobile Fraud: Now They’re Getting Serious
byIBM Security
 
IBM Mobile Security: A Comprehensive Approach to Securing and Managing the Mo...
byIBM Security
 
Information Risk and Protection
byxband
 
ISACA CACS 2012 - Mobile Device Security and Privacy
byMichael Davis
 
Unified application security analyser
byTim Youm
 
Protecting Mission-Critical Source Code from Application Security Vulnerabili...
byIBM Security
 
MDM is not Enough - Parmelee
byProlifics
 
2015 Mobile Security Trends: Are You Ready?
byIBM Security
 
Surviving the Mobile Phenomenon: Securing Mobile Access with Risk-Based Authe...
byIBM Security
 
Malware on Smartphones and Tablets: The Inconvenient Truth
byIBM Security
 
Pinpointing Vulnerabilities in Android Applications like Finding a Needle in ...
byIBM Security
 
mHealth Summit EU 2015
by3GDR
 
Make Mobilization Work - Properly Implementing Mobile Security
byMichael Davis
 
Mobile code mining for discovery and exploits nullcongoa2013
byBlueinfy Solutions
 
Outsmart Fraudsters: Give Customers Great User Experience While Keeping Fraud...
byIBM Security
 

More from IBM Security

PPTX
Automation: Embracing the Future of SecOps
byIBM Security
 
PDF
Leaders & Laggards: The Latest Findings from the Ponemon Institute’s Study on...
byIBM Security
 
PDF
Bridging the Gap between Privacy and Security: Using Technology to Manage Com...
byIBM Security
 
PPTX
Integrated Response with v32 of IBM Resilient
byIBM Security
 
PDF
The Resilient End-of-Year Review: The Top Cyber Security Trends in 2018 and P...
byIBM Security
 
PDF
Leveraging Validated and Community Apps to Build a Versatile and Orchestrated...
byIBM Security
 
PDF
Accelerating SOC Transformation with IBM Resilient and Carbon Black
byIBM Security
 
PDF
How to Build a Faster, Laser-Sharp SOC with Intelligent Orchestration
byIBM Security
 
PPTX
Are You Ready to Move Your IAM to the Cloud?
byIBM Security
 
PPTX
Orchestrate Your Security Defenses to Optimize the Impact of Threat Intelligence
byIBM Security
 
PPTX
Your Mainframe Environment is a Treasure Trove: Is Your Sensitive Data Protec...
byIBM Security
 
PPTX
Meet the New IBM i2 QRadar Offense Investigator App and Start Threat Hunting ...
byIBM Security
 
PPTX
Understanding the Impact of Today's Security Breaches: The 2017 Ponemon Cost ...
byIBM Security
 
PDF
WannaCry Ransomware Attack: What to Do Now
byIBM Security
 
PPTX
How to Improve Threat Detection & Simplify Security Operations
byIBM Security
 
PPTX
IBM QRadar UBA
byIBM Security
 
PDF
Mobile Vision 2020
byIBM Security
 
PDF
Retail Mobility, Productivity and Security
byIBM Security
 
PDF
Close the Loop on Incident Response
byIBM Security
 
PDF
Orchestrate Your Security Defenses; Protect Against Insider Threats
byIBM Security
 
Automation: Embracing the Future of SecOps
byIBM Security
 
Leaders & Laggards: The Latest Findings from the Ponemon Institute’s Study on...
byIBM Security
 
Bridging the Gap between Privacy and Security: Using Technology to Manage Com...
byIBM Security
 
Integrated Response with v32 of IBM Resilient
byIBM Security
 
The Resilient End-of-Year Review: The Top Cyber Security Trends in 2018 and P...
byIBM Security
 
Leveraging Validated and Community Apps to Build a Versatile and Orchestrated...
byIBM Security
 
Accelerating SOC Transformation with IBM Resilient and Carbon Black
byIBM Security
 
How to Build a Faster, Laser-Sharp SOC with Intelligent Orchestration
byIBM Security
 
Are You Ready to Move Your IAM to the Cloud?
byIBM Security
 
Orchestrate Your Security Defenses to Optimize the Impact of Threat Intelligence
byIBM Security
 
Your Mainframe Environment is a Treasure Trove: Is Your Sensitive Data Protec...
byIBM Security
 
Meet the New IBM i2 QRadar Offense Investigator App and Start Threat Hunting ...
byIBM Security
 
