How to secure your mobile application with RASP


How to secure your mobile application with RASP Webinar - 13 December 2016

Agenda
1. Mobile Application Security: risk categories; protection layers including RASP (Dirk Denayer, Enterprise & Application Security)
2. RASP, Runtime Application Self-Protection: SDK protection components; integration process; configuration; security assessment service (Guillaume Teixeron, Product Manager - OPEN)

Mobile application risks: some figures (Trustwave Global Security Report 2016)
- of successful breaches target the application layer
- of tested apps has at least one vulnerability

Mobile application risks: 3 categories
1. Application vulnerabilities
2. Platform weaknesses
3. Man-in-the-Middle attacks

Mobile application protection: 3 layers
1. Application protection
2. RASP (Runtime Application Self-Protection)
3. Protection of communication

1. Protecting the app
- Secure coding against reverse engineering
- Secure storage against data theft and device cloning
- Secure activation against account takeover

2. Protecting execution (RASP: Prevent, Stop, Detect, Notify)
- Anti-screenshots
- Debugger prevention
- Anti-repackaging
- Anti-code injection
- Anti-key logging
- Anti-screen reader
- Emulator protection
- Anti-screen mirroring

3. Protecting communication
- Transport layer security between the app and the server
- Secure Channel

DIGIPASS for Apps technologies: seamless integration with your app
- Jailbreak/Root Detection
- Client Scoring
- PIN Management
- Two-Factor Authentication
- Integration with Biometrics
- Device Binding
- Secure Storage
- Geolocation
- Transaction Signing
- Secure Channel
- CRONTO Support
- QR code Support
- Runtime Application Self-Protection (RASP)


What is Runtime Application Self-Protection? A set of technologies used to add security functionality directly to mobile applications for the detection and prevention of application-level intrusions.

RASP Insights
- RASP works proactively and in real time, which protects against zero-day attacks
- RASP does not require special permissions on the device
- RASP does not change the user experience
A secured runtime process spans: the app layer (app code in Objective-C, Java or native), the OS tools/API (GUI, file, network) and the OS components (loader, linker).

RASP features
Protect / Detect:
- Hook detection
- Debugger detection
- Library injection detection
- Emulator detection
- Screen reader detection
- User input leakage prevention
- User-initiated screenshot detection
- Keylogger detection
- System-initiated screenshot detection
React: App -> RASP sanity check -> Notify app / Terminate app

Anti-code injection: the application validates the origin of any third-party library loaded at runtime. All libraries used by the application are whitelisted.
Mobile Application Security

Anti-key logging: the application validates that the keyboard used by the operating system is a trusted keyboard, either the operating system's original keyboard or a keyboard provided by a trusted third party. The application may offer its own keyboard interface in case an untrusted one is proposed by default.

Anti screen-reading: RASP validates that no screen reader is activated on the device. If a screen reader is activated, malware could collect all information displayed by the application without the user noticing it.

Anti-user/system screenshots: the application makes sure that its application context is not backed up in the background by the operating system. This prevents sensitive information from persisting in the phone memory after the application terminates.

Anti-screen mirroring: pre-emptively disabled by the application; works at the level of the video stream output.

Debugger prevention: the application prevents a debugger from being attached, to make reverse engineering more difficult. Technique: running-process monitoring.

Emulator detection: the application detects whether it is running in an emulator instead of on a physical device. The application should stop its execution when this is detected at launch time. Technique: examines OS input.
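As an added example, not code from the webinar or from the DIGIPASS for Apps SDK, the following Python prototypes two of the checks described above the way they are commonly implemented on Linux-based platforms such as Android: the library whitelist behind anti-code injection (read from the process's memory maps) and running-process monitoring for an attached debugger (the TracerPid field), followed by the react step that notifies the app or terminates it. The /proc excerpts and the allowlist are constructed samples so the code runs offline.

```python
"""Added example, not code from the webinar or the DIGIPASS for Apps SDK:
two RASP-style runtime checks from the slides, prototyped as they are
commonly done on Linux/Android (a loaded-library allowlist for anti-code
injection, TracerPid monitoring for debugger detection) plus the react step
that notifies the app or terminates it.  All inputs are constructed samples."""
import re

# Constructed /proc/<pid>/maps excerpt; the last mapping is an injected library.
SAMPLE_MAPS = """\
7f1a0000-7f1a5000 r-xp 00000000 fd:00 1234 /system/lib64/libc.so
7f1b0000-7f1b2000 r-xp 00000000 fd:00 2345 /data/app/com.example.bank/lib/arm64/libshield.so
7f1c0000-7f1c1000 r-xp 00000000 fd:00 3456 /data/local/tmp/libhook.so
"""
# Constructed /proc/self/status excerpt with a tracer (debugger) attached.
SAMPLE_STATUS = "Name:\tapp\nState:\tt (tracing stop)\nTracerPid:\t4242\n"

# Allowlist of libraries the app legitimately loads (constructed; a real build
# would generate it from the packaged .so files plus the platform libraries).
ALLOWED_LIBS = {"libc.so", "libshield.so"}

def unexpected_libraries(maps_text, allowed):
    """Return the basenames of mapped .so files that are not on the allowlist."""
    found = set()
    for line in maps_text.splitlines():
        fields = line.split(maxsplit=5)  # addr perms offset dev inode [path]
        if len(fields) == 6 and fields[5].endswith(".so"):
            found.add(fields[5].rsplit("/", 1)[-1])
    return sorted(found - allowed)

def tracer_pid(status_text):
    """Parse TracerPid from /proc/self/status; non-zero means ptrace is attached."""
    match = re.search(r"^TracerPid:\s*(\d+)$", status_text, re.MULTILINE)
    return int(match.group(1)) if match else 0

def run_checks(maps_text, status_text, allowed=ALLOWED_LIBS):
    """Detect, then react: 'notify' the app per finding, 'terminate' on a debugger."""
    actions = []
    for lib in unexpected_libraries(maps_text, allowed):
        actions.append(("notify", "library_injection", lib))
    pid = tracer_pid(status_text)
    if pid:
        actions.append(("terminate", "debugger", f"TracerPid={pid}"))
    return actions

if __name__ == "__main__":
    for action in run_checks(SAMPLE_MAPS, SAMPLE_STATUS):
        print(action)
```

On a real device the two sample strings would be replaced by the contents of /proc/self/maps and /proc/self/status, and the allowlist would be generated at build time from the libraries the app actually ships.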

RASP - Integration

RASP Integration Process: Configuration, Integration, Signing, Binding


RASP Integration Process
1. Integrate the RASP SDK
   - Android: add ShieldSDK.jar
   - iOS: link ShieldSDK.framework
   - Add the configuration file
2. Implement callbacks: notify the app after detection of a security issue, using the ShieldCallbackManager


RASP Integration Process
3. Configure RASP (Android, iOS): configuration is done via the customer portal of Vasco
   - Authentication to the portal
   - Create a new Android RASP configuration
   - Create a new iOS RASP configuration
   - Select the app to bind


RASP Integration Process
4. Bind via the customer portal (Android, iOS)
   A. Binding: the RASP SDK and its config info are bound to the app (resources, business logic, code variables)
   B. Repacking prevention: the certificate public key is added to the bound app
   C. Code obfuscation: the business logic is obfuscated


RASP Integration Process
5. Sign the application
   - Android: sign the APK file with the keystore file
   - iOS: sign the app folder with the XCENT file

RASP Security Assessment


Documentation & security assessment service
- DIGIPASS for Apps: https://www.vasco.com/products/application-security/digipass-for-apps.html
- White paper "A Developer's Guide to Securing Mobile Applications": https://www.vasco.com/news/your-guide-to-secure-mobile-applications/
- RASP webpage & white paper: https://www.vasco.com/glossary/rasp-security.html
- RASP security assessment service on your mobile application & other requests: es-sc@vasco.com

Questions?

es-sc@vasco.com