5 Key Ways to Incorporate Security Protection into your Organization’s Mobile Application Development Lifecycle

Take a deep-dive into the benefits of incorporating improved security protection into your organization’s mobile application development lifecycle, from testing phase to run-time.

In this on-demand webinar, you’ll learn how to:

- Better identify application integrity risks (vulnerable portions of your apps that could serve as attractive attack targets to hackers, even after you’ve adhered to safe-coding practices), and bolster your overall level of mobile security protection.

- Deploy protection tools—based on AppScan-aided risk assessment technology and supplemented by manual analysis—to design and implement “defend”, “detect”, and “react” protections inside your applications, without modifying their source code.

- Augment your code-testing with proactive protections inside your mobile applications, by learning more about IBM’s and Arxan’s partnered solutions.

View the full on-demand webcast: http://securityintelligence.com/events/incorporating-security-protection-organizations-mobile-application-development-lifecycle/#.VYxU1_lVhBf



  1. © 2014 IBM Corporation, IBM Security Systems. 5 Key Ways to Incorporate Security Protection into your Organization’s Mobile Application Development Lifecycle
  2. Agenda: Mobile Application Security Landscape; Mobile Risks and Attack Vectors; Incorporating Protection Into Your Mobile Application Development Lifecycle
  3. Threats are Increasing – Old and New Targets. Mobile devices and apps that we rely on are under attack.
     - Mobile malware increasing: malicious code infects more than 11.6 million mobile devices at any given time (Source: InfoSec, "Mobile Malware Infects Millions; LTE Spurs Growth," January 2014).
     - Mobile devices targeted: 90% of top mobile apps have been hacked (Source: Arxan Technologies, “App Economy under Attack: Report Reveals More than 90 Percent of the Top 100 Mobile Apps Have Been Hacked”).
     - Web application vulnerabilities: XSS and SQL injection exploits continue in high numbers; 33% of vulnerability disclosures are web application vulnerabilities (Source: IBM X-Force Threat Intelligence Quarterly, 1Q 2014).
  4. Mobile Malware Growth’s Logarithmic (chart slide)
  5. Mobile Apps Under Attack
     - “78 percent of top 100 paid Android and iOS Apps are available as hacked versions on third-party sites” (“State of Security in the App Economy”, Arxan, 2013)
     - “Chinese App Store Offers Pirated iOS Apps Without the Need to Jailbreak” (Extreme Tech, 2013)
     - “86% of Mobile Malware is legit apps repackaged with malicious payloads” (NC State University, 2012)
  6. Mobile Risks and Attack Vectors
  7. User vs. Enterprise Risk
     User risks:
     - Threat from malware: trojans and spyware
     - Phishing
     - Fake Android marketplaces: malware bundled with apps
     - Unauthorized use of: contact DB, email, SMS (text messages), phone (placing calls), GPS (public location), data on device
     Enterprise risks:
     - Data leakage: malware attacks; account information on mobile devices
     - Cracking mobile apps: easy access to applications; reverse engineering
     - Little to no app control: BYOD; consumer devices
     Related OWASP Mobile Top 10 Risks (RC 2014 V1): #2 Insecure Data Storage, #4 Unintended Data Leakage, #10 Lack of Binary Protections
  8. App Confidentiality and Integrity Risks
     Integrity risk (code modification or code injection vulnerabilities):
     - Application binaries can be modified
     - Run-time behavior of applications can be altered
     - Malicious code can be injected into applications
     Confidentiality risk (reverse engineering or code analysis vulnerabilities):
     - Sensitive information can be exposed
     - Applications can be reverse-engineered back to the source code
     - Code can be lifted and reused or repackaged
  9. Lots of Ways to Hack an App
  10. “Tools of the Trade” for Mobile Pen-Testers or Black Hats (category: example tools)
     - App decryption / unpacking / conversion: Clutch; APKTool; dex2jar
     - Static binary analysis, disassembly, decompilation: IDA Pro & Hex-Rays (disassembler/decompiler); Hopper (disassembler/decompiler); JD-GUI (decompiler); Baksmali (disassembler); info dumping with class-dump-z (classes), nm (symbols), strings
     - Runtime binary analysis: GDB (debugger); ADB (Android Debug Bridge); Introspy (tracer/analyzer); Snoop-It (debugging/tracing, manipulation); Sogeti tools (dump keychain or filesystem, custom ramdisk boot, PIN brute force)
     - Runtime manipulation, code injection, method swizzling, patching: Cydia Substrate (code modification platform: MobileHooker, MobileLoader); Cycript / Cynject; DYLD (library injection via DYLD_INSERT_LIBRARIES); Theos suite; hex editors
     - Jailbreak detection evasion: xCon; BreakThrough; tsProtector
     - Integrated pen-test toolsets: AppUse (custom "hostile" Android ROM loaded with hooks, ReFrameworker runtime manipulator, reversing tools); Snoop-It (iOS monitoring, dynamic binary analysis, manipulation); iAnalyzer (iOS app decrypting, static/dynamic binary analysis, tampering)
  11. Real Life Android Vulnerabilities
     - Android Java APK reverse engineering: hackers can easily reverse engineer binary code (the executable) back to source code, leaving it primed for code tampering (Video 1)
     - Baksmali code modification: hackers can easily crack open and disassemble (Baksmali) mobile code (Video 2)
  12. Incorporating Protection Into Your Mobile Application Development Lifecycle
  13. Build and Keep It Secure
     Build It Secure:
     - Application development: IBM Worklight (build and manage mobile apps)
     - Vulnerability analysis & testing: IBM Security AppScan (identifies vulnerabilities)
     Keep It Secure:
     - Application protection, release & deployment: Arxan Application Protection for IBM Solutions (defends, detects & reacts)
     Result: a secure and protected application, free of critical flaws and vulnerabilities, that protects itself against attacks.
     - Mobile application security risk is real and impacts users and the enterprise
     - Don’t procrastinate – be proactive!
  14. OWASP Mobile Top 10 Risks. Source: https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks
  15. AppScan Vulnerability Analysis
  16. Experts Recommend Protecting Binary Code: consultants, analysts and the OWASP Mobile Top 10 Risks all say “Protect Your Binary”
  17. Risks Identified with the New AppScan Rules. New custom rules for AppScan identify key OWASP M10 issues:
     1. Repackaging
     2. Swizzle with behavioral change
     3. Security control bypass
     4. Automated jailbreak breaking
     5. Exposed method signatures
     6. Exposed data symbols
     7. Exposed string tables
     8. Cryptographic key interception
     9. Presentation layer modification
     10. Application decryption
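Issues 5 to 7 in that list (exposed method signatures, data symbols and string tables) are exactly what an attacker's first `strings`, `nm` or `class-dump-z` pass over an unprotected binary recovers. The following is an added example written for this page; it is not one of the AppScan custom rules and not Arxan code. It implements a minimal strings-style scan over a constructed byte blob standing in for a section of an app binary, and flags printable runs that match a hypothetical indicator list. The function names, the indicator list and the sample bytes are all assumptions made for illustration.

```c
/* Added example (not from the IBM/Arxan deck): a minimal "strings"-style
 * scan showing what an unprotected binary hands an attacker. The sample
 * "binary" below is a constructed byte blob, not a real app. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stddef.h>

#define MIN_RUN 4   /* same default minimum length as GNU strings */

/* Callback invoked for each printable run found in the buffer. */
typedef void (*string_cb)(const char *s, size_t len, void *ctx);

/* Walk the buffer and report every run of >= MIN_RUN printable bytes.
 * Returns the number of runs found (this is what `strings` would print). */
static size_t extract_strings(const unsigned char *buf, size_t n,
                              string_cb cb, void *ctx)
{
    size_t count = 0, start = 0;
    int in_run = 0;
    for (size_t i = 0; i <= n; i++) {
        int printable = (i < n) && isprint(buf[i]);
        if (printable && !in_run) {
            in_run = 1;
            start = i;
        } else if (!printable && in_run) {
            in_run = 0;
            if (i - start >= MIN_RUN) {
                count++;
                if (cb) cb((const char *)buf + start, i - start, ctx);
            }
        }
    }
    return count;
}

/* Hypothetical indicator list: substrings that usually mean an endpoint,
 * a credential name, key material or a security control is in clear text. */
static const char *const INDICATORS[] = {
    "http://", "https://", "password", "secret", "api_key",
    "BEGIN RSA", "BEGIN PRIVATE", "isJailbroken", NULL
};

struct scan_result { size_t total; size_t suspicious; };

/* Count every run, and print the ones matching an indicator. */
static void classify(const char *s, size_t len, void *ctx)
{
    struct scan_result *r = ctx;
    char tmp[256];
    if (len >= sizeof tmp) len = sizeof tmp - 1;
    memcpy(tmp, s, len);
    tmp[len] = '\0';
    r->total++;
    for (const char *const *p = INDICATORS; *p; p++) {
        if (strstr(tmp, *p)) {
            r->suspicious++;
            printf("  [!] %s\n", tmp);
            return;
        }
    }
}

/* Number of printable runs in the buffer, as `strings` would list them. */
size_t count_all_strings(const unsigned char *buf, size_t n)
{
    return extract_strings(buf, n, NULL, NULL);
}

/* Number of printable runs that match an indicator (exposed-string findings). */
size_t count_exposed_strings(const unsigned char *buf, size_t n)
{
    struct scan_result r = {0, 0};
    extract_strings(buf, n, classify, &r);
    return r.suspicious;
}

/* Constructed sample: an ELF-ish header, an API endpoint, an Objective-C
 * method symbol, a clear-text key and an innocent UI string. */
const unsigned char SAMPLE_BIN[] =
    "\x7f" "ELF" "\x02\x01\x01\x00\x00\x00"
    "https://api.example.test/v1/login" "\x00\x00"
    "-[SecurityManager isJailbroken]" "\x00"
    "api_key=k0000example" "\x00\x00\x00"
    "ab" "\x00"                          /* too short to be reported */
    "Welcome back" "\x00";

int main(void)
{
    size_t n = sizeof SAMPLE_BIN;
    printf("printable runs: %zu\n", count_all_strings(SAMPLE_BIN, n));
    printf("exposed strings:\n");
    printf("flagged: %zu\n", count_exposed_strings(SAMPLE_BIN, n));
    return 0;
}
```

Run against the constructed blob, four printable runs come back and three are flagged: the login endpoint, the `isJailbroken` selector (which also tells the attacker which method to swizzle to defeat the check) and the key. This is the view the "metadata removal" and "encryption" guards on the next slide are meant to take away.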
  18. A Number of Guards Can Be Leveraged
     - Defend against compromise: advanced obfuscation; encryption; pre-damage; metadata removal
     - Detect attacks at run-time: checksum; debugger detection; resource verification; resource encryption; jailbreak/root detection; swizzling detection; hook detection
     - React to ward off attacks: shut down (exit, fail); self-repair; custom reactions; alert / phone home
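The "detect" and "react" rows above are the ones a developer can reason about directly. What follows is an added example written for this page, not Arxan's Guard implementation and not code from the deck: a plain-C resource verification guard (a checksum over an embedded, constructed config blob compared with a baseline), the TracerPid debugger check used on Linux/Android, and a pluggable reaction that defaults to failing closed. The names (guard_*, react_*, APP_CONFIG), the config contents and the choice of FNV-1a are assumptions for illustration; Arxan's Guards are injected into the built binary rather than written in source like this.

```c
/* Added example (not Arxan's Guard code): a minimal "detect" + "react"
 * pair of the kind listed on the slide, in plain C so it could live in an
 * Android NDK library or the C layer of an iOS app. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* FNV-1a 32-bit: cheap, and enough to notice a byte flipped in a resource.
 * It is not a MAC: an attacker who can patch the resource can also patch
 * the baseline, which is why real guard networks randomise guards per
 * build and have them check each other. */
uint32_t fnv1a32(const unsigned char *p, size_t n)
{
    uint32_t h = 0x811c9dc5u;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 0x01000193u;
    }
    return h;
}

/* Constructed "resource": a bundled config of the kind an attacker edits
 * after Baksmali/apktool to flip a paywall or turn off a check. */
unsigned char APP_CONFIG[] = "premium=0;pin_required=1;api=https://api.example.test";

/* Baseline: a build step would embed this constant; here it is captured
 * once at start-up so the example is self-contained. */
static uint32_t baseline = 0;
void guard_init(void)
{
    baseline = fnv1a32(APP_CONFIG, sizeof APP_CONFIG);
}

/* Resource verification guard: 1 if the resource still matches the baseline. */
int guard_resource_ok(void)
{
    return fnv1a32(APP_CONFIG, sizeof APP_CONFIG) == baseline;
}

/* Debugger detection guard (Linux/Android): TracerPid in /proc/self/status
 * is non-zero while gdb, lldb-server, strace or a ptrace-based injector is
 * attached. iOS would use sysctl(KERN_PROC) and the P_TRACED flag instead.
 * Fails open if /proc is unavailable so an unusual platform does not lock
 * legitimate users out. */
int guard_debugger_present(void)
{
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return 0;
    char line[256];
    int traced = 0;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "TracerPid:", 10) == 0) {
            traced = atoi(line + 10) != 0;
            break;
        }
    }
    fclose(f);
    return traced;
}

/* React: the slide's "custom reactions" -- the caller chooses what happens. */
typedef void (*react_fn)(const char *reason);

/* Default reaction: fail closed (the slide's "shut down"). */
static void react_exit(const char *reason)
{
    fprintf(stderr, "integrity violation: %s\n", reason);
    exit(1);
}

/* Alternative reaction for "alert / phone home" style handling: just count.
 * A real app would report the event to its backend before deciding. */
int guard_violations = 0;
void react_count(const char *reason)
{
    (void)reason;
    guard_violations++;
}

/* Run the detect guards; returns 0 when clean, 1 when a reaction fired. */
int guard_check(react_fn react)
{
    if (!react) react = react_exit;
    if (!guard_resource_ok()) { react("resource checksum mismatch"); return 1; }
    if (guard_debugger_present()) { react("debugger attached"); return 1; }
    return 0;
}

int main(void)
{
    guard_init();
    printf("clean run: %s\n", guard_check(react_count) ? "blocked" : "ok");
    APP_CONFIG[8] = '1';   /* simulate a patched resource: premium=0 -> premium=1 */
    printf("after tamper: %s (%d violation(s))\n",
           guard_check(react_count) ? "blocked" : "ok", guard_violations);
    return 0;
}
```

Two practitioner notes. First, a single checksum guard is trivially patched out once found, so it only earns its keep inside a network of guards that verify each other and are re-randomised per build, which is the property the next slides sell. Second, decide the reaction per guard: a debugger check that hard-exits will also fire on your own QA engineers, so "alert / phone home" is often the right default there, while a modified resource can reasonably fail closed.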
  19. AppScan / Arxan Integration
  20. Arxan® + IBM AppScan® Solution Components
     1. Technical guide: how to integrate IBM Security AppScan® and Arxan into the SDLC to use them in conjunction. Benefit: control the full scope of risks and build in security from testing to run-time protection.
     2. Augmented IBM Security AppScan® rules: custom scan configuration for AppScan to better identify app integrity risks. Benefit: informs the protections required against app integrity attacks that can compromise even ‘flawless’ code.
     3. Usage of Arxan protection tools: informs creation of the Arxan GuardSpec based on the AppScan-aided integrity risk assessment, supplemented by manual analysis. Benefit: design and implement "defend", "detect" and "react" app integrity protections inside your app, without modifying its source code.
     4. Tested and validated: demonstration with a sample app. Benefit: helps ensure interoperability and support.
  21. Why Arxan?
     - ‘Gold standard’ protection strength: multi-layer Guard network; static & run-time Guards
     - Customizable to your application; automated randomization for each build
     - No disruption to SDLC or source code, with unique binary-based Guard injection
     - Cross-platform support: more than 7 mobile platforms alone
     - Proven: protected apps deployed on over 300 million devices; hundreds of satisfied customers across the Fortune 500
     - Unique IP ownership: 10+ patents
     - Integrated with other IBM security and mobility solutions
  22. Additional Resources
     - How to Protect Worklight Apps with Arxan from IBM. Date: Thursday, September 4. Time: 11 AM EDT / 4 PM GMT. Register: http://www.arxan.com/resources/arxan-and-ibm-app-protection-webinars/
     - Arxan/IBM White Paper: Securing Mobile Apps in the Wild. http://www.arxan.com/securing-mobile-apps-in-the-wild-with-app-hardening-and-run-time-protection/
  23. Additional Resources. Contact your IBM representative or email us at IBM@Arxan.com for more information. Webinar participants are eligible for a free evaluation of Arxan Application Protection Software, now offered as part of IBM’s Security Portfolio.
  24. Thank You! Tom Mulvehill, IBM Product Management, tom.mulvehill@us.ibm.com; Will Frontiero, IBM Software Engineering, wfronti@us.ibm.com; Jonathan Carter, Arxan Technical Director, jcarter@arxan.com
