© VASCO Data Security, Inc. Webinar - 13 December 2016 How to secure your mobile application with RASP



Page 2: Agenda

1. Mobile Application Security – Dirk Denayer, Enterprise & Application Security
• Risk categories
• Protection layers including RASP

2. RASP – Runtime Application Self-Protection – Guillaume Teixeron, Product Manager
• SDK protection components
• Integration process
• Configuration
• Security assessment service

Page 3: Mobile application risks – some figures

• … % of tested apps has at least one vulnerability
• … % of successful breaches target the application layer

Source: Trustwave Global Security Report 2016

Page 4: Mobile application risks – 3 categories

1. Application vulnerabilities
2. Platform weaknesses
3. Man-in-the-Middle Attacks

Page 5: Mobile application protection – 3 layers

1. Application protection
2. RASP (Runtime Application Self Protection)
3. Protection of communication

Page 6: 1. Protecting the app

• Secure storage against data theft and device cloning
• Secure coding against reverse engineering
• Secure activation against account takeover

Page 7: 2. Protecting execution (RASP)

RASP cycle: Detect – Notify – Stop – Prevent

RASP protections:
• Anti-repackaging
• Anti-screen shots
• Anti-code injection
• Debugger prevention
• Anti-key logging
• Anti-screen reader
• Emulator protection
• Anti-screen mirroring

Page 8: 3. Protecting communication

A Secure Channel between the app and the back end, running on top of the transport layer.

Pages 9–11: DIGIPASS for Apps technologies

• PIN Management
• Jailbreak/Root Detection
• Integration with Biometrics
• Device Binding
• Secure Storage
• Geolocation
• Client Scoring
• Two-Factor Authentication
• Transaction Signing
• Secure Channel
• QR code Support
• CRONTO Support
• Runtime Application Self-Protection (RASP)

… seamless integration with your app

Page 12: Agenda (repeated as the divider before part 2, RASP – Runtime Application Self-Protection)

Page 13: What is Runtime Application Self Protection?

A set of technologies used to add security functionalities directly to mobile applications for the detection and prevention of application-level intrusions.

Page 14: RASP Insights – a secured runtime process

Layers of the secured runtime process:
• App Layer (app code: Objective C, Java or native)
• OS tools/API (GUI, File, Network)
• OS components (Loader, Linker)

• RASP works proactively and in real time, which protects against zero-day attacks
• RASP does not require special permissions on the device
• RASP does not change the User Experience

Page 15: RASP features

Protect – Detect – React: RASP runs a sanity check, notifies the app and, where needed, terminates the app.

• Hook detection
• Library injection detection
• Screen reader detection
• User input leakage prevention
• Keylogger detection
• Debugger detection
• Emulator detection
• User initiated screenshot detection
• System initiated screenshot detection

Page 16: Anti-code injection

The application validates the origin of any third party library loaded at run time.
All libraries used by the application are whitelisted.
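As an added illustration of the whitelist check described on this slide (example code written for this page, not VASCO's code and not how the DIGIPASS SDK implements it), the following C program walks a constructed /proc/self/maps excerpt, the Linux/Android view of which shared objects a process has loaded, and reports any that are missing from a constructed allow-list; every path and library name in it is invented for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
/* Allow-list of shared objects the app legitimately loads (constructed values). */
static const char *const ALLOWED_LIBS[] = {
    "/system/lib64/libc.so", "/system/lib64/libm.so",
    "/data/app/com.example.bank/lib/arm64/libapp.so",
};

/* Constructed /proc/self/maps excerpt: libc mapped twice, one anonymous region
 * without a path, and one shared object that is not on the allow-list. */
static const char *const SAMPLE_MAPS =
    "7f00000000-7f00001000 r-xp 00000000 fd:00 1234 /system/lib64/libc.so\n"
    "7f00001000-7f00002000 r--p 00001000 fd:00 1234 /system/lib64/libc.so\n"
    "7f00002000-7f00003000 r-xp 00000000 fd:00 1235 /data/app/com.example.bank/lib/arm64/libapp.so\n"
    "7f00003000-7f00004000 rw-p 00000000 00:00 0\n"
    "7f00005000-7f00006000 r-xp 00000000 fd:00 9999 /data/local/tmp/libinjected.so\n";

static bool is_allowed(const char *path) {
    for (size_t i = 0; i < sizeof ALLOWED_LIBS / sizeof ALLOWED_LIBS[0]; i++)
        if (strcmp(path, ALLOWED_LIBS[i]) == 0) return true;
    return false;
}

/* Absolute path whose file name ends in ".so" or ".so.<version>". */
static bool is_shared_object(const char *path) {
    const char *base = strrchr(path, '/'), *dot = base ? strstr(base, ".so") : NULL;
    return path[0] == '/' && dot != NULL && (dot[3] == '\0' || dot[3] == '.');
}

/* Count distinct shared objects in a maps listing (fields: address perms offset dev
 * inode [pathname]) that are not allow-listed; adjacent segments of one file count once. */
int count_unknown_libs(const char *maps, char *first_unknown, size_t cap) {
    char buf[512], path[256], prev[256] = "";
    int unknown = 0;
    while (*maps) {
        const char *nl = strchr(maps, '\n');
        int len = nl ? (int)(nl - maps) : (int)strlen(maps);
        snprintf(buf, sizeof buf, "%.*s", len, maps);   /* copy one line, truncating */
        maps = nl ? nl + 1 : maps + len;
        if (sscanf(buf, "%*s %*s %*s %*s %*s %255s", path) != 1) continue; /* no pathname */
        if (!is_shared_object(path) || strcmp(path, prev) == 0) continue;
        strcpy(prev, path);
        if (is_allowed(path)) continue;
        if (unknown++ == 0 && first_unknown) snprintf(first_unknown, cap, "%s", path);
    }
    return unknown;
}

int main(void) {
    char culprit[256] = "";
    int n = count_unknown_libs(SAMPLE_MAPS, culprit, sizeof culprit);
    printf("%d unexpected shared object(s)%s%s\n", n, n ? ", first: " : "", culprit);
    return n != 0;  /* a RASP callback would notify the app or terminate it here */
}
```

On a device the listing would come from reading /proc/self/maps at start-up and periodically afterwards, and the allow-list would be fixed at build time together with the integrity-protected app package.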

Page 17: Anti-key logging

The application validates that the keyboard used by the operating system is a trusted keyboard.
The keyboard can be the operating system's original keyboard or a keyboard provided by a trusted third party.
The application may offer its own keyboard interface in case an untrusted one is proposed by default.

Page 18: Anti screen-reading

RASP validates that no screen reader is activated on the device.
If a screen reader is activated, malware could collect all information displayed by the application on the device without the user noticing it.

Page 19: Anti-user/system screenshots

The application makes sure that the application context is not backed up in the background by the operating system.
This prevents sensitive information from persisting in the phone memory after application termination.

Page 20: Anti-screen mirroring

Preemptively disabled by the application.
Working on the level of the video stream output.

Page 21: Debugger prevention

The application prevents a debugger from being attached, to make reverse engineering more difficult.
Running processes are monitored.

Page 22: Emulator detection

The application detects if it is running in an emulator instead of a physical device.
The application should stop its execution when this is detected at launch time.
Examines OS input.

Page 23: RASP - Integration

Page 24: RASP Integration Process

Integration → Configuration → Binding → Signing


Page 26: RASP Integration Process – steps 1 and 2

1. Integrate RASP SDK
• Android: add ShieldSDK.jar
• iOS: link ShieldSDK.framework
• Add the configuration file

2. Implement callbacks
• Notify the app after detection of a security issue, using the ShieldCallbackManager


Page 28: RASP Integration Process – step 3

3. Configure RASP (Android and iOS)
Configuration is done via the customer portal of Vasco.

Pages 29–32: Customer portal screenshots

• Authentication to the portal
• Create new Android RASP Configuration
• Create new iOS RASP Configuration
• Select App to bind


Page 34: RASP Integration Process – step 4

4. Bind via customer portal (Android and iOS)

Before binding, the app package consists of Resources, Business Logic and Code Variables.
After binding, it also contains the RASP SDK, the Config Info and the Cert Pub Key.

Binding steps: A Binding, B Repacking prevention, C Code Obfuscation (the Business Logic becomes Obfuscated Business Logic); step C is shown for only one of the two platform columns.


Page 36: RASP Integration Process – step 5

5. Sign the application
• Android: sign the APK file with the keystore file
• iOS: sign the app folder with the XCENT file

Pages 37–38: RASP – Security Assessment

Page 39: Agenda (repeated as the divider before the closing section)

Page 40: Documentation & Security assessment service

DIGIPASS for Apps
https://www.vasco.com/products/application-security/digipass-for-apps.html

White paper – A Developer's Guide to Securing Mobile Applications
https://www.vasco.com/news/your-guide-to-secure-mobile-applications/

RASP webpage & White Paper
https://www.vasco.com/glossary/rasp-security.html

RASP security assessment service on your mobile application & other requests: [email protected]

Pages 41–42: Questions?

Contact: [email protected]