How to secure your mobile application with RASP

Size: px

Start display at page:

Download "How to secure your mobile application with RASP"

Warren Pope
5 years ago
Views:

1 How to secure your mobile application with RASP Webinar - 13 December 2016

2 Agenda 1. Mobile Application Security Risk categories Protection layers including RASP Dirk Denayer Enterprise & Application Security 2. RASP Runtime Application Self-Protection SDK protection components Integration process Configuration Security assessement service Guillaume Teixeron Product Manager - OPEN 2

3 Mobile application risks some figures of successful breaches target the application layer of tested apps has at least one vulnerability Trustwave Global Security Report 2016

4 Mobile application risks 3 categories 1. Application vulnerabilities MY App 2. Platform weaknesses 3. Man-in-the-Middle Attacks

5 Mobile application protection 3 layers 1. Application protection MY App 2. RASP (Runtime Application Self Protection) 3. Protection of communication

6 1. Protecting the app Secure coding against reverse engineering MY App Secure storage against data theft and device cloning Secure activation against account takeover

7 2. Protecting execution Prevent MY App Stop Detect Notify RASP Anti-screen shots Debugger prevention Anti-repackaging Anti-code injection Anti-key logging Anti-screen reader Emulator protection Anti-screen mirroring

8 3. Protecting communication Transport layer Transport layer MY App Transport layer Transport layer Secure Channel

9 DIGIPASS for Apps technologies Jailbreak/Root Detection Client Scoring PIN Management Two-Factor Authentication Integration with Biometrics Device Binding Secure Storage Geolocation MY App DIGIPASS for APPS Transaction Signing Secure Channel CRONTO Support QR code Support Runtime Application Self-Protection (RASP)

10 seamless integration with your app Jailbreak/Root Detection Client Scoring PIN Management Two-Factor Authentication Integration with Biometrics Device Binding MY App Transaction Signing Secure Channel Secure Storage CRONTO Support Geolocation QR code Support Runtime Application Self-Protection (RASP)

DIGIPASS for Apps Jailbreak/Root Detection Client Scoring PIN Management Two-Factor Authentication Integration with Biometrics Device Binding Secure

11 DIGIPASS for Apps Jailbreak/Root Detection Client Scoring PIN Management Two-Factor Authentication Integration with Biometrics Device Binding Secure Storage Geolocation MY App DIGIPASS for APPS Transaction Signing Secure Channel CRONTO Support QR code Support Runtime Application Self-Protection (RASP)

12 Agenda 1. Mobile Application Security Risk categories Protection layers including RASP Dirk Denayer Enterprise & Application Security 2. RASP Runtime Application Self-Protection SDK protection components Integration process Configuration Security assessement service Guillaume Teixeron Product Manager - OPEN 12

13 What is Runtime Application Self Protection? Set of technologies used to add security functionalities directly to mobile applications for the detection and prevention of application-level intrusions 13

14 RASP Insights RASP works proactively and in real-time, which protects against zero-day attacks A secured runtime process App Layer (app code) (Objective C, Java or native) RASP does not require special permissions on the device OS tools/api (GUI, File, Network) RASP does not change User Experience OS components (Loader, Linker)

leakage prevention User initiated screenshot detection Keylogger detection

15 RASP features Protect Detect Hook detection Debugger detection Library injection detection Emulator detection Screen reader detection User input leakage prevention User initiated screenshot detection Keylogger detection System initiated screenshot detection React App RASP Sanity Check Notify app Terminate app

16 Anti-code injection Application validates the origin of any third party library loaded at run time. Mobile Application Security All libraries used by the application are whitelisted.

Keyboard can be operating system original keyboard or keyboard provided by trusted

17 Anti-key logging Application validates that the keyboard used by the operating system is a trusted keyboard. Keyboard can be operating system original keyboard or keyboard provided by trusted third party keyboard provided. Mobile Application Security Application may offer its own keyboard interface in case untrusted one is proposed by default.

18 Anti screen-reading RASP validates that no screen reader is activated on the device. In case screen reader is activated a malware could collect all information displayed by the application on the device without user noticing it. Mobile Application Security

19 Anti-user/system screenshots Application makes sure that application context is not backed up in the background by the operating system. Mobile Application Security This prevents that sensitive information persists in the phone memory after application termination.

20 Anti-screen mirroring Preemptively disabled by application. Working on the level of video stream output. Mobile Application Security

21 Debugger prevention Application prevents debugger from being attach to make reverse engineering more difficult. Mobile Application Security Running processes monitoring

22 Emulator detection Application detects if it is running in an emulator instead of a physical device. Mobile Application Security Application should stop its execution when detected at launch time. Examines OS input

23 RASP - Integration 23

24 RASP Integration Process Configuration Integration Signing Binding

25 RASP Integration Process Configuration Integration Signing Binding

26 RASP Integration Process Android 1 Integrate RASP SDK Add ShieldSDK.jar ios Link ShieldSDK.framework Add configuration file 2 Implement Callbacks Notify app after detection of security issue Using the ShieldCallbackManager

27 RASP Integration Process Configuration Integration Signing Binding

28 RASP Integration Process 3 Configure RASP Android ios Configuration is done via the customer portal of Vasco.

29 Authentication to the portal

30 Create new Android RASP Configuration

31 Create new ios RASP Configuration

32 Select App to bind

33 RASP Integration Process Configuration Integration Signing Binding

34 RASP Integration Process Android ios 4 Bind via customer portal A Binding Resources Business Logic RASP SDK Code Variables A Binding Resources RASP SDK Business Logic Config Info Resources Resources Business Logic Code Variables Business Logic Code Variables B Repacking prevention Resources Business Logic Resources RASP SDK Code Variables Cert Pub Key B Repacking prevention Code variables Resources RASP SDK Business Logic Config Info C Code Obfuscation Obfuscated Business Logic RASP SDK Code Variables Code variables Cert Pub Key Cert Pub Key

35 RASP Integration Process Configuration Integration Signing Binding

36 RASP Integration Process 5 Sign the application Android Sign the APK file with the keystore file ios Sign the app folder with the XCENT file

37 Security Assessment 37

38 RASP Security Assessment 38

39 Agenda 1. Mobile Application Security Risk categories Protection layers including RASP Dirk Denayer Enterprise & Application Security 2. RASP Runitme Application Self-Protection SDK protection components Integration Process Configuration Security assessement service Guillaume Teixeron Product Manager - OPEN 39

40 Documentation & Security assessement service DIGIPASS for Apps White paper A Developer s Guide to Securing Mobile Applications RASP webpage & White Paper RASP security assessement service on your mobile application & other requests : es-sc@vasco.com 40

41 Questions?

Deliver Strong Mobile App Security and the Ultimate User Experience

Deliver Strong Mobile App Security and the Ultimate User Experience The Presenters Will LaSala, Director of Services @ VASCO Will has been with VASCO since 2001 and over the years has been involved in