PowerPoint Presentation

Transcript

Runtime security for mobile applications
Keep your applications secure
Mobile apps landscape
7/04/2016
R&C – Protección e Innovación | Arxan Technologies, Inc.
Agenda
1. Risks in the mobile strategy
2. How do we help?
Shift in the security landscape

Centralized, trusted environment
• Web Apps
• Data Center Apps
• Attackers do not have easy access to the application binary.
• Approach: application security testing ("Build it secure")

Distributed or untrusted environment ("Apps in the Wild")
• Mobile Apps
• IoT Apps / Embedded Apps
• Attackers can easily access and compromise the application binary.
• Approach: application self-protection ("Keep it secure")
The problem is real: mobile apps are being attacked
• Majority of top 100 paid Android and iOS Apps are available as hacked versions on third-party sites ("State of Mobile App Security", Arxan, 2014)
• "51% of repackaged apps contain malware" (Trend Micro, 2014)
• "It is trivial for an attacker to hijack a legitimate Android application" (InfoSecurity Magazine, 2014)
• "First known malware that can infect installed iOS apps … First in-the-wild malware to install third-party apps on non-jailbroken iOS devices." (Palo Alto Networks discovering WireLurker malware, Nov 2014)
Source: Arxan, State of Mobile App Security, 2014
State of application security
"Apps in the Wild" are vulnerable to attacks

Integrity risks (code modification or vulnerability injection)
• Applications can be modified or altered.
• The runtime behaviour of applications can be altered, causing insecure or improper operation.
• Malicious code can be injected into or attached to the application.

Confidentiality risks (reverse engineering or code analysis)
• Private and sensitive information can be exposed, including the cryptographic keys used to secure that information.
• Knowledge of the code can be gained through reverse engineering.
• Code and intellectual property can be stolen, reused or repackaged.
Many ways to hack an app

Reverse engineering or code analysis (confidentiality risk):
• Java/.NET decompilation
• Disassembly / decompilation of native code (Obj C/C++)
• String literal dumping and analysis
• Symbol-based, metadata and code structure analysis
• Application decryption
• Static or dynamic key lifting

Code modification or code injection (integrity risk):
• Binary patching
• Application re-signing and re-packaging
• Method swizzling / function hooking within application
• Malware payload insertion
• Library and system service API hooking and swizzling
Many automated hacking tools can be used

Category: example tools
• App decryption / unpacking / conversion: Clutch; APKTool, dex2jar
• Static binary analysis, disassembly, decompilation: IDA Pro, Hopper; JEB, JD-GUI, Baksmali; class, symbol, string dumping
• Runtime binary analysis (debugging, tracing): GDB, ADB; Introspy, Snoop-It
• Runtime manipulation, hooking, code injection, method swizzling, patching: Cydia Substrate, Theos suite; Cycript, CInject; hex editors
• Malware / trojan injection: Dendroid, AndroRAT
• Jailbreak detection evasion: xCon, tsProtector
• Integrated weaponized toolsets: AppUse, Snoop-It, iNalyzer

• Automated, free or low-cost tools lower barriers to hacking
• Many breaches and exploits can be created in hours or less
• Unprotected apps are easy prey for these hacking tools
Cryptographic keys are also being attacked

Cryptographic key exploits have been applied in a number of prominent hacks, for example:
• Crypto keys extracted through memory scraping, allowing unauthorized access to financial transactions (in PoS systems) and digital content (AACS in HD DVD, Blu-ray)
• Exploiting forms of buffer overflow attacks, like Heartbleed, to steal crypto keys
• Sony PS3 hack: cryptographic keys revealed
• Android APK integrity vulnerability

Hackers are relying on memory scraping with increasing frequency -- it is essential to protect keys in memory! Growing trend of memory scraping (Source: Verizon 2015 Data Breach Investigations Report)

Unfortunately, many don't protect their keys or think it is too difficult to protect them:
• 80% of respondents to a Ponemon Institute survey identified broken cryptography as the most difficult risk to minimize (State of Mobile Application Insecurity, February 2015)
Anatomy of an attack on a mobile application
1. Decrypt the mobile app (iOS apps)
2. Open up and examine the app: reverse-engineer the app contents; extract and steal confidential data
3. Create a hacked version: a tampered, cracked or patched version of the app
4. Distribute the app: release / use the hacked app
Source: https://www.arxan.com/how-to-hack-a-mobile-application
www.rycbc.com
Agenda
1. Risks in the mobile strategy
2. How do we help?
Build and keep apps secure
Arxan augments with application hardening and run-time self-protection:
• Extend security from testing to run-time code protection
• Mitigate risks comprehensively against hacking attacks and exploits
• Gain the world's strongest multi-layer protection (defend, detect, react)

Build It Secure
• Application development: build and manage mobile apps (e.g. Kony, IBM Worklight, Xamarin)
• Vulnerability analysis & testing: identify source code vulnerabilities (e.g. HP Fortify, IBM AppScan, Veracode); outcome: free of critical flaws and vulnerabilities

Keep It Secure
• Application protection: Arxan application and cryptographic key protection; defend, detect, and react to attacks
• Release & deployment: secure and protected application; outcome: protects itself against attacks
Scenarios to protect in mobile apps
1. Prevent or detect bypassing or disabling of security controls (e.g., jailbreak/root detection, authentication, authorization, encryption, digital rights/licensing)
2. Prevent or detect bypassing or modification of business logic (e.g., transactions, restricted functionality, sensitive operations)
3. Prevent information loss or exposure (e.g., via compromised user credentials, keys, data storage)
4. Prevent creation of rogue, cloned, pirated, or modified versions
5. Prevent or detect insertion of malicious code in the app (e.g., prevent remote control, information / identity stealing, financial charging)
6. Prevent stealing of proprietary code/IP from the app
7. Prevent exposure of potential known, unknown, or new vulnerabilities and sensitive source code
8. Ensure compliance with industry guidelines (e.g., OWASP Mobile Top Ten 2014)
Protected applications everywhere
Arxan Application Protection

Defend against compromise
• Advanced Obfuscation
• Code and Resource Encryption
• Pre-Damage
• Metadata Removal

Detect attacks at run time
• Checksum
• Debug Detection
• Resource Verification
• Jailbreak/Root Detection
• Swizzling Detection
• Hook Detection

React to ward off attacks
• Shut Down (Exit, Fail)
• Self-Repair
• Custom Reactions
• Alert / Phone Home

Protected Application
• Self-defending
• Tamper-resistant
• Hardened against hacking attacks and malware exploits
Arxan Multi-Layered Protection – An Illustration
~50 – 200 Guards in total (a simplified example)
[Figure: Guard Network diagram. Check, Repair, Swz Det, Encr, Adg, Obfus and Pre Chck guards arranged in Level 1 to Level 4 over the application code (functions F1, F2, F3; patch range; inner loop; outer loop (LP); one shot), each Guard layer protecting the layer below it.]
• Multi-Layered Guard Network with Defense in Depth (first Guard layer protects code, additional Guard layers protect lower-level Guards)
• Risk-Based, Custom Created for Each Application
• Randomized Binary Implementation for Automated Variability (every build looks different)
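Added example, not Arxan's code and not its Guard Library or GuardSpec format: a constructed Python model of the Detect/React lists above and of the "guards protecting guards" layering, using a byte image as a stand-in for the application binary. The image layout, the function names and the sample code bytes are assumptions made for the illustration; a Level 1 Checksum guard verifies the app code, a Level 2 guard verifies the Level 1 guard's own reference data, and a Repair reaction restores the code region from a clean copy.

```python
import hashlib

DIGEST_LEN = 32  # SHA-256 digest size in bytes


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def build_image(code: bytes) -> bytearray:
    """Constructed stand-in for a protected binary (assumed layout):
    [ app code | Level 1 guard data | Level 2 guard data ]
    The Level 1 Checksum guard stores the reference digest of the app code;
    the Level 2 guard stores the reference digest of the Level 1 guard data,
    so each guard layer protects the layer below it."""
    level1 = sha256(code)
    level2 = sha256(level1)
    return bytearray(code) + level1 + level2


def run_guards(image: bytearray, code_len: int, golden_code=None) -> dict:
    """Run the guard network over `image`. Returns a verdict per layer:
    'ok', 'tampered', or 'repaired' (the Repair guard restores the code
    region from `golden_code`, a constructed stand-in for a clean copy)."""
    l1_start, l2_start = code_len, code_len + DIGEST_LEN
    level1 = bytes(image[l1_start:l2_start])
    level2 = bytes(image[l2_start:l2_start + DIGEST_LEN])
    verdicts = {}
    # Level 2 Checksum guard: is the Level 1 guard's reference digest intact?
    verdicts["level2"] = "ok" if sha256(level1) == level2 else "tampered"
    # Level 1 Checksum guard: does the app code still match its reference?
    if sha256(bytes(image[:code_len])) == level1:
        verdicts["level1"] = "ok"
    elif golden_code is not None:
        image[:code_len] = golden_code  # React: Self-Repair
        verdicts["level1"] = "repaired"
    else:
        verdicts["level1"] = "tampered"  # React: left to react() below
    return verdicts


def react(verdicts: dict) -> str:
    """Map guard verdicts to a reaction: keep running, or fail closed."""
    return "shutdown" if "tampered" in verdicts.values() else "continue"
```

Patching only the code trips Level 1; patching the code and rewriting the Level 1 reference digest trips Level 2, which is the reason the slides layer guards over guards.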
Protecting an Application with Arxan
• GuardSpec™: a configuration file is written to specify which Arxan Guards to place in the application binary and where.
• Build script is modified to run the Arxan product.
• Arxan Guard Insertion Engine: Arxan inserts the Guards specified in the GuardSpec into the unprotected application binary.
• Guard Library: contains many different Guard types and thousands of Guard instances.
• Protected application binary: Guards fully dissolve into the binary and cannot be isolated or identified. No accompanying libraries or need to connect to Arxan at run-time.
Arxan Case Example - Financial Services

Top 5 Global Bank
• Bank's CIO challenge: drive mobile app innovation without compromising security and company assets
• Bank's Security team identified multiple hacking attack risks for their apps "out in the wild"
• External customer apps (B2C) and internal employee apps (B2E)

Mobile App assets at risk
• Security Controls / Policies
• Internal IDs, User Identifiers, Keys
• Encrypted Communication Modules
• Critical Business Logic
• Proprietary Algorithms
• Unidentified Vulnerabilities

Attack risks identified
• Bypassing security controls, getting unauthorized access
• Sensitive information exposure
• Inserting exploits or malware, cloning applications, rogue versions
• Exposing app internals and vulnerabilities

Outcome
• Uses Arxan to protect tens of mobile apps against attacks
• CIO won CIO 100 Award for innovation
Experts Recommend Application Hardening and Run-time Self-Protection

Analysts
• "Make application self-protection a new investment priority, ahead of perimeter and infrastructure protection." "It should be a CISO top priority." - Gartner
• "It ('application hardening and run-time protection') is a critical component in the strategy to secure enterprise software, embedded systems, mobile apps and the much-bandied 'Internet of Things'." - 451

Best Practices
• "Lack of Binary Protection" is an OWASP Top Ten Mobile Risk

Media
Recommendations…

Questions…

Risk analysis of your mobile application

Thank you!
Gabriel Murcia Roncancio
Director of Sales and Services
[email protected]
+57 301 568 6848
+57 1 - 621 7555 / 805 1122
