Securing Mobile Banking Apps - You Are Only as Strong as Your Weakest Link

© 2013 IBM Corporation

Arxan & Trusteer Present:

Securing Mobile Banking Apps – You are only as strong as your weakest link

Trusteer: Ori Bach
Arxan: Jonathan Carter

© 2015 IBM Corporation

IBM Security Systems

Agenda

• Mobile App and Payment Landscape
• How Criminals Can Attack Your App
• Comprehensive Protection Techniques
• Q&A

Mobile App and Payment Landscape

Mobile Banking Services Can be a Competitive Advantage

• Mobile banking is the most important deciding factor when switching banks (32%), more important than fees (24%), branch location (21%) or services (21%), according to a survey of mobile banking customers in the U.S. [1]
• #1 Channel: Mobile banking channel development is the #1 technology priority of N.A. retail banks (2013)
• $1tn: The mobile payments market will eventually eclipse $1 trillion by 2017
• 43% of 18-20 year olds have used a mobile banking app in the past 12 months
• 29%: Cash-based retail payments in the U.S. have fallen from 36% in 2002 to 29% in 2012
• 19% of customers won't mobile bank because of security fears
• 90% of mobile banking app users use the app to check account balances or recent transactions

However, Security Is Front and Center and Must Be Addressed

Many Are Falling Short

• Majority of top 100 paid Android and iOS Apps are available as hacked versions on third-party sites
• …as are many financial service, retail, and healthcare apps (State of Mobile App Security, Arxan, 2015)
• "Chinese App Store Offers Pirated iOS Apps Without the Need to Jailbreak" (Extreme Tech, 2013)

http://www-03.ibm.com/software/products/en/arxan-application-protection

You are only as strong as your weakest link

Application Risks:
• App hacking
• App security vulnerabilities

Device Risks:
• Rooted / jailbroken devices
• Outdated OS security vulnerabilities
• Malware

Session Risks:
• Unsecure connection
• SMS forwarding
• Mobile ATO / cross-channel ATO

How Criminals Can Easily Attack Your Mobile Banking App

Typical Software Security Lifecycle

Phases: Plan → Design, Build, Test → Test, Deploy

Activities:
• High-Level Risk Assessments
• Security Policy Review
• Define Security Requirements
• Security Architecture Review
• Threat modeling
• Static Analysis
• Dynamic Testing
• Penetration Testing
• Application Monitoring
• Secure Code Review
• Secure Coding Training
• Final Functional & Security Testing

Produces a "Secure" Application with few, known and acceptable vulnerabilities … BUT

Even Secure Mobile Apps can be Hacked

Application Environment → Application Security Model

Centralized, trusted environment (Web apps; Data center custom apps)
• Attackers do not have easy access to application binary
• Security model: Vulnerability Analysis and Flaw Remediation ("Build It Secure")

Distributed or untrusted environment, "Apps in the Wild" (Mobile Apps; Internet of Things / Embedded; Packaged Software)
• Attackers can easily access and compromise application binary
• Security model: Vulnerability Analysis and Flaw Remediation ("Build It Secure") plus Application Hardening and Run-Time Protection ("Keep It Secure")

App Confidentiality and Integrity Risks

Integrity Risk (Code Modification or Code Injection Vulnerabilities)
• Application binaries can be modified
• Run-time behavior of applications can be altered
• Malicious code can be injected into applications

Confidentiality Risk (Reverse Engineering or Code Analysis Vulnerabilities)
• Sensitive information can be exposed
• Applications can be reverse-engineered back to the source code
• Code can be lifted and reused or repackaged

Anatomy of Attacks on Mobile Apps

Reverse-engineering app contents:
1. Decrypt the mobile app (iOS apps)
2. Open up and examine the app
3. Create a hacked version
4. Distribute App

Outcomes shown in the diagram: extract and steal confidential data; create a tampered, cracked or patched version of the app; release / use the hacked app; use malware to infect/patch the app on other devices.

https://www.arxan.com/how-to-hack-a-mobile-application

But isn't My App Encrypted?

Well, yes, but … iTunes Code Encryption Bypass
• It is easy for hackers to bypass iOS encryption to progress a mobile app attack.

© 2014 IBM Corporation

Account Takeover via a Criminal Mobile Device

Server-side Device ID is not effective for mobile devices:
• Mobile devices share many identical attributes
• Mobile devices have the same attributes: OS, browser, fonts etc.
• Cybercriminals can easily trick traditional device ID systems
• Cybercriminals love mobile anonymity

Cross channel account takeover attacks

Diagram: the Customer's credentials and data are stolen (Credentials Theft); the Criminal then uses them to LOGIN via Online Banking or via Mobile Login to the Bank's Mobile Banking App / website.

Vulnerable and Compromised Devices

Rooted or Jailbroken Devices
• New jailbreak techniques
• Jailbreak and rooting evasion
• Data sent / received exposed, including data sent over SSL
• No defense against malware

Malware types:
• SMS interceptors
• Overlay attacks
• Automated malware
• Data stealers

Financial Malware and Ransomware

• Installing malicious app as "device admin"
• App prevents user from deleting it

SVPENG Screen "injection"

Overlay on Google Play; overlay on Russian bank login screen

Ransomware: Now on Mobile – can't remove the app!

Example of SMS forwarding attack: Coordinated attacks across PC and mobile

1. Cybercriminals convince users to supply their mobile phone number, via malware or phishing, so an app can be installed on the phone
2. User installs the fake security application and enters the activation code
3. Malware captures all SMS traffic, including OTPs, and forwards it to the fraudsters, who use the captured OTP to bypass authentication for fraudulent transfers made via online banking

OTP SMS forwarding for sale as underground service

Diagram: the User Name + Password and the OTP SMS are captured on the victim's device; the Credentials and the OTP SMS are relayed to the criminals' TOR C&C.

Mobile App & Mobile Payment Protection Techniques

IBM - An integrated approach to secure mobile banking

Build it Safe → Keep It Safe → Prevent Misuse

Threats addressed:
• Hacking
• App security vulnerabilities
• Rooted / jailbroken devices
• Credentials stealing malware
• Data transferred over an unsecure connection
• Account takeover fraud
• SMS forwarding malware

Products:
• IBM Security AppScan
• IBM Security Access Manager
• Trusteer Mobile SDK / Browser
• Trusteer Pinpoint Criminal Detection
• Arxan
• Worklight

Detecting Vulnerable and Compromised Devices

Trusteer Mobile SDK detects mobile malware and rogue apps

Mobile Malware: SMS interceptors, device rooters, data stealers, generic downloaders

Rogue Apps (reported as risk factors):
• Access sensitive functions (like SMS)
• Launch at startup
• Not pre-approved by Trusteer

Holistic data protection with IBM Mobile Security

Mobile Banking:
• Criminals attempt to eavesdrop on the app on unsecure devices → Access is prevented from jailbroken/rooted devices detected by Trusteer Mobile SDK
• Criminals look for security vulnerabilities → All vulnerabilities removed with AppScan
• Criminals attempt to hack the application → Hack fails due to Arxan obfuscation and runtime protections
• Criminals deploy credential stealing malware → Access is prevented from malware infected devices detected by Trusteer Mobile SDK

Detecting Criminal Devices with Trusteer

Trusteer Pinpoint Detection and Trusteer Mobile SDK:
• Determine device location (GPS / network triangulation)
• Detect IP "Velocity" condition

Detecting and responding to account takeover attacks

Diagram: the Customer's credentials and data are stolen (Credentials Theft); the Criminal attempts a LOGIN via Online Banking, watched by Trusteer Pinpoint Malware Detection and Trusteer Pinpoint Criminal Detection, or an App Login to the Bank's Mobile Banking App, which carries the Trusteer Mobile SDK. ISAM Policy and Runtime Management enforces the outcome: Restrict Access.

Device Risk (1):
• Jailbroken / Rooted Device
• Malware Infection
• New device ID
• Unpatched OS
• Unsecure Wi-Fi connection
• Rogue App

+ Account Risk (2):
• Proxy
• New Payee
• Spoofing
• Phished Incident
• Malware Infection

Stopping account takeover using SMS forwarding malware

Diagram: the Customer's OTP SMS is forwarded to the Criminal, who initiates a payment requiring OTP authorization after a LOGIN via Online Banking (Trusteer Pinpoint Criminal Detection) or an App Login to the Bank's Mobile Banking App (Trusteer Mobile SDK). ISAM Policy and Runtime Management enforces the outcome: Payment Denied.

Device Risk (1):
• Jailbroken / Rooted Device
• Malware Infection
• New device ID
• Unpatched OS
• Unsecure Wi-Fi connection
• Rogue App

+ Account Risk (2):
• Proxy
• New Payee
• Spoofed device
• Phishing Incident
• Malware Infection

Criminal initiates payment requiring OTP authorization
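As an added example (not IBM, Trusteer or Arxan code), the Device Risk + Account Risk decision sketched in the two account takeover slides above, written out as a small policy engine: the signal names are the risk factors listed on the slides, while the weights, thresholds, the hard rule for SMS-delivered OTPs and the decision labels are constructed assumptions.

```python
"""Device Risk + Account Risk decision for a login or payment.

Added example, not IBM, Trusteer or Arxan code. The signal names are the
risk factors named on the slides; weights, thresholds, the SMS-OTP rule and
the decision labels are constructed for illustration."""
from __future__ import annotations
from dataclasses import dataclass, field

# Device-side signals (what an on-device SDK would report). Weights constructed.
DEVICE_RISK = {"jailbroken_or_rooted": 50, "malware_infection": 60, "new_device_id": 15,
               "unpatched_os": 10, "unsecure_wifi": 10, "rogue_app": 30}
# Account-side signals (what server-side fraud detection would correlate).
ACCOUNT_RISK = {"proxy": 20, "new_payee": 25, "spoofed_device": 40,
                "phishing_incident": 50, "malware_infection": 60}
# Signals meaning SMS on the device may be read and forwarded by an attacker, so an
# SMS OTP no longer proves that the legitimate customer authorised the payment.
SMS_CHANNEL_COMPROMISED = {"malware_infection", "rogue_app"}
STEP_UP_AT, RESTRICT_AT = 25, 50   # score thresholds (constructed)


@dataclass
class Request:
    action: str                                  # "login" or "payment"
    device_signals: set[str] = field(default_factory=set)
    account_signals: set[str] = field(default_factory=set)
    otp_by_sms: bool = False                     # payment would be authorised by an SMS OTP


def risk_score(req: Request) -> int:
    """Sum the weights of every recognised signal; unknown signal names count 0."""
    device = sum(DEVICE_RISK.get(s, 0) for s in req.device_signals)
    account = sum(ACCOUNT_RISK.get(s, 0) for s in req.account_signals)
    return device + account


def decide(req: Request) -> tuple[str, list[str]]:
    """Return (decision, reasons): allow, step_up, restrict or deny."""
    reasons = sorted(f"device:{s}" for s in req.device_signals & set(DEVICE_RISK))
    reasons += sorted(f"account:{s}" for s in req.account_signals & set(ACCOUNT_RISK))
    # Hard rule: a payment authorised by SMS OTP from a device whose SMS traffic may
    # be intercepted is denied outright, whatever the score (Payment Denied above).
    if req.action == "payment" and req.otp_by_sms and req.device_signals & SMS_CHANNEL_COMPROMISED:
        return "deny", reasons + ["otp_channel_untrusted"]
    total = risk_score(req)
    if total >= RESTRICT_AT:
        return "restrict", reasons        # e.g. rooted device: Restrict Access
    if total >= STEP_UP_AT:
        return "step_up", reasons         # ask for stronger, non-SMS authentication
    return "allow", reasons


if __name__ == "__main__":
    print(decide(Request("payment", {"malware_infection"}, {"new_payee"}, otp_by_sms=True)))
```

The reasons list is what an analyst would want logged alongside the decision, so the denial of a forwarded-OTP payment can be traced back to the device signal that triggered it.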

Application Protection: Can you say: Ob-fu-sca-tion!

Confuse the Hacker
• Dummy Code Insertion
• Instruction Merging
• Block Shuffling
• Function Inlining
• … and More!

(Illustration: turns this … into this …)

Application Protection: Preventing Reverse Engineering

Other Techniques
• Method Renaming
• String Encryption
• … and More!

(Illustration: "String not found … Where did it go?")

Application Protection: Preventing Tampering

Common Techniques
• Checksum -- Has the binary changed? If so, let me know so I can do something about it!
• Method Swizzling Detection -- Is someone hijacking my code?
• Debug Detection -- Is a Debugger Running?

Application Protection: A Number of Guards Can Be Leveraged

Defend against compromise
• Advanced Obfuscation
• Encryption
• Pre-Damage
• Metadata Removal

Detect attacks at run-time
• Checksum
• Debugger Detection
• Resource Verification
• Resource Encryption
• Jailbreak/Root Detection
• Swizzling Detection
• Hook Detection

React to ward off attacks
• Shut Down (Exit, Fail)
• Self-Repair
• Custom Reactions
• Alert / Phone Home

Application Protection: Multi-Layered Protection – Example

Application Protection: Mobile Payment Apps: Host Card Emulation

Mobile payment, with the existing retail PoS infrastructure

HCE mobile apps have particular needs:
• Need protection of keys and cryptography – offline, as well as online
• Need to work on any Android device – from any manufacturer, with any mobile operator
• Should be portable to other platforms – once they support HCE too

Arxan's innovative solution:
• TransformIT® – Whitebox cryptography
• PLUS Application protection technology – Anti reverse-engineering; Tamper resistance

Application Protection: Why Arxan?

• 'Gold standard' protection strength – Multi-layer Guard Network; Static & run-time Guards; Customizable to your application; Automated randomization for each build
• No disruption to SDLC or source code with unique binary-based Guard injection
• Cross platform support – > 7 mobile platforms alone
• Proven – Protected apps deployed on over 300 million devices; Hundreds of satisfied customers across Fortune 500
• Unique IP ownership: 10+ patents
• Integrated with other IBM security and mobility solutions

World's Strongest App Protection, Now Sold & Supported by IBM

Benefit of your existing trusted relationship with IBM
• Arxan's technology now available from IBM: Sales, Solution, Services, Support from IBM, with close collaboration between IBM and Arxan to ensure your success
• Leverage your existing procurement frameworks and contract vehicles (IBM Passport Advantage, ELAs, Perpetual License, Elite Support, etc.) for purchasing Arxan products and take advantage of your relationship pricing and special discounts from IBM

Leverage Arxan as part of comprehensive solution portfolio from IBM to holistically secure mobile apps, with value-adding validated integrations
• Enables unique 'Scan + Protect' application security strategy and best practice for building it secure during development (AppScan) and keeping it secure deployed "in the wild" (Arxan)
• Value-adding Arxan integrations, validations, and interoperability testing with other IBM products (e.g., IBM AppScan, IBM Trusteer, IBM Worklight)

Special Offer for Webinar Participants

Webinar participants eligible for Free Evaluation of "Arxan Application Protection for IBM Solutions", now offered as part of IBM's Security Portfolio

NEXT STEP: Contact your IBM representative or email [email protected] for more information

Additional Resources

• Arxan/IBM White Paper: Securing Mobile Apps in the Wild
  http://www.arxan.com/securing-mobile-apps-in-the-wild-with-app-hardening-and-run-time-protection/
• How to Hack An App
  https://www.youtube.com/watch?v=VAccZnsJH00
• IBM Whitepaper: Old Techniques, New Channel: Mobile Malware Adapting PC Threat Techniques
  https://www14.software.ibm.com/webapp/iwm/web/signup.do?source=swg-WW_Security_Organic&S_PKG=ov26530&S_TACT=C341006W&S_CMP=web_opp_sec_trusteer_msdk/

Q&A

Thank You!

Ori Bach
[email protected]

Jonathan Carter
[email protected]