CLX.MAP & Mobile Security - Security - Speedtest | cnlab · Agenda 2 Digital Banking Mobile Banking...
Transcript of CLX.MAP & Mobile Security - Security - Speedtest | cnlab · Agenda 2 Digital Banking Mobile Banking...
![Page 1: CLX.MAP & Mobile Security - Security - Speedtest | cnlab · Agenda 2 Digital Banking Mobile Banking Apps CLX.MAP Mobile Security App Hardening Is my App Secure?](https://reader030.fdocuments.net/reader030/viewer/2022041117/5f2cbfb18074ee28033c05cf/html5/thumbnails/1.jpg)
CLX.MAP &
Mobile Security
![Page 2: CLX.MAP & Mobile Security - Security - Speedtest | cnlab · Agenda 2 Digital Banking Mobile Banking Apps CLX.MAP Mobile Security App Hardening Is my App Secure?](https://reader030.fdocuments.net/reader030/viewer/2022041117/5f2cbfb18074ee28033c05cf/html5/thumbnails/2.jpg)
Agenda
2
Digital Banking
Mobile Banking Apps
CLX.MAP
Mobile Security
App Hardening
Is my App Secure?
![Page 3: CLX.MAP & Mobile Security - Security - Speedtest | cnlab · Agenda 2 Digital Banking Mobile Banking Apps CLX.MAP Mobile Security App Hardening Is my App Secure?](https://reader030.fdocuments.net/reader030/viewer/2022041117/5f2cbfb18074ee28033c05cf/html5/thumbnails/3.jpg)
Digital BankingPortalApp / Mobile Security © CREALOGIX 3
![Page 4: CLX.MAP & Mobile Security - Security - Speedtest | cnlab · Agenda 2 Digital Banking Mobile Banking Apps CLX.MAP Mobile Security App Hardening Is my App Secure?](https://reader030.fdocuments.net/reader030/viewer/2022041117/5f2cbfb18074ee28033c05cf/html5/thumbnails/4.jpg)
Digital Banking Trends
PortalApp / Mobile Security © CREALOGIX 4
Digital Banking Hub
– Customer orientation
– Omni-directional communication
– Orchestration of services and applications
– API based integration of 3rd party solutions
Mobile Banking
– Mobile only users
– Single universal Mobile Banking App
– Extensible for 3rd party applications
– Flexible customization
![Page 5: CLX.MAP & Mobile Security - Security - Speedtest | cnlab · Agenda 2 Digital Banking Mobile Banking Apps CLX.MAP Mobile Security App Hardening Is my App Secure?](https://reader030.fdocuments.net/reader030/viewer/2022041117/5f2cbfb18074ee28033c05cf/html5/thumbnails/5.jpg)
Mobile Banking AppsPortalApp / Mobile Security © CREALOGIX 5
![Page 6: CLX.MAP & Mobile Security - Security - Speedtest | cnlab · Agenda 2 Digital Banking Mobile Banking Apps CLX.MAP Mobile Security App Hardening Is my App Secure?](https://reader030.fdocuments.net/reader030/viewer/2022041117/5f2cbfb18074ee28033c05cf/html5/thumbnails/6.jpg)
What can a Mobile Banking App do?
PortalApp / Mobile Security © CREALOGIX 6
Support multiple (existing) applications
Provide security features
Customization, Branding
Support updates
![Page 7: CLX.MAP & Mobile Security - Security - Speedtest | cnlab · Agenda 2 Digital Banking Mobile Banking Apps CLX.MAP Mobile Security App Hardening Is my App Secure?](https://reader030.fdocuments.net/reader030/viewer/2022041117/5f2cbfb18074ee28033c05cf/html5/thumbnails/7.jpg)
How can you build a Mobile Banking App?
PortalApp / Mobile Security © CREALOGIX 7
Native Apps
– Platform conformity
– Direct HW support
– Performance
Web Apps
– Easier maintenance
– Existing web content
Hybrid/Multi-platform frameworks
– Cordova/Xamarin/React Native etc
– Extensive code base and plugins (Pro & Con)
![Page 8: CLX.MAP & Mobile Security - Security - Speedtest | cnlab · Agenda 2 Digital Banking Mobile Banking Apps CLX.MAP Mobile Security App Hardening Is my App Secure?](https://reader030.fdocuments.net/reader030/viewer/2022041117/5f2cbfb18074ee28033c05cf/html5/thumbnails/8.jpg)
CLX.MAPPortalApp / Mobile Security © CREALOGIX 8
![Page 9: CLX.MAP & Mobile Security - Security - Speedtest | cnlab · Agenda 2 Digital Banking Mobile Banking Apps CLX.MAP Mobile Security App Hardening Is my App Secure?](https://reader030.fdocuments.net/reader030/viewer/2022041117/5f2cbfb18074ee28033c05cf/html5/thumbnails/9.jpg)
What are the advantages?