Understanding the Impact of Today's Security Breaches: The 2017 Ponemon Cost ...
byIBM Security
 
WannaCry Ransomware Attack: What to Do Now
byIBM Security
 
How to Improve Threat Detection & Simplify Security Operations
byIBM Security
 
IBM QRadar UBA
byIBM Security
 
Mobile Vision 2020
byIBM Security
 
Retail Mobility, Productivity and Security
byIBM Security
 
Close the Loop on Incident Response
byIBM Security
 
Orchestrate Your Security Defenses; Protect Against Insider Threats
byIBM Security
 

Recently uploaded

PDF
ENTSO-E's Response to the European Commission Call for Evidence on the Strate...
byReynir Orn Bachmann Gudmundsson
 
PDF
Career Blueprint: Mentor Tracks & Career Clinic - Part 2
byDianaGray10
 
PPTX
Bulwark Pokemon League Top 8 graphic archive
byGc Howard
 
PDF
"Visual Guide to DSA: Big O Notation, Data Structures, and Algorithms Fundame...
byNusrat Gulbarga
 
PDF
Create, View and Edit Text Files - RHCSA (RH124).pdf
byLinuxCert Guru
 
PPTX
Enhancing Web Security: Key Concepts & Strategies.pptx
byParham Abolghasemi
 
PDF
Unleash AI power with the Dell Pro 14 Plus - Interactive PDF
byPrincipled Technologies
 
PDF
Wrapping up unowned UTF8 C strings: CStringView
byIgalia
 
PDF
Supercharge Your JVM with Project Leyden
byAna-Maria Mihalceanu
 
PDF
Configure and Secure SSH - RHCSA (RH124).pdf
byLinuxCert Guru
 
PDF
Revolutionizing SQL Database Design for the Modern Era.pdf
bySQL DBM
 
PDF
WebXR in Android and Linux with OpenXR
byIgalia
 
PDF
Dr. Robert Krug - Specializes In Predictive Modeling
byDr. Robert Krug
 
PPTX
Getting Started with MSP360 Backup for M365/Google
byMSP360
 
PDF
Q3'25 Financial Results and Earnings Presentation
byDropbox
 
PDF
Transparency Exchange API: How Do You Find the SBOM for a Smart Light Bulb?
byPavel Shukhman
 
PDF
Writing GPU-Ready AI Models in Pure Java with Babylon
byAna-Maria Mihalceanu
 
PDF
Exclusive Hands-On Workshop: Agentic Automation with UiPath (First Edition)
byanabulhac
 
PDF
Sylvester Konadu Worcester MA - An Accomplished IT Analyst
bySylvester Konadu Worcester
 
PDF
How to not make bugs (in JSC), and the future of 32-bits
byIgalia
 
ENTSO-E's Response to the European Commission Call for Evidence on the Strate...
byReynir Orn Bachmann Gudmundsson
 
Career Blueprint: Mentor Tracks & Career Clinic - Part 2
byDianaGray10
 
Bulwark Pokemon League Top 8 graphic archive
byGc Howard
 
"Visual Guide to DSA: Big O Notation, Data Structures, and Algorithms Fundame...
byNusrat Gulbarga
 
Create, View and Edit Text Files - RHCSA (RH124).pdf
byLinuxCert Guru
 
Enhancing Web Security: Key Concepts & Strategies.pptx
byParham Abolghasemi
 
Unleash AI power with the Dell Pro 14 Plus - Interactive PDF
byPrincipled Technologies
 
Wrapping up unowned UTF8 C strings: CStringView
byIgalia
 
Supercharge Your JVM with Project Leyden
byAna-Maria Mihalceanu
 
Configure and Secure SSH - RHCSA (RH124).pdf
byLinuxCert Guru
 
Revolutionizing SQL Database Design for the Modern Era.pdf
bySQL DBM
 
WebXR in Android and Linux with OpenXR
byIgalia
 
Dr. Robert Krug - Specializes In Predictive Modeling
byDr. Robert Krug
 
Getting Started with MSP360 Backup for M365/Google
byMSP360
 
Q3'25 Financial Results and Earnings Presentation
byDropbox
 
Transparency Exchange API: How Do You Find the SBOM for a Smart Light Bulb?
byPavel Shukhman
 
Writing GPU-Ready AI Models in Pure Java with Babylon
byAna-Maria Mihalceanu
 
Exclusive Hands-On Workshop: Agentic Automation with UiPath (First Edition)
byanabulhac
 
