Deliver Strong Mobile App Security and the Ultimate User Experience
The Presenters

Will LaSala, Director of Services @ VASCO
Will has been with VASCO since 2001 and over the years has been involved in all aspects of product implementation within financial institutions and mobile application developers. Will also oversees the VASCO professional services group, helping banks, enterprises, and ASPs with custom mobile application security, identity management, and authentication projects. He brings to the table over 20 years of software and cyber security experience. Will's research interests are focused around the use of mobile technology to improve user experience.

Andrew Showstead, Director of Technical Consultancy and Market Solutions @ VASCO
Andrew oversees the engineering and product implementation aspects of mobile application security and fraud prevention projects for enterprise clients. He is also a technical team lead tasked with researching and developing new markets for VASCO in North America. Andrew comes back to VASCO after serving as Chief Technology Officer for njuvo Inc., where he led the development of an Internet security product for payment fraud prevention. His research interests include identity federation and the use of embedded technologies to simplify security.
About VASCO: Company Highlights
Founded in 1991
Publicly traded on the NASDAQ since 1997 (VDSI)
More than 10,000 customers in 100 countries
50+ consecutive quarters of profitability
17+ global offices
WHAT'S THE PROBLEM WITH MY MOBILE EXPERIENCE?
The Growth of Mobile App Fraud
Threats to Your Mobile App
1. Corruption of the execution environment
   Application sandboxing is broken on a rooted device: the data you store on the device can be read or updated by any other application running on the same device
   The default keyboard is replaced by a keyboard that includes a keylogger
   Screen readers record the application display and forward the information
2. Reverse engineering of the application through instrumentation and debugging
3. Modification of the application
   Modified and repackaged applications are published on alternative stores for phishing attacks
Mobile Vulnerabilities (source: viaForensics, 2014)
Device Attack Surface: what behaviors can present issues?
Browser: Phishing; Pharming; Clickjacking; Man-in-the-Middle; Buffer Overflow; Data Caching
System: No Passcode/Weak Passcode; iOS Jailbreaking; Android Rooting; OS Data Caching; Passwords & Data Accessible; Carrier-Loaded Software; No Encryption/Weak Encryption; User-Initiated Code; Malware
Phone/SMS: Baseband Attacks; SMishing
Apps: Sensitive Data Storage; No Encryption/Weak Encryption; Improper SSL Validation; Config Manipulation; Dynamic Runtime Injection; Unintended Permissions; Escalated Privileges
Mobile Vulnerability: Reverse Engineering (demo screenshots of the "MY Bank" sample app)
Threats to the application (demo screenshots: the "MY Bank" app alongside a look-alike "My Bank Too" app prompting for a password)
BEST PRACTICES
Threats to the Application: Best Practices
Consider the Platform: apply rootkit/jailbreak protections
Protect the User Interface from Malicious Compromise
Secure Provisioning is a must-have, and Implement a Secure Encrypted Channel
Avoid Storing data on the mobile; Apply persistent protection when you must
Two-Factor Authentication can be achieved through an easy user experience
Secure your Transactions and Document Signing Process
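To make the last two practices concrete, here is an added illustration (not VASCO's or DIGIPASS's algorithm) of transaction signing: the one-time code is an HMAC over the exact transaction the user approved, so a man-in-the-middle that alters the beneficiary or amount after approval invalidates the code. It assumes a per-device key provisioned at enrolment; the key, account and IBAN values are constructed sample data.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Illustrative "what you see is what you sign" scheme; hypothetical names, not a vendor API. */
public final class TransactionSigner {
    private static final String ALG = "HmacSHA256";

    /** Canonical form of the signed data: every field an attacker could alter must be included. */
    static String canonical(String accountId, String beneficiaryIban, String amountCents, String currency, long counter) {
        return String.join("|", accountId, beneficiaryIban, amountCents, currency, Long.toString(counter));
    }

    /** Client side: derive an 8-digit code from the device key provisioned at enrolment (assumed). */
    public static String sign(byte[] deviceKey, String accountId, String beneficiaryIban,
                              String amountCents, String currency, long counter) throws Exception {
        Mac mac = Mac.getInstance(ALG);
        mac.init(new SecretKeySpec(deviceKey, ALG));
        byte[] tag = mac.doFinal(canonical(accountId, beneficiaryIban, amountCents, currency, counter)
                .getBytes(StandardCharsets.UTF_8));
        // Dynamic truncation: 4 bytes at an offset chosen by the last nibble, sign bit masked, reduced mod 10^8
        int offset = tag[tag.length - 1] & 0x0f;
        int bin = ((tag[offset] & 0x7f) << 24) | ((tag[offset + 1] & 0xff) << 16)
                | ((tag[offset + 2] & 0xff) << 8) | (tag[offset + 3] & 0xff);
        return String.format("%08d", bin % 100_000_000);
    }

    /** Server side: recompute from the transaction as actually received and compare in constant time. */
    public static boolean verify(byte[] deviceKey, String accountId, String beneficiaryIban,
                                 String amountCents, String currency, long counter, String presented) throws Exception {
        String expected = sign(deviceKey, accountId, beneficiaryIban, amountCents, currency, counter);
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     presented.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        byte[] key = "constructed-demo-key-do-not-use!".getBytes(StandardCharsets.UTF_8); // constructed sample key
        String code = sign(key, "ACC-1", "DE89370400440532013000", "15000", "EUR", 42);
        // The user approved this transaction; the server receives it unchanged
        System.out.println("unmodified verifies: " + verify(key, "ACC-1", "DE89370400440532013000", "15000", "EUR", 42, code));
        // A man-in-the-middle swapped the beneficiary after approval: the code no longer matches
        System.out.println("tampered verifies: " + verify(key, "ACC-1", "GB00CONSTRUCTED0000000", "15000", "EUR", 42, code));
    }
}
```

The counter also blocks replay of a captured code; the server must persist the last accepted counter per device.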
SECURING THE MOBILE EXPERIENCE: DIGIPASS FOR APPS
What is Runtime Application Self-Protection?
RASP, or application shielding, is a set of technologies used to add security functionality directly to mobile applications for the detection and prevention of application-level intrusions.
What Does RASP Do?
Proactively shields applications from malware
Controls execution and prevents real-time attacks
Protects the integrity of mobile applications to ensure data and transactions are not compromised
Maintains a mobile application's runtime integrity even if a user inadvertently downloads malware onto their device
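The threats listed earlier (rooted device, instrumentation/debugging, repackaged app) and the RASP bullets above describe checks an app can perform on itself. The Android code below is an added example of the simplest form of such checks, written for this page rather than taken from DIGIPASS for Apps; it assumes API level 28+ for the signing-certificate API and a pinned signer hash captured at build time (placeholder shown).

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Build;
import android.os.Debug;
import java.io.File;
import java.security.MessageDigest;
import java.util.ArrayList;
import java.util.List;

/** Hypothetical self-checks to run at start-up and again before sensitive screens (login, transaction approval). */
public final class RuntimeIntegrityCheck {
    // Assumed: SHA-256 of the release signing certificate, recorded at build time. Placeholder value.
    private static final String EXPECTED_SIGNER_SHA256 = "<SHA256-OF-RELEASE-SIGNING-CERT>";

    public enum Finding { ROOTED_DEVICE, DEBUGGER_ATTACHED, REPACKAGED_APP }

    /** Returns every indicator that fired; an empty list means none did. The caller decides how to react. */
    public static List<Finding> run(Context ctx) {
        List<Finding> findings = new ArrayList<>();
        if (looksRooted()) findings.add(Finding.ROOTED_DEVICE);
        // Covers a Java-level debugger only; native debuggers and hooking frameworks need further checks.
        if (Debug.isDebuggerConnected() || Debug.waitingForDebugger()) findings.add(Finding.DEBUGGER_ATTACHED);
        if (!signerMatches(ctx)) findings.add(Finding.REPACKAGED_APP);
        return findings;
    }

    /** Cheap heuristics: su binaries on the usual paths and test-signed firmware. Shielding products layer many more. */
    static boolean looksRooted() {
        String[] suPaths = {"/system/bin/su", "/system/xbin/su", "/sbin/su", "/su/bin/su"};
        for (String p : suPaths) if (new File(p).exists()) return true;
        return Build.TAGS != null && Build.TAGS.contains("test-keys");
    }

    /** Repackaging forces a re-sign with a different key: compare the running APK's signer with the pinned hash. */
    static boolean signerMatches(Context ctx) {
        try {
            PackageInfo info = ctx.getPackageManager().getPackageInfo(
                    ctx.getPackageName(), PackageManager.GET_SIGNING_CERTIFICATES);
            Signature[] signers = info.signingInfo.getApkContentsSigners();
            if (signers == null || signers.length != 1) return false;
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(signers[0].toByteArray());
            return hex(digest).equalsIgnoreCase(EXPECTED_SIGNER_SHA256);
        } catch (Exception e) {
            return false; // fail closed: an unreadable signer is treated as a mismatch
        }
    }

    private static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }
}
```

Because these checks run inside the app, an attacker who has already reversed it can patch them out; that is why the deck pairs them with obfuscation and server-side signals rather than relying on any single check.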
Why Do I Need RASP?
The hackers may be gaining access through applications and solutions... many organizations have significant network security in place, but it's not enough, as 84% of all cyber-attacks are happening on the application layer.
Only 1% of all apps today have Runtime Application Self-Protection running, but by 2020, 44% of all applications will be leveraging some type of RASP protection.
http://www.forbes.com/sites/sap/2015/03/10/most-cyber-attacks-occur-from-this-common-vulnerability/#122ee06741ae
http://www.technavio.com/report/global-it-security-global-runtime-application-self-protection-security-market-2016-2020
Demo screenshot: "MY App" real-time queuing, with an Approve / Deny prompt
ACHIEVING THE BEST PRACTICES
Achieving Best Security Practice with DIGIPASS for APPS
Consider the Platform (apply rootkit/jailbreak protections): RASP
Protect the User Interface from Malicious Compromise: RASP
Secure Provisioning is a must-have, and Implement a Secure Encrypted Channel: DIGIPASS for Apps
Avoid Storing data on the mobile; Apply persistent protection when you must: DIGIPASS for Apps
Two-Factor Authentication can be achieved through an easy user experience: DIGIPASS for Apps
Secure your Transactions and Document Signing Process: DIGIPASS for Apps
WHAT'S NEXT?
Contact the VASCO team to get a live demo that:
- demonstrates compromised app behavior
- outlines DIGIPASS for APPS protection mechanisms
- info-usa@vasco.com