© VASCO Data Security, Inc.
Webinar - 13 December 2016
How to secure your mobile application with RASP
Agenda
1. Mobile Application Security (Dirk Denayer – Enterprise & Application Security)
   • Risk categories
   • Protection layers including RASP
2. RASP – Runtime Application Self-Protection (Guillaume Teixeron – Product Manager)
   • SDK protection components
   • Integration process
   • Configuration
   • Security assessment service
Mobile application risks – some figures
• of tested apps has at least one vulnerability
• of successful breaches target the application layer
Source: Trustwave Global Security Report 2016
Mobile application risks – 3 categories
1. Application vulnerabilities
2. Platform weaknesses
3. Man-in-the-Middle attacks
Mobile application protection – 3 layers
1. Application protection
2. RASP (Runtime Application Self Protection)
3. Protection of communication
1. Protecting the app
• Secure storage against data theft and device cloning
• Secure coding against reverse engineering
• Secure activation against account takeover
2. Protecting execution – RASP
RASP actions: Detect, Notify, Stop, Prevent
RASP protections: anti-repackaging, anti-screenshot, anti-code injection, debugger prevention, anti-key logging, anti-screen reader, emulator protection, anti-screen mirroring, …
3. Protecting communication
[Diagram: an application-level Secure Channel carried end to end over the transport layer]
DIGIPASS for Apps technologies
DIGIPASS for APPS: PIN Management, Jailbreak/Root Detection, Integration with Biometrics, Device Binding, Secure Storage, Geolocation, Client Scoring, Two-Factor Authentication, Transaction Signing, Secure Channel, QR code Support, CRONTO Support, Runtime Application Self-Protection (RASP)
… seamless integration with your app
What is Runtime Application Self Protection?
A set of technologies used to add security functionality directly to mobile applications for the detection and prevention of application-level intrusions.
RASP Insights
[Diagram: a secured runtime process – the App layer (app code in Objective-C, Java or native), the OS tools/APIs (GUI, file, network) and the OS components (loader, linker)]
• RASP works proactively and in real time, which protects against zero-day attacks
• RASP does not require special permissions on the device
• RASP does not change the user experience
RASP features
Protect / Detect / React
[Flow: the app requests a RASP sanity check; RASP notifies the app of a detection; the app is terminated]
Detections: hook detection, library injection detection, screen reader detection, user input leakage prevention, keylogger detection, debugger detection, emulator detection, user-initiated screenshot detection, system-initiated screenshot detection
Anti-code injection
The application validates the origin of any third-party library loaded at run time. All libraries the application uses are whitelisted, so a library mapped into the process from outside the whitelist is treated as injected code.
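One way to implement the whitelist check above on Android, as an added example that is not code from the VASCO RASP SDK: native code reads the process's own memory map (/proc/self/maps on Linux/Android), extracts every shared object mapped into the process, and flags any whose path lies outside an allow-list of trusted prefixes. The prefixes, the package name com.example.bank and the maps text below are constructed for the example; a real build would derive the app's own library directory from its install path at start-up.

```c
/* Added example (not VASCO SDK code): library-injection detection by
 * comparing the shared objects mapped into the process against an
 * allow-list of trusted locations. */
#include <stdio.h>
#include <string.h>

#define MAX_PATH 256
#define MAX_SEEN 32

/* Assumed allow-list: platform library directories plus the app's own
 * native library directory (hypothetical package com.example.bank). */
static const char *const TRUSTED_PREFIXES[] = {
    "/system/lib/", "/system/lib64/", "/apex/", "/vendor/lib64/",
    "/data/app/com.example.bank-1/lib/",
};
#define N_TRUSTED (sizeof TRUSTED_PREFIXES / sizeof *TRUSTED_PREFIXES)

/* Constructed sample of /proc/self/maps: system libraries (libc appears
 * twice because its text and rodata are separate mappings), the app's own
 * library, and one library mapped from a writable directory, the classic
 * footprint of a Frida-style injected agent. */
static const char SAMPLE_MAPS[] =
    "7a1c000000-7a1c1f2000 r-xp 00000000 fd:00 312  /system/lib64/libc.so\n"
    "7a1c1f2000-7a1c1f9000 r--p 001f1000 fd:00 312  /system/lib64/libc.so\n"
    "7a1d000000-7a1d040000 r-xp 00000000 fd:00 988  /apex/com.android.art/lib64/libart.so\n"
    "7a1e000000-7a1e010000 r-xp 00000000 fd:05 4431 /data/app/com.example.bank-1/lib/arm64/libshield.so\n"
    "7a1f000000-7a1f800000 r-xp 00000000 fd:05 7702 /data/local/tmp/libfrida-agent.so\n"
    "7ff0000000-7ff0021000 rw-p 00000000 00:00 0     [stack]\n";

static int has_prefix(const char *s, const char *prefix) {
    return strncmp(s, prefix, strlen(prefix)) == 0;
}

/* Walk the maps text line by line, take the path field (the only field that
 * can contain '/'), keep shared objects only, de-duplicate them, and count
 * the ones matching none of the trusted prefixes. The first offender is
 * copied into first_bad when a buffer is supplied. */
size_t count_untrusted_libs(const char *maps,
                            const char *const *trusted, size_t n_trusted,
                            char *first_bad, size_t first_bad_len) {
    char seen[MAX_SEEN][MAX_PATH];
    size_t n_seen = 0, bad = 0;
    const char *line = maps;
    if (first_bad && first_bad_len) first_bad[0] = '\0';

    while (line && *line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        const char *path = memchr(line, '/', len);
        if (path) {
            char buf[MAX_PATH];
            size_t plen = len - (size_t)(path - line);
            if (plen >= sizeof buf) plen = sizeof buf - 1;
            memcpy(buf, path, plen);
            buf[plen] = '\0';
            if (plen > 3 && strcmp(buf + plen - 3, ".so") == 0) {
                int dup = 0;
                for (size_t i = 0; i < n_seen && !dup; i++)
                    dup = strcmp(seen[i], buf) == 0;
                if (!dup) {
                    int ok = 0;
                    if (n_seen < MAX_SEEN) strcpy(seen[n_seen++], buf);
                    for (size_t i = 0; i < n_trusted && !ok; i++)
                        ok = has_prefix(buf, trusted[i]);
                    if (!ok) {
                        if (bad == 0 && first_bad && first_bad_len) {
                            strncpy(first_bad, buf, first_bad_len - 1);
                            first_bad[first_bad_len - 1] = '\0';
                        }
                        bad++;
                    }
                }
            }
        }
        line = nl ? nl + 1 : NULL;
    }
    return bad;
}

/* Run the check over the constructed sample. */
size_t check_sample(char *first_bad, size_t first_bad_len) {
    return count_untrusted_libs(SAMPLE_MAPS, TRUSTED_PREFIXES, N_TRUSTED,
                                first_bad, first_bad_len);
}

/* 1 when the first untrusted library in the sample equals expected. */
int sample_first_bad_is(const char *expected) {
    char bad[MAX_PATH];
    check_sample(bad, sizeof bad);
    return strcmp(bad, expected) == 0;
}

int main(void) {
    char bad[MAX_PATH];
    size_t n = check_sample(bad, sizeof bad);
    if (n)
        printf("injection suspected: %zu untrusted librar%s, first: %s\n",
               n, n == 1 ? "y" : "ies", bad);
    else
        printf("all mapped libraries come from trusted locations\n");
    /* a RASP callback would now notify the app, which decides to terminate */
    return n ? 1 : 0;
}
```

On a device the maps text comes from reading /proc/self/maps; the check belongs in native code and should be repeated periodically, since an agent injected after the first sweep is exactly what the attacker will try.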
Anti-key logging
The application validates that the keyboard offered by the operating system is a trusted keyboard: either the operating system's original keyboard or one supplied by a trusted third-party keyboard provider. If an untrusted keyboard is proposed by default, the application may offer its own keyboard interface instead.
Anti screen-reading
RASP validates that no screen reader is activated on the device. With a screen reader active, malware could collect all information the application displays on the device without the user noticing.
Anti-user/system screenshots
The application makes sure that its screen content is not captured and backed up in the background by the operating system (for example as a task-switcher snapshot). This prevents sensitive information from persisting on the device after the application terminates.
Anti-screen mirroring
Screen mirroring is preemptively disabled by the application; the protection works at the level of the video stream output.
Debugger prevention
The application prevents a debugger from being attached, to make reverse engineering more difficult, and monitors the running processes for debugging tools.
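The detection half and the prevention half of this slide, as an added example that is not VASCO SDK code: on Linux/Android a ptrace-based debugger (gdbserver, lldb-server, a Frida attach) shows up as a non-zero TracerPid in /proc/self/status, and because a process can have only one tracer, tracing itself makes a later attach fail. The parser is pure so it runs on constructed status text; the live read and the self-trace are compiled only on Linux. The status samples below are constructed.

```c
/* Added example (not VASCO SDK code): debugger detection via TracerPid and
 * the classic self-ptrace prevention. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse "TracerPid:\t<pid>" out of /proc/self/status text. Returns the
 * tracer's pid (0 means nobody is tracing), or -1 when the field is absent. */
long tracer_pid_from_status(const char *status) {
    const char *key = "TracerPid:";
    for (const char *p = status; p && *p; ) {
        if (strncmp(p, key, strlen(key)) == 0) {
            const char *v = p + strlen(key);
            while (*v == ' ' || *v == '\t') v++;
            return strtol(v, NULL, 10);
        }
        p = strchr(p, '\n');
        if (p) p++;
    }
    return -1;
}

#ifdef __linux__
#include <sys/ptrace.h>

/* Live check: read this process's own status file. */
long tracer_pid_live(void) {
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return tracer_pid_from_status(buf);
}

/* Prevention: take the single tracer slot ourselves so that a later
 * PTRACE_ATTACH from another process fails. Returns 1 if the slot was
 * taken, 0 if someone already holds it, which is itself a detection. */
int occupy_tracer_slot(void) {
    return ptrace(PTRACE_TRACEME, 0, NULL, NULL) == 0;
}
#endif

/* Constructed samples: a clean process and one stopped under a tracer. */
static const char STATUS_CLEAN[] =
    "Name:\tcom.example.bank\nState:\tS (sleeping)\nTgid:\t3117\nPid:\t3117\n"
    "PPid:\t612\nTracerPid:\t0\nUid:\t10180\t10180\t10180\t10180\n";
static const char STATUS_TRACED[] =
    "Name:\tcom.example.bank\nState:\tt (tracing stop)\nTgid:\t3117\nPid:\t3117\n"
    "PPid:\t612\nTracerPid:\t4242\nUid:\t10180\t10180\t10180\t10180\n";

int main(void) {
    printf("clean sample: TracerPid=%ld\n", tracer_pid_from_status(STATUS_CLEAN));
    printf("traced sample: TracerPid=%ld\n", tracer_pid_from_status(STATUS_TRACED));
#ifdef __linux__
    long t = tracer_pid_live();
    printf("this process: %s\n", t > 0 ? "debugger attached" : "no tracer");
    printf("self-trace: %s\n", occupy_tracer_slot() ? "slot taken" : "already traced");
#endif
    return 0;
}
```

A rooted attacker can patch either check out of the binary or hook the file read, which is why the slide pairs it with continuous process monitoring and why the check should live in obfuscated native code and be repeated rather than run once at start-up.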
Emulator detection
The application detects whether it is running in an emulator instead of on a physical device by examining the inputs the operating system provides. When an emulator is detected at launch time, the application should stop its execution.
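One family of operating-system inputs such a check examines on Android is the system properties (the key=value view that getprop prints), as an added example that is not VASCO SDK code: the SDK emulator images leave markers such as ro.kernel.qemu=1, a goldfish/ranchu hardware name, generic product names and test-keys builds. Each marker alone is weak (custom ROMs also ship test-keys), so the example scores them and refuses to start at two or more hits. The two property sets below are constructed; on a device they would come from __system_property_get() in native code or Build.* in Java.

```c
/* Added example (not VASCO SDK code): emulator detection by scoring
 * Android system-property markers. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

struct prop { const char *key; const char *value; };
struct indicator { const char *key; const char *needle; };

#define COUNT(a) (sizeof (a) / sizeof *(a))

/* Markers left by SDK emulator images. Matching is case-insensitive
 * substring so "Android SDK built for x86" and "sdk_gphone_x86" both hit. */
static const struct indicator INDICATORS[] = {
    { "ro.kernel.qemu",       "1" },
    { "ro.hardware",          "goldfish" },
    { "ro.hardware",          "ranchu" },
    { "ro.product.model",     "sdk" },
    { "ro.product.model",     "emulator" },
    { "ro.product.device",    "generic" },
    { "ro.build.fingerprint", "generic" },
    { "ro.build.tags",        "test-keys" },
};

/* Case-insensitive substring search (strcasestr is not portable C). */
static int contains_nocase(const char *hay, const char *needle) {
    size_t n = strlen(needle);
    for (; *hay; hay++) {
        size_t i = 0;
        while (i < n && hay[i] &&
               tolower((unsigned char)hay[i]) == tolower((unsigned char)needle[i]))
            i++;
        if (i == n) return 1;
    }
    return 0;
}

static const char *lookup(const struct prop *props, size_t n, const char *key) {
    for (size_t i = 0; i < n; i++)
        if (strcmp(props[i].key, key) == 0) return props[i].value;
    return NULL;
}

/* Number of indicators that fire for the given property set. */
int emulator_score(const struct prop *props, size_t n) {
    int score = 0;
    for (size_t i = 0; i < COUNT(INDICATORS); i++) {
        const char *v = lookup(props, n, INDICATORS[i].key);
        if (v && contains_nocase(v, INDICATORS[i].needle)) score++;
    }
    return score;
}

/* Decision threshold: one hit is noise, two or more is an emulator. */
int is_emulator(const struct prop *props, size_t n) {
    return emulator_score(props, n) >= 2;
}

/* Constructed samples: an SDK x86 emulator image and a retail handset. */
static const struct prop EMULATOR_PROPS[] = {
    { "ro.kernel.qemu", "1" },
    { "ro.hardware", "ranchu" },
    { "ro.product.model", "Android SDK built for x86" },
    { "ro.product.device", "generic_x86" },
    { "ro.build.fingerprint", "Android/sdk_phone_x86/generic_x86:7.0/NYC/3900561:userdebug/test-keys" },
    { "ro.build.tags", "test-keys" },
};
static const struct prop DEVICE_PROPS[] = {
    { "ro.hardware", "qcom" },
    { "ro.product.model", "SM-G930F" },
    { "ro.product.device", "herolte" },
    { "ro.build.fingerprint", "samsung/heroltexx/herolte:7.0/NRD90M/G930FXXU1DQAS:user/release-keys" },
    { "ro.build.tags", "release-keys" },
};

int score_sample_emulator(void) { return emulator_score(EMULATOR_PROPS, COUNT(EMULATOR_PROPS)); }
int score_sample_device(void)   { return emulator_score(DEVICE_PROPS, COUNT(DEVICE_PROPS)); }

int main(void) {
    printf("emulator image: score %d -> %s\n", score_sample_emulator(),
           is_emulator(EMULATOR_PROPS, COUNT(EMULATOR_PROPS)) ? "refuse to start" : "ok");
    printf("retail handset: score %d -> %s\n", score_sample_device(),
           is_emulator(DEVICE_PROPS, COUNT(DEVICE_PROPS)) ? "refuse to start" : "ok");
    return 0;
}
```

Properties are trivially spoofed on a modified emulator, so a production check combines them with other OS inputs (sensor availability, telephony identifiers, CPU features) and, as the slide says, runs at launch before any secret is provisioned.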
RASP – Integration
RASP Integration Process: Integration, Configuration, Binding, Signing
RASP Integration Process – steps 1 and 2
1. Integrate RASP SDK
   Android: add ShieldSDK.jar
   iOS: link ShieldSDK.framework and add the configuration file
2. Implement callbacks
   Notify the app after detection of a security issue, using the ShieldCallbackManager
RASP Integration Process – step 3
3. Configure RASP (Android and iOS)
   Configuration is done via the VASCO customer portal.
[Portal screenshots: Authentication to the portal; Create new Android RASP Configuration; Create new iOS RASP Configuration; Select App to bind]
RASP Integration Process – step 4
4. Bind via the customer portal
[Diagram, Android column: the app package (Resources, Business Logic, Code Variables) receives the RASP SDK (A, Binding), then the certificate public key (B, Repacking prevention), and its Business Logic is obfuscated (C, Code Obfuscation). iOS column: the app (Resources, Code variables, Business Logic) with the RASP SDK and Config Info (A, Binding) receives the certificate public key (B, Repacking prevention).]
RASP Integration Process – step 5
5. Sign the application
   Android: sign the APK file with the keystore file
   iOS: sign the app folder with the XCENT file
Security Assessment
RASP – Security Assessment
Documentation & Security assessment service
DIGIPASS for Apps: https://www.vasco.com/products/application-security/digipass-for-apps.html
White paper – A Developer’s Guide to Securing Mobile Applications: https://www.vasco.com/news/your-guide-to-secure-mobile-applications/
RASP webpage & White Paper: https://www.vasco.com/glossary/rasp-security.html
RASP security assessment service on your mobile application & other requests: [email protected]
Questions?