Deliver Strong Mobile App Security and the Ultimate User Experience

TRANSCRIPT

Page 1

Deliver Strong Mobile App Security and the Ultimate User Experience

Page 2

The Presenters

Will LaSala, Director of Services @ VASCO
Will has been with VASCO since 2001 and over the years has been involved in all aspects of product implementation with financial institutions and mobile application developers. Will also oversees the VASCO professional services group, helping banks, enterprises, and ASPs with custom mobile application security, identity management, and authentication projects. He brings to the table over 20 years of software and cyber security experience. Will's research interests are focused on the use of mobile technology to improve user experience.

Andrew Showstead, Director of Technical Consultancy and Market Solutions @ VASCO
Andrew oversees the engineering and product implementation aspects of mobile application security and fraud prevention projects for enterprise clients. He is also a technical team lead tasked with researching and developing new markets for VASCO in North America. Andrew returns to VASCO after serving as Chief Technology Officer of nJuvo Inc., where he led the development of an Internet security product for payment fraud prevention. His research interests include identity federation and the use of embedded technologies to simplify security.

Page 3

About VASCO

Company Highlights

Founded in 1991

Publicly traded on the NASDAQ since 1997 (VDSI)

More than 10,000 customers in 100 countries

50+ consecutive quarters of profitability

17+ global offices

Page 4

WHAT'S THE PROBLEM WITH MY MOBILE EXPERIENCE?

Page 5

The Growth of Mobile App Fraud

Page 6

Threats to Your Mobile App

1. Corruption of the execution environment
• Application sandboxing is broken on a rooted device: the data you store on the device can be read or modified by any other application on the same device that has obtained root
• The default keyboard is replaced by a keyboard that includes a keylogger
• A screen reader records what the application displays and forwards the information

2. Reverse engineering of the application through instrumentation and debugging

3. Modification of the application
• Modified and repackaged applications are published on alternative stores for phishing attacks

Page 7

Mobile Vulnerabilities

Device Attack Surface: What behaviors can present issues?

Malware

Browser: Phishing, Pharming, Clickjacking, Man-in-the-Middle, Buffer Overflow, Data Caching

System: No Passcode/Weak Passcode, iOS Jailbreaking, Android Rooting, OS Data Caching, Passwords & Data Accessible, Carrier-Loaded Software, No Encryption/Weak Encryption, User-Initiated Code

Phone/SMS: Baseband Attacks, SMishing

Apps: Sensitive Data Storage, No Encryption/Weak Encryption, Improper SSL Validation, Config Manipulation, Dynamic Runtime Injection, Unintended Permissions, Escalated Privileges

*2014 VIA Forensics

Page 8

Mobile Vulnerability – Reverse Engineering

[Screenshot: "MY Bank" app]

Page 9

Threats to the application

[Screenshot: "MY Bank" app]

Page 10

Threats to the application

[Screenshot: "MY Bank" app]

Page 11

Threats to the application

[Screenshot: "MY Bank" app]

Page 12

Threats to the application

[Screenshots: the "MY Bank" app beside a look-alike "My Bank Too…" app prompting "Password?!"]

Page 13

BEST PRACTICES

Page 14

Threats to the Application

Avoid storing data on the mobile device – apply persistent protection when you must

Consider the platform – apply root/jailbreak protections

Secure provisioning is a must-have, and implement a secure encrypted channel

Protect the user interface from malicious compromise

Two-factor authentication can be achieved through an easy user experience

Secure your transactions and document signing process
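The last two practices (two-factor authentication and transaction signing) are what defeats the look-alike app and overlay scenario shown on the earlier slides: a one-time code that is bound to the transaction details the user actually saw cannot be reused for a transaction with a different beneficiary. The following is an added example, not code from the slides or from VASCO's DIGIPASS product. It assumes a per-device 256-bit secret provisioned by the server, a counter kept by the app, and an HOTP-style (RFC 4226) truncation of an HMAC-SHA256 over counter plus canonical transaction fields; the field names and the two IBANs are constructed for the demo.

```python
"""Transaction signing bound to a provisioned device secret (added example).

Assumptions (not from the slides): the server provisions a random 256-bit
secret into the app over a secure channel, the app keeps a monotonically
increasing counter, and the code is an HOTP-style truncation (RFC 4226) of
HMAC-SHA256 over counter + canonical transaction fields. This illustrates
the principle; it is not VASCO's DIGIPASS algorithm.
"""
import hashlib
import hmac
import secrets
import struct

# Field order is fixed so the app and the server hash identical bytes.
TX_FIELDS = ("beneficiary", "amount", "currency", "reference")


def provision_secret() -> bytes:
    """Server side: generate the per-device secret during secure provisioning."""
    return secrets.token_bytes(32)


def canonical(tx: dict) -> bytes:
    """Serialize exactly the transaction the user was shown, in a fixed order."""
    if set(tx) != set(TX_FIELDS):
        raise ValueError("unexpected transaction fields")
    return "|".join(f"{k}={tx[k]}" for k in TX_FIELDS).encode()


def sign_transaction(secret: bytes, counter: int, tx: dict, digits: int = 8) -> str:
    """App side: derive a one-time code tied to this counter and these fields."""
    msg = struct.pack(">Q", counter) + canonical(tx)
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation, as in HOTP
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def verify_transaction(secret: bytes, last_counter: int, tx: dict, code: str,
                       window: int = 5):
    """Server side: accept a code only for the fields it received and for a
    counter ahead of the last one consumed. Returns that counter, or None."""
    for candidate in range(last_counter + 1, last_counter + 1 + window):
        expected = sign_transaction(secret, candidate, tx)
        if hmac.compare_digest(expected, code):
            return candidate
    return None


def demo() -> bool:
    """Walk through a legitimate approval, a tampered request and a replay."""
    secret = provision_secret()
    last_counter = 0
    shown_to_user = {"beneficiary": "BE71 0961 2345 6769", "amount": "250.00",
                     "currency": "EUR", "reference": "rent"}   # constructed data
    code = sign_transaction(secret, last_counter + 1, shown_to_user)
    used = verify_transaction(secret, last_counter, shown_to_user, code)
    assert used == 1
    last_counter = used

    # Overlay malware (the "My Bank Too..." scenario) swaps the beneficiary in
    # the request but can only replay the code the user approved on screen.
    tampered = dict(shown_to_user, beneficiary="BE68 5390 0754 7034")
    assert verify_transaction(secret, last_counter, tampered, code) is None
    # Replaying the code for the original transaction also fails: counter moved.
    assert verify_transaction(secret, last_counter, shown_to_user, code) is None
    return True


if __name__ == "__main__":
    print("ok" if demo() else "fail")
```

The point to take from the example is the binding: because the beneficiary and amount are inputs to the HMAC, the server recomputes the code over the fields it received, and any field changed in transit produces a different code. A fixed window bounds how far the counter may drift, and `hmac.compare_digest` keeps the comparison constant-time.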

Page 15

SECURING THE MOBILE EXPERIENCE: DIGIPASS FOR APPS

Page 16

Page 17

What is Runtime Application Self-Protection

RASP, or application shielding, is a set of technologies that add security functionality directly to a mobile application in order to detect and prevent application-level intrusions.

Page 18

What Does RASP Do?

• Proactively shields applications from malware

• Controls execution and prevents real-time attacks

• Protects the integrity of mobile applications to ensure data and transactions are not compromised

• Maintains a mobile application's runtime integrity even if a user inadvertently downloads malware onto their device
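The two slides above describe what RASP does but not how "runtime integrity" is actually enforced. The mechanics are checks the application performs on itself: record a fingerprint of its sensitive code at start-up, re-check it before each sensitive action, and look for an attached debugger. On a real device these checks live in native code over the app binary and the OS; the added example below shows the same ideas in Python, which is not VASCO's implementation and not code from the slides. The protected function `submit_transfer`, the attacker's `redirected` function and the `Shield` class are all constructed for the demo.

```python
"""Runtime self-checks of the kind RASP adds to an app (added example).

Assumptions (not from the slides): fingerprint the bytecode of sensitive
functions at start-up, re-check before every sensitive action, and treat an
attached debugger as a finding. Names here are constructed for the demo;
this is not VASCO's implementation.
"""
import hashlib
import sys
import types


def fingerprint(func: types.FunctionType) -> str:
    """Hash the parts of a function's code object that a patch would change."""
    code = func.__code__
    h = hashlib.sha256()
    h.update(code.co_code)
    h.update(repr(code.co_consts).encode())   # constants: strings, numbers
    h.update(repr(code.co_names).encode())    # globals/attributes referenced
    return h.hexdigest()


class Shield:
    """Records baseline fingerprints and reports tampering or debugging."""

    def __init__(self, *funcs: types.FunctionType):
        self._funcs = {f.__name__: f for f in funcs}
        self._baseline = {name: fingerprint(f) for name, f in self._funcs.items()}

    def tampered(self) -> list:
        """Protected functions whose code no longer matches the baseline."""
        return [name for name, f in self._funcs.items()
                if fingerprint(f) != self._baseline[name]]

    def debugger_attached(self) -> bool:
        """Python-level debuggers (pdb and friends) install a trace function."""
        return sys.gettrace() is not None

    def guard(self, action, *args) -> dict:
        """Run a sensitive action only while the runtime still looks intact."""
        findings = self.tampered()
        if self.debugger_attached():
            findings.append("debugger")
        if findings:
            return {"ok": False, "findings": findings}
        return {"ok": True, "result": action(*args)}


def submit_transfer(beneficiary: str, amount: str) -> str:
    """The sensitive action a repackaged app would want to redirect."""
    return f"transfer {amount} to {beneficiary}"


def redirected(beneficiary: str, amount: str) -> str:
    """What a hooked or repackaged build substitutes for submit_transfer."""
    return f"transfer {amount} to {'ATTACKER'}"


def demo() -> dict:
    """Baseline, then simulate in-process patching of the protected function."""
    shield = Shield(submit_transfer)
    before = shield.tampered()
    original = submit_transfer.__code__
    try:
        submit_transfer.__code__ = redirected.__code__   # simulated hook
        after = shield.tampered()
        blocked = shield.guard(submit_transfer, "BE71 0961 2345 6769", "250.00")
    finally:
        submit_transfer.__code__ = original              # undo for the reader
    return {"before": before, "after": after, "blocked": blocked["ok"]}


if __name__ == "__main__":
    print(demo())   # before: [], after: ['submit_transfer'], blocked: False
```

Two design choices carry over to real deployments: the baseline is taken before any untrusted code could have run, and a failed check refuses the action rather than merely logging, which is the "controls execution" behaviour the slide lists. The debugger test is separate from the tamper list so that an operator can decide how strictly to treat it.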

Page 19

Why Do I Need RASP?

"The hackers may be gaining access through applications and solutions... many organizations have significant network security in place but it's not enough as 84% of all cyber-attacks are happening on the application layer."
http://www.forbes.com/sites/sap/2015/03/10/most-cyber-attacks-occur-from-this-common-vulnerability/#122ee06741ae

"Only 1% of all apps today have Runtime Application Self-Protection running, but by 2020, 44% of all applications will be leveraging some type of RASP protection."
http://www.technavio.com/report/global-it-security-global-runtime-application-self-protection-security-market-2016-2020

Page 20

Page 21

Page 22

Page 23

[Screenshot: "MYApp" push notification with real-time queuing and Approve / Deny buttons]

Page 24

Page 25

Page 26

ACHIEVING THE BEST PRACTICES

Page 27

Achieving Best Security Practice with DIGIPASS for APPS

Avoid storing data on the mobile device – apply persistent protection when you must

Consider the platform – apply root/jailbreak protections

Secure provisioning is a must-have, and implement a secure encrypted channel

Protect the user interface from malicious compromise

Two-factor authentication can be achieved through an easy user experience

Secure your transactions and document signing process

On the slide each practice is mapped to the component that addresses it: DIGIPASS for Apps (four of the practices) or RASP (two of the practices).

Page 28

WHAT'S NEXT?

Contact the VASCO team to get a live demo that:
• demonstrates compromised app behavior
• outlines DIGIPASS for APPS protection mechanisms
• [email protected]