Sylvester Konadu Worcester MA - An Accomplished IT Analyst
bySylvester Konadu Worcester
 
How to not make bugs (in JSC), and the future of 32-bits
byIgalia
 

Mobile Payments: Protecting Apps and Data from Emerging Risks

  • 1.
    © 2013 IBMCorporation Arxan, IBM & FS-ISAC Present: Mobile Payments: Protecting Apps and Data from Emerging Risks Tom Mulvehill, Mobile Security Strategy, IBM Winston Bond, Technical Manager, Arxan Technologies
  • 2.
    © 2015 IBMCorporation2 IBM Security Systems Agenda • Mobile App and Payment Landscape • How Criminals Can Attack Your App • Comprehensive Protection Techniques • Q&A
  • 3.
    © 2015 IBMCorporation3 IBM Security Systems Mobile App and Payment Landscape
  • 4.
    © 2015 IBMCorporation4 IBM Security Systems Mobile Banking Services Can be a Competitive Advantage Mobile banking is the most important deciding factor when switching banks (32%) More important than fees (24%) or branch location (21%) or services (21%)… a survey of mobile banking customers in the U.S. 1 Mobile banking channel development is the #1 technology priority of N.A. retail banks (2013) #1 Channel The mobile payments market will eventually eclipse $1 trillion by 2017 $1tn 43% of 18-20 year olds have used a mobile banking app in the past 12 months 29% Cash-based retail payments in the U.S. have fallen from 36% in 2002 to 29% in 2012 $ Of customers won't mobile bank because of security fears 19% 90%Of mobile banking app users use the app to check account balances or recent transactions
  • 5.
    © 2015 IBMCorporation5 IBM Security Systems However, as mobile grows, so do security threats “With the growing penetration of mobile devices in the enterprise, security testing and protection of mobile applications and data become mandatory.” Gartner “Enterprise mobility… new systems of engagement. These new systems help firms empower their customers, partners, and employees with context-aware apps and smart products.” Forrester Arxan Top mobile devices and apps hacked 97%Android 87%iOS 387 new threats every minute and six every second McAfee
  • 6.
    © 2015 IBMCorporation6 IBM Security Systems What concerns does this create for the enterprise?
  • 7.
    © 2015 IBMCorporation7 IBM Security Systems Security Is Front and Center and Must Be Addressed
  • 8.
    © 2015 IBMCorporation IBM Security 8 You are only as strong as your weakest link Application Risks Device Risks Session Risks  App hacking  App security vulnerabilities  Rooted / jailbroken devices  Outdated OS security vulnerabilities  Malware  Unsecure connection  SMS forwarding  Mobile ATO / cross-channel ATO
  • 9.
    © 2015 IBMCorporation9 IBM Security Systems How Criminals Can Easily Attack Your Mobile Banking App
  • 10.
    © 2015 IBMCorporation IBM Security Systems 10 Disruption in the Security Landscape Centralized, trusted environment Distributed or untrusted environment “Apps in the Wild” • Web Apps • Data Center Apps Attackers do not have easy access to application binary + Application Security Testing (“Build it Secure”) + Application Self-Protection (“Keep it Secure”) • Mobile Apps • Internet of Things • Packaged Software Attackers can easily access and compromise application binary
  • 11.
    © 2015 IBMCorporation IBM Security Systems 11 Mobile Apps Are Vulnerable to Attacks • Applications can be modified and tampered with, e.g. Key Generation / Use algorithms can be altered, causing key theft or data theft • Run-time behavior of applications can be altered, causing unsafe or improper operation • Malicious code can be injected or hooked into applications Integrity Risk (Code Modification or Code Injection Vulnerabilities) • Private and sensitive information can be exposed, including Cryptographic Keys that are used to secure information • Applications can be reverse-engineered back to the source code • Code and Intellectual Property (IP) can be lifted, stolen, reused or repackaged Confidentiality Risk (Reverse Engineering or Code Analysis Vulnerabilities)
  • 12.
    © 2015 IBMCorporation12 IBM Security Systems Particularly Crypto Keys Cryptographic key hacking examples:  Crypto keys extracted though memory scrapping, allowing unauthorized access to financial transactions (in PoS systems)  Exploiting forms of buffer overflow attacks, like Heartbleed, to steal crypt key  Android APK integrity vulnerability  And many more… Unfortunately, many don’t protect their keys or think it is too difficult to protect them  80% of respondents to Ponemon Institute survey identified broken cryptography as most difficult risk to minimize (State of Mobile Application Insecurity, February 2015) Growing trend of memory scrapping (Source: Verizon 2015 Data Breach Investigations Report) Hackers are relying on memory scraping w/ increasing frequency -- it is essential to protect keys in memory!
