Mobile Payments: Protecting Apps and Data from Emerging Risks

© 2013 IBM Corporation
Arxan, IBM & FS-ISAC Present:
Mobile Payments: Protecting Apps and Data from
Emerging Risks
Tom Mulvehill, Mobile Security Strategy, IBM
Winston Bond, Technical Manager, Arxan Technologies

© 2015 IBM Corporation2
IBM Security Systems
Agenda
• Mobile App and Payment Landscape
• How Criminals Can Attack Your App
• Comprehensive Protection Techniques
• Q&A

Mobile App and Payment Landscape

Mobile Banking Services Can be a Competitive Advantage
Mobile banking is the
most important deciding
factor when switching
banks (32%)
More important than fees
(24%) or branch location (21%)
or services (21%)… a survey
of mobile banking customers in
the U.S. 1
Mobile banking channel
development is the #1
technology priority of
N.A. retail banks (2013)
#1 Channel
The mobile payments
market will eventually
eclipse $1 trillion by 2017
$1tn
43%
of 18-20 year olds
have used a
mobile banking
app in the past
12 months
29%
Cash-based retail
payments in the U.S. have
fallen from 36% in 2002 to
29% in 2012
$
Of customers won't
mobile bank because of
security fears
19%
90%Of mobile banking
app users use the
app to check
account balances
or recent
transactions

However, as mobile grows, so do security threats
“With the growing penetration of mobile devices in the enterprise, security testing
and protection of mobile applications and data become mandatory.”
Gartner
“Enterprise mobility… new systems of engagement. These new systems help
firms empower their customers, partners, and employees with context-aware
apps and smart products.”
Forrester
Arxan
Top mobile devices and apps hacked
97%Android 87%iOS
387 new threats every minute
and six every second
McAfee

What concerns does this create for the enterprise?

Security Is Front and Center and Must Be Addressed

IBM Security
8
You are only as strong as your weakest link
Application Risks Device Risks Session Risks
 App hacking
 App security vulnerabilities
 Rooted / jailbroken devices
 Outdated OS security
vulnerabilities
 Malware
 Unsecure connection
 SMS forwarding
 Mobile ATO /
cross-channel ATO

How Criminals Can Easily Attack Your
Mobile Banking App

10
Disruption in the Security Landscape
Centralized,
trusted environment
Distributed or untrusted
environment “Apps in the Wild”
• Web Apps
• Data Center Apps
Attackers do not have easy
access to application binary
+ Application Security Testing
(“Build it Secure”)
+ Application Self-Protection
(“Keep it Secure”)
• Mobile Apps
• Internet of Things
• Packaged Software
Attackers can easily access and
compromise application binary

11
Mobile Apps Are Vulnerable to Attacks
• Applications can be modified and tampered with,
e.g. Key Generation / Use algorithms can be
altered, causing key theft or data theft
• Run-time behavior of applications can be altered,
causing unsafe or improper operation
• Malicious code can be injected or hooked into
applications
Integrity Risk
(Code Modification or
Code Injection
Vulnerabilities)
• Private and sensitive information can be
exposed, including Cryptographic Keys that are
used to secure information
• Applications can be reverse-engineered back to
the source code
• Code and Intellectual Property (IP) can be
lifted, stolen, reused or repackaged
Confidentiality
Risk
(Reverse
Engineering or
Code Analysis
Vulnerabilities)

Particularly Crypto Keys
Cryptographic key hacking examples:
 Crypto keys extracted though memory
scrapping, allowing unauthorized
access to financial transactions (in
PoS systems)
 Exploiting forms of buffer overflow
attacks, like Heartbleed, to steal crypt
key
 Android APK integrity vulnerability
 And many more…
Unfortunately, many don’t protect their keys or think it is too difficult to protect them
 80% of respondents to Ponemon Institute survey identified broken cryptography as
most difficult risk to minimize (State of Mobile Application Insecurity, February 2015)
Growing trend of memory scrapping
(Source: Verizon 2015 Data Breach Investigations Report)
Hackers are relying on memory scraping
w/ increasing frequency -- it is essential to
protect keys in memory!

