Deploying your high-value mobile app to untrusted environments such as consumer mobile devices can be a risky proposition. Are some of your customers’ devices compromised? Do your users also download apps from untrusted sources? Is there malware residing on their devices that target apps such as yours? Despite your best efforts to code secure apps, assess their security posture, and remediate any identified vulnerabilities – it’s not quite enough in today’s mobile threat landscape. Safeguarding mobile apps during runtime and empowering them to protect themselves in hostile environments is becoming a necessity in the face of ever-evolving mobile attack tactics and techniques. During this webinar, we will: Discuss today’s mobile app threat landscape Explain how changing distribution models (e.g., Fortnite for Android) affect your app’s security Illustrate the potential financial impact of mobile threats on a business’s bottom line Demonstrate mobile overlay and other attacks Reveal how mobile apps can protect themselves against these attacks with app shielding and runtime protection

1. MOBILE THREATS & TRENDS CHANGING
MOBILE APP SECURITY
September 18, 2018

2. RECENT TRENDS
© 2018 OneSpan North America Inc. 2

3. #1: MOBILE FRAUD IN GENERAL IS INCREASING
of fraud transactions
came from mobile apps &
browsers in Q2 2018
(↑ 9% over Q1 & ↑ 16%YOY)
71%
https://www.rsa.com/en-us/offers/rsa-fraud-report-q218

4. #2 REPACKAGED OR FORGED/ROGUE MOBILE APPS ON THE RISE
>9K rogue apps in Q2 2018
• >25% of fraud in Q2 2018
• 13% increase over Q1 2018
Repackaging attacks
1. Attacker downloads app from
official stores
2. Reverse-engineers the app
3. Adds malicious functionality
4. Distributes tainted copy to
unsuspecting users
© 2018 OneSpan North America Inc. 4
https://www.rsa.com/en-us/offers/rsa-fraud-report-q218

5. #3: MOBILE BANKING TROJANS & OVERLAY ATTACKS ESCALATING
3.2Xmore mobile
banking Trojan
installation packages
in Q2 2018 over Q1
https://securelist.com/it-threat-evolution-q2-2018-statistics/87170/

6. #4: NON-TRADITIONAL DISTRIBUTION MODELS (“SIDELOADING”)
© 2018 OneSpan North America Inc. 6
https://www.kaspersky.com/blog/fortnite-security/23685/
• Users essentially have to compromise their device’s security
• Devices that download apps from sources other than Google
Play are 9X more likely to download malware
• 15 million downloads & 23 million players (21 days after beta)
• Fortnite was vulnerable to “man-in-the-disk attacks”

7. WHY ARE MOBILE THREATS ON THE RISE?

8. ATTACKERS FOCUS ON THE MONEY & SHIFT W/ CONSUMERS
2B
Mobile banking users
forecasted for 2018
200M
Estimated increase in
mobile users over 2017
50%Of global banked
population are mobile
banking users
Futureproofing Digital Banking 2018,by Juniper Research published March 2018

9. …AND IT’S NOT JUST BANKING
$86Bspent in app stores in 2017
2Xgrowth in two years
https://www.appannie.com/en/insights/market-data/app-annie-2017-retrospective/#download

10. MOBILE APP COMPETITION IS FIERCE
>3.1MApps on the
Google Play Store
>1.9MApps on the
Apple App Store
Priority becomes differentiating (adding/improving functionality) more quickly…

11. MOBILE APP DEVELOPMENT AND SECURITY CHALLENGES
• Balancing revenue-generating/retaining activities (e.g., new features) with security
• Lack of security expertise
• Mobile threats constantly evolve
© 2018 OneSpan North America Inc.
11
of developers know it’s
important but say they
don’t have enough time
to spend on security48% https://info.signalsciences.com/devsecops-community-survey-2018

12. DIVING DEEPER INTO MOBILE APP ATTACKS
© 2018 OneSpan North America Inc. 12

13. MOBILE MALWARE DELIVERY EXAMPLE
© 2018 OneSpan North America Inc. 13

14. OVERLAY ATTACK
EXPLAINED
© 2018 OneSpan North America Inc.14
Example of legitimate screen Example of malicious overlay screen

