Mobile Threats and Trends Changing Mobile App Security
1 like579 views
The document discusses the rising mobile threats and trends in app security as of September 2018, highlighting a significant increase in mobile fraud, rogue apps, and mobile banking trojans. It emphasizes the importance of security in mobile app development amid evolving threats and provides guidance on the levels of security apps should implement based on their nature and functions. The report suggests that developers should prioritize security alongside functionality by incorporating best practices and continuous testing throughout the development lifecycle.
Mobile Threats and Trends Changing Mobile App Security
- 1. MOBILE THREATS & TRENDS CHANGING MOBILE APP SECURITY September 18, 2018
- 2. RECENT TRENDS © 2018 OneSpan North America Inc. 2
- 3. #1: MOBILE FRAUD IN GENERAL IS INCREASING of fraud transactions came from mobile apps & browsers in Q2 2018 (↑ 9% over Q1 & ↑ 16%YOY) 71% https://www.rsa.com/en-us/offers/rsa-fraud-report-q218
- 4. #2 REPACKAGED OR FORGED/ROGUE MOBILE APPS ON THE RISE >9K rogue apps in Q2 2018 • >25% of fraud in Q2 2018 • 13% increase over Q1 2018 Repackaging attacks 1. Attacker downloads app from official stores 2. Reverse-engineers the app 3. Adds malicious functionality 4. Distributes tainted copy to unsuspecting users © 2018 OneSpan North America Inc. 4 https://www.rsa.com/en-us/offers/rsa-fraud-report-q218
- 5. #3: MOBILE BANKING TROJANS & OVERLAY ATTACKS ESCALATING 3.2Xmore mobile banking Trojan installation packages in Q2 2018 over Q1 https://securelist.com/it-threat-evolution-q2-2018-statistics/87170/
- 6. #4: NON-TRADITIONAL DISTRIBUTION MODELS (“SIDELOADING”) © 2018 OneSpan North America Inc. 6 https://www.kaspersky.com/blog/fortnite-security/23685/ • Users essentially have to compromise their device’s security • Devices that download apps from sources other than Google Play are 9X more likely to download malware • 15 million downloads & 23 million players (21 days after beta) • Fortnite was vulnerable to “man-in-the-disk attacks”
- 7. WHY ARE MOBILE THREATS ON THE RISE?
- 8. ATTACKERS FOCUS ON THE MONEY & SHIFT W/ CONSUMERS 2B Mobile banking users forecasted for 2018 200M Estimated increase in mobile users over 2017 50%Of global banked population are mobile banking users Futureproofing Digital Banking 2018,by Juniper Research published March 2018
- 9. …AND IT’S NOT JUST BANKING $86Bspent in app stores in 2017 2Xgrowth in two years https://www.appannie.com/en/insights/market-data/app-annie-2017-retrospective/#download
- 10. MOBILE APP COMPETITION IS FIERCE >3.1MApps on the Google Play Store >1.9MApps on the Apple App Store Priority becomes differentiating (adding/improving functionality) more quickly…
- 11. MOBILE APP DEVELOPMENT AND SECURITY CHALLENGES • Balancing revenue-generating/retaining activities (e.g., new features) with security • Lack of security expertise • Mobile threats constantly evolve © 2018 OneSpan North America Inc. 11 of developers know it’s important but say they don’t have enough time to spend on security48% https://info.signalsciences.com/devsecops-community-survey-2018
- 12. DIVING DEEPER INTO MOBILE APP ATTACKS © 2018 OneSpan North America Inc. 12
- 13. MOBILE MALWARE DELIVERY EXAMPLE © 2018 OneSpan North America Inc. 13
- 14. OVERLAY ATTACK EXPLAINED © 2018 OneSpan North America Inc.14 Example of legitimate screen Example of malicious overlay screen
- 15. CODE INJECTION ATTACK EXPLAINED • ~3 min © 2018 OneSpan North America Inc. 15 Bad Guy 1 2 3 4
- 16. WHAT IS DUE CARE WHEN IT COMES TO MOBILE APP SECURITY? © 2018 OneSpan North America Inc. 16