9
Infrastructure for configuring, building and
deploying apps
Native container for various (web based) apps
Access through a single app
HTML5
Simplified development & update process
Native Plugins
Access to device (e.g. camera)
Improved security through hardening
Integration of native content
![Page 10: CLX.MAP & Mobile Security - Security - Speedtest | cnlab · Agenda 2 Digital Banking Mobile Banking Apps CLX.MAP Mobile Security App Hardening Is my App Secure?](https://reader030.fdocuments.net/reader030/viewer/2022041117/5f2cbfb18074ee28033c05cf/html5/thumbnails/10.jpg)
Architecture
10PortalApp / Mobile Security © CREALOGIX 10
Network
Security/Hardening
Cryptography
Localisation
Core Plugins*
Native Plugins*
Webview/CSP*
Payment Scanner
PushTAN
QR Code
PhotoPayment
Notifications
Maps
…
HTML5/Java Script
Engine
For customized user
interface
* provided by CREALOGIX, 3rd parties or by the bank
![Page 11: CLX.MAP & Mobile Security - Security - Speedtest | cnlab · Agenda 2 Digital Banking Mobile Banking Apps CLX.MAP Mobile Security App Hardening Is my App Secure?](https://reader030.fdocuments.net/reader030/viewer/2022041117/5f2cbfb18074ee28033c05cf/html5/thumbnails/11.jpg)
Feature Overview
11
![Page 12: CLX.MAP & Mobile Security - Security - Speedtest | cnlab · Agenda 2 Digital Banking Mobile Banking Apps CLX.MAP Mobile Security App Hardening Is my App Secure?](https://reader030.fdocuments.net/reader030/viewer/2022041117/5f2cbfb18074ee28033c05cf/html5/thumbnails/12.jpg)
Customization Examples
12
![Page 13: CLX.MAP & Mobile Security - Security - Speedtest | cnlab · Agenda 2 Digital Banking Mobile Banking Apps CLX.MAP Mobile Security App Hardening Is my App Secure?](https://reader030.fdocuments.net/reader030/viewer/2022041117/5f2cbfb18074ee28033c05cf/html5/thumbnails/13.jpg)
Mobile SecurityPortalApp / Mobile Security © CREALOGIX 13
![Page 14: CLX.MAP & Mobile Security - Security - Speedtest | cnlab · Agenda 2 Digital Banking Mobile Banking Apps CLX.MAP Mobile Security App Hardening Is my App Secure?](https://reader030.fdocuments.net/reader030/viewer/2022041117/5f2cbfb18074ee28033c05cf/html5/thumbnails/14.jpg)
What are the mobile security threats?
PortalApp / Mobile Security © CREALOGIX 14
Vulnerable Apps:
– M1 Platform misuse
– M2 Insecure data storage
– M3 Insecure data communication
Typical attacks:
– Malware
– MITM
– Fake Apps
– Phishing/Account takeover
Especially on:
– Jailbroken/rooted devices
– Outdated OSs
Source: Peter Stancik: Nicht nur Tescos Bankkunden sind im Visier von Retefe (10.11.2016)
![Page 15: CLX.MAP & Mobile Security - Security - Speedtest | cnlab · Agenda 2 Digital Banking Mobile Banking Apps CLX.MAP Mobile Security App Hardening Is my App Secure?](https://reader030.fdocuments.net/reader030/viewer/2022041117/5f2cbfb18074ee28033c05cf/html5/thumbnails/15.jpg)
4 Levels of Security Controls
PortalApp / Mobile Security © CREALOGIX 15
Transaction
Workflow and message level
Device / PlatformOS security features
AppArchitectural & Hardening features
DataData leakage prevention in transit & storage
![Page 16: CLX.MAP & Mobile Security - Security - Speedtest | cnlab · Agenda 2 Digital Banking Mobile Banking Apps CLX.MAP Mobile Security App Hardening Is my App Secure?](https://reader030.fdocuments.net/reader030/viewer/2022041117/5f2cbfb18074ee28033c05cf/html5/thumbnails/16.jpg)
Security Controls – Device / Platform Level
PortalApp / Mobile Security © CREALOGIX 16
– OS/Platform
– App and developer verification (incl. code signing)
– App runtime protection
– Security updates (Android long-term support?)
