How to secure your mobile application with RASP (webinar slides)
TRANSCRIPT
![Page 1: How to secure your mobile application with RASP · PDF fileagainst data theft and device cloning ... phone memory after application termination. ... Documentation & Security assessement](https://reader030.vdocuments.mx/reader030/viewer/2022012307/5ab3a8ba7f8b9a284c8e8b3f/html5/thumbnails/1.jpg)
© VASCO Data Security, Inc.
Webinar - 13 December 2016
How to secure your mobile application with RASP
Page 2
Agenda
1. Mobile Application Security – Dirk Denayer, Enterprise & Application Security
• Risk categories
• Protection layers including RASP
2. RASP – Runtime Application Self-Protection – Guillaume Teixeron, Product Manager
• SDK protection components
• Integration process
• Configuration
• Security assessment service
Page 3
Mobile application risks – some figures
• … of tested apps has at least one vulnerability
• … of successful breaches target the application layer
Source: Trustwave Global Security Report 2016
Page 4
Mobile application risks – 3 categories
1. Application vulnerabilities
2. Platform weaknesses
3. Man-in-the-Middle attacks
Page 5
Mobile application protection – 3 layers
1. Application protection
2. RASP (Runtime Application Self-Protection)
3. Protection of communication
Page 6
1. Protecting the app
• Secure storage against data theft and device cloning
• Secure coding against reverse engineering
• Secure activation against account takeover
Page 7
2. Protecting execution (RASP)
Cycle: Detect → Notify → Stop → Prevent
• Anti-repackaging
• Anti-screenshots
• Anti-code injection
• Debugger prevention
• Anti-key logging
• Anti-screen reader
• Emulator protection
• Anti-screen mirroring
• …
Page 8
3. Protecting communication
• Secure Channel: an application-level channel running above the transport layer (the diagram shows one Secure Channel spanning several transport-layer hops)
Page 9
DIGIPASS for Apps technologies
• PIN Management
• Jailbreak/Root Detection
• Integration with Biometrics
• Device Binding
• Secure Storage
• Geolocation
• Client Scoring
• Two-Factor Authentication
• Transaction Signing
• Secure Channel
• QR code Support
• CRONTO Support
• Runtime Application Self-Protection (RASP)
Page 10
DIGIPASS for Apps technologies (same list as page 9) … seamless integration with your app
Page 11
DIGIPASS for Apps (technology list as on page 9)
Page 12
Agenda – part 2: RASP – Runtime Application Self-Protection (Guillaume Teixeron – Product Manager)
Page 13
What is Runtime Application Self-Protection?
A set of technologies used to add security functionality directly to mobile applications, for the detection and prevention of application-level intrusions.
Page 14
RASP Insights – a secured runtime process
The diagram shows the secured runtime process as three layers: the app layer (the app's own code, in Objective-C, Java or native code), the OS tools/APIs it calls (GUI, file, network) and the OS components underneath (loader, linker).
• RASP works proactively and in real time, reacting to what happens in the process rather than to a list of known signatures, which is what lets it protect against zero-day attacks
• RASP does not require special permissions on the device
• RASP does not change the user experience
Page 15
RASP features
Protect → Detect → React (App ↔ RASP)
Detection components:
• Hook detection
• Library injection detection
• Screen reader detection
• User input leakage prevention
• Keylogger detection
• Debugger detection
• Emulator detection
• User-initiated screenshot detection
• System-initiated screenshot detection
React options: Sanity check, Notify app, Terminate app
Page 16
Mobile Application Security – Anti-code injection
The application validates the origin of any third-party library loaded at run time. All libraries the application uses are whitelisted, so a library that is not on the list is flagged as injected code.
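One way to implement the whitelist check described on this slide, as an added example that is not the ShieldSDK's own code: a C routine that parses the kernel's /proc/self/maps listing (available on Linux and Android) and reports every shared object that is not on an allowlist. The allowlist contents, the constructed sample listing and the function names are assumptions made for this example.

```c
/* Added example, not code from VASCO's ShieldSDK: a minimal run-time check of
 * the shared libraries mapped into the current process, in the spirit of the
 * whitelisting rule on this slide. On Linux/Android the kernel lists every
 * mapping in /proc/self/maps; the scanner works on that text so it runs on a
 * captured sample as well as live. Allowlist, sample and names are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define LIB_NAME_MAX 128

/* Hypothetical allowlist: file names of the shared objects the app legitimately
 * loads. A production check also verifies each file's hash and location. */
static const char *kAllowedLibs[] = {
    "libc.so", "libm.so", "libdl.so", "liblog.so", "libart.so",
    "libshield.so", "libmyapp.so",
};
static const size_t kAllowedLibCount = sizeof kAllowedLibs / sizeof kAllowedLibs[0];

static int is_allowed(const char *name) {
    for (size_t i = 0; i < kAllowedLibCount; i++)
        if (strcmp(name, kAllowedLibs[i]) == 0) return 1;
    return 0;
}
/* "libfoo.so", "libfoo.so.6" and "libfoo.so (deleted)" all count. */
static int is_shared_object(const char *name) {
    const char *p = strstr(name, ".so");
    return p != NULL && (p[3] == '\0' || p[3] == '.' || p[3] == ' ');
}
/* Copy the file name at the end of one maps line into `name`. The path is the
 * first field starting with '/'; anonymous, [stack] and [vdso] mappings have
 * none, in which case 0 is returned. */
static int mapping_file_name(const char *line, size_t len, char name[LIB_NAME_MAX]) {
    const char *path = NULL, *base;
    for (const char *p = line + 1; p < line + len; p++)
        if (*p == '/' && p[-1] == ' ') { path = p; break; }
    if (!path) return 0;
    base = path + 1;
    for (const char *p = path + 1; p < line + len; p++)
        if (*p == '/') base = p + 1;
    size_t blen = (size_t)(line + len - base);
    if (blen >= LIB_NAME_MAX) blen = LIB_NAME_MAX - 1;
    memcpy(name, base, blen);
    name[blen] = '\0';
    return 1;
}
/* Scan text in /proc/self/maps format and copy every distinct shared object that
 * is not on the allowlist into `out` (at most `max` names). Returns the number
 * stored. A library maps several segments, hence the de-duplication. */
size_t find_unexpected_libs(const char *maps, char out[][LIB_NAME_MAX], size_t max) {
    size_t found = 0;
    const char *line = maps;
    while (*line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        char name[LIB_NAME_MAX];
        if (mapping_file_name(line, len, name) && is_shared_object(name) && !is_allowed(name)) {
            int seen = 0;
            for (size_t i = 0; i < found; i++)
                if (strcmp(out[i], name) == 0) seen = 1;
            if (!seen && found < max) strcpy(out[found++], name);
        }
        if (!eol) break;
        line = eol + 1;
    }
    return found;
}
/* Live variant: scan this process's own map list. Returns the number of
 * unexpected libraries, or -1 when /proc is not available. */
int check_loaded_libraries_now(char out[][LIB_NAME_MAX], size_t max) {
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return -1;
    size_t cap = 1u << 20;                      /* 1 MiB holds any realistic listing */
    char *buf = malloc(cap);
    size_t n = buf ? fread(buf, 1, cap - 1, f) : 0;
    fclose(f);
    if (!buf) return -1;
    buf[n] = '\0';
    int count = (int)find_unexpected_libs(buf, out, max);
    free(buf);
    return count;
}
/* Constructed sample in /proc/self/maps format (not a real capture): the app's
 * own libraries plus two the check should flag, one an instrumentation agent
 * dropped in /data/local/tmp. */
static const char kSampleMaps[] =
    "12c00000-12c40000 rw-p 00000000 00:00 0      [anon:dalvik-main space]\n"
    "7a1c000000-7a1c1c5000 r-xp 00000000 fd:00 1234 /apex/com.android.runtime/lib64/bionic/libc.so\n"
    "7a1d000000-7a1d020000 r-xp 00000000 fd:00 2345 /data/app/com.example.bank-1/lib/arm64/libmyapp.so\n"
    "7a1e000000-7a1e400000 r-xp 00000000 fd:00 3456 /data/local/tmp/libfrida-agent.so\n"
    "7a1e400000-7a1e600000 r--p 00400000 fd:00 3456 /data/local/tmp/libfrida-agent.so\n"
    "7a1f000000-7a1f010000 r-xp 00000000 fd:00 4567 /data/data/com.example.bank/files/libhook.so\n";

int main(void) {
    char names[16][LIB_NAME_MAX];
    size_t n = find_unexpected_libs(kSampleMaps, names, 16);
    printf("sample listing: %zu unexpected\n", n);
    for (size_t i = 0; i < n; i++) printf("  %s\n", names[i]);
    int live = check_loaded_libraries_now(names, 16);
    if (live >= 0) printf("this process: %d not on the allowlist\n", live);
    return 0;
}
```

Run on a desktop Linux box, the live check reports the distribution's own libraries (libc.so.6 and friends) because the toy allowlist only names Android libraries; for a real app the list would be generated from the libraries the package actually ships and depends on. Matching on file name is the minimum: an injected library can be renamed, so a production check compares the mapped file's hash with the expected one and also looks at where it was loaded from (anything under /data/local/tmp is suspect on its own).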
Page 17
Mobile Application Security – Anti-key logging
The application validates that the keyboard provided by the operating system is a trusted keyboard: either the operating system's original keyboard or a keyboard from a trusted third-party provider. If an untrusted keyboard is proposed by default, the application may offer its own keyboard interface instead.
Page 18
Mobile Application Security – Anti screen-reading
RASP validates that no screen reader is activated on the device. With a screen reader active, malware could collect all information the application displays without the user noticing. Note that the same accessibility services legitimate screen readers use (TalkBack on Android, for example) are the ones abused here, so a policy that blocks them carries an accessibility cost that has to be weighed.
Page 19
Mobile Application Security – Anti-user/system screenshots
The application makes sure that its screen content is not captured in the background by the operating system (the snapshot the OS takes when the app is suspended, for example for the task switcher). This prevents sensitive information from persisting on the phone after the application has terminated.
Page 20
Mobile Application Security – Anti-screen mirroring
Screen mirroring is pre-emptively disabled by the application; the protection works at the level of the video stream output.
Page 21
Mobile Application Security – Debugger prevention
The application prevents a debugger from being attached, to make reverse engineering more difficult. It does this by monitoring running processes.
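The two checks below, together with the react step from the RASP features slide (notify the app, then terminate), are an added example and not the ShieldSDK's implementation; they show what monitoring the process for a debugger looks like at the native level on Linux/Android. The callback type, the action names, the dry-run terminator and the constructed /proc/self/status excerpt are this example's assumptions.

```c
/* Added example, not ShieldSDK code: two debugger checks a native RASP
 * component can run on Linux/Android, followed by the react step from the
 * RASP features slide (notify the app, then terminate when the configuration
 * marks the finding as fatal). Names and the sample status text are this
 * example's own assumptions. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ptrace.h>
#include <unistd.h>

/* Parse the "TracerPid:" line of text in /proc/self/status format. Returns
 * the tracer's PID, 0 when nobody traces the process, or -1 when the field is
 * missing (malformed or non-Linux input). */
int tracer_pid_from_status(const char *status) {
    for (const char *line = status; line && *line; ) {
        if (strncmp(line, "TracerPid:", 10) == 0) return atoi(line + 10);
        line = strchr(line, '\n');
        if (line) line++;
    }
    return -1;
}

/* Check 1: read our own /proc/self/status. A debugger, strace or an
 * instrumentation agent that relies on ptrace shows up as a non-zero TracerPid. */
int tracer_pid_now(void) {
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return tracer_pid_from_status(buf);
}

/* Check 2: a process can have at most one tracer, so PTRACE_TRACEME fails
 * with EPERM when something is already attached. On success the parent
 * becomes our tracer, which also blocks later attach attempts; that side
 * effect is the "prevention" part. Returns 1 if a tracer was present, 0 if
 * not, -1 on any other error. */
int ptrace_self_check(void) {
    if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1)
        return errno == EPERM ? 1 : -1;
    return 0;
}

/* React step. The app is told through its callback first (so it can log the
 * event or wipe session state); for findings the configuration marks as fatal
 * the process is then stopped. `terminate` is injectable so the policy can be
 * exercised without killing the caller; NULL means _exit(1). */
typedef void (*rasp_callback)(const char *check, int detail);
enum rasp_action { RASP_IGNORED = 0, RASP_NOTIFIED = 1, RASP_TERMINATED = 2 };

enum rasp_action rasp_react(const char *check, int detected, int fatal,
                            rasp_callback notify, void (*terminate)(void)) {
    if (detected <= 0) return RASP_IGNORED;
    if (notify) notify(check, detected);
    if (!fatal) return RASP_NOTIFIED;
    if (terminate) terminate(); else _exit(1);
    return RASP_TERMINATED;
}

/* Dry-run terminator used by the sample run below (hypothetical helper). */
void rasp_noop_terminate(void) {}

static void log_finding(const char *check, int detail) {
    printf("RASP finding: %s (detail %d)\n", check, detail);
}

/* Constructed /proc/self/status excerpt (not a real capture) of an app that
 * has a debugger attached as PID 4242. */
static const char kTracedStatus[] =
    "Name:\tcom.example.bank\nState:\tt (tracing stop)\nTgid:\t31337\nPid:\t31337\n"
    "PPid:\t1234\nTracerPid:\t4242\nUid:\t10123\t10123\t10123\t10123\n";

int main(void) {
    int pid = tracer_pid_from_status(kTracedStatus);
    enum rasp_action a = rasp_react("debugger", pid, /*fatal=*/1, log_finding, rasp_noop_terminate);
    printf("sample status: tracer %d, action %d (dry run, not really terminated)\n", pid, a);
    int live = tracer_pid_now();
    if (live > 0) printf("this process is traced by PID %d\n", live);
    else if (live == 0) printf("no tracer attached (TracerPid 0)\n");
    printf("ptrace self-check: %d\n", ptrace_self_check());
    return 0;
}
```

Both checks are cheap enough to repeat periodically rather than only at launch, which is what makes them "monitoring": a debugger attached after start-up is caught at the next poll. On a rooted device the values in /proc can be faked and ptrace can be patched out, so these checks raise the bar rather than settle the question, which is why the slide pairs them with the other detections.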
Page 22
Mobile Application Security – Emulator detection
The application detects whether it is running in an emulator instead of on a physical device, by examining OS input. When this is detected at launch time, the application should stop its execution.
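As an added example (not ShieldSDK code) of examining what the operating system reports about the device, the C code below scores Android system properties, in the key=value format of build.prop, for values the stock emulator images are known to carry (ro.kernel.qemu set to 1, ro.hardware goldfish or ranchu, an SDK model string, a generic fingerprint). The weights, the threshold, the function names and both constructed property sets are this example's assumptions; the live variant uses the Android NDK's __system_property_get() and is only compiled on Android.

```c
/* Added example, not ShieldSDK code: emulator detection from the system
 * properties Android exposes (key=value format of /system/build.prop). The
 * heuristics use values the stock emulator images are known to carry; the
 * weights, threshold, names and sample property sets are this example's own. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#ifdef __ANDROID__
#include <sys/system_properties.h>
#endif

/* Look up `key` in key=value text and copy its value into `out`. Returns 1 if
 * found. Lines starting with '#' are comments, as in build.prop. */
int prop_get(const char *props, const char *key, char *out, size_t outsz) {
    size_t klen = strlen(key);
    for (const char *line = props; line && *line; ) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        if (line[0] != '#' && len > klen + 1 && strncmp(line, key, klen) == 0 && line[klen] == '=') {
            size_t vlen = len - klen - 1;
            if (vlen >= outsz) vlen = outsz - 1;
            memcpy(out, line + klen + 1, vlen);
            out[vlen] = '\0';
            return 1;
        }
        line = eol ? eol + 1 : NULL;
    }
    return 0;
}

static int contains_ci(const char *hay, const char *needle) {
    size_t n = strlen(needle);
    for (; *hay; hay++) {
        size_t i = 0;
        while (i < n && hay[i] && tolower((unsigned char)hay[i]) == tolower((unsigned char)needle[i])) i++;
        if (i == n) return 1;
    }
    return 0;
}

/* Score the evidence; each hit adds its weight. The weights are a judgement
 * call made for this example. */
int emulator_score(const char *props) {
    char v[256];
    int score = 0;
    if (prop_get(props, "ro.kernel.qemu", v, sizeof v) && strcmp(v, "1") == 0) score += 3;
    if (prop_get(props, "ro.hardware", v, sizeof v) &&
        (strcmp(v, "goldfish") == 0 || strcmp(v, "ranchu") == 0)) score += 3;
    if (prop_get(props, "ro.product.model", v, sizeof v) &&
        (contains_ci(v, "sdk") || contains_ci(v, "emulator"))) score += 2;
    if (prop_get(props, "ro.build.fingerprint", v, sizeof v) &&
        (strncmp(v, "generic", 7) == 0 || contains_ci(v, "sdk_gphone"))) score += 2;
    if (prop_get(props, "ro.product.device", v, sizeof v) && contains_ci(v, "generic")) score += 1;
    return score;
}

#define EMULATOR_THRESHOLD 3
int looks_like_emulator(const char *props) { return emulator_score(props) >= EMULATOR_THRESHOLD; }

#ifdef __ANDROID__
/* Live variant: query the property service for the keys used above and
 * rebuild the key=value text the scorer expects. */
int looks_like_emulator_now(void) {
    static const char *keys[] = { "ro.kernel.qemu", "ro.hardware", "ro.product.model",
                                  "ro.build.fingerprint", "ro.product.device" };
    char props[2048] = "", value[PROP_VALUE_MAX];
    for (size_t i = 0; i < sizeof keys / sizeof keys[0]; i++)
        if (__system_property_get(keys[i], value) > 0) {
            strcat(props, keys[i]); strcat(props, "="); strcat(props, value); strcat(props, "\n");
        }
    return looks_like_emulator(props);
}
#endif

/* Constructed property sets (not captured from real devices). */
static const char kEmulatorProps[] =
    "ro.kernel.qemu=1\n"
    "ro.hardware=ranchu\n"
    "ro.product.model=Android SDK built for x86_64\n"
    "ro.product.device=generic_x86_64\n"
    "ro.build.fingerprint=google/sdk_gphone_x86_64/generic_x86_64:11/RSR1.201013.001/6903271:user/release-keys\n";
static const char kPhoneProps[] =
    "# build.prop of a fictional handset\n"
    "ro.kernel.qemu=0\n"
    "ro.hardware=qcom\n"
    "ro.product.model=XY-100\n"
    "ro.product.device=starfish\n"
    "ro.build.fingerprint=acme/starfish/starfish:11/RQ3A.210705.001/7380771:user/release-keys\n";

int main(void) {
    printf("constructed emulator props: score %d -> %s\n", emulator_score(kEmulatorProps),
           looks_like_emulator(kEmulatorProps) ? "emulator" : "device");
    printf("constructed handset props:  score %d -> %s\n", emulator_score(kPhoneProps),
           looks_like_emulator(kPhoneProps) ? "emulator" : "device");
#ifdef __ANDROID__
    printf("this device: %s\n", looks_like_emulator_now() ? "emulator" : "physical");
#endif
    return 0;
}
```

Per the slide, the result is consulted at launch time so that the app can refuse to start. Every input here is controlled by whoever controls the device: a modified emulator image can report handset values, so this is one signal to combine with the other detections on the features slide, not proof on its own.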
Page 23
RASP – Integration
Page 24
RASP Integration Process: Integration → Configuration → Binding → Signing
Page 25
RASP Integration Process – Integration
Page 26
1 Integrate RASP SDK
• Android: add ShieldSDK.jar
• iOS: link ShieldSDK.framework
• Add the configuration file
2 Implement callbacks
• Notify the app after detection of a security issue, using the ShieldCallbackManager
Page 27
RASP Integration Process – Configuration
Page 28
3 Configure RASP (Android and iOS)
Configuration is done via the VASCO customer portal.
Page 29
Authentication to the portal
Page 30
Create new Android RASP Configuration
Page 31
Create new iOS RASP Configuration
Page 32
Select App to bind
Page 33
RASP Integration Process – Binding
Page 34
4 Bind via customer portal
The diagram shows the app package growing during binding. Starting point on both platforms: the app's resources, business logic and code variables.
• Android: + RASP SDK → + certificate public key → business logic obfuscated; the steps are labelled A Binding, B Repacking prevention and C Code obfuscation
• iOS: + RASP SDK and configuration info → + certificate public key; the steps are labelled B Repacking prevention and A Binding (no code obfuscation step on iOS)
Page 35
RASP Integration Process – Signing
Page 36
5 Sign the application
• Android: sign the APK file with the keystore file
• iOS: sign the app folder with the XCENT (entitlements) file
Page 37
Security Assessment
Page 38
RASP – Security Assessment
Page 39
Agenda (recap; see page 2)
Page 40
Documentation & Security assessment service
• DIGIPASS for Apps: https://www.vasco.com/products/application-security/digipass-for-apps.html
• White paper – A Developer's Guide to Securing Mobile Applications: https://www.vasco.com/news/your-guide-to-secure-mobile-applications/
• RASP webpage & white paper: https://www.vasco.com/glossary/rasp-security.html
• RASP security assessment service on your mobile application & other requests: [email protected]
Page 41
Questions?