• Home

  • Mobile

  • What attackers know about your mobile apps that you don’t: Banking & FinTech
29
© Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information.

What attackers know about your mobile apps that you don’t: Banking & FinTech

Embed Size (px)

Citation preview

Page 1: What attackers know about your mobile apps that you don’t: Banking & FinTech

© Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information.

Page 2: What attackers know about your mobile apps that you don’t: Banking & FinTech

© Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information.

Page 3: What attackers know about your mobile apps that you don’t: Banking & FinTech

© Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information.3

Page 4: What attackers know about your mobile apps that you don’t: Banking & FinTech

4

▪▪

–––

▪▪

Page 5: What attackers know about your mobile apps that you don’t: Banking & FinTech

▪▪▪

▪▪▪

Page 6: What attackers know about your mobile apps that you don’t: Banking & FinTech
Page 7: What attackers know about your mobile apps that you don’t: Banking & FinTech

25% Haveat least 1 high risk flaw

35% Haveun-encrypted data transmission

63% iOS AppsOpting out of ATS exposing network risks

more likely to leak account credentials

BizApps 3X

Source: NowSecure Software and Research Data 2016-2017

1% Android Appsproperly use Google SafetyNet Attestation API

50% Android Appsdynamically load code missed by static analysis

7

Page 8: What attackers know about your mobile apps that you don’t: Banking & FinTech

8

Page 9: What attackers know about your mobile apps that you don’t: Banking & FinTech

▪▪▪▪▪▪

▪▪▪▪▪▪▪▪▪▪▪▪▪

▪▪▪▪▪▪▪▪▪▪▪▪▪▪▪▪

9

▪▪▪▪▪▪Cross origin resource sharing▪▪▪▪

▪▪▪▪

▪▪▪▪▪▪▪

▪▪▪▪▪▪▪▪▪

▪▪▪▪▪▪▪▪

Page 10: What attackers know about your mobile apps that you don’t: Banking & FinTech

iOSAPPS

Dynamic code and assetsMITM attacks

Take the the attacker POV to test across app, compiler, data at rest, data in transit, OS, HW & SW during and after running the mobile app

iOS FRAMEWORKS

iOS NATIVE LIBRARIES

iOS Mach/XNU KERNEL

iOS HAL

HARDWARE

10

Buffer overflows

Race conditions

Forensic artifacts

Malware

Contact hijacking

TARGETAPP

Page 11: What attackers know about your mobile apps that you don’t: Banking & FinTech

© Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information.

Page 12: What attackers know about your mobile apps that you don’t: Banking & FinTech

12

Page 13: What attackers know about your mobile apps that you don’t: Banking & FinTech

.java files compiler .class files

dx tool

.dex filesAPK builder.apk files

Jar signer .so files resources

13

Page 14: What attackers know about your mobile apps that you don’t: Banking & FinTech

14

Page 15: What attackers know about your mobile apps that you don’t: Banking & FinTech

15

Page 16: What attackers know about your mobile apps that you don’t: Banking & FinTech

Host Target

bootstrapper

Write bootstrapper code into memory of Target process

16

Page 17: What attackers know about your mobile apps that you don’t: Banking & FinTech

Host Target

bootstrapper

bootstrapper-thread

Hijack existing thread in Target to execute bootstrapper

17

Page 18: What attackers know about your mobile apps that you don’t: Banking & FinTech

Host Target

bootstrapper

bootstrapper-thread

frida-agent.so

Bootstrapper loads frida-agent into Target’s memory space

18

Page 19: What attackers know about your mobile apps that you don’t: Banking & FinTech

Host Target

bootstrapper

bootstrapper-thread

frida-agent.soComm. Chan

Agent opens bi-directional channel between Debugger and Debuggee

19

Page 20: What attackers know about your mobile apps that you don’t: Banking & FinTech

Host Target

bootstrapper

bootstrapper-thread

frida-agent.soComm. Chan

JavaScript

Agent sets up its own thread, accepting instrumentation scripts from Debugger

Instrumentation scripts

20

Page 21: What attackers know about your mobile apps that you don’t: Banking & FinTech

Host Target

bootstrapper

bootstrapper-thread

frida-agent.soComm. Chan

JavaScript

Instrumentation scripts

Instrumentation “probes” target specific APIs and code logic of interest

21

Page 22: What attackers know about your mobile apps that you don’t: Banking & FinTech

Host Target

bootstrapper

bootstrapper-thread

frida-agent.soComm. Chan

JavaScript

Instrumentation scripts

probe results

Probe results streamed to debugger and parsed/redirected

22

Page 23: What attackers know about your mobile apps that you don’t: Banking & FinTech

iOSAPPS

iOS FRAMEWORKS

iOS NATIVE LIBRARIES

iOS Mach/XNU KERNEL

iOS HAL

HARDWARE

23

TARGETAPP

Page 24: What attackers know about your mobile apps that you don’t: Banking & FinTech

© Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information.