  • 13.
    © 2015 IBMCorporation13 IBM Security Systems Anatomy of Attacks on Mobile Apps Reverse-engineering app contents 1. Decrypt the mobile app (iOS apps) 2. Open up and examine the app 3. Create a hacked version 11 110 01 0 1001110 1100 001 01 111 00 11 110 01 0 0101010 0101 110 011100 00 Extract and steal confidential data Create a tampered, cracked or patched version of the app Release / use the hacked app Use malware to infect/patch the app on other devices 4. Distribute App https://www.arxan.com/how-to-hack-a-mobile-application
  • 14.
    © 2015 IBMCorporation14 IBM Security Systems Reverse engineering of a mobile payment application Video: How to Hack an App via Reverse Engineering
  • 15.
    © 2015 IBMCorporation15 IBM Security Systems Mobile App & Mobile Payment Protection Techniques
  • 16.
    © 2015 IBMCorporation IBM Security 16 MobileFirst Protect (MaaS360) AppScan, Arxan, Trusteer M; bile SDK IBM Mobile Security Framework AirWatch, MobileIron, Good, Citrix, Microsoft, Mocana HP Fortify, Veracode, Proguard CA, Oracle, RSA • Manage multi-OS BYOD environment • Mitigate risks of lost and compromised devices • Separate enterprise and personal data • Enforce compliance with security policies • Distribute and control enterprise apps • Build and secure apps and protect them “in the wild” • Provide secure web, mobile, API access and identify device risk • Meet authentication ease-of-use expectation Extend Security Intelligence • Extend security information and event management (SIEM) to mobile platform • Incorporate mobile log management, anomaly detection, configuration and vulnerability management Manage Access and Fraud Safeguard Applications and Data Secure Content and Collaboration Protect Devices
  • 17.
    © 2015 IBMCorporation IBM Security 17 Extend Security Intelligence Manage Access and Fraud Safeguard Applications and Data Secure Content and Collaboration Protect Devices Business imperatives for managing access and fraud “The CyberVor gang amassed over 4.5 billion records, mostly consisting of stolen credentials. To get such an impressive number of credentials, the CyberVors robbed over 420,000 web and FTP sites.” Hold Security $6.53 millionaverage cost of a U.S. data breach 2015 Cost of Data Breach Study, Ponemon Institute 95% of financial services incidents involve harvesting credentials stolen from customer devices 2015 Verizon Data Breech Report
  • 18.
    © 2015 IBMCorporation IBM Security 18 Build, test and secure mobile apps before distributing to end users Safely distribute apps Deploy custom enterprise app catalogs; blacklist, whitelist and require apps; administer app volume purchase programs Test app security Identify vulnerabilities in development and pre-deployment; isolate data leakage risks; ensure proper use of cryptography Protect apps Harden mobile apps to defend against reverse engineering; prevent repacking of apps; protect apps from mobile malware Secure app data Protect enterprise apps with authentication, tunneling, copy / paste restrictions and prevent access from compromised devices
  • 19.
    © 2015 IBMCorporation19 IBM Security Systems Application Protection: Can you say: Ob-fu-sca-tion! Confuse the Hacker • Dummy Code Insertion • Instruction Merging • Block Shuffling • Function Inlining • … and More! Turns this into this …
  • 20.
    © 2015 IBMCorporation20 IBM Security Systems Application Protection: Preventing Reverse Engineering Other Techniques • Method Renaming • String Encryption • … and More! String not found Where did it go?
  • 21.
    © 2015 IBMCorporation21 IBM Security Systems Application Protection: Preventing Tampering Common Techniques Checksum -- Has the binary changed? If so, let me know so I can do something about it! Method Swizzling Detection -- Is someone hijacking my code? Debug Detection Is a Debugger Running?
  • 22.
    © 2015 IBMCorporation22 IBM Security Systems Application Protection: A Number of Guards Can Be Leveraged Defend against compromise Detect attacks at run time React to ward off attacks • Advanced Obfuscation • Code and Resource Encryption • Pre-Damage • Metadata Removal • Checksum • Debug Detection • Resource Verification • Jailbreak/Root Detection • Swizzling Detection • Hook Detection • Shut Down (Exit, Fail) • Self-Repair • Custom Reactions • Alert / Phone Home
