Danger in the App Stores: 3rd Party Mobile App Risk for Banks, FinServ & FinTech
TRANSCRIPT
Danger in the App Stores: 3rd Party Mobile App Risk for Banking & FinTech
8X FASTER – 3X DEEPER – MOST TRUSTED
© Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information.
THE INFORMATION BLACK HOLE
3RD PARTY APP INFORMATION BLACK HOLE
DEEP MOBILE SECURITY EXPERTISE
Open source
Books & Speaking
Mobile threat research is in our DNA
▪ Dream team of security researchers
▪ Every waking moment spent:
– Discovering critical vulns
– Identifying novel attack vectors
– Creating/maintaining renowned open-source mobile security tools/projects
The NowSecure Mission
▪ Educate enterprises on the latest mobile threats
▪ Maximize the security of apps enterprises develop, purchase and use
NowSecure #MobSec5: Weekly mobile security news update
SUBSCRIBE NOW: www.nowsecure.com/go/subscribe
AGENDA + SPEAKERS
MILLIONS OF POINTS OF APP RISK
▪ Stakeholders
▪ Risk & Compliance
▪ Mobile Attack Surface
REAL-WORLD APP RISK DATA
▪ Industry Benchmark Data
▪ Example best in class
▪ Example worst in class
RECOMMENDATIONS
▪ Best Practice Approaches
Brian Reed, Chief Mobile Officer
Alex Wishkoski, Director, Product Mgmt
3RD-PARTY MOBILE APP RISK & IMPACT
WHAT IS SCOPE OF 3rd PARTY APP RISK?
50,000 Devices x 89 Apps/Device = 4,450,000 Points of Risk
Sources: “The Economic Risk of Confidential Data on Mobile Devices in the Workplace”, Ponemon Institute; “Average number of apps installed by users in the United States in 2016, by device”, Statista
WHAT RISK? NEWS FLASH TODAY!
BLOG: https://www.nowsecure.com/blog/2017/11/14/oneplus-device-root-exploit-backdoor-engineermode-app-diagnostics-mode/
▪ Millions of OnePlus Devices in Asia, India & Europe now exposed
▪ New Root Exploit discovered YESTERDAY
• Manufacturer's EngineerMode App left BackDoor in production
• System-signed .apk w/ SHA256 hash of PWD that was easily reversed
• With password, EngineerMode app enables a debugging mode & Rooting
▪ How do you know if you are exposed?
WHO IS RESPONSIBLE FOR 3rd PARTY APP RISK?
SECURITY & ARCHITECTURE
• Evaluate mobile technology
• Establish mobile security and architecture requirements
• Test for vulnerabilities and ensure security, privacy, compliance
MOBILE CENTER OF EXCELLENCE
• Centrally coordinate & enable business mobilization
• Support BYOD, COPE & Enterprise managed devices & apps
• Easy, quick vetting of 3rd party mobile apps to ensure they meet policy and governance requirements
COMPLIANCE & RISK
• Establish risk-based guidelines for mobile app security, compliance and privacy
• Ensure governance and controls are in place for all mobile apps
• Track and report on industry compliance and privacy mandates
WHAT IS THE MOBILE APP ATTACK SURFACE?
API BACKEND
▪ Platform vulnerabilities
▪ Server misconfiguration
▪ Cross-site scripting
▪ Cross-site request forgery
▪ Cross origin resource sharing
▪ Brute force attacks
▪ Side channel attacks
▪ SQL injection
▪ Privilege escalation
▪ Data dumping
▪ OS command execution
▪ Weak input validation
▪ Hypervisor attack
▪ VPN
DATA AT REST
▪ Data caching
▪ Data stored in application directory
▪ Decryption of keychain
▪ Data stored in log files
▪ Data cached in memory/RAM
▪ Data stored in SD card
▪ OS data caching
▪ Passwords & data accessible
▪ No/Weak encryption
▪ TEE/Secure Enclave Processor
▪ Side channel leak
▪ SQLite database
▪ Emulator variance
DATA IN MOTION
▪ Wi-Fi (no/weak encryption)
▪ Rogue access point
▪ Packet sniffing
▪ Man-in-the-middle
▪ Session hijacking
▪ DNS poisoning
▪ TLS downgrade
▪ Fake TLS certificate
▪ Improper TLS validation
▪ HTTP proxies
▪ VPNs
▪ Weak/No local authentication
▪ App transport security
▪ Transmitted to insecure server
▪ Zip files in transit
▪ Cookie “httpOnly” flag
▪ Cookie “secure” flag
CODE FUNCTIONALITY
▪ GPS spoofing
▪ Buffer overflow
▪ allowBackup flag
▪ allowDebug flag
▪ Code obfuscation
▪ Configuration manipulation
▪ Escalated privileges
▪ URL schemes
▪ Integrity/tampering/repacking
▪ Side channel attacks
▪ App signing key unprotected
▪ JSON-RPC
▪ Automatic Reference Counting
▪ Android rooting/iOS jailbreak
▪ User-initiated code
▪ Confused deputy attack
▪ Multimedia/file format parsers
▪ Insecure 3rd party libraries
▪ World writable files
▪ World writable executables
▪ Dynamic runtime injection
▪ Unintended permissions
▪ UI overlay/pin stealing
▪ Intent hijacking
▪ Zip directory traversal
▪ Clipboard data
▪ World readable files
WHAT ARE RISK & COMPLIANCE MANDATES?
▪ AppE.5.b Operational Risk Mitigation
▪ AppE.5.b(iii) Mobile Application Risk Mitigation
▪ PCI DSS Version 3.2: Develop, Test and Maintain Secure Systems & Apps
▪ PCI Mobile Payment Acceptance Security Guidelines
▪ PART 314: Standards for safeguarding customer information
▪ NIST FIPS 200: Minimum Security Requirements
▪ NIST SP 800-53: Security & Privacy Controls
▪ NIST SP 800-163: Vetting the Security of Mobile Applications
WHY ARE THE RISK RATIOS SO BAD?
>5 MILLION APP STORE APPS : 245 MOBILE APP DEVs : 1 SECURITY ENGINEER
WHY SO MUCH TENSION?
(Chart: Speed, Volume, Risk and Cost, each plotted on a Low to High scale)
REAL-WORLD EXAMPLES OF APP STORE APP RISKS
WHAT ARE THE 3RD PARTY RISK STATS?
▪ 49% of apps have at least 1 significant risk
▪ 30% of Android reports run reveal sensitive user data
▪ 60% of iOS apps don’t require encrypted connections
▪ 26% of iOS reports reveal sensitive data in transit
▪ 20,000+ Android apps found that send passwords in the clear
▪ 120,000+ apps that can reveal user location
Source: NowSecure Software and Research Data 2016-2017
INSIDE MOBILE APP RISK SCORING
TESTING FOR RISK – DATA IN MOTION
▪ Apply SSL/TLS universally
▪ Assume that the network layer is not secure and is susceptible to eavesdropping
▪ Use strong, industry standard cipher suites with appropriate key lengths
▪ 34% of iOS apps use HTTP
▪ iOS ATS slow adoption (less than 40%)
PREVENTING MITM ATTACKS
▪ Use HSTS / HTTPS: prevent protocol downgrade attacks
▪ Validate certificates
▪ Use cert pinning
▪ Educate users: don’t install certs
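As an added example (not NowSecure's code or tooling) of what a reviewer can check statically for the data-in-motion and MITM points above: a script that audits an Android network_security_config.xml and an iOS Info.plist for cleartext traffic, trust in user-installed CAs, missing certificate pins and disabled ATS. Both config samples and the api.example-bank.test hostname are constructed placeholders.

```python
"""Audit mobile transport configs: an Android network_security_config.xml and
an iOS Info.plist (both constructed samples). Added example, not NowSecure code."""
import plistlib
import xml.etree.ElementTree as ET

# Constructed sample: weak Android config (hostname is a placeholder).
WEAK_ANDROID_NSC = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
  <base-config cleartextTrafficPermitted="true">
    <trust-anchors>
      <certificates src="system"/>
      <certificates src="user"/>
    </trust-anchors>
  </base-config>
  <domain-config>
    <domain includeSubdomains="true">api.example-bank.test</domain>
  </domain-config>
</network-security-config>"""

# Constructed sample: iOS Info.plist that switches ATS off for every host.
WEAK_IOS_PLIST = plistlib.dumps({"NSAppTransportSecurity": {"NSAllowsArbitraryLoads": True}})

def audit_android_nsc(xml_text):
    """Return a list of findings for an Android network_security_config.xml."""
    findings = []
    for cfg in ET.fromstring(xml_text).iter():
        if cfg.tag not in ("base-config", "domain-config"):
            continue  # debug-overrides only apply to debuggable builds
        where = cfg.tag if cfg.tag == "base-config" else cfg.findtext("domain", "?")
        if cfg.get("cleartextTrafficPermitted", "false").lower() == "true":
            findings.append(f"{where}: cleartext (HTTP) traffic permitted")
        if any(c.get("src") == "user" for c in cfg.iter("certificates")):
            findings.append(f"{where}: user-installed CAs trusted (MITM with installed cert)")
        if cfg.tag == "domain-config" and cfg.find("pin-set") is None:
            findings.append(f"{where}: no pin-set, certificate pinning not configured")
    return findings

def audit_ios_ats(plist_bytes):
    """Return a list of findings for the App Transport Security keys in Info.plist."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    findings = []
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("NSAllowsArbitraryLoads: ATS disabled for all hosts")
    for host, exc in ats.get("NSExceptionDomains", {}).items():
        if exc.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(f"{host}: insecure HTTP loads allowed by ATS exception")
    return findings
```

Running both auditors over the weak samples yields three Android findings and one iOS finding; a domain-config carrying a pin-set and no cleartext or user-CA settings produces none.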
TESTING FOR RISK – IP ADDRESSES
▪ 3rd party libraries and SDKs are common culprits: ad networks frequently uniquely identify users and geo-locate them insecurely
▪ Validate all outbound traffic destinations
▪ Apps frequently have 100s of connections (this one had 250)
TESTING FOR RISK – DATA AT REST
▪ Writable executables
▪ Local log data
• GPS data / location
• Files / directories accessed
▪ External storage
• Always examine all files, permissions
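An added example (not NowSecure's code) of the data-at-rest checks above, run over a constructed app data directory: it flags world-writable executables, world-readable or world-writable files, and log files that record GPS coordinates. The directory layout, file modes and log line are all made up for the example.

```python
"""Data-at-rest check over an extracted app data directory (added example, not
NowSecure code): flags world-writable executables, world-readable/writable files
and log files that record GPS coordinates. Sample tree is constructed below."""
import os
import re
import stat
import tempfile

# Matches "lat=41.88"-style latitude fields in log text (constructed pattern).
GPS_RE = re.compile(r"\b(lat|latitude)\s*[=:]\s*-?\d{1,2}\.\d+", re.I)

def scan_app_dir(root):
    """Return a sorted list of (relative_path, finding) tuples."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            mode = os.stat(path).st_mode
            executable = bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
            if mode & stat.S_IWOTH and executable:
                findings.append((rel, "world-writable executable"))  # any app can replace it
            elif mode & stat.S_IWOTH:
                findings.append((rel, "world-writable file"))
            elif mode & stat.S_IROTH:
                findings.append((rel, "world-readable file"))
            if name.endswith(".log"):  # local log data: look for location leakage
                with open(path, errors="replace") as fh:
                    if GPS_RE.search(fh.read()):
                        findings.append((rel, "log contains GPS coordinates"))
    return sorted(findings)

def build_sample_tree():
    """Create a constructed app data directory with mixed permissions; return its path."""
    root = tempfile.mkdtemp(prefix="appdata_")
    samples = {  # relative path: (mode, contents), all constructed
        "files/helper.sh": (0o777, "#!/bin/sh\necho hi\n"),
        "files/logs/app.log": (0o644, "2017-11-14 login ok lat=41.88 lon=-87.63\n"),
        "files/session.db": (0o600, "private sqlite data"),
        "shared_prefs/prefs.xml": (0o666, "<map/>"),
    }
    for rel, (mode, text) in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)
        os.chmod(path, mode)
    return root
```

`scan_app_dir(build_sample_tree())` reports four findings on the sample tree; the 0600 database file is the only one that passes.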
TESTING FOR RISK – 3RD PARTY LIBRARIES
▪ Nearly all apps have 3rd party libs
▪ Open source allows both good and bad eyeballs
▪ Popular libraries ≠ safety
TESTING FOR RISK – PERMISSIONS & ENTITLEMENTS
▪ Contact list access
▪ Write external storage
▪ Calendar
▪ Send SMS
▪ NFC
IN ACTION: BEST PRACTICES FOR FINSERV & BANKING
BEST PRACTICE RECOMMENDATIONS
1. Recognize the risks of 3rd party apps on BYOD and COPE devices
○ Assume all are untrusted until validated, no matter who the developer is
2. Put controls and processes in place to analyze and monitor 3rd party app risk
○ Inventory & analyze your existing mobile apps, leveraging EMM/MDM
○ Adapt processes to review and approve all new mobile apps before introduction
○ Leverage automated tools for in-depth testing and continuous monitoring
3. Find a reputable source to stay up to date on the latest threats
○ Sign up for NowSecure #MobSec5 at www.nowsecure.com/go/subscribe
○ Read our blog at www.nowsecure.com/blog
Case Study
● PROBLEM: Provider of 3rd-party risk analytics to insurers, F500 enterprises & investment banks needed app-store app risk rankings at scale
● Leverage the NowSecure Platform™ for the world’s deepest 3rd-party app vetting
● On-demand access to millions of app-store app security scores via NowSecure INTEL API
NOWSECURE PLATFORM for 360º COVERAGE OF MOBILE APP SECURITY TESTING
▪ NowSecure INTEL: AlwaysOn AppStore Cloud Analysis for EMM & Security teams
▪ NowSecure AUTO: OnDemand Fast Cloud Analysis for Dev, QA & Security teams
▪ NowSecure WORKSTATION: Deep Pen Testing Analysis for Security Analysts
▪ NowSecure SERVICES: Expert Pen Testing, Training & Programs for App Owners & Security teams
8X FASTER – 3X DEEPER – MOST TRUSTED
SHIFT LEFT WITH MOBILE APPSEC FACTORY
YOUR APPSEC FACTORY (diagram: REQUIREMENTS → DESIGN → BUILD → TEST → PRODUCTION)
▪ RAPID TEST (developed apps): Rapid Test all apps in 15 mins automatically… → RAPID: PASSED
▪ DEEP TEST (deep certification): Spend <1 hour deep testing any concerning rapid results or additional advanced/pre-release certification → DEEP: PASSED
▪ ONLINE TEST (3rd party app store apps): Instantly vet 3rd party app risk → ONLINE: PASSED / ONLINE: FAILED
▪ ANY TEST: FAILED
NOWSECURE COMING ATTRACTIONS
▪ Next Month’s Webinar: 2018 Mobile AppSec Must-Dos, Tuesday, Dec. 5
▪ NH-ISAC Fall Summit: Come see NowSecure, Nov. 28 - 30 in Scottsdale, AZ
▪ AppSec Cali 2018: Come see NowSecure, Jan. 30 - 31 in Santa Monica
OPEN Q&A
MILLIONS OF POINTS OF APP RISK
▪ Stakeholders
▪ Mobile Attack Surface
▪ Risk & Compliance
REAL-WORLD APP RISK DATA
▪ Industry Benchmark Data
▪ Example best in class
▪ Example worst in class
RECOMMENDATIONS
▪ Best Practice Approaches
Brian Reed, Chief Mobility Officer
Alex Wishkoski, Director, Product Mgmt
Let’s talk
NowSecure +1 312.878.1100
@NowSecureMobile www.nowsecure.com
Subscribe to #MobSec5: A digest of the week’s mobile security news that matters
https://www.nowsecure.com/go/subscribe