– Device
– Device locking & encryption
– Secure Enclave & keychain
– Fingerprint recognition service
![Page 17: CLX.MAP & Mobile Security - Security - Speedtest | cnlab · Agenda 2 Digital Banking Mobile Banking Apps CLX.MAP Mobile Security App Hardening Is my App Secure?](https://reader030.fdocuments.net/reader030/viewer/2022041117/5f2cbfb18074ee28033c05cf/html5/thumbnails/17.jpg)
Security Controls – App Level
PortalApp / Mobile Security © CREALOGIX 17
– Architecture
– Check and use the platform features securely
– Device Binding
– User authentication
– Harden against re-engineering
– Processes
– SDLC (Secure Development Life Cycle)
– Release & support processes
– User awareness
– App tour
– Phishing warnings
– Notifications
M1
![Page 18: CLX.MAP & Mobile Security - Security - Speedtest | cnlab · Agenda 2 Digital Banking Mobile Banking Apps CLX.MAP Mobile Security App Hardening Is my App Secure?](https://reader030.fdocuments.net/reader030/viewer/2022041117/5f2cbfb18074ee28033c05cf/html5/thumbnails/18.jpg)
IPC misuse
Unverified extra data (parameters)
Use multi-app solutions with care
Insecure HTTPS
CA Truststore
Verify certificate chain
Use a secure HTTPS stack
HSTS & HPKP not supported
Not supported on many platforms
Implement effective certificate pinning
Security Controls – Data Level
PortalApp / Mobile Security © CREALOGIX 18
Data Leakage on device
Logs / crash reports
Backups
Screenshot protection
Copy/paste prevention
File Encryption
External storage
Cache files
Shared Preferences
M2 M1 & M3
![Page 19: CLX.MAP & Mobile Security - Security - Speedtest | cnlab · Agenda 2 Digital Banking Mobile Banking Apps CLX.MAP Mobile Security App Hardening Is my App Secure?](https://reader030.fdocuments.net/reader030/viewer/2022041117/5f2cbfb18074ee28033c05cf/html5/thumbnails/19.jpg)
Security Controls – Transaction
Level
PortalApp / Mobile Security © CREALOGIX 19
2-Factor Authentication
– Authentication on login
– Payment Confirmation
Secure 2nd channel
– PushTAN or FotoTAN preferred to mTAN
– Message level encryption
Server-side workflow features
– Whitelist beneficiaries
– Limit transactions
– Fraud detection
![Page 20: CLX.MAP & Mobile Security - Security - Speedtest | cnlab · Agenda 2 Digital Banking Mobile Banking Apps CLX.MAP Mobile Security App Hardening Is my App Secure?](https://reader030.fdocuments.net/reader030/viewer/2022041117/5f2cbfb18074ee28033c05cf/html5/thumbnails/20.jpg)
App HardeningPortalApp / Mobile Security © CREALOGIX 20
![Page 21: CLX.MAP & Mobile Security - Security - Speedtest | cnlab · Agenda 2 Digital Banking Mobile Banking Apps CLX.MAP Mobile Security App Hardening Is my App Secure?](https://reader030.fdocuments.net/reader030/viewer/2022041117/5f2cbfb18074ee28033c05cf/html5/thumbnails/21.jpg)
App Hardening Tools
PortalApp / Mobile Security © CREALOGIX 21
Hardening tools
– Standard options: ProGuard, compiler options
– Commercial tools: DexGuard, Arxan, Promon
Functionality
Anti-debug protection
Jailbreak/rooting detection
Screenshot prevention
Copy/Paste prevention
Runtime integrity checks
Data & code obfuscation
Whitebox cryptography
Native modules
![Page 22: CLX.MAP & Mobile Security - Security - Speedtest | cnlab · Agenda 2 Digital Banking Mobile Banking Apps CLX.MAP Mobile Security App Hardening Is my App Secure?](https://reader030.fdocuments.net/reader030/viewer/2022041117/5f2cbfb18074ee28033c05cf/html5/thumbnails/22.jpg)
Is my App secure?PortalApp / Mobile Security © CREALOGIX 22
![Page 23: CLX.MAP & Mobile Security - Security - Speedtest | cnlab · Agenda 2 Digital Banking Mobile Banking Apps CLX.MAP Mobile Security App Hardening Is my App Secure?](https://reader030.fdocuments.net/reader030/viewer/2022041117/5f2cbfb18074ee28033c05cf/html5/thumbnails/23.jpg)
