Deliver Strong Mobile App Security and the Ultimate User Experience

The Presenters

Will LaSala, Director of Services @ VASCO
Will has been with VASCO since 2001 and over the years has been involved in all aspects of product implementation within financial institutions and mobile application developers. Will also oversees the VASCO professional services group, helping banks, enterprises, and ASPs with custom mobile application security, identity management, and authentication projects. He brings to the table over 20 years of software and cyber security experience. Will’s research interests are focused on the use of mobile technology to improve user experience.

Andrew Showstead, Director of Technical Consultancy and Market Solutions @ VASCO
Andrew oversees the engineering and product implementation aspects of mobile application security and fraud prevention projects for enterprise clients. He is also a technical team lead tasked with researching and developing new markets for VASCO in North America. Andrew returns to VASCO after serving as Chief Technology Officer for nJuvo Inc., where he led the development of an Internet security product for payment fraud prevention. His research interests include identity federation and the use of embedded technologies to simplify security.
About VASCO: Company Highlights
• Founded in 1991
• Publicly traded on the NASDAQ since 1997 (VDSI)
• More than 10,000 customers in 100 countries
• 50+ consecutive quarters of profitability
• 17+ global offices
WHAT’S THE PROBLEM WITH MY MOBILE EXPERIENCE?
The Growth of Mobile App Fraud
Threats to Your Mobile App
1. Corruption of the execution environment
• Application sandboxing is broken on a rooted device: the data you store on the device can be read or updated by any other application running on the same device
• The default keyboard is replaced by a keyboard that includes a keylogger
• A screen reader records what the application displays and forwards the information
2. Reverse engineering of the application through instrumentation and debugging
3. Modification of the application
• Modified and repackaged applications are published on alternative stores for phishing attacks
Mobile Vulnerabilities
Device Attack Surface: What behaviors can present issues?
• Browser: Phishing, Pharming, Clickjacking, Man-in-the-Middle, Buffer Overflow, Data Caching
• System: No Passcode/Weak Passcode, iOS Jailbreaking, Android Rooting, OS Data Caching, Passwords & Data Accessible, Carrier-Loaded Software, No Encryption/Weak Encryption, User-Initiated Code
• Phone/SMS: Baseband Attacks, SMishing
• Apps: Sensitive Data Storage, No Encryption/Weak Encryption, Improper SSL Validation, Config Manipulation, Dynamic Runtime Injection, Unintended Permissions, Escalated Privileges
• Malware: (no items captured for this column)
Source: viaForensics, 2014
Mobile Vulnerability – Reverse Engineering
Threats to the application
[Slide screenshots: a mock “MY Bank” app is walked through the threats listed above, ending with a repackaged look-alike app, “My Bank Too…”, that prompts the user for a “Password?!”]
BEST PRACTICES
Threats to the Application
• Avoid storing data on the mobile – apply persistent protection when you must
• Consider the platform – apply rootkit/jailbreak protections
• Secure provisioning is a must-have, and implement a secure encrypted channel
• Protect the user interface from malicious compromise
• Two-factor authentication can be achieved through an easy user experience
• Secure your transactions and document signing process
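The second best practice above (“apply rootkit/jailbreak protections”) and the first threat on the deck (a rooted device breaks application sandboxing) come down to a runtime check the app performs before it trusts the platform. The following is an added example, not VASCO or DIGIPASS code, of how such a check is typically structured: a snapshot of environment signals is scored against well-known root and jailbreak artefacts, and the score drives a policy decision. On a real device the snapshot would be filled from OS probes (file existence, build properties, the mount table, debugger state); here it is a constructed object so the logic runs offline. The indicator lists, weights, threshold of 2 and policy strings are all assumptions for illustration, not a complete or evasion-proof set.

```python
"""Root / jailbreak indicator assessment (added example, not VASCO code)."""
from dataclasses import dataclass, field

# Illustrative indicators only; commercial shielding products check far more
# signals and hide the checks themselves from instrumentation.
SU_BINARIES = ("/system/bin/su", "/system/xbin/su", "/sbin/su", "/su/bin/su")
ROOT_MANAGER_PACKAGES = ("eu.chainfire.supersu", "com.topjohnwu.magisk")
JAILBREAK_PATHS = (
    "/Applications/Cydia.app",
    "/Library/MobileSubstrate/MobileSubstrate.dylib",
    "/private/var/lib/apt",
)


@dataclass
class DeviceSnapshot:
    """Constructed stand-in for what the app would probe on the device."""
    existing_paths: frozenset = frozenset()
    installed_packages: frozenset = frozenset()
    build_tags: str = "release-keys"     # Android ro.build.tags
    system_writable: bool = False        # /system mounted read-write
    debugger_attached: bool = False


@dataclass
class Assessment:
    score: int = 0
    reasons: list = field(default_factory=list)

    def hit(self, weight: int, reason: str) -> None:
        self.score += weight
        self.reasons.append(reason)

    @property
    def compromised(self) -> bool:
        # Assumed threshold: one weak signal alone should not lock the user out
        return self.score >= 2


def assess_device(snap: DeviceSnapshot) -> Assessment:
    """Score the snapshot; strong artefacts weigh 2, weak hints weigh 1."""
    a = Assessment()
    for p in SU_BINARIES:
        if p in snap.existing_paths:
            a.hit(2, f"su binary present: {p}")
    for pkg in ROOT_MANAGER_PACKAGES:
        if pkg in snap.installed_packages:
            a.hit(1, f"root manager installed: {pkg}")
    for p in JAILBREAK_PATHS:
        if p in snap.existing_paths:
            a.hit(2, f"jailbreak artefact present: {p}")
    if snap.build_tags == "test-keys":
        a.hit(1, "firmware signed with test-keys")
    if snap.system_writable:
        a.hit(2, "/system mounted read-write")
    if snap.debugger_attached:
        a.hit(1, "debugger attached")
    return a


def policy(snap: DeviceSnapshot) -> str:
    """Map the score to an app decision (policy names are assumed)."""
    a = assess_device(snap)
    if a.compromised:
        return "deny-sensitive-operations"
    if a.score > 0:
        return "step-up-authentication"
    return "allow"


# Constructed sample snapshots
CLEAN = DeviceSnapshot(existing_paths=frozenset({"/system/bin/sh"}))
ROOTED = DeviceSnapshot(
    existing_paths=frozenset({"/system/bin/sh", "/system/xbin/su"}),
    build_tags="test-keys",
)
DEBUGGED = DeviceSnapshot(debugger_attached=True)

if __name__ == "__main__":
    for name, snap in (("clean", CLEAN), ("rooted", ROOTED), ("debugged", DEBUGGED)):
        a = assess_device(snap)
        print(name, a.score, policy(snap), a.reasons)
```

The point of the weighted score rather than a single boolean is the deck’s own framing of persistent protection: a device that merely has a debugger attached warrants a step-up, while an su binary plus test-keys firmware means stored data and the UI can no longer be trusted and sensitive operations should be refused.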
SECURING THE MOBILE EXPERIENCE: DIGIPASS FOR APPS
What is Runtime Application Self-Protection?
RASP, or application shielding, is a set of technologies used to add security functionality directly to mobile applications for the detection and prevention of application-level intrusions.
What Does RASP Do?
• Proactively shields applications from malware
• Controls execution and prevents real-time attacks
• Protects the integrity of mobile applications to ensure data and transactions are not compromised
• Maintains a mobile application’s runtime integrity even if a user inadvertently downloads malware onto their device
Why Do I Need RASP?
“The hackers may be gaining access through applications and solutions... many organizations have significant network security in place but it’s not enough as 84% of all cyber-attacks are happening on the application layer.”
Source: http://www.forbes.com/sites/sap/2015/03/10/most-cyber-attacks-occur-from-this-common-vulnerability/#122ee06741ae
“Only 1% of all apps today have a Runtime Application Self-Protection running but by 2020, 44% of all applications will be leveraging some type of RASP protection.”
Source: http://www.technavio.com/report/global-it-security-global-runtime-application-self-protection-security-market-2016-2020
[Slide mockup: a “MYApp” push notification, delivered with real-time queuing, presenting the pending transaction with Approve / Deny buttons]
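The Approve / Deny mockup above and the “secure your transactions and document signing process” best practice describe the same mechanism: the server issues a one-time challenge bound to the transaction it received, the device shows the user those details, and the user’s device signs exactly what was shown with a key provisioned to that device earlier. The following is an added example, not DIGIPASS code, of that round trip in plain HMAC-SHA256. The `BankServer`, `SigningDevice` and `run_demo` names, the per-device key provisioning, the canonical JSON encoding and the sample transactions are all assumptions constructed for illustration.

```python
"""Transaction signing round trip (added example, not DIGIPASS code)."""
import hashlib
import hmac
import json
import secrets


def canonical(txn: dict) -> bytes:
    """Deterministic encoding so both sides MAC exactly the same bytes."""
    return json.dumps(txn, sort_keys=True, separators=(",", ":")).encode()


def mac(key: bytes, txn: dict, challenge: str) -> str:
    """Signature over the transaction details and the one-time challenge."""
    msg = canonical(txn) + b"|" + challenge.encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class SigningDevice:
    """The user's phone; the key is assumed to have been provisioned securely."""

    def __init__(self, device_id: str, key: bytes):
        self.device_id = device_id
        self._key = key

    def sign(self, txn: dict, challenge: str) -> str:
        # In the real app the user reviews txn on screen (the Approve step)
        # before this runs; what is signed is what was displayed.
        return mac(self._key, txn, challenge)


class BankServer:
    def __init__(self):
        self._keys = {}      # device_id -> provisioned key
        self._pending = {}   # challenge -> (device_id, transaction as recorded)

    def provision(self, device_id: str, key: bytes) -> None:
        self._keys[device_id] = key

    def issue_challenge(self, device_id: str, txn: dict) -> str:
        challenge = secrets.token_hex(16)
        self._pending[challenge] = (device_id, dict(txn))
        return challenge

    def verify(self, device_id: str, challenge: str, signature: str) -> bool:
        # pop() makes the challenge single-use, so a replayed signature fails
        entry = self._pending.pop(challenge, None)
        if entry is None or entry[0] != device_id:
            return False
        key = self._keys.get(device_id)
        if key is None:
            return False
        # Recompute over the transaction the server recorded, not a client claim
        expected = mac(key, entry[1], challenge)
        return hmac.compare_digest(expected, signature)


def run_demo() -> dict:
    """Genuine approval, a replayed approval, and a tampered transaction."""
    key = secrets.token_bytes(32)                     # constructed device key
    server = BankServer()
    server.provision("phone-1", key)
    phone = SigningDevice("phone-1", key)
    txn = {"amount": "250.00", "currency": "EUR",
           "beneficiary": "NL00BANK0123456789"}        # constructed sample

    # 1. Genuine: the user signs exactly what the server recorded
    ch = server.issue_challenge("phone-1", txn)
    sig = phone.sign(txn, ch)
    genuine = server.verify("phone-1", ch, sig)

    # 2. Replay: the same challenge and signature are submitted again
    replay = server.verify("phone-1", ch, sig)

    # 3. Tampered: the beneficiary was altered before reaching the server,
    #    but the user's device signs the transaction the user actually entered
    altered = dict(txn, beneficiary="XX00MULE0000000000")
    ch2 = server.issue_challenge("phone-1", altered)
    sig2 = phone.sign(txn, ch2)
    tampered = server.verify("phone-1", ch2, sig2)

    return {"genuine": genuine, "replay": replay, "tampered": tampered}


if __name__ == "__main__":
    print(run_demo())
```

Two details carry the security value: the server verifies against the transaction it stored when it issued the challenge, so a change made anywhere between the user’s screen and the server changes the MAC input and fails; and the challenge is consumed on first use, so a captured approval cannot be queued again later.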
ACHIEVING THE BEST PRACTICES
Achieving Best Security Practice with DIGIPASS for APPS
The slide maps each best practice to the component that addresses it; four of the six are marked as covered by DIGIPASS for Apps and two by RASP:
• Avoid storing data on the mobile – apply persistent protection when you must
• Consider the platform – apply rootkit/jailbreak protections
• Secure provisioning is a must-have, and implement a secure encrypted channel
• Protect the user interface from malicious compromise
• Two-factor authentication can be achieved through an easy user experience
• Secure your transactions and document signing process
WHAT’S NEXT?
Contact the VASCO team to get a live demo that:
• demonstrates compromised app behavior
• outlines DIGIPASS for APPS protection mechanisms
• [email protected]