  • 23.
    © 2015 IBMCorporation23 IBM Security Systems Arxan Cryptographic Key Protection  Sophisticated implementation of “White-box cryptography”  Intended for any security system that employs cryptographic algorithms and keys, in an open and untrusted environment  Result: Keys are never present in either the static form or in runtime memory  Protects: Static keys, Dynamic keys, and Sensitive user data  How it works – Combines mathematical algorithms with data and code obfuscation techniques to transform the key and related operations so keys cannot be discovered at any time – Supports all major algorithms – Clearly separates the data into two domains: Open Domain vs Encrypted Domain – Provides comprehensive protection in conjunction with Arxan’s guarding technology Encrypted Domain Mobile Application Crypto Routines Static & Dynamic Keys Secret Data
  • 24.
    © 2015 IBMCorporation24 IBM Security Systems This Approach Yields the Most Protected Form of Data: White-box Form Forms of Data Classical form Untransformed data (in the clear) Obfuscated form Transformed (reversible) data; inputs and outputs of ciphers can be obfuscated White-box form Maximally secure (for keys) and non-reversible
  • 25.
    © 2015 IBMCorporation25 IBM Security Systems How Are Code and Key Protection Implemented?
  • 26.
    © 2015 IBMCorporation26 IBM Security Systems Why Arxan Protection? For key protection  ‘Gold standard’ protection • All major cryptography standards and functionality • Offers a smaller footprint than other solutions • Delivers better performance  Easy Integration • Conformance to common API calls like OpenSSL, allows straight-forward replacement of existing cryptographic libraries For application protection  ‘Gold standard’ protection strength • Multi-layered Guards • Static & Run-Time Guards • No binary patterns or agents, no single point of failure • Customizable to your application • Automated randomization for each build  No disruption to SDLC or source code with unique binary-based Guard injection Arxan Solutions are  Proven • Protected apps deployed on over 300 million devices • Hundreds of satisfied customers across Fortune 500  Cross platform support -- > 7 mobile platforms alone  Unique IP ownership: 10+ patents  Integrated with other IBM security and mobility solutions
  • 27.
    © 2015 IBMCorporation27 IBM Security Systems World’s Strongest App Protection, Now Sold & Supported by IBM Benefit of your existing trusted relationship with IBM • Arxan’s technology now available from IBM: Sales, Solution, Services, Support from IBM, with close collaboration between IBM and Arxan to ensure your success • Leverage your existing procurement frameworks and contract vehicles (IBM Passport Advantage, ELAs, Perpetual License, Elite Support, etc) for purchasing Arxan products and take advantage of your relationship pricing and special discounts from IBM Leverage Arxan as part of comprehensive solution portfolio from IBM to holistically secure mobile apps, with value-adding validated integrations • Enables unique ‘Scan + Protect’ application security strategy and best practice for building it secure during development (AppScan) and keeping it secure deployed “in the wild” (Arxan) • Value-adding Arxan integrations, validations, and interoperability testing with other IBM products (e.g., IBM AppScan, IBM Trusteer, IBM Worklight)
  • 28.
    © 2015 IBMCorporation28 IBM Security Systems NEXT STEP: Contact your IBM representative or email [email protected] for more information Free Evaluation of “Arxan Application Protection for IBM Solutions” Now offered as part of IBM’s Security Portfolio Special Offer
  • 29.
    © 2015 IBMCorporation29 IBM Security Systems Additional Resources Arxan/IBM White Paper: Securing Mobile Apps in the Wild http://www.arxan.com/securing-mobile-apps-in-the-wild-with-app-hardening-and-run- time-protection/ How to Hack An App https://www.youtube.com/watch?v=VAccZnsJH00 IBM Whitepaper: Old Techniques, New Channel: Mobile Malware Adapting PC Threat Techniques https://www14.software.ibm.com/webapp/iwm/web/signup.do?source=swg- WW_Security_Organic&S_PKG=ov26530&S_TACT=C341006W&S_CMP=web_opp_s ec_trusteer_msdk/
  • 30.
    © 2015 IBMCorporation30 IBM Security Systems Q&A
  • 31.
    © 2015 IBMCorporation31 IBM Security Systems Thank You! Tom Mulvehill [email protected] Winston Bond [email protected]