Securing Mobile Banking Apps - You Are Only as Strong as Your Weakest Link
Download as PPTX, PDF6 likes2,679 views
The document discusses the security risks associated with mobile banking applications and the importance of protecting them from cybercriminals. It highlights the various threats, such as app hacking and malware, while advocating for comprehensive protection techniques through advanced technologies like those offered by IBM and Arxan. The document emphasizes the necessity for robust security measures to maintain user trust and safeguard sensitive information in an evolving mobile landscape.
Securing Mobile Banking Apps - You Are Only as Strong as Your Weakest Link
- 1. © 2013 IBM Corporation Arxan & Trusteer Present: Securing Mobile Banking Apps – You are only as strong as your weakest link Trusteer: Ori Bach Arxan: Jonathan Carter © 2015 IBM Corporation
- 2. © 2015 IBM Corporation2 IBM Security Systems Agenda • Mobile App and Payment Landscape • How Criminals Can Attack Your App • Comprehensive Protection Techniques • Q&A
- 3. © 2015 IBM Corporation3 IBM Security Systems Mobile App and Payment Landscape
- 4. © 2015 IBM Corporation4 IBM Security Systems Mobile Banking Services Can be a Competitive Advantage Mobile banking is the most important deciding factor when switching banks (32%) More important than fees (24%) or branch location (21%) or services (21%)… a survey of mobile banking customers in the U.S. 1 Mobile banking channel development is the #1 technology priority of N.A. retail banks (2013) #1 Channel The mobile payments market will eventually eclipse $1 trillion by 2017 $1tn 43% of 18-20 year olds have used a mobile banking app in the past 12 months 29% Cash-based retail payments in the U.S. have fallen from 36% in 2002 to 29% in 2012 $ Of customers won't mobile bank because of security fears 19% 90%Of mobile banking app users use the app to check account balances or recent transactions
- 5. © 2015 IBM Corporation5 IBM Security Systems However, Security Is Front and Center and Must Be Addressed
- 6. © 2015 IBM Corporation6 IBM Security Systems Many Are Falling Short • Majority of top 100 paid Android and iOS Apps are available as hacked versions on third-party sites • …as are many financial service, retail, and healthcare apps • (State of Mobile App Security, Arxan, 2015) • "Chinese App Store Offers Pirated iOS Apps Without the Need to Jailbreak” (Extreme Tech, 2013) http://www-03.ibm.com/software/products/en/arxan-application-protection
- 7. © 2015 IBM Corporation IBM Security 7 You are only as strong as your weakest link Application Risks Device Risks Session Risks App hacking App security vulnerabilities Rooted / jailbroken devices Outdated OS security vulnerabilities Malware Unsecure connection SMS forwarding Mobile ATO / cross-channel ATO
- 8. © 2015 IBM Corporation8 IBM Security Systems How Criminals Can Easily Attacks Your Mobile Banking App
- 9. © 2015 IBM Corporation9 IBM Security Systems Typical Software Security Lifecycle Design, Build, TestPlan High-Level Risk Assessments Security Policy Review Define Security Requirements Security Architecture Review Threat modeling Static Analysis Dynamic Testing Penetration Testing Test, Deploy Application Monitoring Secure Code Review Secure Coding Training Final Functional & Security Testing Produces a “Secure” Application with few, known and acceptable vulnerabilities BUT …
- 10. © 2015 IBM Corporation10 IBM Security Systems Even Secure Mobile Apps can be Hacked z Centralized, trusted environment • Web apps • Data center custom apps Distributed or untrusted environment “Apps in the Wild” • Mobile Apps • Internet of Things / Embedded • Packaged Software Vulnerability Analysis and Flaw Remediation Vulnerability Analysis and Flaw Remediation Application Hardening and Run-Time Protection Application Environment Application Security Model Attackers do not have easy access to application binary Attackers can easily access and compromise application binary “Build It Secure” “Keep It Secure”
- 11. © 2015 IBM Corporation11 IBM Security Systems App Confidentiality and Integrity Risks • Application binaries can be modified • Run-time behavior of applications can be altered • Malicious code can be injected into applications Integrity Risk (Code Modification or Code Injection Vulnerabilities) • Sensitive information can be exposed • Applications can be reverse-engineered back to the source code • Code can be lifted and reused or repackaged Confidentiality Risk (Reverse Engineering or Code Analysis Vulnerabilities)
- 12. © 2015 IBM Corporation12 IBM Security Systems Anatomy of Attacks on Mobile Apps Reverse-engineering app contents 1. Decrypt the mobile app (iOS apps) 2. Open up and examine the app 3. Create a hacked version 11 110 01 0 1001110 1100 001 01 111 00 11 110 01 0 0101010 0101 110 011100 00 Extract and steal confidential data Create a tampered, cracked or patched version of the app Release / use the hacked app Use malware to infect/patch the app on other devices 4. Distribute App https://www.arxan.com/how-to-hack-a-mobile-application
- 13. © 2015 IBM Corporation13 IBM Security Systems But isn’t My App Encrypted? Well, yes, but … iTunes Code Encryption Bypass • It is easy for hackers to bypass iOS encryption to progress a mobile app attack.
