DESCRIPTION

Take a deep-dive into the benefits of incorporating improved security protection into your organization’s mobile application development lifecycle, from testing phase to run-time. In this on-demand webinar, you’ll learn how to:
- Better identify application integrity risks (vulnerable portions of your apps that could serve as attractive attack targets to hackers, even after you’ve adhered to safe-coding practices), and bolster your overall level of mobile security protection.
- Deploy protection tools—based on AppScan-aided risk assessment technology and supplemented by manual analysis—to design and implement “defend”, “detect”, and “react” protections inside your applications, without modifying their source code.
- Augment your code-testing with proactive protections inside your mobile applications, by learning more about IBM’s and Arxan’s partnered solutions.
View the full on-demand webcast: https://www2.gotomeeting.com/register/607714898


Page 1: 5 key ways to incorporate security protection into your organization’s mobile application development lifecycle

© 2014 IBM Corporation

IBM Security Systems

1


5 Key Ways to Incorporate Security Protection into your Organization’s Mobile Application Development Lifecycle

Page 2

Mobile Application Security Landscape

Mobile Risks and Attack Vectors

Incorporating Protection Into Your Mobile Application Development Lifecycle

Agenda

Page 3

Threats are Increasing – Old and New Targets

Mobile Devices Targeted: Mobile Malware Increasing
Malicious code infects more than 11.6 million mobile devices at any given time
Source: InfoSec, "Mobile Malware Infects Millions; LTE Spurs Growth," January 2014

Mobile devices and apps that we rely on are under attack
90% of top mobile apps have been hacked
Source: Arxan Technologies, “App Economy under Attack: Report Reveals More than 90 Percent of the Top 100 Mobile Apps Have Been Hacked”

Web Application Vulnerabilities: XSS and SQL Injection Exploitations
XSS and SQL injection exploits continue in high numbers
33% of vulnerability disclosures are web application vulnerabilities
Source: IBM X-Force Threat Intelligence Quarterly, 1Q 2014

Page 4

Mobile Malware Growth’s Logarithmic

Page 5

Mobile Apps Under Attack

• “78 percent of top 100 paid Android and iOS Apps are available as hacked versions on third-party sites” (“State of Security in the App Economy”, Arxan, 2013)

• "Chinese App Store Offers Pirated iOS Apps Without the Need to Jailbreak” (Extreme Tech, 2013)

• “86% of Mobile Malware is legit apps repackaged with malicious payloads” (NC State University, 2012)

Page 6

Mobile Risks and Attack Vectors

Page 7

User vs. Enterprise Risk

User
• Threat from Malware: Trojans and Spyware
• Phishing
• Fake Android marketplace: Malware bundled with apps
• Unauthorized Use of: Contact DB, Email, SMS (text messages), Phone (placing calls), GPS (public location), Data on device

Enterprise
• Data leakage: Malware attacks, Account information on mobile devices
• Cracking mobile apps: Easy access to applications, Reverse-engineering
• Little to no App control: BYOD, Consumer devices

OWASP Mobile Top 10 Risks (RC 2014 V1): #2 Insecure Data Storage, #4 Unintended Data Leakage, #10 Lack of Binary Protections

Page 8

App Confidentiality and Integrity Risks

Integrity Risk (Code Modification or Code Injection Vulnerabilities)
• Application binaries can be modified
• Run-time behavior of applications can be altered
• Malicious code can be injected into applications

Confidentiality Risk (Reverse Engineering or Code Analysis Vulnerabilities)
• Sensitive information can be exposed
• Applications can be reverse-engineered back to the source code
• Code can be lifted and reused or repackaged

Page 9

Lots of Ways to Hack an App

Page 10

“Tools of the Trade” for Mobile Pen-Testers or Black Hats

Category: Example Tools

App decryption / unpacking / conversion
• Clutch
• APKTool
• dex2jar

Static binary analysis, disassembly, decompilation
• IDA Pro & Hex-Rays (disassembler/decompiler)
• Hopper (disassembler/decompiler)
• JD-GUI (decompiler)
• Baksmali (disassembler)
• Info dumping: class-dump-z (classes), nm (symbols), strings

Runtime binary analysis
• GDB (debugger)
• ADB (debugger)
• Introspy (tracer/analyzer)
• Snoop-It (debugging/tracing, manipulation)
• Sogeti tools (dump key chain or filesystem, custom ramdisk boot, PIN brute force)

Runtime manipulation, code injection, method swizzling, patching
• Cydia Substrate (code modification platform) (MobileHooker, MobileLoader)
• Cycript / Cynject
• DYLD
• Theos suite
• Hex editors

Jailbreak detection evasion
• xCon, BreakThrough, tsProtector

Integrated pen-test toolsets
• AppUse (custom "hostile" Android ROM loaded with hooks, ReFrameworker runtime manipulator, reversing tools)
• Snoop-It (iOS monitoring, dynamic binary analysis, manipulation)
• iAnalyzer (iOS app decrypting, static/dynamic binary analysis, tampering)

Page 11

Real Life Android Vulnerabilities

• Android Java APK Reverse Engineering: Hackers can easily reverse engineer binary code (the executable) back to source code, leaving it primed for code tampering
• Baksmali Code Modification: Hackers can easily crack open and disassemble (Baksmali) mobile code

Video 1

Video 2

Page 12

Incorporating Protection Into Your Mobile Application Development Lifecycle

Page 13

Build and Keep It Secure

Secure and Protected Application: free of critical flaws and vulnerabilities; protects itself against attacks

Build It Secure
• Application Development: IBM Worklight, Build and Manage Mobile Apps
• Vulnerability Analysis & Testing: IBM Security AppScan, Identifies Vulnerabilities

Keep It Secure
• Application Protection, Release & Deployment: Arxan Application Protection for IBM Solutions, Defends, Detects & Reacts

Mobile application security risk is real and impacts Users and Enterprise

Don’t procrastinate – be proactive!

Page 14

OWASP Mobile Top 10 Risks

Source: https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks

Page 15

AppScan Vulnerability Analysis

Page 16

Experts Recommend Protecting Binary Code

Consultants | Analysts | OWASP Mobile Top 10 Risks

“Protect Your Binary”

Page 17

Risks Identified with the New AppScan Rules

New Custom Rules for AppScan identify key OWASP M10 issues:

OWASP M10 Issues That New AppScan Custom Rules Cover

1. Repackaging
2. Swizzle With Behavioral Change
3. Security Control Bypass
4. Automated Jailbreak Breaking
5. Exposed Method Signatures
6. Exposed Data Symbols
7. Exposed String Tables
8. Cryptographic Key Interception
9. Presentation Layer Modification
10. Application Decryption

Page 18

A Number of Guards Can Be Leveraged

Defend against compromise
• Advanced Obfuscation
• Encryption
• Pre-Damage
• Metadata Removal

Detect attacks at run-time
• Checksum
• Debugger Detection
• Resource Verification
• Resource Encryption
• Jailbreak/Root Detection
• Swizzling Detection
• Hook Detection

React to ward off attacks
• Shut Down (Exit, Fail)
• Self-Repair
• Custom Reactions
• Alert / Phone Home
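As an added example (not code from the IBM/Arxan deck or from Arxan's own Guard implementation), the C sketch below shows the shape of a "Checksum" detect guard paired with an "Alert / Phone Home" style reaction: a reference hash of a code region is recorded at build time, recomputed at run-time, and a reaction is invoked when the bytes no longer match. The FNV-1a hash and the writable buffer standing in for a read-only code section are assumptions made so the example runs stand-alone.

```c
#include <stdint.h>
#include <stddef.h>

/* FNV-1a 32-bit over a byte range; a stand-in for whatever hash a real guard
   uses (assumption for this example). */
static uint32_t fnv1a32(const unsigned char *p, size_t n) {
    uint32_t h = 0x811c9dc5u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x01000193u; }
    return h;
}

typedef enum { GUARD_OK = 0, GUARD_TAMPERED = 1 } guard_status;

/* One guard covers one region (e.g. a function's machine code), carries the
   reference value sealed in at build time, and names its reaction. */
typedef struct {
    const void *start;
    size_t len;
    uint32_t expected;   /* reference hash baked in at build time */
    int (*react)(void);  /* reaction: alert, exit, custom */
} guard_t;

/* Run-time check: recompute the hash; on mismatch fire the reaction. */
guard_status guard_check(const guard_t *g) {
    uint32_t now = fnv1a32((const unsigned char *)g->start, g->len);
    if (now == g->expected) return GUARD_OK;
    if (g->react) g->react();
    return GUARD_TAMPERED;
}

/* Sample reaction: records an alert instead of phoning home. */
static int alerts_sent = 0;
int react_alert(void) { alerts_sent++; return alerts_sent; }
int alert_count(void) { return alerts_sent; }

/* Constructed "code region": a writable buffer stands in for a text section
   so the demonstration can simulate a one-byte patch and then undo it. */
unsigned char region[32] = "constructed code region bytes..";

/* Seal the guard, verify, simulate a patch, verify again; 1 means the guard
   passed on clean bytes and flagged the patched bytes. */
int demo(void) {
    guard_t g = { region, sizeof region, 0, react_alert };
    g.expected = fnv1a32(region, sizeof region);   /* build-time sealing */
    guard_status before = guard_check(&g);
    region[5] ^= 0x01;                             /* simulated tampering */
    guard_status after = guard_check(&g);
    region[5] ^= 0x01;                             /* restore original bytes */
    return (before == GUARD_OK && after == GUARD_TAMPERED) ? 1 : 0;
}
```

A product-grade guard network layers several such checks over each other (guards that verify other guards) and randomizes them per build, which a single check like this does not attempt.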

Page 19

AppScan / Arxan Integration

Page 20

Arxan® + IBM AppScan® Solution Components

Solution Components and Benefits

1. Technical guide
• How to integrate IBM Security AppScan® and Arxan into the SDLC to use them in conjunction
Benefit: Control full scope of risks and build in security from testing to run-time protection

2. Augmented IBM Security AppScan® rules
• Custom scan configuration for AppScan to better identify app integrity risks
Benefit: Inform required protections against app integrity attacks that can compromise even ‘flawless’ code

3. Usage of Arxan protection tools
• Informs creation of Arxan GuardSpec based on AppScan-aided integrity risk assessment, supplemented by manual analysis
Benefit: Design and implement "defend", "detect", and "react" app integrity protections inside your app, without modifying its source code

4. Tested and validated
• Demonstration with a sample app
Benefit: Helps ensure interoperability and support

Page 21

Why Arxan?

• ‘Gold standard’ protection strength: Multi-layer Guard Network, Static & run-time Guards, Customizable to your application, Automated randomization for each build
• No disruption to SDLC or source code with unique binary-based Guard injection
• Cross-platform support: >7 mobile platforms alone
• Proven: Protected apps deployed on over 300 million devices; Hundreds of satisfied customers across Fortune 500
• Unique IP ownership: 10+ patents
• Integrated with other IBM security and mobility solutions

Page 22

Additional Resources

How to Protect Worklight Apps with Arxan from IBM
Date: Thursday, September 4
Time: 11AM EDT / 4 PM GMT
Register: http://www.arxan.com/resources/arxan-and-ibm-app-protection-webinars/

Arxan/IBM White Paper: Securing Mobile Apps in the Wild

http://www.arxan.com/securing-mobile-apps-in-the-wild-with-app-hardening-and-run-time-protection/

Page 23

Additional Resources

Contact your IBM representative or email us at [email protected] for more information

Webinar Participants Eligible for Free Evaluation of Arxan Application Protection Software – Now offered as part of IBM’s Security Portfolio

Page 24

Tom Mulvehill

IBM Product
[email protected]

Will Frontiero

IBM Software Engineering

[email protected]

Jonathan Carter

Arxan Technical Director

[email protected]

Thank You!