PortalApp / Mobile Security © CREALOGIX 23
Source: Vincent Haupert, Tilo Mueller: On App-based Matrix Code Authentication in Online Banking (12.10.2016)
![Page 24: CLX.MAP & Mobile Security - Security - Speedtest | cnlab · Agenda 2 Digital Banking Mobile Banking Apps CLX.MAP Mobile Security App Hardening Is my App Secure?](https://reader030.fdocuments.net/reader030/viewer/2022041117/5f2cbfb18074ee28033c05cf/html5/thumbnails/24.jpg)
24
![Page 25: CLX.MAP & Mobile Security - Security - Speedtest | cnlab · Agenda 2 Digital Banking Mobile Banking Apps CLX.MAP Mobile Security App Hardening Is my App Secure?](https://reader030.fdocuments.net/reader030/viewer/2022041117/5f2cbfb18074ee28033c05cf/html5/thumbnails/25.jpg)
“Not to be missed” mobile security controls
PortalApp / Mobile Security © CREALOGIX 25
IPC misuse
Use multi-app solutions
with care
Secure inter-app
communication
Insecure HTTPS
CA Trust, certificate chain
Use a secure HTTPS
stack
Implement effective
certificate pinning
Data Leakage
Logs / crash reports
Backups
External storage
Screenshot protection
Copy/paste prevention
File Encryption
Cache files
Shared Preferences
Hardening
Anti-debug protection
Jailbreak/rooting detection
Screenshot prevention
Copy/Paste prevention
Runtime integrity checks
Data & code obfuscation
Whitebox cryptography
Native modules
![Page 26: CLX.MAP & Mobile Security - Security - Speedtest | cnlab · Agenda 2 Digital Banking Mobile Banking Apps CLX.MAP Mobile Security App Hardening Is my App Secure?](https://reader030.fdocuments.net/reader030/viewer/2022041117/5f2cbfb18074ee28033c05cf/html5/thumbnails/26.jpg)
I’ve done all that, can I sleep easy?
PortalApp / Mobile Security © CREALOGIX 26
Of course not …
– Hardening tools do not cover everything
– Is the hardening configuration correct?
– Was the solution PEN tested on all devices & platforms?
– Legacy devices and OS versions need additional effort
– For example:
– Certificate pinning
– AndroidKeystore
![Page 27: CLX.MAP & Mobile Security - Security - Speedtest | cnlab · Agenda 2 Digital Banking Mobile Banking Apps CLX.MAP Mobile Security App Hardening Is my App Secure?](https://reader030.fdocuments.net/reader030/viewer/2022041117/5f2cbfb18074ee28033c05cf/html5/thumbnails/27.jpg)
Certificate Pinning
PortalApp / Mobile Security © CREALOGIX 27
Certificate pinning in hybrid Apps
– HPKP not supported on iOS/Safari or Android/Webview
– Certificate pinning in manifest (>= Android N)
App must still implement certificate pinning
– Intercept web requests
– native HTTPS implementation
– Verify responses
– Handle redirects and POST requests correctly
![Page 28: CLX.MAP & Mobile Security - Security - Speedtest | cnlab · Agenda 2 Digital Banking Mobile Banking Apps CLX.MAP Mobile Security App Hardening Is my App Secure?](https://reader030.fdocuments.net/reader030/viewer/2022041117/5f2cbfb18074ee28033c05cf/html5/thumbnails/28.jpg)
Android Keystore
PortalApp / Mobile Security © CREALOGIX 28
Secure Keystore
– Secure Enclave or SW AndroidKeystore?
– Android Kitkat & Marshmallow keystore issues?
– Modified device security level (PIN to PATTERN)
– Handle updated fingerprint set?
App must check for and use hardware keystore correctly
– Check device is secured
– i.e. PIN/PWD device lock & device encrypted
– Use key attributes to detect updated fingerprint sets
– Consider fingerprint fallback authentication
– Handle devices without secure enclave
![Page 29: CLX.MAP & Mobile Security - Security - Speedtest | cnlab · Agenda 2 Digital Banking Mobile Banking Apps CLX.MAP Mobile Security App Hardening Is my App Secure?](https://reader030.fdocuments.net/reader030/viewer/2022041117/5f2cbfb18074ee28033c05cf/html5/thumbnails/29.jpg)
Thank you!
29