How to secure your mobile application with RASP. Webinar, 13 December 2016
Agenda
1. Mobile Application Security (Dirk Denayer, Enterprise & Application Security)
   - Risk categories
   - Protection layers including RASP
2. RASP, Runtime Application Self-Protection (Guillaume Teixeron, Product Manager - OPEN)
   - SDK protection components
   - Integration process
   - Configuration
   - Security assessment service
Mobile application risks: some figures (Trustwave Global Security Report 2016)
- share of successful breaches that target the application layer
- share of tested apps that have at least one vulnerability
Mobile application risks: 3 categories
1. Application vulnerabilities
2. Platform weaknesses
3. Man-in-the-Middle attacks
Mobile application protection: 3 layers
1. Application protection
2. RASP (Runtime Application Self-Protection)
3. Protection of communication
1. Protecting the app
- Secure coding against reverse engineering
- Secure storage against data theft and device cloning
- Secure activation against account takeover
2. Protecting execution (RASP): prevent, stop, detect, notify
- Anti-screenshots
- Debugger prevention
- Anti-repackaging
- Anti-code injection
- Anti-key logging
- Anti-screen reader
- Emulator protection
- Anti-screen mirroring
3. Protecting communication
- Transport layer
- Secure Channel
DIGIPASS for Apps technologies
- Jailbreak/Root Detection
- Client Scoring
- PIN Management
- Two-Factor Authentication
- Integration with Biometrics
- Device Binding
- Secure Storage
- Geolocation
- Transaction Signing
- Secure Channel
- CRONTO Support
- QR code Support
- Runtime Application Self-Protection (RASP)
DIGIPASS for Apps: seamless integration with your app (the same technology set, wrapped around your own app)
What is Runtime Application Self Protection? A set of technologies used to add security functionality directly to mobile applications, for the detection and prevention of application-level intrusions.
RASP insights
- RASP works proactively and in real time, which protects against zero-day attacks
- RASP does not require special permissions on the device
- RASP does not change the user experience
Diagram: a secured runtime process spanning the app layer (app code in Objective-C, Java or native code), the OS tools/APIs (GUI, file, network) and the OS components (loader, linker)
RASP features
Protect / Detect:
- Hook detection
- Debugger detection
- Library injection detection
- Emulator detection
- Screen reader detection
- User input leakage prevention
- User initiated screenshot detection
- Keylogger detection
- System initiated screenshot detection
React (app and RASP):
- Sanity check
- Notify app
- Terminate app
Anti-code injection: the application validates the origin of any third-party library loaded at run time. All libraries used by the application are whitelisted.
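The library allowlist check described above, as an added example in C and not VASCO's ShieldSDK code: it scans text in /proc/self/maps format (the Linux/Android list of files mapped into the process) and flags shared objects whose path is not under a trusted OS or app directory. The trusted prefixes, the package name com.example.bank and the sample map lines are constructed assumptions.

```c
#include <string.h>
/* Trusted origins: OS library directories and the app's own install directory
 * (hypothetical package name com.example.bank). */
static const char *const TRUSTED_PREFIXES[] = {
    "/system/lib/", "/system/lib64/", "/vendor/lib/", "/vendor/lib64/",
    "/data/app/com.example.bank-1/lib/" };
#define N_TRUSTED (sizeof TRUSTED_PREFIXES / sizeof *TRUSTED_PREFIXES)
/* 1 if path (plen bytes, not NUL-terminated) starts with a trusted prefix. */
static int trusted_origin(const char *path, size_t plen) {
    size_t i, k;
    for (i = 0; i < N_TRUSTED; i++) {
        k = strlen(TRUSTED_PREFIXES[i]);
        if (k <= plen && memcmp(path, TRUSTED_PREFIXES[i], k) == 0) return 1;
    }
    return 0;
}
/* Scans text in /proc/self/maps format and counts mapping lines backed by a
 * shared object (.so) outside the trusted origins (one library usually has
 * several mappings). The first offending path is copied into `first`. */
int count_untrusted_libs(const char *maps, char *first, size_t len) {
    int untrusted = 0;
    const char *line = maps;
    first[0] = '\0';
    while (*line) {
        const char *eol = strchr(line, '\n');
        size_t n = eol ? (size_t)(eol - line) : strlen(line), plen;
        const char *p = line + n;
        while (p > line && p[-1] != ' ' && p[-1] != '\t') p--;   /* last field */
        plen = (size_t)(line + n - p);
        if (plen > 3 && p[0] == '/' && memcmp(p + plen - 3, ".so", 3) == 0
                && !trusted_origin(p, plen)) {
            if (first[0] == '\0' && plen < len) { memcpy(first, p, plen); first[plen] = '\0'; }
            untrusted++;
        }
        if (!eol) break;
        line = eol + 1;
    }
    return untrusted;
}
/* Constructed sample in /proc/self/maps format (not a real capture). */
static const char SAMPLE_MAPS[] =
    "7f00000000-7f00020000 r-xp 00000000 fd:00 1 /system/lib64/libc.so\n"
    "7f00020000-7f00030000 r--p 00020000 fd:00 1 /system/lib64/libc.so\n"
    "7f01000000-7f01010000 r-xp 00000000 fd:00 2 /data/app/com.example.bank-1/lib/arm64/libShield.so\n"
    "7f02000000-7f02001000 rw-p 00000000 00:00 0 [anon:libc_malloc]\n"
    "7f03000000-7f03010000 r-xp 00000000 fd:00 3 /data/local/tmp/libinjected.so\n";
static char g_first[256];   /* first untrusted path found by check_sample() */
int check_sample(void) { return count_untrusted_libs(SAMPLE_MAPS, g_first, sizeof g_first); }
const char *first_untrusted(void) { return g_first; }
```

In a real app the text would be read from /proc/self/maps on a timer and after each dlopen, and a non-zero result would go to the notify callback.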
Anti-key logging: the application validates that the keyboard used by the operating system is a trusted keyboard, either the operating system's original keyboard or a keyboard provided by a trusted third party. The application may offer its own keyboard interface in case an untrusted one is proposed by default.
Anti-screen-reading: RASP validates that no screen reader is activated on the device. If a screen reader is activated, malware could collect all information displayed by the application on the device without the user noticing.
Anti-user/system screenshots: the application makes sure that the application context is not backed up in the background by the operating system. This prevents sensitive information from persisting in the phone's memory after application termination.
Anti-screen mirroring: preemptively disabled by the application, working at the level of the video stream output.
Debugger prevention: the application prevents a debugger from being attached, to make reverse engineering more difficult. Method: monitoring of running processes.
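One common way to implement the process-monitoring part of debugger detection on Android/Linux, added here as an illustration and not the ShieldSDK's own method: the kernel reports the pid of any process tracing the app in the TracerPid field of /proc/self/status, so the code parses that field and maps the reading to the notify/terminate reactions from the RASP features slide. The sample status texts, the app name bankapp and the terminate_on_debug switch are constructed assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Reaction policy from the RASP features slide: notify the app or terminate it. */
enum reaction { REACT_NONE, REACT_NOTIFY, REACT_TERMINATE };

/* Extracts the TracerPid field from text in /proc/self/status format.
 * Returns the tracing process id, 0 if the process is not traced, or -1 if
 * the field is absent (unknown, which must not be treated as safe). */
int tracer_pid_from_status(const char *status) {
    const char *line = status;
    while (line && *line) {
        if (strncmp(line, "TracerPid:", 10) == 0) return (int)strtol(line + 10, NULL, 10);
        line = strchr(line, '\n');
        if (line) line++;
    }
    return -1;
}

/* Reads the live file on Linux/Android; -1 where /proc is unavailable. */
int tracer_pid_now(void) {
    char buf[4096];
    size_t n;
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return tracer_pid_from_status(buf);
}

/* Maps a reading to the app's reaction. `terminate_on_debug` stands in for a
 * configuration switch (assumed); an unknown reading only notifies. */
enum reaction react_to_tracer(int tracer_pid, int terminate_on_debug) {
    if (tracer_pid == 0) return REACT_NONE;
    if (tracer_pid < 0) return REACT_NOTIFY;
    return terminate_on_debug ? REACT_TERMINATE : REACT_NOTIFY;
}

/* One pass of the periodic check a monitoring thread would run. */
enum reaction check_debugger_now(int terminate_on_debug) {
    return react_to_tracer(tracer_pid_now(), terminate_on_debug);
}

/* Constructed samples in /proc/self/status format (not real captures). */
static const char STATUS_CLEAN[] =
    "Name:\tbankapp\nState:\tS (sleeping)\nPid:\t4242\nPPid:\t1\nTracerPid:\t0\nUid:\t10099\n";
static const char STATUS_TRACED[] =
    "Name:\tbankapp\nState:\tt (tracing stop)\nPid:\t4242\nPPid:\t1\nTracerPid:\t5150\nUid:\t10099\n";
```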
Emulator detection: the application detects whether it is running in an emulator instead of on a physical device. The application should stop its execution when this is detected at launch time. Method: examines OS input.
RASP - Integration
RASP Integration Process: Configuration, Integration, Signing, Binding
RASP Integration Process, steps 1 and 2
1. Integrate the RASP SDK
   - Android: add ShieldSDK.jar
   - iOS: link ShieldSDK.framework
   - Add the configuration file
2. Implement callbacks
   - Notify the app after detection of a security issue, using the ShieldCallbackManager
RASP Integration Process, step 3: Configure RASP (Android and iOS)
Configuration is done via the Vasco customer portal:
- Authenticate to the portal
- Create a new Android RASP configuration
- Create a new iOS RASP configuration
- Select the app to bind
RASP Integration Process, step 4: Bind via customer portal (Android and iOS)
- A. Binding: the RASP SDK, its Config Info and the Code Variables are added alongside the app's Resources and Business Logic
- B. Repacking prevention: the Cert Pub Key is added to the package
- C. Code Obfuscation: the Business Logic is obfuscated
RASP Integration Process, step 5: Sign the application
- Android: sign the APK file with the keystore file
- iOS: sign the app folder with the XCENT file
RASP Security Assessment
Documentation & security assessment service
- DIGIPASS for Apps: https://www.vasco.com/products/application-security/digipass-for-apps.html
- White paper, A Developer's Guide to Securing Mobile Applications: https://www.vasco.com/news/your-guide-to-secure-mobile-applications/
- RASP webpage & white paper: https://www.vasco.com/glossary/rasp-security.html
- RASP security assessment service on your mobile application & other requests: es-sc@vasco.com
Questions?
es-sc@vasco.com