Danger in the App Stores:
3rd Party Mobile App Risk for Banking & FinTech
8X FASTER – 3X DEEPER – MOST TRUSTED
© Copyright 2017 NowSecure, Inc. All Rights Reserved. Proprietary information.
THE INFORMATION BLACK HOLE
(Slide graphic: the 3rd party app information black hole)
DEEP MOBILE SECURITY EXPERTISE
Open source · Books & Speaking
Mobile threat research is in our DNA
▪ Dream team of security researchers
▪ Every waking moment spent:
– Discovering critical vulns
– Identifying novel attack vectors
– Creating/maintaining renowned open-source mobile security tools/projects
The NowSecure Mission
▪ Educate enterprises on the latest mobile threats
▪ Maximize the security of apps enterprises develop, purchase and use
NowSecure #MobSec5
Weekly mobile security news update
SUBSCRIBE NOW:
www.nowsecure.com/go/subscribe
AGENDA + SPEAKERS
MILLIONS OF POINTS OF APP RISK
▪ Stakeholders
▪ Risk & Compliance
▪ Mobile Attack Surface
REAL-WORLD APP RISK DATA
▪ Industry Benchmark Data
▪ Example best in class
▪ Example worst in class
RECOMMENDATIONS
▪ Best Practice Approaches
Brian Reed
Chief Mobile Officer
Alex Wishkoski
Director, Product Mgmt
3RD-PARTY MOBILE APP RISK & IMPACT
WHAT IS SCOPE OF 3rd PARTY APP RISK?
50,000 Devices
89 Apps/Device
4,450,000 Points of Risk
Sources: “The Economic Risk of Confidential Data on Mobile Devices in the Workplace”, Ponemon Institute; “Average number of apps installed by users in the United States in 2016, by device”, Statista
WHAT RISK? NEWS FLASH TODAY!
BLOG: https://www.nowsecure.com/blog/2017/11/14/oneplus-device-root-exploit-backdoor-engineermode-app-diagnostics-mode/
▪ Millions of OnePlus devices in Asia, India & Europe now exposed
▪ New root exploit discovered YESTERDAY
• Manufacturer's EngineerMode app left a backdoor in production
• System-signed .apk with a SHA256 hash of the password that was easily reversed
• With the password, the EngineerMode app enables a debugging mode & rooting
▪ How do you know if you are exposed?
WHO IS RESPONSIBLE FOR 3rd PARTY APP RISK?
SECURITY & ARCHITECTURE
• Evaluate mobile technology
• Establish mobile security and architecture requirements
• Test for vulnerabilities and ensure security, privacy, compliance
MOBILE CENTER OF EXCELLENCE
• Centrally coordinate & enable business mobilization
• Support BYOD, COPE & enterprise managed devices & apps
• Easy, quick vetting of 3rd party mobile apps to ensure they meet policy and governance requirements
COMPLIANCE & RISK
• Establish risk-based guidelines for mobile app security, compliance and privacy
• Ensure governance and controls are in place for all mobile apps
• Track and report on industry compliance and privacy mandates
WHAT IS THE MOBILE APP ATTACK SURFACE?
API BACKEND
▪ Platform vulnerabilities
▪ Server misconfiguration
▪ Cross-site scripting
▪ Cross-site request forgery
▪ Cross origin resource sharing
▪ Brute force attacks
▪ Side channel attacks
▪ SQL injection
▪ Privilege escalation
▪ Data dumping
▪ OS command execution
▪ Weak input validation
▪ Hypervisor attack
▪ VPN
DATA AT REST
▪ Data caching
▪ Data stored in application directory
▪ Decryption of keychain
▪ Data stored in log files
▪ Data cached in memory/RAM
▪ Data stored in SD card
▪ OS data caching
▪ Passwords & data accessible
▪ No/Weak encryption
▪ TEE/Secure Enclave Processor
▪ Side channel leak
▪ SQLite database
▪ Emulator variance
DATA IN MOTION
▪ Wi-Fi (no/weak encryption)
▪ Rogue access point
▪ Packet sniffing
▪ Man-in-the-middle
▪ Session hijacking
▪ DNS poisoning
▪ TLS downgrade
▪ Fake TLS certificate
▪ Improper TLS validation
▪ HTTP proxies
▪ VPNs
▪ Weak/No local authentication
▪ App transport security
▪ Transmitted to insecure server
▪ Zip files in transit
▪ Cookie “httpOnly” flag
▪ Cookie “secure” flag
▪ GPS spoofing
▪ Buffer overflow
▪ allowBackup flag
▪ allowDebug flag
▪ Code obfuscation
▪ Configuration manipulation
▪ Escalated privileges
▪ URL schemes
▪ GPS spoofing
▪ Integrity/tampering/repacking
▪ Side channel attacks
▪ App signing key unprotected
▪ JSON-RPC
▪ Automatic Reference Counting
CODE FUNCTIONALITY
▪ Android rooting/iOS jailbreak
▪ User-initiated code
▪ Confused deputy attack
▪ Multimedia/file format parsers
▪ Insecure 3rd party libraries
▪ World writable files
▪ World writable executables
▪ Dynamic runtime injection
▪ Unintended permissions
▪ UI overlay/pin stealing
▪ Intent hijacking
▪ Zip directory traversal
▪ Clipboard data
▪ World readable files
WHAT ARE RISK & COMPLIANCE MANDATES?
AppE.5.b Operational Risk Mitigation
AppE.5.b(iii) Mobile Application Risk Mitigation
PCI DSS Version 3.2 Dev, test, Maintain Secure Systems & Apps
PCI Mobile Payment Acceptance Security Guidelines
PART 314—Standards for safeguarding customer information
NIST FIPS 200: Minimum Security Requirements
NIST SP 800-53: Security & Privacy Controls
NIST SP 800-163: Vetting the Security of Mobile Applications
WHY ARE THE RISK RATIOS SO BAD?
>5 MILLION APPSTORE APPS : 245 MOBILE APP DEVs : 1 SECURITY ENGINEER
WHY SO MUCH TENSION?
(Chart: speed, volume, risk and cost, each rated from LOW to HIGH)
REAL-WORLD EXAMPLES OF APP STORE APP RISKS
WHAT ARE THE 3RD PARTY RISK STATS?
▪ 49% of apps have at least 1 significant risk
▪ 30% of Android reports run reveal sensitive user data
▪ 60% of iOS apps don’t require encrypted connections
▪ 26% of iOS reports reveal sensitive data in transit
▪ 20,000+ Android apps found that send passwords in the clear
▪ 120,000+ apps that can reveal user location
Source: NowSecure Software and Research Data 2016-2017
INSIDE MOBILE APP RISK SCORING
TESTING FOR RISK -- DATA IN MOTION
▪ Apply SSL/TLS universally
▪ Assume that the network layer is not secure and is susceptible to eavesdropping
▪ Use strong, industry standard cipher suites with appropriate key lengths
▪ 34% of iOS apps use HTTP
▪ iOS ATS slow adoption (less than 40%)
PREVENTING MITM ATTACKS
▪ Use HSTS / HTTPS
– Prevent protocol downgrade attacks
▪ Validate certificates
▪ Use cert pinning
▪ Educate users
– Don’t install certs
TESTING FOR RISK -- IP ADDRESSES
▪ 3rd party libraries, SDKs are common culprits
– Ad networks frequently uniquely identify users and geo-locate them insecurely
▪ Validate all outbound traffic destinations
▪ Apps frequently have 100s of connections (this one had 250)
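The "validate all outbound traffic destinations" check above, together with the cleartext-HTTP point from the data-in-motion slide, as an added Python example that is not NowSecure code. It triages the request URLs recorded from an app during a dynamic-analysis run: which hosts are outside the app owner's own domains, which requests are cleartext, and which carry a location or a device identifier in the query string. The first-party domain allowlist, the sample capture and the parameter names treated as location/identifier leaks are all constructed assumptions for this example.

```python
"""Triage of an app's observed outbound connections.

Added example (not NowSecure code). Input: URLs recorded during a dynamic
analysis run. The first-party domains, the sample capture and the parameter
names treated as identifier/location leaks are constructed assumptions.
"""
from __future__ import annotations

from urllib.parse import parse_qs, urlsplit

# Domains the app owner operates (assumed allowlist for this example).
FIRST_PARTY_DOMAINS = {"bank.example"}

# Query parameter names commonly used to carry a location or a device
# identifier. Assumed lists for the example; extend per engagement.
LOCATION_PARAMS = {"lat", "lon", "latitude", "longitude", "geo"}
IDENTIFIER_PARAMS = {"idfa", "gaid", "android_id", "imei", "device_id"}


def _is_first_party(host: str) -> bool:
    """True when host is one of the allowlisted domains or a subdomain."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in FIRST_PARTY_DOMAINS)


def triage_url(url: str) -> list[str]:
    """Return the risk labels that apply to one observed request URL."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    findings = []
    if parts.scheme == "http":
        findings.append("cleartext")          # no TLS: eavesdropping/MITM exposure
    if not _is_first_party(host):
        findings.append("third-party")        # destination needs review
    params = {k.lower() for k in parse_qs(parts.query, keep_blank_values=True)}
    if params & LOCATION_PARAMS:
        findings.append("location")           # user geo-location leaves the app
    if params & IDENTIFIER_PARAMS:
        findings.append("device-identifier")  # user is uniquely identified
    return findings


def triage_capture(urls: list[str]) -> dict:
    """Summarise a capture: unique hosts contacted and findings per URL."""
    hosts = set()
    report = {}
    for url in urls:
        hosts.add((urlsplit(url).hostname or "").lower())
        findings = triage_url(url)
        if findings:
            report[url] = findings
    return {"unique_hosts": len(hosts), "findings": report}


# Constructed sample capture (not real traffic).
SAMPLE_CAPTURE = [
    "https://api.bank.example/v2/accounts",
    "https://api.bank.example/v2/login",
    "http://api.bank.example/v1/legacy/balance",
    "https://cdn.bank.example/assets/logo.png",
    "http://track.adnetwork.invalid/ping?idfa=ABCD-1234&lat=41.88&lon=-87.63",
    "https://metrics.analytics.invalid/collect?device_id=deadbeef",
]

if __name__ == "__main__":
    summary = triage_capture(SAMPLE_CAPTURE)
    print(f"{summary['unique_hosts']} unique hosts contacted")
    for url, findings in summary["findings"].items():
        print(f"  {', '.join(findings):45s} {url}")
```

In practice the capture would come from a proxy or an on-device packet trace, and the allowlist from the app owner's declared backend domains; the point of the check is that a single ad SDK request combining a device identifier with coordinates over cleartext HTTP is exactly the pattern the slide warns about.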
TESTING FOR RISK -- DATA AT REST
▪ Writable executables
▪ Local log data
• GPS data / location
• Files / directories accessed
▪ External storage
• Always examine all files, permissions
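The data-at-rest checks above (writable executables, local log data with GPS/location, external storage, examining every file's permissions) as an added Python example that is not part of the deck. It builds a throwaway directory imitating an app sandbox plus external storage and then scans it, so every path, file name and log line is constructed; the regular expressions for coordinates and credentials are assumptions about log formats.

```python
"""Scan of an app's on-device storage for data-at-rest risks.

Added example (not NowSecure code). It builds a throwaway directory that
imitates an app sandbox plus external storage, then scans it for
world-writable executables, world-readable files and logs that leak
location or credentials. Paths, file names and contents are constructed.
"""
from __future__ import annotations

import os
import re
import stat
import tempfile

# A "lat,lon" pair such as "41.88,-87.63" (assumed log format for the example).
COORD_RE = re.compile(r"-?\d{1,3}\.\d{3,},\s*-?\d{1,3}\.\d{3,}")
# Credential-looking key/value pairs (assumed patterns).
SECRET_RE = re.compile(r"(password|passwd|token|secret)\s*[=:]", re.IGNORECASE)


def scan_tree(root: str) -> list[tuple[str, str]]:
    """Walk root and return sorted (relative_path, finding) pairs."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            mode = os.stat(path).st_mode
            executable = bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
            if mode & stat.S_IWOTH:
                # Any app on the device can modify it; worse if it is executed.
                findings.append((rel, "world-writable executable" if executable
                                 else "world-writable file"))
            elif mode & stat.S_IROTH:
                findings.append((rel, "world-readable file"))
            if name.endswith((".log", ".txt")):
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
                if COORD_RE.search(text):
                    findings.append((rel, "location data in log"))
                if SECRET_RE.search(text):
                    findings.append((rel, "credential in log"))
    return sorted(findings)


def build_sample_sandbox() -> str:
    """Create a constructed app data layout and return its root directory."""
    root = tempfile.mkdtemp(prefix="appsandbox-")
    os.makedirs(os.path.join(root, "files", "bin"))
    os.makedirs(os.path.join(root, "logs"))
    os.makedirs(os.path.join(root, "sdcard", "Download"))
    helper = os.path.join(root, "files", "bin", "helper")
    with open(helper, "w") as fh:
        fh.write("#!/bin/sh\necho helper\n")
    os.chmod(helper, 0o777)                       # world-writable and executable
    log = os.path.join(root, "logs", "app.log")
    with open(log, "w") as fh:
        fh.write("INFO location fix 41.881832,-87.623177\n"
                 "DEBUG login password=hunter2\n")
    os.chmod(log, 0o600)
    exported = os.path.join(root, "sdcard", "Download", "statement.pdf")
    with open(exported, "w") as fh:
        fh.write("%PDF-1.4 constructed placeholder\n")
    os.chmod(exported, 0o644)                     # external storage: readable by every app
    private = os.path.join(root, "files", "prefs.xml")
    with open(private, "w") as fh:
        fh.write("<map/>\n")
    os.chmod(private, 0o600)                      # correctly private
    return root


if __name__ == "__main__":
    for rel, finding in scan_tree(build_sample_sandbox()):
        print(f"{finding:28s} {rel}")
```

Run against a real device the same walk would be pointed at the pulled app data directory and the external storage mount; the constructed sandbox is left in place under the temp directory so the reported modes can be inspected by hand.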
TESTING FOR RISK -- 3RD PARTY LIBRARIES
▪ Nearly all apps have 3rd party libs
▪ Open source allows both good and bad eyeballs
▪ Popular libraries ≠ safety
TESTING FOR RISK -- PERMISSIONS & ENTITLEMENTS
▪ Contact list access
▪ Write external storage
▪ Calendar
▪ Send SMS
▪ NFC
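The permission and entitlement review above, together with the allowBackup, allowDebug and App Transport Security items from the attack-surface and data-in-motion slides, as an added Python example that is not NowSecure tooling. It vets a constructed AndroidManifest.xml and iOS Info.plist against a watch list built from the slide's items; the manifest, the plist and the watch-list entries are assumptions made for the example, and usesCleartextTraffic is an Android flag included here that the slides do not mention.

```python
"""Static vetting of an app's declared flags and permissions.

Added example (not NowSecure code). The Android manifest and iOS Info.plist
below are constructed samples; the watch lists encode the slide's items
(allowBackup, allowDebug/debuggable, ATS, contacts, external storage,
calendar, SMS, NFC) plus usesCleartextTraffic, an assumption added here.
"""
from __future__ import annotations

import plistlib
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

ANDROID_PERMISSION_WATCHLIST = {
    "android.permission.READ_CONTACTS": "contact list access",
    "android.permission.WRITE_EXTERNAL_STORAGE": "write external storage",
    "android.permission.READ_CALENDAR": "calendar",
    "android.permission.SEND_SMS": "send SMS",
    "android.permission.NFC": "NFC",
}
# <application> attributes that weaken the app when set to "true".
ANDROID_FLAG_WATCHLIST = ("allowBackup", "debuggable", "usesCleartextTraffic")

# Info.plist usage-description keys whose presence means the capability is used.
IOS_USAGE_WATCHLIST = {
    "NSContactsUsageDescription": "contact list access",
    "NSCalendarsUsageDescription": "calendar",
    "NFCReaderUsageDescription": "NFC",
}


def vet_android_manifest(xml_text: str) -> list[str]:
    """Return findings for risky <application> flags and watched permissions."""
    root = ET.fromstring(xml_text)
    findings = []
    app = root.find("application")
    if app is not None:
        for flag in ANDROID_FLAG_WATCHLIST:
            if app.get(ANDROID_NS + flag, "false").lower() == "true":
                findings.append(f"android:{flag}=true")
    for perm in root.findall("uses-permission"):
        name = perm.get(ANDROID_NS + "name", "")
        if name in ANDROID_PERMISSION_WATCHLIST:
            findings.append(f"permission: {ANDROID_PERMISSION_WATCHLIST[name]}")
    return findings


def vet_ios_plist(plist_bytes: bytes) -> list[str]:
    """Return findings for a disabled ATS and watched usage descriptions."""
    info = plistlib.loads(plist_bytes)
    findings = []
    ats = info.get("NSAppTransportSecurity", {})
    if ats.get("NSAllowsArbitraryLoads") is True:
        findings.append("ATS disabled (NSAllowsArbitraryLoads=true)")
    for key, label in IOS_USAGE_WATCHLIST.items():
        if key in info:
            findings.append(f"usage description: {label}")
    return findings


# Constructed sample manifest for a hypothetical third-party app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.thirdparty">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application android:allowBackup="true" android:debuggable="true"
               android:usesCleartextTraffic="true" android:label="Sample"/>
</manifest>
"""

# Constructed sample Info.plist (serialised to XML plist bytes).
SAMPLE_INFO_PLIST = plistlib.dumps({
    "CFBundleIdentifier": "com.example.thirdparty",
    "NSAppTransportSecurity": {"NSAllowsArbitraryLoads": True},
    "NSCalendarsUsageDescription": "Shows your upcoming payments",
})

if __name__ == "__main__":
    for finding in vet_android_manifest(SAMPLE_MANIFEST):
        print("Android:", finding)
    for finding in vet_ios_plist(SAMPLE_INFO_PLIST):
        print("iOS:", finding)
```

On a real package the manifest is the decoded binary AndroidManifest.xml from the APK and the plist comes from the IPA's app bundle; a finding here is a reason to ask why a banking-adjacent app needs the capability, not proof of misuse.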
IN ACTION: BEST PRACTICES FOR FINSERV & BANKING
BEST PRACTICE RECOMMENDATIONS
1. Recognize the risks of 3rd party apps on BYOD and COPE devices
○ Assume all are untrusted until validated, no matter who the developer is
2. Put controls and processes in place to analyze and monitor 3rd party app risk
○ Inventory & analyze your existing mobile apps, leveraging EMM/MDM
○ Adapt processes to review and approve all new mobile apps before introduction
○ Leverage automated tools for in-depth testing and continuous monitoring
3. Find a reputable source to stay up to date on the latest threats
○ Sign up for NowSecure #MobSec5 at www.nowsecure.com/go/subscribe
○ Read our blog at www.nowsecure.com/blog
Case Study
● PROBLEM: Provider of 3rd-party risk analytics to insurers, F500 enterprises & investment banks needed app-store app risk rankings at scale
● Leverage the NowSecure Platform™ for the world’s deepest 3rd-party app vetting
● On-demand access to millions of app-store app security scores via NowSecure INTEL API
NOWSECURE PLATFORM for 360º COVERAGE OF MOBILE APP SECURITY TESTING
▪ NowSecure INTEL: AlwaysOn AppStore Cloud Analysis for EMM & Security teams
▪ NowSecure AUTO: OnDemand Fast Cloud Analysis for Dev, QA & Security teams
▪ NowSecure WORKSTATION: Deep Pen Testing Analysis for Security Analysts
▪ NowSecure SERVICES: Expert Pen Testing, Training & Programs for App Owners & Security teams
8X FASTER – 3X DEEPER – MOST TRUSTED
SHIFT LEFT WITH MOBILE APPSEC FACTORY
(Diagram: YOUR APPSEC FACTORY pipeline REQUIREMENTS → DESIGN → BUILD → TEST → PRODUCTION, with three test gates)
▪ RAPID TEST (developed apps): Rapid Test all apps in 15 mins automatically… → RAPID: PASSED, or ANY TEST: FAILED
▪ DEEP TEST (deep certification): Spend <1 hour deep testing any concerning rapid results or additional advanced/pre-release certification → DEEP: PASSED
▪ ONLINE TEST (3rd party app store apps): Instantly vet 3rd party app risk → ONLINE: PASSED / ONLINE: FAILED
NOWSECURE COMING ATTRACTIONS
Next Month’s Webinar
2018 Mobile AppSec Must-Dos
Tuesday, Dec. 5
NH-ISAC Fall Summit
Come see NowSecure
Nov. 28 - 30 in Scottsdale, AZ
AppSec Cali 2018
Come see NowSecure
Jan. 30 - 31 in Santa Monica
OPEN Q&A
MILLIONS OF POINTS OF APP RISK
▪ Stakeholders
▪ Mobile Attack Surface
▪ Risk & Compliance
REAL-WORLD APP RISK DATA
▪ Industry Benchmark Data
▪ Example best in class
▪ Example worst in class
RECOMMENDATIONS
▪ Best Practice Approaches
Brian Reed
Chief Mobility Officer
Alex Wishkoski
Director, Product Mgmt
Let’s talk
NowSecure
+1 312.878.1100
@NowSecureMobile
www.nowsecure.com
Subscribe to #MobSec5
A digest of the week’s mobile security news that matters
https://www.nowsecure.com/go/subscribe

Danger in the App Stores: 3rd Party Mobile App Risk for Banks, FinServ & FinTech

  • 8. WHAT RISK? NEWS FLASH TODAY! Blog: https://www.nowsecure.com/blog/2017/11/14/oneplus-device-root-exploit-backdoor-engineermode-app-diagnostics-mode/
    ▪ Millions of OnePlus devices in Asia, India and Europe are now exposed
    ▪ A new root exploit was disclosed yesterday (the blog post is dated Nov. 14, 2017):
      • The manufacturer's EngineerMode diagnostics app shipped in production builds with a backdoor
      • The app is a system-signed .apk; the backdoor is gated on a password stored only as a SHA-256 hash, and that hash was easily reversed
      • With the password, EngineerMode switches on a debugging mode that leads to root
    ▪ How do you know whether you are exposed?
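The "hash was easily reversed" point deserves a demonstration: an unsalted SHA-256 of a short, human-chosen password shipped inside a binary is not a secret, because an attacker can hash a wordlist (or every short string) offline and compare. The script below is an added example, not the EngineerMode code, its real digest or its real password; the target password "diagmode", the wordlist and the mangling rules are all constructed for the demonstration.

```python
"""Recovering a password from an unsalted SHA-256 digest found in a binary.

Added example on constructed data. The digest is derived at import time from a
constructed password so the script runs stand-alone; in a real audit you would
paste the hex string lifted from the decompiled code.
"""
import hashlib
import itertools
import string

# Constructed stand-in for "the SHA-256 of the password" embedded in an app.
SHIPPED_DIGEST = hashlib.sha256(b"diagmode").hexdigest()

# Constructed mini wordlist; a real run would use a large public list plus
# vendor- and product-specific terms harvested from the app's own strings.
WORDLIST = ["password", "qualcomm", "engineer", "diagnostics", "diag",
            "diagmode", "oneplus", "factory"]


def sha256_hex(candidate: str) -> str:
    """Hash one candidate exactly the way the app hashes the user's input."""
    return hashlib.sha256(candidate.encode()).hexdigest()


def dictionary_attack(digest_hex, words, suffixes=("", "1", "123", "2017")):
    """Try each word with a few simple mangling rules; return the match or None."""
    for word in words:
        for base in (word, word.capitalize()):
            for suffix in suffixes:
                cand = base + suffix
                if sha256_hex(cand) == digest_hex:
                    return cand
    return None


def brute_force(digest_hex, alphabet=string.ascii_lowercase, max_len=4):
    """Exhaust every string over `alphabet` up to max_len characters.

    Returns (match_or_None, number_of_candidates_tried). 26**4 is under half a
    million digests, seconds of CPU even in pure Python.
    """
    tried = 0
    for n in range(1, max_len + 1):
        for tup in itertools.product(alphabet, repeat=n):
            tried += 1
            cand = "".join(tup)
            if sha256_hex(cand) == digest_hex:
                return cand, tried
    return None, tried


def recover(digest_hex):
    """Dictionary first, short brute force second; returns (password, method)."""
    hit = dictionary_attack(digest_hex, WORDLIST)
    if hit is not None:
        return hit, "dictionary"
    hit, _ = brute_force(digest_hex)
    return hit, ("brute-force" if hit else None)


if __name__ == "__main__":
    print(recover(SHIPPED_DIGEST))
```

A salted or deliberately slow hash would only slow this search down, because the salt and the algorithm ship in the same binary; the defect is a credential-gated debugging backdoor in a production system app, and the only fix is to remove it.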
  • 10. WHO IS RESPONSIBLE FOR 3rd PARTY APP RISK?
    ▪ SECURITY & ARCHITECTURE: evaluate mobile technology; establish mobile security and architecture requirements; test for vulnerabilities and ensure security, privacy and compliance
    ▪ MOBILE CENTER OF EXCELLENCE: centrally coordinate and enable business mobilization; support BYOD, COPE and enterprise-managed devices and apps; provide easy, quick vetting of 3rd-party mobile apps to ensure they meet policy and governance requirements
    ▪ COMPLIANCE & RISK: establish risk-based guidelines for mobile app security, compliance and privacy; ensure governance and controls are in place for all mobile apps; track and report on industry compliance and privacy mandates
  • 11. WHAT IS THE MOBILE APP ATTACK SURFACE?
    ▪ DATA AT REST: data caching; data stored in the application directory; decryption of keychain; data stored in log files; data cached in memory/RAM; data stored on SD card; OS data caching; passwords and data accessible; no/weak encryption; TEE/Secure Enclave Processor; side-channel leak; SQLite database; emulator variance
    ▪ DATA IN MOTION: Wi-Fi (no/weak encryption); rogue access point; packet sniffing; man-in-the-middle; session hijacking; DNS poisoning; TLS downgrade; fake TLS certificate; improper TLS validation; HTTP proxies; VPNs; weak/no local authentication; App Transport Security; transmitted to insecure server; zip files in transit; cookie "httpOnly" flag; cookie "secure" flag
    ▪ CODE FUNCTIONALITY: Android rooting/iOS jailbreak; user-initiated code; confused deputy attack; multimedia/file-format parsers; insecure 3rd-party libraries; world-writable files; world-writable executables; world-readable files; dynamic runtime injection; unintended permissions; UI overlay/PIN stealing; intent hijacking; zip directory traversal; clipboard data; GPS spoofing; buffer overflow; allowBackup flag; allowDebug flag; code obfuscation; configuration manipulation; escalated privileges; URL schemes; integrity/tampering/repacking; side-channel attacks; app signing key unprotected; JSON-RPC; Automatic Reference Counting
    ▪ API BACKEND: platform vulnerabilities; server misconfiguration; cross-site scripting; cross-site request forgery; cross-origin resource sharing; brute-force attacks; side-channel attacks; SQL injection; privilege escalation; data dumping; OS command execution; weak input validation; hypervisor attack; VPN
  • 12. WHAT ARE THE RISK & COMPLIANCE MANDATES?
    ▪ App E.5.b Operational Risk Mitigation; App E.5.b(iii) Mobile Application Risk Mitigation
    ▪ PCI DSS version 3.2: develop, test and maintain secure systems and applications
    ▪ PCI Mobile Payment Acceptance Security Guidelines
    ▪ Part 314: Standards for Safeguarding Customer Information (16 CFR Part 314, the GLBA Safeguards Rule)
    ▪ NIST FIPS 200: Minimum Security Requirements
    ▪ NIST SP 800-53: Security and Privacy Controls
    ▪ NIST SP 800-163: Vetting the Security of Mobile Applications
  • 13. WHY ARE THE RISK RATIOS SO BAD? More than 5 million app-store apps, 245 mobile app developers for every 1 security engineer (>5,000,000 apps : 245 developers : 1 security engineer).
  • 14. WHY SO MUCH TENSION? (chart: speed, volume, risk and cost, each plotted from low to high)
  • 15. REAL-WORLD EXAMPLES OF APP STORE APP RISKS
  • 16. WHAT ARE THE 3RD PARTY RISK STATS?
    ▪ 49% of apps have at least 1 significant risk
    ▪ 30% of Android app reports reveal sensitive user data
    ▪ 26% of iOS app reports reveal sensitive data in transit
    ▪ 60% of iOS apps don't require encrypted connections
    ▪ 20,000+ Android apps found that send passwords in the clear
    ▪ 120,000+ apps that can reveal user location
    Source: NowSecure software and research data, 2016-2017
  • 17. INSIDE MOBILE APP RISK SCORING
  • 18. TESTING FOR RISK -- DATA IN MOTION
    ▪ Use TLS on every connection, not just the login
    ▪ Assume the network layer is not secure and is susceptible to eavesdropping
    ▪ Use strong, industry-standard cipher suites with appropriate key lengths
    ▪ 34% of iOS apps use plain HTTP
    ▪ iOS App Transport Security (ATS) adoption is slow (less than 40% of apps)
  • 19. PREVENTING MITM ATTACKS
    ▪ Enforce HTTPS, and use HSTS where a browser or WebView is the client, to prevent protocol downgrade attacks (a native app should simply refuse non-HTTPS URLs)
    ▪ Validate server certificates: never disable chain or hostname checks
    ▪ Use certificate pinning
    ▪ Educate users: don't install certificates (a user-installed CA is what lets an interception proxy terminate the app's TLS)
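Slides 18 and 19 describe properties that are decided by two files you can read straight out of the app package: the iOS Info.plist (App Transport Security keys) and the Android network_security_config.xml (cleartext policy and trust anchors). The checker below is an added example, not code from this deck or from NowSecure; the plist, the XML, the bundle identifier and the domain names in them are constructed to show the weak settings beside the strong ones.

```python
"""Flag transport-security weaknesses in an iOS Info.plist and an Android
network_security_config.xml. Added example; both inputs are constructed."""
import plistlib
import xml.etree.ElementTree as ET

# Constructed Info.plist: ATS switched off app-wide plus a weak per-domain exception.
IOS_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.bankapp</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><true/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>legacy.example.com</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
        <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.0</string>
        <key>NSExceptionRequiresForwardSecrecy</key><false/>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

# Constructed network_security_config.xml: cleartext allowed by default and
# user-installed CAs trusted, so a proxy certificate the user was talked into
# installing is accepted. The api.example.com block shows the tightened form.
ANDROID_NSC = b"""<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
  <base-config cleartextTrafficPermitted="true">
    <trust-anchors>
      <certificates src="system"/>
      <certificates src="user"/>
    </trust-anchors>
  </base-config>
  <domain-config cleartextTrafficPermitted="false">
    <domain includeSubdomains="true">api.example.com</domain>
  </domain-config>
</network-security-config>
"""

WEAK_TLS = {"TLSv1.0", "TLSv1.1"}


def ios_ats_findings(plist_bytes):
    """Return a list of ATS relaxations; an absent ATS dict means defaults apply."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    findings = []
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("ATS disabled app-wide (NSAllowsArbitraryLoads)")
    for key in ("NSAllowsArbitraryLoadsInWebContent", "NSAllowsArbitraryLoadsForMedia"):
        if ats.get(key):
            findings.append(f"ATS relaxed by {key}")
    for domain, cfg in ats.get("NSExceptionDomains", {}).items():
        if cfg.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(f"{domain}: plain HTTP allowed")
        if cfg.get("NSExceptionMinimumTLSVersion") in WEAK_TLS:
            findings.append(f"{domain}: minimum TLS {cfg['NSExceptionMinimumTLSVersion']}")
        if cfg.get("NSExceptionRequiresForwardSecrecy") is False:
            findings.append(f"{domain}: forward secrecy not required")
    return findings


def android_nsc_findings(xml_bytes):
    """Return cleartext and trust-anchor weaknesses from a network security config."""
    root = ET.fromstring(xml_bytes)
    findings = []
    base = root.find("base-config")
    if base is not None and base.get("cleartextTrafficPermitted", "false").lower() == "true":
        findings.append("base-config permits cleartext traffic")
    for cert in root.iter("certificates"):
        if cert.get("src") == "user":
            findings.append("user-installed CA certificates trusted")
    if root.find("debug-overrides") is not None:
        findings.append("debug-overrides present (confirm it is absent from release builds)")
    for dc in root.findall("domain-config"):
        if dc.get("cleartextTrafficPermitted", "false").lower() == "true":
            doms = ", ".join(d.text for d in dc.findall("domain"))
            findings.append(f"cleartext permitted for {doms}")
    return findings


if __name__ == "__main__":
    print(ios_ats_findings(IOS_INFO_PLIST))
    print(android_nsc_findings(ANDROID_NSC))
```

Two defaults matter when reading the output: on iOS, ATS is on unless a key relaxes it, so an app whose Info.plist has no NSAppTransportSecurity dictionary is the good case; on Android, the base-config cleartext default is true for apps targeting API levels below 28 and false from 28, and user-installed CAs are distrusted by default from API 24, so the "user" trust anchor above is the app opting back in to interception.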
  • 20. TESTING FOR RISK -- IP ADDRESSES
    ▪ 3rd-party libraries and SDKs are common culprits: ad networks frequently identify users uniquely and geo-locate them insecurely
    ▪ Validate all outbound traffic destinations
    ▪ Apps frequently make hundreds of connections (the app analyzed here made 250)
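"Validate all outbound destinations" is easier when a capture is first reduced to one line per connection and then grouped. The triage script below is an added example, not a NowSecure report or tool; the capture lines, the hostnames and the first-party domain are constructed (203.0.113.7 is a documentation address), and the line format is the hypothetical "timestamp host:port scheme tls-version" reduction assumed here.

```python
"""Triage of an app's outbound connections: which hosts it talks to, how often,
which are cleartext, which negotiate old TLS, which are third parties or raw
IP literals. Added example on constructed capture summary lines."""
import ipaddress
from collections import Counter

# Constructed one-line-per-connection summary (timestamp host:port scheme tls).
CAPTURE = """\
2017-11-15T09:12:03Z api.examplebank.com:443 https TLSv1.2
2017-11-15T09:12:04Z cdn.examplebank.com:443 https TLSv1.2
2017-11-15T09:12:05Z track.adnetwork-example.net:80 http -
2017-11-15T09:12:05Z track.adnetwork-example.net:80 http -
2017-11-15T09:12:06Z metrics.analytics-example.com:443 https TLSv1.0
2017-11-15T09:12:07Z 203.0.113.7:8080 http -
2017-11-15T09:12:08Z api.examplebank.com:443 https TLSv1.2
"""

WEAK_TLS = {"SSLv3", "TLSv1.0", "TLSv1.1"}


def is_ip_literal(host):
    """A hard-coded IP destination bypasses DNS-based allow-listing; flag it."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def is_first_party(host, first_party_suffixes):
    return any(host == s or host.endswith("." + s) for s in first_party_suffixes)


def triage(capture_text, first_party_suffixes=("examplebank.com",)):
    """Group connections by host and classify each host."""
    hosts = Counter()
    cleartext, weak_tls, third_party, ip_literals = set(), set(), set(), set()
    for line in capture_text.splitlines():
        if not line.strip():
            continue
        _ts, hostport, scheme, tls = line.split()
        host, _port = hostport.rsplit(":", 1)
        hosts[host] += 1
        if scheme == "http":
            cleartext.add(host)
        if tls in WEAK_TLS:
            weak_tls.add(host)
        if is_ip_literal(host):
            ip_literals.add(host)
        elif not is_first_party(host, first_party_suffixes):
            third_party.add(host)
    return {
        "connections": sum(hosts.values()),
        "hosts": hosts,
        "cleartext": sorted(cleartext),
        "weak_tls": sorted(weak_tls),
        "third_party": sorted(third_party),
        "ip_literals": sorted(ip_literals),
    }


if __name__ == "__main__":
    for key, value in triage(CAPTURE).items():
        print(f"{key}: {value}")
```

Every third-party host in the output should map back to a library or SDK you can name in the app's dependency list; one you cannot explain is the finding.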
  • 21. TESTING FOR RISK -- DATA AT REST
    ▪ Writable executables
    ▪ Local log data: GPS/location data; files and directories accessed
    ▪ External storage
    ▪ Always examine all files and their permissions
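"Examine all files and permissions" can be done mechanically over a pulled copy of the app's data directory. The scanner below is an added example, not code from this deck or from NowSecure; it builds a constructed sandbox in a temporary directory (file names, modes and the log contents are all made up) and then reports world-writable files, world-writable executables, world-readable files and coordinates written to logs.

```python
"""Scan an app data directory for weak file permissions and location data in
logs. Added example; the sandbox it scans is constructed in a temp directory."""
import os
import re
import stat
import tempfile

# Decimal lat/lon pairs such as "41.8781, -87.6298".
COORD_RE = re.compile(r"(-?\d{1,2}\.\d{4,}),\s*(-?\d{1,3}\.\d{4,})")

# Constructed sandbox contents: relative path -> (mode, bytes).
SAMPLE_FILES = {
    "files/cache.db": (0o600, b"SQLite format 3\x00"),
    "files/helper.sh": (0o777, b"#!/system/bin/sh\necho hi\n"),
    "shared_prefs/prefs.xml": (0o666, b'<map><string name="session">abc</string></map>'),
    "logs/app.log": (0o644, b"I/App: started\nD/Loc: fix 41.8781, -87.6298\n"),
}


def build_sample_sandbox():
    """Create the constructed app directory and return its root path."""
    root = tempfile.mkdtemp(prefix="appdata-")
    for rel, (mode, data) in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
        os.chmod(path, mode)
    return root


def scan_app_dir(root):
    """Walk the directory and classify every regular file by its mode bits."""
    report = {"world_writable": [], "world_writable_exec": [],
              "world_readable": [], "location_in_logs": []}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            mode = os.stat(path).st_mode
            if mode & stat.S_IWOTH:
                report["world_writable"].append(rel)
                # Any execute bit on a world-writable file: another app can
                # replace the code this app will run.
                if mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
                    report["world_writable_exec"].append(rel)
            if mode & stat.S_IROTH:
                report["world_readable"].append(rel)
            if rel.endswith((".log", ".txt")):
                with open(path, "rb") as f:
                    text = f.read().decode("utf-8", "replace")
                for m in COORD_RE.finditer(text):
                    report["location_in_logs"].append(f"{rel}: {m.group(1)}, {m.group(2)}")
    for key in report:
        report[key].sort()
    return report


if __name__ == "__main__":
    for key, value in scan_app_dir(build_sample_sandbox()).items():
        print(f"{key}: {value}")
```

Point the same scanner at a pull of the app's external-storage directory too: everything under external storage is readable by any app holding the storage permission regardless of mode bits, so anything sensitive found there is a finding on its own.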
  • 22. TESTING FOR RISK -- 3RD PARTY LIBRARIES
    ▪ Nearly all apps include 3rd-party libraries
    ▪ Open source puts the code in front of both good and bad eyeballs
    ▪ Popular libraries ≠ safe libraries
  • 23. TESTING FOR RISK -- PERMISSIONS & ENTITLEMENTS
    ▪ Contact list access
    ▪ Write external storage
    ▪ Calendar
    ▪ Send SMS
    ▪ NFC
  • 24. IN ACTION: BEST PRACTICES FOR FINSERV & BANKING
  • 25. BEST PRACTICE RECOMMENDATIONS
    1. Recognize the risks of 3rd-party apps on BYOD and COPE devices
       ○ Assume all are untrusted until validated, no matter who the developer is
    2. Put controls and processes in place to analyze and monitor 3rd-party app risk
       ○ Inventory and analyze your existing mobile apps, leveraging EMM/MDM
       ○ Adapt processes to review and approve all new mobile apps before introduction
       ○ Leverage automated tools for in-depth testing and continuous monitoring
    3. Find a reputable source to stay up to date on the latest threats
       ○ Sign up for NowSecure #MobSec5 at www.nowsecure.com/go/subscribe
       ○ Read our blog at www.nowsecure.com/blog
  • 26. CASE STUDY
    ● PROBLEM: a provider of 3rd-party risk analytics to insurers, F500 enterprises and investment banks needed app-store app risk rankings at scale
    ● Leverages the NowSecure Platform™ for the world's deepest 3rd-party app vetting
    ● On-demand access to millions of app-store app security scores via the NowSecure INTEL API
  • 27. NOWSECURE PLATFORM for 360º COVERAGE OF MOBILE APP SECURITY TESTING
    ▪ NowSecure INTEL: always-on app-store cloud analysis for EMM and security teams
    ▪ NowSecure AUTO: on-demand fast cloud analysis for dev, QA and security teams
    ▪ NowSecure WORKSTATION: deep pen-testing analysis for security analysts
    ▪ NowSecure SERVICES: expert pen testing, training and programs for app owners and security teams
    8X FASTER – 3X DEEPER – MOST TRUSTED
  • 28. SHIFT LEFT WITH MOBILE APPSEC FACTORY (flow: requirements → design → build → test → production, with your AppSec factory gating the path to production)
    ▪ Developed apps: rapid-test all apps in 15 minutes, automatically (RAPID: PASSED / FAILED)
    ▪ Spend <1 hour deep-testing any concerning rapid results, or for additional advanced/pre-release certification (DEEP TEST, DEEP CERTIFICATION: PASSED / FAILED)
    ▪ 3rd-party app-store apps: instantly vet 3rd-party app risk (ONLINE TEST: PASSED / FAILED)
    ▪ Any test failed: the app does not proceed to production
  • 29. NOWSECURE COMING ATTRACTIONS
    ▪ Next month's webinar: 2018 Mobile AppSec Must-Dos, Tuesday, Dec. 5
    ▪ NH-ISAC Fall Summit: come see NowSecure Nov. 28 - 30 in Scottsdale, AZ
    ▪ AppSec Cali 2018: come see NowSecure Jan. 30 - 31 in Santa Monica
  • 30. OPEN Q&A
    MILLIONS OF POINTS OF APP RISK ▪ Stakeholders ▪ Mobile Attack Surface ▪ Risk & Compliance
    REAL-WORLD APP RISK DATA ▪ Industry Benchmark Data ▪ Example best in class ▪ Example worst in class
    RECOMMENDATIONS ▪ Best Practice Approaches
    Brian Reed, Chief Mobility Officer; Alex Wishkoski, Director, Product Mgmt
  • 31. LET'S TALK
    NowSecure, +1 312.878.1100, @NowSecureMobile, www.nowsecure.com
    Subscribe to #MobSec5, a digest of the week's mobile security news that matters: https://www.nowsecure.com/go/subscribe