PowerPoint presentation (transcript)
Slide 1: Runtime security for mobile applications. Keep your applications secure. The mobile app landscape.
7/04/2016  R&C – Protección e Innovación | Arxan Technologies, Inc.

Slide 2: Agenda
1 Risks in the mobile strategy
2 How do we help?

Slide 3: A shift in the security landscape
• Centralized, trusted environment (web apps, data center apps): attackers do not have easy access to the application binary. The answer is application security testing ("Build it secure").
• Distributed, untrusted environment, "apps in the wild" (mobile apps, IoT / embedded apps): attackers can easily obtain and compromise the application binary. The answer is application self-protection ("Keep it secure").

Slide 3 (cont.): The problem is real: mobile apps are being attacked
• Majority of top 100 paid Android and iOS Apps are available as hacked versions on third-party sites ("State of Mobile App Security", Arxan, 2014)
• "51% of repackaged apps contain malware" (Trend Micro, 2014)
• "It is trivial for an attacker to hijack a legitimate Android application" (InfoSecurity Magazine, 2014)
• "First known malware that can infect installed iOS apps … First in-the-wild malware to install third-party apps on non-jailbroken iOS devices." (Palo Alto Networks discovering WireLurker malware, Nov 2014)
Source: Arxan, State of Mobile App Security, 2014

Slide 4: State of application security (figure; no text was extracted)

Slide 4 (cont.): "Apps in the wild" are vulnerable to attack
Integrity risks (code modification or vulnerability injection):
• Applications can be modified or altered.
• An application's runtime behaviour can be changed, causing it to operate insecurely or incorrectly.
• Malicious code can be injected into or attached to the application.
Confidentiality risks (reverse engineering or code analysis):
• Private and sensitive information can be exposed, including the cryptographic keys used to protect that information.
• Knowledge of the code can be obtained through reverse engineering.
• Code and intellectual property can be stolen, reused or repackaged.

Slide 4 (cont.): Many ways to hack an app (diagram)
Reverse engineering or code analysis (confidentiality risk):
• Java/.NET code decompilation
• String literal and metadata dumping and analysis
• Symbol-based structure analysis
• Disassembly / decompilation of native code (Objective-C/C++)
• Application decryption
• Static or dynamic key lifting
Code modification or code injection (integrity risk):
• Binary patching
• Application re-signing and re-packaging
• Method swizzling / function hooking within the application
• Malware payload insertion
• Library and system service API hooking and swizzling

Slide 5: Many automated hacking tools can be used
Category                                             Example tools
App decryption / unpacking / conversion              Clutch; APKTool, dex2jar
Static binary analysis, disassembly, decompilation   IDA Pro, Hopper; JEB, JD-GUI, Baksmali; class, symbol and string dumping
Runtime binary analysis (debugging, tracing)         GDB, ADB; Introspy, Snoop-It
Runtime manipulation, hooking, code injection,
  method swizzling, patching                         Cydia Substrate, Theos suite; Cycript, CInject; hex editors
Malware / trojan injection                           Dendroid, AndroRAT
Jailbreak detection evasion                          xCon, tsProtector
Integrated weaponized toolsets                       AppUse, Snoop-It, iNalyzer
Note on the first row: only the iOS case is really "decryption". App Store binaries are FairPlay-encrypted and Clutch dumps the decrypted image from memory on a jailbroken device; an Android APK is not encrypted, so APKTool and dex2jar simply unpack and convert it.
• Automated, free or low-cost tools lower the barrier to hacking.
• Many breaches and exploits can be created in hours or less.
• Unprotected apps are easy prey for these tools.

Slide 10: Cryptographic keys are also being attacked
Cryptographic key exploits have featured in a number of prominent hacks, for example:
• Crypto keys extracted through memory scraping, allowing unauthorized access to financial transactions (in PoS systems) and to digital content (AACS in HD DVD and Blu-ray).
• Exploiting memory-disclosure bugs such as Heartbleed (a buffer over-read rather than a classic overflow) to steal crypto keys.
• The Sony PS3 hack, in which cryptographic keys were revealed.
• An Android APK integrity vulnerability.
Memory scraping is a growing trend (source: Verizon 2015 Data Breach Investigations Report). Attackers rely on it with increasing frequency, so it is essential to protect keys while they are in memory, not only at rest.
Unfortunately, many don't protect their keys or think it is too difficult to do so: 80% of respondents to a Ponemon Institute survey identified broken cryptography as the most difficult risk to minimize (State of Mobile Application Insecurity, February 2015).

Slide 11: Anatomy of a mobile application attack
1. Decrypt the mobile app (iOS apps): dump the decrypted image of the FairPlay-encrypted binary from a jailbroken device. Android APKs are not encrypted and are unpacked directly.
2. Open up and examine the app: reverse-engineer the app's contents; extract and steal confidential data.
3. Create a hacked version: a tampered, cracked or patched build of the app.
4. Distribute the app: release or use the hacked app.
Source: https://www.arxan.com/how-to-hack-a-mobile-application
www.rycbc.com

Slide 12: Agenda
1 Risks in the mobile strategy
2 How do we help?

Slide 13: Build and keep apps secure
Arxan augments the pipeline with application hardening and runtime self-protection: it extends security from testing to run-time code protection, mitigates hacking attacks and exploits against the shipped binary, and adds multi-layer protection (defend, detect, react).
Build it secure:
• Application development: build and manage mobile apps, e.g. Kony, IBM Worklight, Xamarin.
• Vulnerability analysis & testing: identify source-code vulnerabilities, e.g. HP Fortify, IBM AppScan, Veracode. Outcome: an application free of critical flaws and vulnerabilities.
Keep it secure:
• Application protection: Arxan application and cryptographic key protection; defend, detect and react to attacks.
• Release & deployment: a secure and protected application that protects itself against attacks.

Slide 14: Scenarios to protect in mobile apps
1. Prevent or detect bypassing or disabling of security controls (e.g., jailbreak/root detection, authentication, authorization, encryption, digital rights/licensing).
2. Prevent or detect bypassing or modification of business logic (e.g., transactions, restricted functionality, sensitive operations).
3. Prevent information loss or exposure (e.g., via compromised user credentials, keys, data storage).
4. Prevent creation of rogue, cloned, pirated, or modified versions.
5. Prevent or detect insertion of malicious code in the app (e.g., prevent remote control, information / identity stealing, financial charging).
6. Prevent stealing of proprietary code/IP from the app.
7. Prevent exposure of potential known, unknown, or new vulnerabilities and sensitive source code.
8. Ensure compliance with industry guidelines (e.g., OWASP Mobile Top Ten 2014).

Slide 15: Protected applications everywhere (figure; no text was extracted)

Slide 16: Arxan Application Protection
Defend against compromise:
• Advanced obfuscation
• Code and resource encryption
• Pre-damage
• Metadata removal
Detect attacks at run time:
• Checksum
• Debug detection
• Resource verification
• Jailbreak/root detection
• Swizzling detection
• Hook detection
React to ward off attacks:
• Shut down (exit, fail)
• Self-repair
• Custom reactions
• Alert / phone home
Result: a protected application that is self-defending, tamper-resistant, and hardened against hacking attacks and malware exploits.

Slide 17: Arxan multi-layered protection, an illustration
(Guard network diagram, ~50 to 200 Guards in total. The simplified example shows four guard levels above the application code, Check and Repair guards referencing one another, and guards labelled Obfus, Pre, Chck, Encr, Swz Det and Adg placed over function ranges F1 to F3 with inner-loop, outer-loop and one-shot placement.)
• Multi-layered Guard network with defense in depth: the first Guard layer protects code, additional Guard layers protect lower-level Guards.
• Risk-based, custom created for each application.
• Randomized binary implementation for automated variability (every build looks different).

Slide 18: Protecting an application with Arxan
• A GuardSpec™ configuration file specifies which Arxan Guards to place in the application binary, and where.
• The build script is modified to run the Arxan product.
• The Arxan Guard Insertion Engine takes the unprotected application binary and the Guard Library and inserts the Guards specified in the GuardSpec into the binary.
• The Guard Library contains many different Guard types and thousands of Guard instances.
• Output: the protected application binary. The Guards are compiled into the binary itself, intended so that they cannot be isolated or identified; there are no accompanying libraries and no need to connect to Arxan at run time.

Slide 19: Arxan case example: financial services (top 5 global bank)
Mobile app assets at risk: security controls / policies; internal IDs, user identifiers, keys; encrypted communication modules; critical business logic; proprietary algorithms; unidentified vulnerabilities.
The bank CIO's challenge: drive mobile app innovation without compromising security and company assets.
The bank's security team identified multiple hacking attack risks for their apps "out in the wild", both external customer apps (B2C) and internal employee apps (B2E): bypassing security controls and gaining unauthorized access; sensitive information exposure; inserting exploits or malware, cloning applications, rogue versions; exposing app internals and vulnerabilities.
• The bank uses Arxan to protect tens of mobile apps against attacks.
• The CIO won a CIO 100 Award for innovation.

Slide 20: Experts recommend application hardening and runtime self-protection
Analysts:
• "Make application self-protection a new investment priority, ahead of perimeter and infrastructure protection." "It should be a CISO top priority." (Gartner)
• "It ('application hardening and run-time protection') is a critical component in the strategy to secure enterprise software, embedded systems, mobile apps and the much-bandied 'Internet of Things'." (451)
Best practices: "Lack of Binary Protection" is an OWASP Mobile Top Ten risk (M10 in the 2014 list).
Media: (logos; no text was extracted)

Slide 21: Recommendations... (no text was extracted)

Slide 22: Questions...

Slide 23: Risk analysis of your mobile application

Slide 24: Thank you
Gabriel Murcia Roncancio, Director of Sales and Services
[email protected]
+57 301 568 6848
+57 1 - 621 7555 / 805 1122
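The "static or dynamic key lifting" and memory-scraping threats on slides 4, 5 and 10 are easiest to understand with the defensive counterpart in code. The following is an added example written for this page, not code from the slides or from Arxan's key-protection product: the key is held only as XOR shares, recombined for the duration of a single operation, wiped afterwards, and a scraper-style search over the share structure shows that the cleartext key bytes are never resident between uses. Assumptions, labelled in the code: a fixed-seed xorshift placeholder PRNG (a real build draws share masks from a CSPRNG), a toy XOR of one block standing in for a real cipher call, and the AES-128 example key from FIPS-197 used purely as sample bytes.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define KEY_LEN  16
#define N_SHARES 3

typedef struct { uint8_t share[N_SHARES][KEY_LEN]; } split_key_t;

/* Sample key: the AES-128 example key from FIPS-197, used here only as bytes. */
static const uint8_t sample_key[KEY_LEN] = {
    0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6,
    0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c };

/* Placeholder PRNG (fixed-seed xorshift64) so the example is reproducible.
 * Assumption for this example only: a real build draws share masks from a
 * CSPRNG such as getrandom(2) or SecRandomCopyBytes. */
static uint64_t prng_state = 0x9E3779B97F4A7C15ULL;
static uint8_t prng_byte(void) {
    prng_state ^= prng_state << 13;
    prng_state ^= prng_state >> 7;
    prng_state ^= prng_state << 17;
    return (uint8_t)(prng_state >> 56);
}

/* Zero a buffer through a volatile pointer so the stores are not optimised away. */
void secure_wipe(void *p, size_t n) {
    volatile uint8_t *v = (volatile uint8_t *)p;
    while (n--) *v++ = 0;
}

/* Split the key into N_SHARES XOR shares (key == XOR of all shares) and wipe
 * the caller's cleartext copy. Each share on its own is uniformly random. */
void key_split(uint8_t key[KEY_LEN], split_key_t *out) {
    for (int s = 0; s < N_SHARES - 1; s++)
        for (int i = 0; i < KEY_LEN; i++)
            out->share[s][i] = prng_byte();
    for (int i = 0; i < KEY_LEN; i++) {
        uint8_t acc = key[i];
        for (int s = 0; s < N_SHARES - 1; s++) acc ^= out->share[s][i];
        out->share[N_SHARES - 1][i] = acc;
    }
    secure_wipe(key, KEY_LEN);
}

/* Recombine the shares into the caller's buffer; the caller must wipe it. */
void key_join(const split_key_t *in, uint8_t key_out[KEY_LEN]) {
    memset(key_out, 0, KEY_LEN);
    for (int s = 0; s < N_SHARES; s++)
        for (int i = 0; i < KEY_LEN; i++) key_out[i] ^= in->share[s][i];
}

/* Use the key for one operation (toy XOR of one block, standing in for a real
 * cipher call) so the joined key exists only for the duration of the call. */
void xor_block_with_split_key(const split_key_t *k, uint8_t block[KEY_LEN]) {
    uint8_t tmp[KEY_LEN];
    key_join(k, tmp);
    for (int i = 0; i < KEY_LEN; i++) block[i] ^= tmp[i];
    secure_wipe(tmp, KEY_LEN);
}

/* What a memory scraper does: search a region for the key bytes. 1 if found. */
int scraper_find(const uint8_t *region, size_t region_len,
                 const uint8_t *needle, size_t needle_len) {
    for (size_t off = 0; off + needle_len <= region_len; off++)
        if (memcmp(region + off, needle, needle_len) == 0) return 1;
    return 0;
}

/* Returns 1 when the scraper finds the key neither in the split structure nor
 * in the wiped input buffer, yet key_join still recovers it. */
int demo_split_hides_key(void) {
    uint8_t key[KEY_LEN];
    memcpy(key, sample_key, KEY_LEN);
    split_key_t sk;
    key_split(key, &sk);                       /* key[] is zeroed here */
    int leaked = scraper_find((const uint8_t *)&sk, sizeof sk, sample_key, KEY_LEN)
              || scraper_find(key, KEY_LEN, sample_key, KEY_LEN);
    uint8_t joined[KEY_LEN];
    key_join(&sk, joined);
    int recovered = memcmp(joined, sample_key, KEY_LEN) == 0;
    secure_wipe(joined, KEY_LEN);
    return recovered && !leaked;
}

/* Returns 1 when applying the split key twice restores the block (XOR is an
 * involution), i.e. every use recombined the same key. */
int demo_roundtrip(void) {
    uint8_t key[KEY_LEN];
    memcpy(key, sample_key, KEY_LEN);
    split_key_t sk;
    key_split(key, &sk);
    uint8_t block[KEY_LEN] = "hello, scraper!";  /* constructed 16-byte block */
    uint8_t copy[KEY_LEN];
    memcpy(copy, block, KEY_LEN);
    xor_block_with_split_key(&sk, block);
    int changed = memcmp(block, copy, KEY_LEN) != 0;
    xor_block_with_split_key(&sk, block);
    return changed && memcmp(block, copy, KEY_LEN) == 0;
}

int main(void) {
    printf("split hides key: %s\n", demo_split_hides_key() ? "yes" : "NO");
    printf("round trip ok:   %s\n", demo_roundtrip() ? "yes" : "NO");
    return 0;
}
```

This raises the bar rather than removing the risk: a scraper that dumps memory during the cipher call, or a hook placed on key_join (the "dynamic key lifting" of slide 4), still obtains the key. Products in this space go further with white-box cryptography, which never materialises the key as a contiguous value at all; the share scheme above is the minimum a practitioner should do for keys that have to live in process memory.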
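Slides 16 to 18 describe the defend / detect / react model and a network of Check and Repair Guards. The following is an added illustration written for this page, not Arxan's Guard implementation: a Check guard hashes a protected code range, an attacker applies a one-byte binary patch (slide 4's "binary patching", here flipping the conditional jump of a licence check), the guard detects the change, a Repair guard restores the bytes from a masked copy, and a Debug-detection guard reads TracerPid from /proc/self/status. Assumptions, labelled in the code: protected_range is a byte buffer with constructed x86-64-style bytes standing in for a function's machine code (a real guard covers actual text bytes at addresses fixed at build time), the reaction policy is hard-wired to "repair", and the debugger check is Linux-specific.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define RANGE_LEN 24

/* Stand-in for a protected code range: constructed x86-64-style bytes for a
 * routine that compares eax with 1 and returns 0 or 1 (a licence check).
 * Assumption for this example; a real guard covers real text bytes. */
static uint8_t protected_range[RANGE_LEN] = {
    0x55, 0x48, 0x89, 0xe5,             /* push rbp; mov rbp, rsp */
    0x83, 0xf8, 0x01, 0x74, 0x07,       /* cmp eax, 1; je +7      */
    0xb8, 0x00, 0x00, 0x00, 0x00,       /* mov eax, 0             */
    0x5d, 0xc3,                         /* pop rbp; ret           */
    0xb8, 0x01, 0x00, 0x00, 0x00,       /* mov eax, 1             */
    0x5d, 0xc3, 0x90                    /* pop rbp; ret; nop      */
};

/* Pristine copy kept XOR-masked so a search for a duplicate of the code fails. */
static const uint8_t repair_mask = 0x5a;
static uint8_t repair_image[RANGE_LEN];
static uint64_t expected_hash;          /* reference value, fixed at install */

/* Check guard primitive: FNV-1a over the protected bytes. */
uint64_t guard_hash(const uint8_t *p, size_t n) {
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 1099511628211ULL; }
    return h;
}

/* "Build step": record the reference hash and the masked repair image. */
void guard_install(void) {
    expected_hash = guard_hash(protected_range, RANGE_LEN);
    for (size_t i = 0; i < RANGE_LEN; i++)
        repair_image[i] = protected_range[i] ^ repair_mask;
}

/* Check guard: 1 if the range still matches the reference, 0 if patched. */
int guard_check(void) {
    return guard_hash(protected_range, RANGE_LEN) == expected_hash;
}

/* Repair guard: restore the range from the masked copy; 1 on success. */
int guard_repair(void) {
    for (size_t i = 0; i < RANGE_LEN; i++)
        protected_range[i] = repair_image[i] ^ repair_mask;
    return guard_check();
}

/* Debug-detection guard (Linux): TracerPid in /proc/self/status is non-zero
 * while a debugger is attached. Returns 1 if traced, 0 if not, -1 if unknown. */
int guard_debugger_attached(void) {
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    char line[256];
    int result = -1;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "TracerPid:", 10) == 0) {
            result = atoi(line + 10) != 0;
            break;
        }
    }
    fclose(f);
    return result;
}

/* Simulated attacker: binary-patch one byte of the protected range. */
void attacker_patch(size_t offset, uint8_t value) {
    if (offset < RANGE_LEN) protected_range[offset] = value;
}

/* React: the policy hook. This example self-repairs; a shipped build might
 * instead exit, fail subtly, or phone home. Returns 1 if execution may go on. */
int guard_react(void) {
    if (guard_check()) return 1;
    fprintf(stderr, "tamper detected: repairing protected range\n");
    return guard_repair();
}

int main(void) {
    guard_install();
    printf("initial check:     %s\n", guard_check() ? "ok" : "TAMPERED");
    attacker_patch(7, 0x75);            /* je -> jne: invert the licence check */
    printf("after patch:       %s\n", guard_check() ? "ok" : "TAMPERED");
    printf("after react:       %s\n", guard_react() ? "ok" : "TAMPERED");
    printf("debugger attached: %d\n", guard_debugger_attached());
    return 0;
}
```

The point of the "guard network" on slide 17 is visible even in this toy: guard_check, guard_repair and expected_hash are themselves ordinary bytes in the binary, so an attacker who finds them can patch the comparison in guard_check or overwrite expected_hash. That is why a second layer of guards has to check the first, why the reference values and repair images are kept masked and scattered rather than in one table, and why every build should differ, so that a patch recipe for one build does not carry over to the next.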