Deploying your high-value mobile app to untrusted environments such as consumer mobile devices can be a risky proposition. Are some of your customers’ devices compromised? Do your users also download apps from untrusted sources? Is there malware residing on their devices that targets apps such as yours?
Even if you write secure code, assess the app’s security posture and remediate every vulnerability you find, that is not quite enough in today’s mobile threat landscape. Safeguarding mobile apps at runtime, and enabling them to protect themselves in hostile environments, is becoming a necessity in the face of ever-evolving mobile attack tactics and techniques.
During this webinar, we will:
Discuss today’s mobile app threat landscape
Explain how changing distribution models (e.g., Fortnite for Android) affect your app’s security
Illustrate the potential financial impact of mobile threats on a business’s bottom line
Demonstrate mobile overlay and other attacks
Reveal how mobile apps can protect themselves against these attacks with app shielding and runtime protection
3. #1: MOBILE FRAUD IN GENERAL IS INCREASING
71% of fraud transactions came from mobile apps and browsers in Q2 2018 (up 9% over Q1 and up 16% year over year)
Source: https://www.rsa.com/en-us/offers/rsa-fraud-report-q218
8. ATTACKERS FOCUS ON THE MONEY & SHIFT W/ CONSUMERS
2B mobile banking users forecasted for 2018
200M estimated increase in mobile users over 2017
50% of the global banked population are mobile banking users
Source: Futureproofing Digital Banking 2018, by Juniper Research, published March 2018
9. …AND IT’S NOT JUST BANKING
$86B spent in app stores in 2017
2X growth in two years
Source: https://www.appannie.com/en/insights/market-data/app-annie-2017-retrospective/#download
10. MOBILE APP COMPETITION IS FIERCE
>3.1M apps on the Google Play Store
>1.9M apps on the Apple App Store
Priority becomes differentiating (adding/improving functionality) more quickly…
18. OWASP MOBILE APP SECURITY VERIFICATION STANDARD (MASVS)
“The MASVS is a community effort to establish a framework of security requirements needed to design, develop and test secure mobile apps on iOS and Android.”
Differing levels of security based on the app in question:
L1: Baseline for mobile app security
L2: Defense-in-depth measures for more sensitive apps
R: Protection against client-side attacks (reverse engineering and tampering)
Source: https://github.com/OWASP/owasp-masvs/releases/download/1.0/OWASP_Mobile_AppSec_Verification_Standard_v1.0.pdf
19. WHAT LEVEL OF SECURITY DOES YOUR APP NEED?
It all starts with answering questions including but not limited to:
• Can attackers monetize data handled by your app?
• Is data handled by your app regulated?
• Does your app handle financial transactions?
• Are there motivated adversaries interested in your source code?
Verification levels and examples:
MASVS-L1: Basic security for any mobile app that doesn’t qualify for any of the higher levels
MASVS-L2:
• Fitness/Health Care: PII, PHI, regulations (HIPAA, etc.)
• Financial: PII, payment card info, regulations (PCI DSS, FFIEC, etc.)
MASVS-L1+R:
• Gaming: prevent cheating/modification
• IP needs protection
MASVS-L2+R:
• Financial: L2 requirements plus resilience against tampering and malware
• Apps that store data on device, but support a wide range of devices and OS versions
20. WHAT MAKES A MOBILE APP SECURE? INTERNAL PERSPECTIVE
Fewest vulnerabilities possible:
• Strong authentication mechanism
• Connect over HTTPS only
• Proper verification of the server certificate (chain validation plus hostname check; no trust-all TrustManager and no permissive HostnameVerifier)
• Sensitive data stored securely on device (platform keystore/keychain rather than plaintext files or preferences)
• Use of strong cryptography (e.g., an authenticated mode such as AES-GCM rather than ECB; SHA-256 rather than SHA-1 or MD5)
How can this be achieved?
• Including security & approved methods in product requirements
• Secure code training for developers
• Automated security testing throughout the SDLC
• Penetration testing prior to release
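An added example in plain Java, not code from the webinar (it runs on a desktop JVM; the same classes exist on Android). It puts the classic mistake, a trust-all TrustManager, beside a hardened one that keeps the platform's chain validation and additionally pins the server's public key (base64 SHA-256 of the SubjectPublicKeyInfo), and it shows concretely why ECB is on the "not" list: two equal plaintext blocks give two equal ciphertext blocks, whereas AES-GCM with a fresh random nonce does not. The host name, the pin value and the all-zero key are constructed placeholders.

```java
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.*;
import javax.crypto.*;
import javax.crypto.spec.*;
import javax.net.ssl.*;

/** Added example, not the webinar's code: server certificate checks and cipher mode choice. */
public final class MobileTlsAndCrypto {

    /** ANTI-PATTERN, kept only for contrast: accepts any certificate, so any MITM proxy wins. */
    static final X509TrustManager TRUST_ALL = new X509TrustManager() {
        public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        public void checkServerTrusted(X509Certificate[] chain, String authType) { }
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    };

    /** Hardened: platform chain validation first, then a pin on the leaf's SubjectPublicKeyInfo. */
    static X509TrustManager pinningTrustManager(Set<String> spkiPinsBase64) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);                        // null = the system trust store
        X509TrustManager platform = null;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) { platform = (X509TrustManager) tm; break; }
        }
        final X509TrustManager delegate = platform;
        return new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType)
                    throws CertificateException { delegate.checkClientTrusted(chain, authType); }
            public void checkServerTrusted(X509Certificate[] chain, String authType)
                    throws CertificateException {
                delegate.checkServerTrusted(chain, authType);    // trust anchor, validity, chain
                if (!spkiPinsBase64.contains(spkiPin(chain[0]))) {
                    throw new CertificateException("server public key does not match any pin");
                }
            }
            public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
        };
    }

    /** base64(SHA-256(DER SubjectPublicKeyInfo)), the pin format used by HPKP and OkHttp. */
    static String spkiPin(X509Certificate cert) throws CertificateException {
        try {
            byte[] spki = cert.getPublicKey().getEncoded();
            return Base64.getEncoder().encodeToString(MessageDigest.getInstance("SHA-256").digest(spki));
        } catch (Exception e) {
            throw new CertificateException(e);
        }
    }

    static HttpsURLConnection openPinned(String url, X509TrustManager tm) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(null, new TrustManager[] { tm }, new SecureRandom());
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // Keep the default HostnameVerifier. The other classic mistake is
        // conn.setHostnameVerifier((host, session) -> true);
        return conn;
    }

    /** Why "NOT ECB": equal plaintext blocks give equal ciphertext blocks. Returns true. */
    static boolean ecbRevealsRepeatedBlocks(SecretKey key) throws Exception {
        byte[] twoEqualBlocks = new byte[32];             // two all-zero 16-byte blocks
        Cipher ecb = Cipher.getInstance("AES/ECB/NoPadding");
        ecb.init(Cipher.ENCRYPT_MODE, key);
        byte[] ct = ecb.doFinal(twoEqualBlocks);
        return Arrays.equals(Arrays.copyOfRange(ct, 0, 16), Arrays.copyOfRange(ct, 16, 32));
    }

    /** Authenticated encryption with a fresh random nonce; output is nonce || ciphertext || tag. */
    static byte[] encryptGcm(SecretKey key, byte[] plaintext) throws Exception {
        byte[] nonce = new byte[12];
        new SecureRandom().nextBytes(nonce);              // never reuse a nonce under the same key
        Cipher gcm = Cipher.getInstance("AES/GCM/NoPadding");
        gcm.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, nonce));
        byte[] ct = gcm.doFinal(plaintext);
        byte[] out = new byte[nonce.length + ct.length];
        System.arraycopy(nonce, 0, out, 0, nonce.length);
        System.arraycopy(ct, 0, out, nonce.length, ct.length);
        return out;
    }

    public static void main(String[] args) throws Exception {
        SecretKey demoKey = new SecretKeySpec(new byte[16], "AES");   // constructed demo key only
        System.out.println("ECB reveals repeated blocks: " + ecbRevealsRepeatedBlocks(demoKey));
        byte[] c1 = encryptGcm(demoKey, "same message".getBytes(StandardCharsets.UTF_8));
        byte[] c2 = encryptGcm(demoKey, "same message".getBytes(StandardCharsets.UTF_8));
        System.out.println("GCM ciphertexts of equal messages differ: " + !Arrays.equals(c1, c2));
        // Placeholder host and pin: a real handshake would fail the pin check, which is the intent.
        HttpsURLConnection conn = openPinned("https://api.example.com/",
                pinningTrustManager(Collections.singleton("REPLACE_WITH_BASE64_SPKI_SHA256=")));
        System.out.println("pinned connection prepared for " + conn.getURL().getHost());
    }
}
```

Pinning the public key rather than the whole certificate lets the server renew its certificate under the same key without breaking clients; ship at least one backup pin so a key rotation does not lock users out, and pair any pin with the platform validation above rather than replacing it.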
21. WHAT MAKES A MOBILE APP SECURE? EXTERNAL PERSPECTIVE
Hardened against external threats:
• Fortified against reverse engineering
• Resistant to runtime tampering (debuggers, hooking frameworks, modified libraries)
• Resistant to repackaging (a modified, re-signed APK/IPA distributed outside the official store)
• Can defend against client-side attacks:
  • Overlay attacks (a malicious window drawn over the app’s UI to capture input or hijack taps)
  • Rogue keyboards (third-party keyboards that record what the user types)
How can this be achieved?
Mobile app shielding and runtime protection, also called mobile runtime application self-protection (RASP)
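An added Android example, not code from the webinar or from any shielding product, of two self-protection checks an app can make on its own against attacks named on this slide: rejecting touches that arrive while another window obscures a sensitive button (the overlay case), and refusing to run when the APK's signing certificate is not the release certificate, which is what a repackaged, re-signed app ends up with. It assumes API 28+ (for SigningInfo); the signer hash, activity name and transfer action are placeholders.

```java
// Added example, not the webinar's code. Requires Android API 28+.
import android.app.Activity;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Bundle;
import android.util.Log;
import android.view.MotionEvent;
import android.widget.Button;
import java.security.MessageDigest;

public class ConfirmTransferActivity extends Activity {
    private static final String TAG = "ConfirmTransfer";

    // Constructed placeholder: hex SHA-256 of the release signing certificate.
    // Obtain the real value with: apksigner verify --print-certs app-release.apk
    private static final String EXPECTED_SIGNER_SHA256 =
            "0000000000000000000000000000000000000000000000000000000000000000";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        if (!signedByReleaseKey()) {
            // Re-signed APK: it has been repackaged (or is a debug build). Refuse to run.
            Log.w(TAG, "signing certificate mismatch, refusing to start");
            finish();
            return;
        }
        Button confirm = new Button(this);
        confirm.setText("Confirm transfer");
        // Overlay defence 1: the framework discards touches delivered while another
        // window (e.g. a malicious SYSTEM_ALERT_WINDOW overlay) covers this view.
        confirm.setFilterTouchesWhenObscured(true);
        confirm.setOnClickListener(v -> performTransfer());
        setContentView(confirm);
    }

    @Override
    public boolean dispatchTouchEvent(MotionEvent ev) {
        // Overlay defence 2: inspect the flag for every touch in this Activity, so the
        // check also covers views added later and the attempt can be recorded.
        if ((ev.getFlags() & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0) {
            Log.w(TAG, "touch received while window obscured; dropping it");
            finish();          // abandon the sensitive screen rather than guess
            return true;       // consume the event so nothing underneath sees it
        }
        return super.dispatchTouchEvent(ev);
    }

    /** Repackaging defence: compare the APK signer certificate with the expected one. */
    private boolean signedByReleaseKey() {
        try {
            PackageInfo info = getPackageManager().getPackageInfo(
                    getPackageName(), PackageManager.GET_SIGNING_CERTIFICATES);
            if (info.signingInfo == null || info.signingInfo.hasMultipleSigners()) {
                return false;
            }
            Signature[] signers = info.signingInfo.getApkContentsSigners();
            byte[] digest = MessageDigest.getInstance("SHA-256")
                    .digest(signers[0].toByteArray());   // DER-encoded X.509 certificate
            return toHex(digest).equals(EXPECTED_SIGNER_SHA256);
        } catch (Exception e) {
            return false;      // any failure counts as "not trusted"
        }
    }

    private static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    private void performTransfer() {
        // Hypothetical placeholder for the sensitive action this screen protects.
        Log.i(TAG, "transfer confirmed");
    }
}
```

Two caveats a practitioner should keep in mind. FLAG_WINDOW_IS_OBSCURED is only set when the touched window is fully covered; API 29 adds FLAG_WINDOW_IS_PARTIALLY_OBSCURED for partial overlays. And checks like these live in the app's own code, so the same repackaging or runtime tampering they detect can also patch them out; that is precisely why the slide's answer is a shielding/RASP layer whose job is to make such checks hard to locate and remove.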