Arxan & Trusteer Present:
Securing Mobile Banking Apps – You are only as strong as your weakest link
Trusteer: Ori Bach
Arxan: Jonathan Carter
Jul 16, 2015
© 2015 IBM Corporation
Agenda
• Mobile App and Payment Landscape
• How Criminals Can Attack Your App
• Comprehensive Protection Techniques
• Q&A
Mobile Banking Services Can be a Competitive Advantage
• Mobile banking is the most important deciding factor when switching banks (32%), more important than fees (24%), branch location (21%) or services (21%) (survey of mobile banking customers in the U.S.) 1
• Mobile banking channel development is the #1 technology priority of North American retail banks (2013)
• The mobile payments market will eventually eclipse $1 trillion by 2017
• 43% of 18-20 year olds have used a mobile banking app in the past 12 months
• Cash-based retail payments in the U.S. have fallen from 36% in 2002 to 29% in 2012
• 19% of customers won't mobile bank because of security fears
• 90% of mobile banking app users use the app to check account balances or recent transactions
However, Security Is Front and Center and Must Be Addressed
Many Are Falling Short
• Majority of top 100 paid Android and iOS Apps are available as hacked versions on third-party sites
• …as are many financial service, retail, and healthcare apps (State of Mobile App Security, Arxan, 2015)
• "Chinese App Store Offers Pirated iOS Apps Without the Need to Jailbreak" (ExtremeTech, 2013)
http://www-03.ibm.com/software/products/en/arxan-application-protection
You are only as strong as your weakest link
Application Risks: App hacking; App security vulnerabilities
Device Risks: Rooted / jailbroken devices; Outdated OS security vulnerabilities; Malware
Session Risks: Unsecure connection; SMS forwarding; Mobile ATO / cross-channel ATO
How Criminals Can Easily Attack Your Mobile Banking App
Typical Software Security Lifecycle
Phases: Plan → Design, Build, Test → Test, Deploy
Activities:
• High-Level Risk Assessments
• Security Policy Review
• Define Security Requirements
• Security Architecture Review
• Threat Modeling
• Static Analysis
• Dynamic Testing
• Penetration Testing
• Secure Code Review
• Secure Coding Training
• Final Functional & Security Testing
• Application Monitoring
Produces a "Secure" Application with few, known and acceptable vulnerabilities, BUT …
Even Secure Mobile Apps can be Hacked
Application Environment → Application Security Model
• Centralized, trusted environment (Web apps; Data center custom apps): attackers do not have easy access to the application binary → Vulnerability Analysis and Flaw Remediation ("Build It Secure")
• Distributed or untrusted environment, "Apps in the Wild" (Mobile Apps; Internet of Things / Embedded; Packaged Software): attackers can easily access and compromise the application binary → Vulnerability Analysis and Flaw Remediation ("Build It Secure") plus Application Hardening and Run-Time Protection ("Keep It Secure")
App Confidentiality and Integrity Risks
Integrity Risk (Code Modification or Code Injection Vulnerabilities)
• Application binaries can be modified
• Run-time behavior of applications can be altered
• Malicious code can be injected into applications
Confidentiality Risk (Reverse Engineering or Code Analysis Vulnerabilities)
• Sensitive information can be exposed
• Applications can be reverse-engineered back to the source code
• Code can be lifted and reused or repackaged
Anatomy of Attacks on Mobile Apps
1. Decrypt the mobile app (iOS apps)
2. Open up and examine the app: reverse-engineer the app contents; extract and steal confidential data
3. Create a hacked version: a tampered, cracked or patched version of the app
4. Distribute the app: release / use the hacked app; use malware to infect/patch the app on other devices
https://www.arxan.com/how-to-hack-a-mobile-application
But isn't My App Encrypted?
Well, yes, but …
iTunes Code Encryption Bypass
• It is easy for hackers to bypass iOS code encryption in order to progress a mobile app attack: the binary is only encrypted at rest, and the OS decrypts it in memory to run it, so on a jailbroken device the decrypted image can be dumped straight from the running process.
Account Takeover via a Criminal Mobile Device
Server-side device ID is not effective for mobile devices
• Mobile devices share many identical attributes (the same OS, browser, fonts etc.), so a traditional device fingerprint has little entropy on mobile
• Cybercriminals can easily trick traditional device ID systems
• Cybercriminals love mobile anonymity
Online Banking: Cross channel account takeover attacks
(diagram: the criminal steals the customer's credentials and data in one channel, then uses them to log in to the bank's mobile banking app / website through the other channel)
Vulnerable and Compromised Devices
Rooted or Jailbroken Devices
• New jailbreak techniques
• Jailbreak and rooting evasion
• Data sent/received exposed, including data sent over SSL
• No defense against malware: SMS interceptors, overlay attacks, automated malware, data stealers
Financial Malware and Ransomware
• Installs the malicious app as "device admin"
• The app then prevents the user from deleting it
SVPENG Screen "injection"
(screenshots: overlay on Google Play; overlay on a Russian bank login screen)
Coordinated attacks across PC and mobile
Example of SMS forwarding attack
1. Cybercriminals convince users, via malware or phishing, to supply their mobile phone number so that an app can be installed on the phone
2. The user installs the fake security application and enters the activation code
3. The malware captures all SMS traffic, including OTPs, and forwards it to the fraudsters, who use the captured OTP to bypass authentication on fraudulent transfers made via online banking
OTP SMS forwarding for sale as underground service
(diagram: the victim's user name + password and OTP SMS are relayed through a Tor C&C to the criminal, who collects the credentials and the OTP SMS)
IBM - An integrated approach to secure mobile banking
• Build it Safe: Hacking; App security vulnerabilities
• Keep It Safe: Rooted / jailbroken devices; Credentials stealing malware; Data transferred over an unsecure connection
• Prevent Misuse: Account takeover fraud; SMS forwarding malware
Products: IBM Security AppScan; IBM Security Access Manager; Trusteer Mobile SDK / Browser; Trusteer Pinpoint Criminal Detection; Arxan; Worklight
Detecting Vulnerable and Compromised Devices
Trusteer Mobile SDK detects mobile malware and rogue apps
• Mobile Malware: SMS interceptors, device rooters, data stealers, generic downloaders
• Rogue Apps: access sensitive functions (like SMS); launch at startup; not pre-approved by Trusteer
• Reported as risk factors
Holistic data protection with IBM Mobile Security
Mobile Banking threats and the corresponding controls:
• Criminals attempt to eavesdrop on the app on unsecure devices → access is prevented from jailbroken/rooted devices detected by Trusteer Mobile SDK
• Criminals look for security vulnerabilities → vulnerabilities are found and removed with AppScan
• Criminals attempt to hack the application → the hack fails due to Arxan obfuscation and runtime protections
• Criminals deploy credential stealing malware → access is prevented from malware infected devices detected by Trusteer Mobile SDK
Detecting Criminal Devices with Trusteer
• Trusteer Mobile SDK (on the device) determines device location (GPS/network triangulation)
• Trusteer Pinpoint Detection (server side) detects an IP "velocity" condition: the same account or device appearing from IP addresses too far apart for the time elapsed between them
Online Banking: Detecting and responding to account takeover attacks
(diagram: Trusteer Pinpoint Malware Detection watches the web login, Trusteer Pinpoint Criminal Detection watches the app login, Trusteer Mobile SDK runs inside the bank's mobile banking app, and ISAM policy and runtime management applies the decision; the criminal, holding stolen customer credentials and data, is met with "Restrict Access")
1. Device Risk
• Jailbroken / Rooted Device
• Malware Infection
• New device ID
• Unpatched OS
• Unsecure Wi-Fi connection
• Rogue App
2. Account Risk
• Proxy
• New Payee
• Spoofing
• Phished Incident
• Malware Infection
Device Risk + Account Risk → Restrict Access
Online Banking: Stopping account takeover using SMS forwarding malware
(diagram: the criminal initiates a payment requiring OTP authorization and receives the customer's forwarded OTP SMS; Trusteer Pinpoint Criminal Detection on the web login, Trusteer Mobile SDK in the bank's mobile banking app and ISAM policy and runtime management combine the risk signals, and the outcome is "Payment Denied")
1. Device Risk
• Jailbroken / Rooted Device
• Malware Infection
• New device ID
• Unpatched OS
• Unsecure Wi-Fi connection
• Rogue App
2. Account Risk
• Proxy
• New Payee
• Spoofed device
• Phishing Incident
• Malware Infection
Device Risk + Account Risk → Payment Denied
Application Protection: Can you say: Ob-fu-sca-tion!
Confuse the Hacker
• Dummy Code Insertion
• Instruction Merging
• Block Shuffling
• Function Inlining
• … and More!
(figure: "Turns this … into this …", the code before and after obfuscation)
Application Protection: Preventing Reverse Engineering
Other Techniques
• Method Renaming
• String Encryption
• … and More!
(figure: "String not found" / "Where did it go?", a string search over the protected binary coming up empty)
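The string-encryption technique listed above, as an added example that is not Arxan's code and not from the deck: a build step XORs each string literal with a short key and emits the ciphertext bytes into the source, and the app decodes into a stack buffer only at the moment of use and wipes it afterwards, so a `strings` pass over the shipped binary never sees the API host name. The host name (the constructed value `api.bank.example`), the key and the function names are this example's own assumptions; a production tool would use a per-string, per-build key rather than one shared four-byte key.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Build-time key (assumed; a real tool derives a fresh key per string and per build). */
static const uint8_t kStrKey[4] = { 0x3C, 0xA7, 0x59, 0xE2 };

/* Ciphertext of the API host name, as a build step would emit it into the source.
 * The plaintext never appears as a literal in this translation unit, so it is not
 * in the compiled binary either. (Constructed value for this example.) */
static const uint8_t kApiHostEnc[] = {
    0x5D, 0xD7, 0x30, 0xCC, 0x5E, 0xC6, 0x37, 0x89,
    0x12, 0xC2, 0x21, 0x83, 0x51, 0xD7, 0x35, 0x87
};

/* Build-tool side: XOR-encode a literal with a cyclic key. Returns bytes written,
 * or 0 if the output buffer is too small or the key is empty. */
size_t str_encode(const char *plain, const uint8_t *key, size_t keylen,
                  uint8_t *out, size_t outcap)
{
    size_t n = strlen(plain);
    if (n > outcap || keylen == 0) return 0;
    for (size_t i = 0; i < n; i++)
        out[i] = (uint8_t)plain[i] ^ key[i % keylen];
    return n;
}

/* App side: decode with the baked-in key into the caller's buffer and NUL-terminate.
 * Returns the string length, or 0 if the buffer cannot hold it plus the terminator.
 * XOR is its own inverse, so the same key undoes the build-time transform. */
size_t str_decode(const uint8_t *enc, size_t enclen, char *out, size_t outcap)
{
    if (enclen + 1 > outcap) return 0;
    for (size_t i = 0; i < enclen; i++)
        out[i] = (char)(enc[i] ^ kStrKey[i % sizeof kStrKey]);
    out[enclen] = '\0';
    return enclen;
}

/* Wipe a decoded secret once it has been used; volatile keeps the compiler from
 * dropping the stores just because the buffer is dead afterwards. */
void secure_wipe(void *p, size_t n)
{
    volatile uint8_t *v = (volatile uint8_t *)p;
    while (n--) *v++ = 0;
}

/* What an attacker's `strings`-style scan does: look for a plaintext needle in a
 * byte range. Used here to show the needle is absent from the stored ciphertext. */
int contains_bytes(const uint8_t *hay, size_t haylen, const char *needle)
{
    size_t n = strlen(needle);
    if (n == 0 || n > haylen) return 0;
    for (size_t i = 0; i + n <= haylen; i++)
        if (memcmp(hay + i, needle, n) == 0) return 1;
    return 0;
}

int main(void)
{
    char host[32];
    size_t len = str_decode(kApiHostEnc, sizeof kApiHostEnc, host, sizeof host);
    if (len == 0) return 1;
    printf("decoded host (%zu bytes): %s\n", len, host); /* build the URL, open the TLS session ... */
    secure_wipe(host, sizeof host);                        /* ... then the plaintext is gone again */
    return 0;
}
```

The decoded string still exists in memory for the few instructions that use it, which is exactly the window a debugger or a memory dump on a jailbroken device targets; that is why string encryption is paired with the debugger and checksum guards on the following slides rather than used alone.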
Application Protection: Preventing Tampering
Common Techniques
• Checksum -- Has the binary changed? If so, let me know so I can do something about it!
• Method Swizzling Detection -- Is someone hijacking my code?
• Debug Detection -- Is a debugger running?
Application Protection: A Number of Guards Can Be Leveraged
Defend against compromise
• Advanced Obfuscation
• Encryption
• Pre-Damage
• Metadata Removal
Detect attacks at run-time
• Checksum
• Debugger Detection
• Resource Verification
• Resource Encryption
• Jailbreak/Root Detection
• Swizzling Detection
• Hook Detection
React to ward off attacks
• Shut Down (Exit, Fail)
• Self-Repair
• Custom Reactions
• Alert / Phone Home
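The checksum, swizzling/hook and debugger guards from the "Preventing Tampering" slide and the detect-then-react pairing on this one, as an added example that is not Arxan's code: it hashes a protected region and re-checks it, watches a dispatch-table entry for a swapped pointer (the stand-in for a swizzled Objective-C method or a patched GOT slot), reads the tracer PID that the Linux/Android kernel exposes in /proc/self/status, and then reacts with self-repair, an alert, or shutdown. The config resource, the FNV-1a hash, the dispatch table and all function names are this example's own assumptions; a commercial guard bakes the baseline hash into the binary after the build, whereas here it is taken at start-up so the example runs stand-alone.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { GUARD_OK = 0, GUARD_TAMPERED = 1, GUARD_HOOKED = 2, GUARD_DEBUGGED = 4 };

/* FNV-1a 32-bit over any byte range: code, a resource, or data. */
uint32_t fnv1a32(const void *data, size_t len)
{
    const uint8_t *p = (const uint8_t *)data;
    uint32_t h = 0x811C9DC5u;
    for (size_t i = 0; i < len; i++) { h ^= p[i]; h *= 0x01000193u; }
    return h;
}

/* Checksum guard: the baseline is taken when armed (a shipped guard has it baked in
 * post-build) and the region is re-hashed on every check. */
typedef struct { const uint8_t *start; size_t len; uint32_t baseline; } region_guard;

region_guard region_guard_arm(const void *start, size_t len)
{
    region_guard g = { (const uint8_t *)start, len, fnv1a32(start, len) };
    return g;
}

int region_guard_check(const region_guard *g)
{
    return fnv1a32(g->start, g->len) == g->baseline ? GUARD_OK : GUARD_TAMPERED;
}

/* Self-repair reaction: restore the region from a pristine copy, then re-verify. */
int region_guard_repair(region_guard *g, uint8_t *region, const uint8_t *pristine)
{
    memcpy(region, pristine, g->len);
    return region_guard_check(g);
}

/* Hook/swizzle guard: a hooking framework replaces the pointer in a method table or
 * GOT slot; the guard remembers what it shipped and compares. */
typedef int (*authorize_fn)(int amount);
typedef struct { authorize_fn authorize; } dispatch_table;

int authorize_real(int amount) { return amount <= 1000; }   /* constructed policy */

int hook_guard_check(const dispatch_table *t, authorize_fn shipped)
{
    return t->authorize == shipped ? GUARD_OK : GUARD_HOOKED;
}

/* Debugger guard: on Linux/Android the kernel reports an attached tracer as a non-zero
 * "TracerPid:" line in /proc/self/status. Returns the pid, 0 if none, -1 if the line
 * is absent. */
int tracer_pid_from_status(const char *status_text)
{
    const char *p = strstr(status_text, "TracerPid:");
    return p ? atoi(p + strlen("TracerPid:")) : -1;
}

int is_debugger_attached(void)
{
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return 0;                       /* no procfs here: this guard cannot decide */
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return tracer_pid_from_status(buf) > 0;
}

/* Combine the verdicts into a bit set so a reaction can be chosen per finding. */
int run_guards(const region_guard *cfg, const dispatch_table *t, int debugger_attached)
{
    int flags = region_guard_check(cfg);
    flags |= hook_guard_check(t, authorize_real);
    if (debugger_attached) flags |= GUARD_DEBUGGED;
    return flags;
}

int main(void)
{
    /* Constructed "resource": a policy an attacker would love to patch in place. */
    uint8_t cfg[] = "transfer_limit=1000;require_otp=1";
    uint8_t pristine[sizeof cfg];
    memcpy(pristine, cfg, sizeof cfg);

    region_guard cfg_guard  = region_guard_arm(cfg, sizeof cfg);
    region_guard code_guard = region_guard_arm((const void *)(uintptr_t)authorize_real, 16); /* real code bytes */
    dispatch_table table = { authorize_real };

    cfg[sizeof cfg - 2] = '0';              /* simulated tamper: require_otp=1 -> require_otp=0 */
    int flags = run_guards(&cfg_guard, &table, is_debugger_attached());

    if (flags & GUARD_TAMPERED) {           /* react: self-repair first, shut down if that fails */
        if (region_guard_repair(&cfg_guard, cfg, pristine) != GUARD_OK) exit(1);
        printf("config tampered, repaired\n");           /* alert / phone home would go here */
    }
    if (flags & GUARD_HOOKED)   { printf("dispatch hooked\n"); exit(1); }
    if (flags & GUARD_DEBUGGED) { printf("debugger attached\n"); }
    return region_guard_check(&code_guard) == GUARD_OK ? 0 : 1;
}
```

The guards are only as good as their own protection: a single `region_guard_check` call site is one patched conditional jump away from being silenced, which is why the slide speaks of a guard network (many guards checking each other and the code that calls them) rather than one check.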
Application Protection: Multi-Layered Protection – Example
Application Protection: Mobile Payment Apps: Host Card Emulation
Mobile payment, with the existing retail PoS infrastructure
HCE mobile apps have particular needs
• Need protection of keys and cryptography, offline as well as online
• Need to work on any Android device, from any manufacturer, with any mobile operator
• Should be portable to other platforms once they support HCE too
Arxan's innovative solution
• TransformIT®: whitebox cryptography (the key is bound into the cipher implementation itself, so it never has to appear in the clear in memory, where malware or a debugger on the device could read it)
• PLUS application protection technology: anti reverse-engineering, tamper resistance
Application Protection: Why Arxan?
• 'Gold standard' protection strength: Multi-layer Guard Network; static & run-time Guards; customizable to your application; automated randomization for each build
• No disruption to SDLC or source code with unique binary-based Guard injection
• Cross platform support: more than 7 mobile platforms alone
• Proven: protected apps deployed on over 300 million devices; hundreds of satisfied customers across the Fortune 500
• Unique IP ownership: 10+ patents
• Integrated with other IBM security and mobility solutions
World's Strongest App Protection, Now Sold & Supported by IBM
Benefit of your existing trusted relationship with IBM
• Arxan's technology now available from IBM: sales, solution, services, support from IBM, with close collaboration between IBM and Arxan to ensure your success
• Leverage your existing procurement frameworks and contract vehicles (IBM Passport Advantage, ELAs, Perpetual License, Elite Support, etc.) for purchasing Arxan products and take advantage of your relationship pricing and special discounts from IBM
Leverage Arxan as part of the comprehensive solution portfolio from IBM to holistically secure mobile apps, with value-adding validated integrations
• Enables a unique 'Scan + Protect' application security strategy and best practice for building it secure during development (AppScan) and keeping it secure deployed "in the wild" (Arxan)
• Value-adding Arxan integrations, validations, and interoperability testing with other IBM products (e.g., IBM AppScan, IBM Trusteer, IBM Worklight)
Special Offer for Webinar Participants
"Arxan Application Protection for IBM Solutions" is now offered as part of IBM's Security Portfolio; webinar participants are eligible for a free evaluation.
NEXT STEP: Contact your IBM representative or email [email protected] for more information
Additional Resources
• Arxan/IBM White Paper: Securing Mobile Apps in the Wild
http://www.arxan.com/securing-mobile-apps-in-the-wild-with-app-hardening-and-run-time-protection/
• How to Hack An App
https://www.youtube.com/watch?v=VAccZnsJH00
• IBM Whitepaper: Old Techniques, New Channel: Mobile Malware Adapting PC Threat Techniques
https://www14.software.ibm.com/webapp/iwm/web/signup.do?source=swg-WW_Security_Organic&S_PKG=ov26530&S_TACT=C341006W&S_CMP=web_opp_sec_trusteer_msdk/
Thank You! Ori Bach
Jonathan Carter