Modified Mobile App-Store Architecture with Pro-active Security Control

Abstract: A pro-active mobile security control system around the app submission process, one that identifies and prevents the publishing of apps with malicious intent on the stores, is very much required. This white paper highlights a modification to the generic architecture of an app-store that pro-actively integrates an apps security control system and can plug into existing app-stores easily.

Author
Rajesh Kumar
Mobile Security R&D and Services

7th November 2011

© Tech Mahindra Limited 2010              © Tech Mahindra Limited 2011
Table of Contents
    Introduction
    Apps Development and Distribution
    The App Store Architecture
    Modified Architecture with Pro-active Security Control
    Apps Security Module
    Security Test Scope
    About Author
    About Tech Mahindra Limited

Introduction
    Smartphones today enjoy an ever-increasing user base, business and popularity. The
    integration of new high-speed wireless technologies, multimedia capabilities,
    document editors, millions of social-site users, the availability of centralized
    app-stores and a new generation of developers, all previously found on personal
    computers, is turning smartphones into real powerhouses. This has also brought cyber
    risks: not only malware infecting the operation of the phone, but also application
    phishing, Trojans and spyware that target users to steal personal information, high
    bills from hidden calls and SMS to premium numbers, and malvertising.

    Because smartphones run small apps that are widely downloaded from centralized
    app-stores, free or commercially, they are exposed to additional risks: the stores are
    also an attractive channel for hackers to centrally distribute a malicious app embedded
    with financial fraud and a network traffic generator. Currently most stores are
    implemented with a certificate-based trust chain and abuse reporting by end-users,
    which are not sufficient to control the security incidents reported for malware apps.

    To avoid such scenarios, app-stores should employ pro-active malware and security
    assessment and control systems for mobile apps within the app-store infrastructure.
    With such a security system only safe apps are published in the app-store, protecting
    billions of downloads by millions of users from thousands of malware apps.



Apps Development and Distribution
    Mobile app-stores are evolving, and millions of users visit them to download the latest
    apps, making them the primary distribution channel for 45% of developers across
    platforms. Three platforms, namely Android, iOS and mobile web, lead among developers,
    as surveyed and published by app-store analysts. Many dedicated app stores for
    classified customers, enterprise and business applications may be launched in future.




The App Store Architecture
Hackers are effectively able to turn mobile malware into the biggest consumer problem.
The number of users who bank from their mobile devices is increasing. If we add
application zero-day vulnerabilities to current mobile malware threats, the risk will
be catastrophic.

In the current app-store architecture, a security system is not part of the app
publishing infrastructure or its life-cycle. In general, an app store includes the
following key components, as depicted in the figure below.

    Administrative console,
    Product catalogs,
    A central apps/content repository, and
    Sales promotional channels.




Modified Architecture with Pro-active Security Control
    Hackers and fraudsters are two steps ahead in acquiring the tools and techniques to
    turn mobile malware and application vulnerabilities into the biggest security
    problem. This forces security vendors and content providers such as Google,
    Android-market and others to take down 50 or more malicious apps from their
    app-stores after thousands of users have already downloaded and reported them.
    This mitigation mechanism cannot effectively stop malware apps from getting
    published in the stores. Publishers can black-list old user-ids and certificates, but
    the black-list can be bypassed by creating new user-ids and certificates.

    Building a power-packed fraudulent application for stealing and abusing identity,
    financial fraud or malware repackaging is fairly simple. Distributing these apps on
    the app-store is even simpler.

    A pro-active mobile security control system around the app submission process, one
    that identifies and prevents the publishing of apps with malicious intent on the
    stores, is very much required. The current app-store architecture needs to be
    augmented with an in-line security module. The modified architecture integrates a
    pro-active mobile apps security control system that can plug into the existing
    app-store easily, as depicted in the figure below. This mitigation mechanism would be
    effective because the security system's scanner pro-actively discards or denies apps
    with malware intent and apps that expose vulnerabilities during the app submission
    process.




Apps Security Module
When a developer decides to self-publish an app in the app-store, as free or paid
subscription, an in-line comprehensive security test should be activated, consisting
of all or some of the sub-modules below for each application.

   1. Malware Intent test

   2. Anti-virus and Anti-malware test

   3. Dynamic behavior security test

   4. Secure code-review test




Security Test Scope
The following security checks are the minimum to be done for any app in the process of
being published to the app-store.

       Malware review

       Financial Fraud

       Unsecure Connectivity

       System Control and Resource Exhaustion Test

       Vulnerable Interfaces

       Network Traffic Analysis

       Secure Programming




This would marginally reduce rogue applications, malicious websites and malware
in the app-store, which are among the top mobile threats.
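
The paper's central argument, that a black-list of user-ids and certificates is bypassed by a fresh identity while an in-line scan of the submitted package is not, shown as an added example (not MobiSecure or any app-store's own code). The `Submission` fields, the check names and all sample values are constructed, and treating the two Android permissions as billing-fraud indicators is an assumption of this example.

```python
from dataclasses import dataclass, replace
from urllib.parse import urlparse

# Real Android permission names. Flagging them when the store listing declares
# no matching feature is this example's assumption, not a rule from the paper.
BILLING_PERMISSIONS = {
    "android.permission.SEND_SMS": "sms",
    "android.permission.CALL_PHONE": "telephony",
}

@dataclass(frozen=True)
class Submission:
    """Constructed stand-in for metadata extracted from an uploaded package."""
    app_id: str
    developer_id: str
    signer_fingerprint: str
    permissions: frozenset
    declared_features: frozenset   # what the store listing says the app does
    endpoints: tuple               # URLs found inside the package
    av_labels: tuple = ()          # labels returned by an AV engine, if any

def blacklist_only(sub, blocked_ids, blocked_certs):
    """Reactive control: deny only identities that were already reported."""
    if sub.developer_id in blocked_ids or sub.signer_fingerprint in blocked_certs:
        return "deny"
    return "publish"

def check_antivirus(sub):
    return [f"engine label: {label}" for label in sub.av_labels]

def check_financial_fraud(sub):
    return [
        f"{perm} requested but listing declares no {feature} feature"
        for perm, feature in BILLING_PERMISSIONS.items()
        if perm in sub.permissions and feature not in sub.declared_features
    ]

def check_unsecure_connectivity(sub):
    return [
        f"cleartext endpoint: {url}"
        for url in sub.endpoints
        if urlparse(url).scheme.lower() != "https"
    ]

# Sub-modules run in-line on every submission, regardless of who submits it.
CHECKS = {
    "antivirus": check_antivirus,
    "financial_fraud": check_financial_fraud,
    "unsecure_connectivity": check_unsecure_connectivity,
}

def security_gate(sub):
    """Return ("publish" | "deny", findings-by-check) for one submission."""
    findings = {}
    for name, check in CHECKS.items():
        result = check(sub)
        if result:
            findings[name] = result
    return ("deny" if findings else "publish"), findings

# Constructed sample data: an app already taken down, the same package
# re-submitted under a new user-id and certificate, and a benign app.
BLOCKED_IDS = {"dev-1001"}
BLOCKED_CERTS = {"AA:11"}
FLAGGED = Submission(
    app_id="com.example.wallpapers",
    developer_id="dev-1001",
    signer_fingerprint="AA:11",
    permissions=frozenset({"android.permission.INTERNET",
                           "android.permission.SEND_SMS"}),
    declared_features=frozenset({"wallpaper"}),
    endpoints=("http://collector.example/upload",),
)
RESUBMITTED = replace(FLAGGED, developer_id="dev-2002", signer_fingerprint="BB:22")
BENIGN = Submission(
    app_id="com.example.notes",
    developer_id="dev-3003",
    signer_fingerprint="CC:33",
    permissions=frozenset({"android.permission.INTERNET"}),
    declared_features=frozenset({"notes"}),
    endpoints=("https://api.example/v1/sync",),
)

if __name__ == "__main__":
    for sub in (FLAGGED, RESUBMITTED, BENIGN):
        print(sub.developer_id,
              blacklist_only(sub, BLOCKED_IDS, BLOCKED_CERTS),
              security_gate(sub))
```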




About Author

    Rajesh Kumar leads Mobile Security R&D and Services at Tech Mahindra Limited.
    His 18 years of industry experience began with the evolution of application
    proxy and network firewalling security systems. His current assignment includes
    development of mobile security control systems and services around mobile apps,
    mobile networks, and enterprise mobility.

    He developed various enterprise systems, network services and their architectures
    while working with the Indian Space Research Organization (ISRO), his earlier
    organization.

    His qualifications include a Bachelor of Engineering in Computer Science &
    Engineering from BIT Sindri, India and a Post Graduate Certificate in Business
    Management from XIM Bhubaneswar, India.


    About Tech Mahindra Limited
    Tech Mahindra has developed in-house an app-store security solution and service,
    ‘MobiSecure’, to check for malicious apps before they get published in the
    app-store. The service is capable of testing thousands of ready mobile apps in a
    day.

    Tech Mahindra is part of the US $12.5 billion Mahindra Group, in partnership with
    British Telecommunications plc (BT), one of the world’s leading communications
    service providers. Focused primarily on the telecommunications industry, Tech
    Mahindra is a leading global systems integrator and business transformation
    consulting organization. Tech Mahindra has recently expanded its IT portfolio by
    acquiring the leading global business and information technology services company,
    Mahindra Satyam (earlier known as Satyam Computer Services).

    Tech Mahindra’s capabilities spread across a broad spectrum, including Business
    Support Systems (BSS), Operations Support Systems (OSS), Network Design &
    Engineering, Next Generation Networks, Mobility Solutions, Security consulting and
    Testing. The solutions portfolio includes Consulting, Application Development &
    Management, Network Services, Solution Integration, Product Engineering,
    Infrastructure Managed Services, Remote Infrastructure Management and BSG
    (comprises BPO, Services and Consulting). With an array of service offerings for TSPs,
    TEMs and ISVs, Tech Mahindra is a chosen transformation partner for several
    leading wireline, wireless and broadband operators in Europe, Asia-Pacific and North
    America.

    For Security Services, kindly visit our website http://www.techmahindra.com/security/

    For further information or to have a sales representative contact you, mail at
    security.sales@techmahindra.com.

