guard square - mobile application protection

Mobile application protection [email protected] @GuardSquare www.guardsquare.com Heidi Rakels 13/01/2017

Upload: holland-fintech

Post on 22-Jan-2018


Category:

Software



TRANSCRIPT

Mobile application protection


Many Android apps are protected by GuardSquare


Problem: mobile apps are easy to attack

Reverse-engineered in 2 minutes!

Insert malware


Example:

App

Solution: self defending apps

Mobile application protection

With multiple layers of sophisticated protection

• Encryption

• Obfuscation

• Debug detection

• Emulator detection

• Root detection

• Secure storage

• …

Protection against static attacks

• Data and IP extraction

• Tampering and cloning

Protection against dynamic attacks

• Compromised device

Rooted device, debugger, emulator

• Network attacks

Man-in-the-middle attacks (MitM), network traffic sniffing

Combine static and dynamic protection

Dynamic protection (RASP)

Static protection

Most companies only focus on dynamic protection

Hacker tools crash or produce nonsense when the app is protected


App attack

Our approach: no change in usability

Performed behind the scenes

Additional optimization for the usability

• Smaller: 5%-20%

• Faster: 10%-70%

Which apps should be protected?

• Media

• Shopping

• Payment

• Banking

• Games

• Healthcare

• …

Security of European banking apps

• 75% minimal protection (our free product ProGuard)

• 11% full protection: 8% our product DexGuard, 3% others

• 14% no protection

What do app users want?

• Simple

• Fast

• Secure

GuardSquare helps make apps fast and secure

Protection of the IoT

Thank you


Developers are not security engineers

• They focus on user experience

• Security is complex

• Security is overhead

• Security is bad for the usability

Security comes at the end of the development cycle

“Let’s encrypt it”

“We do pen tests”

We are safe!

Secure SDLC

Architecture

Development

Build process

Code review

Pen tests