- 14. © 2014 IBM Corporation IBM Security 14 Server-side Device ID is not effective for mobile devices Mobile devices share many identical attributes Mobile devices have the same attributes: OS, browser, fonts etc.. Cybercriminals can easily trick traditional device ID systems Cybercriminals love mobile anonymity 14 Account Takeover via a Criminal Mobile Device
- 15. © 2014 IBM Corporation IBM Security 15 Online Banking Cross channel account takeover attacks Credentials Theft LOGIN MobileLogin The Bank’s Mobile Banking App / website Customer Credentials, data Criminal
- 16. © 2014 IBM Corporation IBM Security 16 Rooted or Jailbroken Devices New jailbreak techniques Jailbreak and rooting evasion Data sent/ received exposed Including data sent over SSL No defense against malware SMS interceptors Overlay attacks Automated malware Data stealers Vulnerable and Compromised Devices
- 17. © 2014 IBM Corporation IBM Security 17 Financial Malware and Ransomware Installing malicious up as “device admin” App prevents user from deleting it
- 18. © 2014 IBM Corporation IBM Security 18 SVPENG Screen “injection” Overlay on Google PlayOverlay on Russian Bank Login Screen
- 19. © 2014 IBM Corporation IBM Security 19 Ransomware: Now on Mobile – cant remove the app!
- 20. © 2015 IBM Corporation20 IBM Security Systems Cybercriminals convince users to supply mobile phone number to install app on phone via malware or phishing Users installs fake security application and enters activation code Malware captures all SMS traffic, including OTP and forwards to fraudsters where fraudulent transfers via online and captured OTP need to bypass authentication Example of SMS forwarding attack Coordinated attacks across PC and mobile
- 21. © 2014 IBM Corporation IBM Security 21 OTP SMS forwarding for sale as underground service 21 User Name + Password OTP SMS Credentials OTP SMS TOR C&C
- 22. © 2015 IBM Corporation22 IBM Security Systems Mobile App & Mobile Payment Protection Techniques
- 23. © 2015 IBM Corporation IBM Security 23 IBM - An integrated approach to secure mobile banking Build it Safe Keep It Safe Prevent Misuse Hacking App security vulnerabilities Rooted / jailbroken devices Credentials stealing malware Data transferred over an unsecure connection Account takeover fraud SMS forwarding malware IBM Security App Scan IBM Security Access Manager Trusteer Mobile SDK / Browser Trusteer Pinpoint Criminal Detection Arxan Worklight
- 24. © 2015 IBM Corporation IBM Security 24 Detecting Vulnerable and Compromised Devices Trusteer Mobile SDK detects mobile malware and rogue apps Mobile Malware SMS Interceptors , Device rooters, Data stealers, Generic downloaders Rogue Apps Access sensitive functions (like SMS) Launch at startup Not pre-approved by Trusteer Reported as risk factors
- 25. © 2015 IBM Corporation IBM Security 25 Criminals attempt to eavesdrops to app on unsecure devices Criminals looks for security vulnerabilities Criminals attempts to hack application Criminals deploys credential stealing malware Holistic data protection with IBM Mobile Security Mobile Banking Access is prevented from jailbroken/rooted devices detected by Trusteer Mobile SDK All vulnerabilities removed with Appscan Hack fails due to Arxan obfuscation and runtime protections Access is prevented from malware infected devices detected by Trusteer Mobile SDK
- 26. © 2015 IBM Corporation IBM Security 26 Detecting Criminal Devices with Trusteer Determines device location (GPS/Network triangulation) Detects IP “Velocity” Condition Trusteer Pinpoint Detection Trusteer Mobile SDK
- 27. © 2015 IBM Corporation27 IBM Security Systems Online Banking Detecting and responding to account takeover attacks Restrict Access Credentials Theft Trusteer Pinpoint Malware Detection LOGIN Trusteer Pinpoint Criminal Detection App Login • Jailbroken / Rooted Device • Malware Infection • New device ID • Unpatched OS • Unsecure Wi-Fi connection • Rogue App Account Risk Device Risk+ • Proxy • New Payee • Spoofing • Phished Incident • Malware Infection1 2 The Bank’s Mobile Banking App Trusteer Mobile SDK Customer Credentials, data Criminal ISAM Policy and Runtime Management
- 28. © 2015 IBM Corporation28 IBM Security Systems Online Banking Stopping account takeover using SMS forwarding malware Payment Denied LOGIN Trusteer Pinpoint Criminal Detection App Login • Jailbroken / Rooted Device • Malware Infection • New device ID • Unpatched OS • Unsecure Wi-Fi connection • Rogue App Account Risk Device Risk+ • Proxy • New Payee • Spoofed device • Phishing Incident • Malware Infection1 2 The Bank’s Mobile Banking App Trusteer Mobile SDK Customer OTP SMS Forwarded Criminal ISAM Policy and Runtime Management Criminal initiates payment requiring OTP authorization
- 29. © 2015 IBM Corporation29 IBM Security Systems Application Protection: Can you say: Ob-fu-sca-tion! Confuse the Hacker • Dummy Code Insertion • Instruction Merging • Block Shuffling • Function Inlining • … and More! Turns this into this …
- 30. © 2015 IBM Corporation30 IBM Security Systems Application Protection: Preventing Reverse Engineering Other Techniques • Method Renaming • String Encryption • … and More! String not found Where did it go?