15. CODE INJECTION ATTACK EXPLAINED
• ~3 min
© 2018 OneSpan North America Inc. 15
Bad Guy
1
2
3
4

16. WHAT IS DUE CARE WHEN IT COMES
TO MOBILE APP SECURITY?
© 2018 OneSpan North America Inc. 16

17. YOU CAN’T COUNT ON THE PLATFORMS ALONE FOR SECURITY
• Apple/Google constantly working to
improve the situation
• Security is a journey, not a destination
• Known/unknown vulnerabilities in the OS &
resulting periods of exposure
• Incentives for Android/iOS vulnerabilities
• Bad apps still make it onto the stores
• APIs must be implemented correctly
• Defense-in-depth requires going beyond
what’s offered by Android and iOS
© 2018 OneSpan North America Inc. 17

18. 18
Differing levels of security based on the app in question
L1: Baseline for mobile app security
L2: Defense-in-depth measures for more sensitive apps
R: Protection against client-side attacks (reverse-engineering)
OWASP MOBILE APP SECURITYVERIFICATION STANDARD (MASVS)
“The MASVS is a community effort to establish a framework of security requirements
needed to design, develop and test secure mobile apps on iOS and Android.
https://github.com/OWASP/owasp-masvs/releases/download/1.0/OWASP_Mobile_AppSec_Verification_Standard_v1.0.pdf

19. 19
It all starts with answering questions including but not limited to:
• Can attackers monetize data handled by your app?
• Is data handled by your app regulated?
• Does your app handle financial transactions?
• Are there motivated adversaries interested in your source code?
WHAT LEVEL OF SECURITY DOESYOUR APP NEED?
Verification Level Examples
MASVS-L1 Basic security for any mobile app that doesn’t qualify for any of the higher levels
MASVS-L2
• Fitness/Health Care: PII, PHI, regulations (HIPAA, etc.)
• Financial: PII, payment card info, regulations (PCI DSS, FFIEC, etc.)
MASVS-L1+R
• Gaming: prevent cheating/modification
• IP needs protection
MASVS-L2+R
• Financial: L2 requirements plus resilience against tampering and malware
• Apps that store data on device, but support a wide range of devices and OS versions
?

20. Fewest vulnerabilities possible
• Strong authentication mechanism
• Connect over HTTPS
• Proper verification of the certificate of the server
• Sensitive data stored securely on device
• Use of strong cryptography (e.g., NOT ECB mode, SHA1, MD5, etc.)
How can this be achieved?
• Including security & approved methods in product requirements
• Secure code training for developers
• Automated security testing throughout the SDLC
• Penetration testing prior to release
WHAT MAKES A MOBILE APP SECURE?
INTERNAL PERSPECTIVE

21. Hardened against external threats
• Fortified against reverse engineering
• Resistant to runtime tampering
• Resistant to repackaging
• Can defend against client-side attacks
• Overlay attacks
• Rogue keyboards
How can this be achieved?
Mobile app shielding and runtime protection
—also called mobile runtime application self protection or (RASP)
WHAT MAKES A MOBILE APP SECURE
EXTERNAL PERSPECTIVE

22. SUMMARY
22

23. KEY TAKEAWAYS
© 2018 OneSpan North America Inc. 23
MOBILETHREATS
ARE INCREASING
INTHE WILD
DEPENDING ONTHE
PLATFORMS ALONE WILL
LEAVEYOU EXPOSED
PROTECTINGYOUR APP IN
UNTRUSTED ENVIRONMENTS
IS ESSENTIAL
1 2 3

24. A KEY SOLUTION WITHIN A COMPLETE APP SECURITY PORTFOLIO
© 2018 OneSpan North America Inc. 24
APP SHIELDING AND
RUNTIME PROTECTION
JAILBREAK AND
ROOT DETECTION
DEVICE IDENTIFICATION
DEVICE BINDING
SECURE STORAGE
SECURE CHANNEL
PUSH NOTIFICATION
QR CODE SUPPORT
GEOLOCATION
BEHAVIORAL BIOMETRICS
AUTHENTICATION
FACE AUTHENTICATION
FINGERPRINT
AUTHENTICATION
RISK-BASED
AUTHENTICATION
CRONTO
AUTHENTICATION
TRANSACTION SIGNING
E-SIGNATURES
®

25. MOBILE APP SHIELDING & RUNTIME PROTECTION
1 2 3
SHIELD IT TEST IT TRUST IT
SEE FORYOURSELF RUNTIME ATTACK DEFENSEEASY INTEGRATION

26. Q&A