Page 25: What attackers know about your mobile apps that you don’t: Banking & FinTech

© Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information.25

http://www.nowsecure.com/subscribe
http://www.nowsecure.com/blog
https://bit.ly/2ymLQmm
Page 26: What attackers know about your mobile apps that you don’t: Banking & FinTech

26

Page 27: What attackers know about your mobile apps that you don’t: Banking & FinTech

27

Page 28: What attackers know about your mobile apps that you don’t: Banking & FinTech

Twitter ▪▪

E-mail ▪▪

Web ▪

mailto:[email protected]
mailto:[email protected]
https://www.nowsecure.com/contact/
Page 29: What attackers know about your mobile apps that you don’t: Banking & FinTech

Fintech Innovators "Fintech 100" List 2015

Fintech Innovators "Fintech 100" List 2015

Documents
Wharton FinTech: Overview of FinTech Industry

Wharton FinTech: Overview of FinTech Industry

Business
NRCLive FinTech event Trends in FinTech

NRCLive FinTech event Trends in FinTech

Business
Using system fingerprints to track attackers

Using system fingerprints to track attackers

Technology
MDEC Fintech Developer Bootcamp - Fintech Masterclass Day 2

MDEC Fintech Developer Bootcamp - Fintech Masterclass Day 2

Economy & Finance
FINTECH IN AFRICA: HELPING YOU REALISE THE OPPORTUNITIESglobalmandatoolkit.cliffordchance.com/.../Fintech... · 1 Fintech and regulation: navigating unchartered waters Fintech creates

FINTECH IN AFRICA: HELPING YOU REALISE THE OPPORTUNITIESglobalmandatoolkit.cliffordchance.com/.../Fintech... · 1 Fintech and regulation: navigating unchartered waters Fintech creates

Documents
Eindhoven University of Technology MASTER Detecting repackaged android apps using ... · With the growth of smartphone features, attackers can get more information from users including

Eindhoven University of Technology MASTER Detecting repackaged android apps using ... · With the growth of smartphone features, attackers can get more information from users including

Documents
Fintechnews Network · Fintech Indonesia Fintech Vietnam Fintech Switzerland Fintech Professional 5000 Facebook friends are waiting. SPONSORING Startup Report You can sponsor our

Fintechnews Network · Fintech Indonesia Fintech Vietnam Fintech Switzerland Fintech Professional 5000 Facebook friends are waiting. SPONSORING Startup Report You can sponsor our

Documents
UK FinTech - EYFILE/EY...UK FinTech - EY

UK FinTech - EYFILE/EY...UK FinTech - EY

Documents
Rise FinTech Insights Diversity in FinTech...4 / Rise FinTech Insights This edition of the Rise FinTech Insights report focuses on diversity within FinTech. People often equate technology

Rise FinTech Insights Diversity in FinTech...4 / Rise FinTech Insights This edition of the Rise FinTech Insights report focuses on diversity within FinTech. People often equate technology

Documents
Patterns of Lone Attackers - KAS

Patterns of Lone Attackers - KAS

Documents
The Role of Technology in Mortgage Lendingpages.stern.nyu.edu/~pschnabl/research/FPSV_FinTech_appendix.pdf · Sample Non-Fintech Non-Fintech Non-Fintech Non-Fintech Table reports

The Role of Technology in Mortgage Lendingpages.stern.nyu.edu/~pschnabl/research/FPSV_FinTech_appendix.pdf · Sample Non-Fintech Non-Fintech Non-Fintech Non-Fintech Table reports

Documents
Chess Secrets - Great Attackers - collin crouch.pdf

Chess Secrets - Great Attackers - collin crouch.pdf

Documents
The Japanese were ruthless attackers

The Japanese were ruthless attackers

Documents
Google Gears for Attackers

Google Gears for Attackers

Documents
Gay Dating Apps Used By Attackers To Trap Victims In Ireland. PinkNews

Gay Dating Apps Used By Attackers To Trap Victims In Ireland. PinkNews

Documents
Dealing With Attackers

Dealing With Attackers

Documents
Condensed Version The State of Fintech Apps

Condensed Version The State of Fintech Apps

Documents
Penetration Testing Assessing Security Attackers 34635

Penetration Testing Assessing Security Attackers 34635

Documents
Chess Secrets Great Attackers Collin Crouch

Chess Secrets Great Attackers Collin Crouch

Documents
Attackers and Defenders - Collaborative Learning

Attackers and Defenders - Collaborative Learning

Documents
Mining attackers mind

Mining attackers mind

Technology
Data spies, hackers & online attackers

Data spies, hackers & online attackers

Documents
Computer Security: Computer Science with Attackers

Computer Security: Computer Science with Attackers

Documents
Honeypots Monitoring Attackers

Honeypots Monitoring Attackers

Documents
The Attackers Advantage

The Attackers Advantage

Business
What Is ROI for Attackers

What Is ROI for Attackers

Documents
KPMG Australian FinTech Landscape 2019€¦ · Title: KPMG Australian FinTech Landscape 2019 Author: KPMG Australia Subject: FinTech in Australia Keywords: KPMG Australian FinTech

KPMG Australian FinTech Landscape 2019€¦ · Title: KPMG Australian FinTech Landscape 2019 Author: KPMG Australia Subject: FinTech in Australia Keywords: KPMG Australian FinTech

Documents
Wharton FinTech - Launching a FinTech Venture

Wharton FinTech - Launching a FinTech Venture

Business
Attackers Vs. Defenders: Restoring the Equilibrium

Attackers Vs. Defenders: Restoring the Equilibrium

Technology