Anatomy of Attacks on Mobile Apps
Reverse-engineering app contents
1. Decrypt the mobile
app (iOS apps)
2. Open up and
examine the app
3. Create a hacked
version
11 110 01
0 1001110
1100 001
01 111 00
11 110 01
0 0101010
0101 110
011100 00
Extract and steal confidential data
Create a tampered,
cracked or patched
version of the app
Release / use the
hacked app
Use malware to
infect/patch the app
on other devices
4. Distribute App
https://www.arxan.com/how-to-hack-a-mobile-application

Reverse engineering of a mobile payment application
Video: How to Hack an App
via Reverse Engineering

Mobile App & Mobile Payment
Protection Techniques

IBM Security
16
MobileFirst
Protect (MaaS360)
AppScan, Arxan, Trusteer M;
bile SDK
IBM Mobile Security Framework
AirWatch, MobileIron, Good,
Citrix, Microsoft, Mocana
HP Fortify, Veracode, Proguard CA, Oracle, RSA
• Manage multi-OS
BYOD environment
• Mitigate risks of lost
and compromised
devices
• Separate enterprise
and personal data
• Enforce compliance
with security policies
• Distribute and control
enterprise apps
• Build and secure apps
and protect them
“in the wild”
• Provide secure web,
mobile, API access and
identify device risk
• Meet authentication
ease-of-use expectation
Extend Security Intelligence
• Extend security information and event management (SIEM) to mobile platform
• Incorporate mobile log management, anomaly detection, configuration and vulnerability management
Manage Access
and Fraud
Safeguard
Applications and Data
Secure Content
and Collaboration
Protect
Devices

IBM Security
17
Extend Security Intelligence
Manage
Access and Fraud
Safeguard
Applications and Data
Secure Content
and Collaboration
Protect
Devices
Business imperatives for managing access and fraud
“The CyberVor gang amassed over 4.5 billion records,
mostly consisting of stolen credentials.
To get such an impressive number of credentials,
the CyberVors robbed over 420,000 web and FTP sites.”
Hold Security
$6.53 millionaverage cost of a U.S. data breach
2015 Cost of Data Breach Study, Ponemon Institute
95% of financial services incidents
involve harvesting credentials
stolen from customer devices
2015 Verizon Data Breech Report

IBM Security
18
Build, test and secure mobile apps before
distributing to end users
Safely distribute apps
Deploy custom enterprise
app catalogs; blacklist,
whitelist and require
apps; administer app
volume purchase
programs
Test app security
Identify vulnerabilities
in development and
pre-deployment;
isolate data leakage
risks; ensure proper
use of cryptography
Protect apps
Harden mobile apps
to defend against
reverse engineering;
prevent repacking
of apps; protect apps
from mobile malware
Secure app data
Protect enterprise apps
with authentication,
tunneling, copy / paste
restrictions and prevent
access from
compromised devices

Application Protection:
Can you say: Ob-fu-sca-tion!
Confuse the Hacker
• Dummy Code
Insertion
• Instruction Merging
• Block Shuffling
• Function Inlining
• … and More!
Turns this
into this …

Application Protection: Preventing Reverse Engineering
Other Techniques
• Method Renaming
• String Encryption
• … and More!
String not
found
Where did
it go?

Application Protection: Preventing Tampering
Common Techniques
Checksum -- Has the
binary changed?
If so, let me know so I can do something about it!
Method Swizzling
Detection --
Is someone hijacking
my code?
Debug Detection
Is a Debugger Running?

Application Protection: A Number of Guards Can Be
Leveraged
Defend
against
compromise
Detect
attacks at
run time
React
to ward off
attacks
• Advanced Obfuscation
• Code and Resource
Encryption
• Pre-Damage
• Metadata Removal
• Checksum
• Debug Detection
• Resource Verification
• Jailbreak/Root Detection
• Swizzling Detection
• Hook Detection
• Shut Down (Exit, Fail)
• Self-Repair
• Custom Reactions
• Alert / Phone Home