- 31. © 2015 IBM Corporation31 IBM Security Systems Application Protection: Preventing Tampering Common Techniques Checksum -- Has the binary changed? If so, let me know so I can do something about it! Method Swizzling Detection -- Is someone hijacking my code? Debug Detection Is a Debugger Running?
- 32. © 2015 IBM Corporation32 IBM Security Systems Application Protection: A Number of Guards Can Be Leveraged Defend against compromise • Advanced Obfuscation • Encryption • Pre-Damage • Metadata Removal Detect attacks at run-time • Checksum • Debugger Detection • Resource Verification • Resource Encryption • Jailbreak/Root Detection • Swizzling Detection • Hook Detection React to ward off attacks • Shut Down (Exit, Fail) • Self-Repair • Custom Reactions • Alert / Phone Home
- 33. © 2015 IBM Corporation33 IBM Security Systems Application Protection: Multi-Layered Protection – Example
- 34. © 2015 IBM Corporation34 IBM Security Systems Mobile payment, with the existing retail PoS infrastructure HCE mobile apps have particular needs Need protection of keys and cryptography • Offline, as well as online Need to work on any Android device • From any manufacturer • With any mobile operator Should be portable to other platforms • Once they support HCE too Arxan’s innovative solution TransformIT® • Whitebox cryptography PLUS Application protection technology • Anti reverse-engineering • Tamper resistance Application Protection: Mobile Payment Apps: Host Card Emulation
- 35. © 2015 IBM Corporation35 IBM Security Systems Application Protection: Why Arxan? ‘Gold standard’ protection strength – Multi-layer Guard Network – Static & run-time Guards – Customizable to your application – Automated randomization for each build No disruption to SDLC or source code with unique binary- based Guard injection Cross platform support -- > 7 mobile platforms alone Proven – Protected apps deployed on over 300 million devices – Hundreds of satisfied customers across Fortune 500 Unique IP ownership: 10+ patents Integrated with other IBM security and mobility solutions
- 36. © 2015 IBM Corporation36 IBM Security Systems World’s Strongest App Protection, Now Sold & Supported by IBM Benefit of your existing trusted relationship with IBM • Arxan’s technology now available from IBM: Sales, Solution, Services, Support from IBM, with close collaboration between IBM and Arxan to ensure your success • Leverage your existing procurement frameworks and contract vehicles (IBM Passport Advantage, ELAs, Perpetual License, Elite Support, etc) for purchasing Arxan products and take advantage of your relationship pricing and special discounts from IBM Leverage Arxan as part of comprehensive solution portfolio from IBM to holistically secure mobile apps, with value-adding validated integrations • Enables unique ‘Scan + Protect’ application security strategy and best practice for building it secure during development (AppScan) and keeping it secure deployed “in the wild” (Arxan) • Value-adding Arxan integrations, validations, and interoperability testing with other IBM products (e.g., IBM AppScan, IBM Trusteer, IBM Worklight)
- 37. © 2015 IBM Corporation37 IBM Security Systems NEXT STEP: Contact your IBM representative or email IBM@Arxan.com for more information Webinar participants eligible for Free Evaluation of “Arxan Application Protection for IBM Solutions” Now offered as part of IBM’s Security Portfolio Special Offer for Webinar Participants
- 38. © 2015 IBM Corporation38 IBM Security Systems Additional Resources Arxan/IBM White Paper: Securing Mobile Apps in the Wild http://www.arxan.com/securing-mobile-apps-in-the-wild-with-app-hardening-and-run- time-protection/ How to Hack An App https://www.youtube.com/watch?v=VAccZnsJH00 IBM Whitepaper: Old Techniques, New Channel: Mobile Malware Adapting PC Threat Techniques https://www14.software.ibm.com/webapp/iwm/web/signup.do?source=swg- WW_Security_Organic&S_PKG=ov26530&S_TACT=C341006W&S_CMP=web_opp_s ec_trusteer_msdk/
- 39. © 2015 IBM Corporation39 IBM Security Systems Q&A
- 40. © 2015 IBM Corporation40 IBM Security Systems Thank You! Ori Bach ORIBACH@il.ibm.com Jonathan Carter jcarter@arxan.com