- 17. YOU CAN’T COUNT ON THE PLATFORMS ALONE FOR SECURITY • Apple/Google constantly working to improve the situation • Security is a journey, not a destination • Known/unknown vulnerabilities in the OS & resulting periods of exposure • Incentives for Android/iOS vulnerabilities • Bad apps still make it onto the stores • APIs must be implemented correctly • Defense-in-depth requires going beyond what’s offered by Android and iOS © 2018 OneSpan North America Inc. 17
- 18. 18 Differing levels of security based on the app in question L1: Baseline for mobile app security L2: Defense-in-depth measures for more sensitive apps R: Protection against client-side attacks (reverse-engineering) OWASP MOBILE APP SECURITYVERIFICATION STANDARD (MASVS) “The MASVS is a community effort to establish a framework of security requirements needed to design, develop and test secure mobile apps on iOS and Android. https://github.com/OWASP/owasp-masvs/releases/download/1.0/OWASP_Mobile_AppSec_Verification_Standard_v1.0.pdf
- 19. 19 It all starts with answering questions including but not limited to: • Can attackers monetize data handled by your app? • Is data handled by your app regulated? • Does your app handle financial transactions? • Are there motivated adversaries interested in your source code? WHAT LEVEL OF SECURITY DOESYOUR APP NEED? Verification Level Examples MASVS-L1 Basic security for any mobile app that doesn’t qualify for any of the higher levels MASVS-L2 • Fitness/Health Care: PII, PHI, regulations (HIPAA, etc.) • Financial: PII, payment card info, regulations (PCI DSS, FFIEC, etc.) MASVS-L1+R • Gaming: prevent cheating/modification • IP needs protection MASVS-L2+R • Financial: L2 requirements plus resilience against tampering and malware • Apps that store data on device, but support a wide range of devices and OS versions ?
- 20. Fewest vulnerabilities possible • Strong authentication mechanism • Connect over HTTPS • Proper verification of the certificate of the server • Sensitive data stored securely on device • Use of strong cryptography (e.g., NOT ECB mode, SHA1, MD5, etc.) How can this be achieved? • Including security & approved methods in product requirements • Secure code training for developers • Automated security testing throughout the SDLC • Penetration testing prior to release WHAT MAKES A MOBILE APP SECURE? INTERNAL PERSPECTIVE
- 21. Hardened against external threats • Fortified against reverse engineering • Resistant to runtime tampering • Resistant to repackaging • Can defend against client-side attacks • Overlay attacks • Rogue keyboards How can this be achieved? Mobile app shielding and runtime protection —also called mobile runtime application self protection or (RASP) WHAT MAKES A MOBILE APP SECURE EXTERNAL PERSPECTIVE
- 22. SUMMARY 22
- 23. KEY TAKEAWAYS © 2018 OneSpan North America Inc. 23 MOBILETHREATS ARE INCREASING INTHE WILD DEPENDING ONTHE PLATFORMS ALONE WILL LEAVEYOU EXPOSED PROTECTINGYOUR APP IN UNTRUSTED ENVIRONMENTS IS ESSENTIAL 1 2 3
- 24. A KEY SOLUTION WITHIN A COMPLETE APP SECURITY PORTFOLIO © 2018 OneSpan North America Inc. 24 APP SHIELDING AND RUNTIME PROTECTION JAILBREAK AND ROOT DETECTION DEVICE IDENTIFICATION DEVICE BINDING SECURE STORAGE SECURE CHANNEL PUSH NOTIFICATION QR CODE SUPPORT GEOLOCATION BEHAVIORAL BIOMETRICS AUTHENTICATION FACE AUTHENTICATION FINGERPRINT AUTHENTICATION RISK-BASED AUTHENTICATION CRONTO AUTHENTICATION TRANSACTION SIGNING E-SIGNATURES ®
- 25. MOBILE APP SHIELDING & RUNTIME PROTECTION 1 2 3 SHIELD IT TEST IT TRUST IT SEE FORYOURSELF RUNTIME ATTACK DEFENSEEASY INTEGRATION
- 26. Q&A