Arxan Cryptographic Key Protection
 Sophisticated implementation of “White-box cryptography”
 Intended for any security system that employs cryptographic algorithms and keys, in
an open and untrusted environment
 Result: Keys are never present in either the static form or in runtime memory
 Protects: Static keys, Dynamic keys, and Sensitive user data
 How it works
– Combines mathematical algorithms with
data and code obfuscation techniques to
transform the key and related operations
so keys cannot be discovered at any time
– Supports all major algorithms
– Clearly separates the data into two
domains: Open Domain vs Encrypted
Domain
– Provides comprehensive protection in
conjunction with Arxan’s guarding
technology
Encrypted Domain
Mobile Application
Crypto
Routines
Static &
Dynamic Keys
Secret
Data

This Approach Yields the Most Protected Form of Data:
White-box Form
Forms of Data
Classical form Untransformed data (in the clear)
Obfuscated form Transformed (reversible) data;
inputs and outputs of ciphers can
be obfuscated
White-box form Maximally secure (for keys) and
non-reversible

How Are Code and Key Protection Implemented?

Why Arxan Protection?
For key protection
 ‘Gold standard’ protection
• All major cryptography
standards and functionality
• Offers a smaller footprint
than other solutions
• Delivers better performance
 Easy Integration
• Conformance to common
API calls like OpenSSL,
allows straight-forward
replacement of existing
cryptographic libraries
For application protection
 ‘Gold standard’ protection strength
• Multi-layered Guards
• Static & Run-Time Guards
• No binary patterns or agents, no single
point of failure
• Customizable to your application
• Automated randomization for each build
 No disruption to SDLC or source code
with unique binary-based Guard
injection
Arxan Solutions are
 Proven
• Protected apps deployed on over 300 million devices
• Hundreds of satisfied customers across Fortune 500
 Cross platform support -- > 7 mobile platforms alone
 Unique IP ownership: 10+ patents
 Integrated with other IBM security and mobility solutions

World’s Strongest App Protection, Now Sold & Supported
by IBM
Benefit of your existing trusted relationship with IBM
• Arxan’s technology now available from IBM: Sales, Solution, Services, Support from
IBM, with close collaboration between IBM and Arxan to ensure your success
• Leverage your existing procurement frameworks and contract vehicles (IBM Passport
Advantage, ELAs, Perpetual License, Elite Support, etc) for purchasing Arxan products
and take advantage of your relationship pricing and special discounts from IBM
Leverage Arxan as part of comprehensive solution portfolio from IBM
to holistically secure mobile apps, with value-adding validated integrations
• Enables unique ‘Scan + Protect’ application security strategy and best practice for
building it secure during development (AppScan) and keeping it secure deployed
“in the wild” (Arxan)
• Value-adding Arxan integrations, validations, and interoperability testing with other
IBM products (e.g., IBM AppScan, IBM Trusteer, IBM Worklight)

NEXT STEP: Contact your IBM representative or email
IBM@Arxan.com for more information
Free Evaluation of “Arxan Application
Protection for IBM Solutions”
Now offered as part of IBM’s Security Portfolio
Special Offer

Additional Resources
Arxan/IBM White Paper: Securing
Mobile Apps in the Wild
http://www.arxan.com/securing-mobile-apps-in-the-wild-with-app-hardening-and-run-
time-protection/
How to Hack An App
https://www.youtube.com/watch?v=VAccZnsJH00
IBM Whitepaper: Old Techniques, New Channel:
Mobile Malware Adapting PC Threat Techniques
https://www14.software.ibm.com/webapp/iwm/web/signup.do?source=swg-
WW_Security_Organic&S_PKG=ov26530&S_TACT=C341006W&S_CMP=web_opp_s
ec_trusteer_msdk/

Q&A

Thank You!
Tom Mulvehill
tom.mulvehill@us.ibm.com
Winston Bond
wbond@arxan.com

Mobile Payments: Protecting Apps and Data from Emerging Risks

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Mobile Payments: Protecting Apps and Data from Emerging Risks

Similar to Mobile Payments: Protecting Apps and Data from Emerging Risks (20)

More from IBM Security

More from IBM Security (20)

Recently uploaded

Recently uploaded (20)

Mobile Payments: Protecting Apps and Data from Emerging Risks