• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
SmartDevCon - Katowice - 2013
 

SmartDevCon - Katowice - 2013

on

  • 619 views

As most people are aware, there has been an expansion in mobile banking applications in recent years. The Czech Republic is no exception to this, as nearly all banks have developed a mobile ...

As most people are aware, there has been an expansion in mobile banking applications in recent years. The Czech Republic is no exception to this, as nearly all banks have developed a mobile application for their modern mobile operating systems. Although different banks solve their security concepts in different ways, it is possible to discuss typical situations and problems that inevitably appear while designing mobile banking applications.

Statistics

Views

Total Views
619
Views on SlideShare
606
Embed Views
13

Actions

Likes
1
Downloads
3
Comments
1

3 Embeds 13

https://twitter.com 7
http://192.168.6.184 4
http://192.168.6.179 2

Accessibility

Upload Details

Uploaded via as Adobe PDF

Usage Rights

CC Attribution-NonCommercial-NoDerivs LicenseCC Attribution-NonCommercial-NoDerivs LicenseCC Attribution-NonCommercial-NoDerivs License

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel

11 of 1 previous next

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    SmartDevCon - Katowice - 2013 SmartDevCon - Katowice - 2013 Presentation Transcript

    • Mobile Banking Security Petr Dvořák Partner & Mobile Strategy Consultant petr@inmite.eu SmartDevCon 2013 - Katowice
    • 2008 Company founded in with mission to improve the world with high-tech solutions.
    • 100% Year-by-year growth in employee count and financial results.
    • First versions of apps for KB and Česká spořitelna were developed with Cleverlance Enterprise Solutions a.s.
    • securityconcerns For about 20% of smartphone users who don’t use the mobile banking, were the primary reason for making the decision.
    • Mobile Banking Security
    • Outline • Features of the mobile devices. • Mobile banking architecture. • The current status of mobile banking security. • Topics for 2013/14.
    • Mobile Devices
    • Mobile Devices • Smartphones and tablets. • Cheap. Ubiquitous. • Highly portable, mobile. • Always on-line (GSM i Wi-Fi). • With sensors.
    • Mobile Operating Systems • Rich application platform with stores. • iOS: Mac OS X, Objective-C / Cocoa. • Android: Linux, Java (Dalvik). • Relatively simple runtime modification. • Benevolent memory management. Simple attack after jailbreak or failbreak.
    • Mobile Bankig Architecture
    • Overview Front-end Facing Server IntegrationPlatform Transaction System Authentication System ... XML/JSON over REST Penetration testing before “big” releases.
    • Mobile Banking App Ideally, a native application. Various operating systems
    • Mobile Banking App Objective-C
    • Mobile Banking App Java
    • Mobile Banking App C/C++ (shared code)
    • Current Status
    • Current Status • Typically“adequate”level of security. • No consensus on“How”. • UX vs. security compromise. • Old and new topics. • Coming problems are foreseen.
    • The Good Old Attacks • MITM attack. • Fake app. • After-theft attack. • Reverse engineering.
    • MITM Attack • iOS - trivial (Wi-Fi, e-mail). • Android - less trivial (SD card). • Signing on application level. • Strict SSL certificate validation.
    • MITM Attack • iOS - trivial (Wi-Fi, e-mail). • Android - less trivial (SD card). • Signing on application level. • Strict SSL certificate validation.
    • MITM Attack • iOS - trivial (Wi-Fi, e-mail). • Android - less trivial (SD card). • Signing on application level. • Strict SSL certificate validation. What happens if the certificate expires?
    • Fake App • iOS -“impossible”(review). • Android - Trivial (open). • Manual Google Play (and App Store) checks. • User ratings. Users are waiting eagerly.
    • Fake App • iOS -“impossible”(review). • Android - Trivial (open). • Manual Google Play (and App Store) checks. • User ratings. The best defense: release an app, make it great and share it!
    • After-Theft Attack (ATA) • Theft or loss of the device. • Small real impact, large fear on the users’side. • Attack subtype: • Side channels. • Guessing password. • Password mining.
    • ATA: Side Channels • Usage of the same password for many apps. • Weak password storage. • Fingerprints on the display. Don’t attack the banking itself.
    • ATA: Side Channels
    • ATA: Password Guessing • Limit the attempt count. • Random shared key (symmetric cipher). • Sequence / Freshness. • The“unlocking password”may be simple. In the case of the right implementation of partial verification.
    • ATA: Password Guessing • Anti-DoS features required. • Recognize if user has the device, or just guesses and asks server. • Multi-factor authentication. The opposite requirement than limiting the attempt count.
    • ATA: Password Mining • Memory dump or runtime attack. • Strict memory management required. • Low-level implementation (C/C++ module). • Android NDK. Jailbreak + Cycript.
    • ATA: Password Mining Application Starts Application Closed Application terminated User: The app is done. Attacker steals the device or she steals it... Malware? Game over... Password entered System: I will keep it for a while.
    • ATA: Password Mining • Erasing keys and intermittent values from the memory. • Harder decompilation of the security implementation. • Special secure keyboard with Vernam cipher for secure PIN entry.
    • Reverse Engineering • Uncovering implementation details attracts“the curious guys”. • Opens up unnecessary discussion = reputation risk. • Discovering other implementation weaknesses.
    • Reverse Engineering Dark side of iOS by Kuba Břečka @kubabrecka 11:15
    • Topics for 2013/14
    • Application Starts Application Closed Application terminated User: The app is done. Attacker steals the device or she steals it... Malware? Game over... Password entered System: I will keep it for a while.
    • Mobile Malware • Problem mainly for Android OS. • Intensity will increase. • Hijacking authorization SMS (Eurograbber). • Hijacking URL schemes and intents. • Mobile anti-viruses will not save the day. Quite easily...
    • Stronger Authorization • Current mobile banks are retail oriented. • Almost no SME and enterprise oriented solutions. • Feature-wise and security-wise.
    • HW Token, ARM TrustZone, ... Many options.
    • HW Token, ARM TrustZone, ... Many options.None is totally great. ☹
    • evangelization One big challenge we are facing is of both app users and app developers on the subject of mobile security.
    • Thank you! Petr Dvořák Partner & Mobile Strategy Consultant petr@inmite.eu finance.inmite.eu