© 2015 IBM Corporation
Surviving the Mobile Phenomenon: Shielding Mobile Apps from Critical Vulnerabilities
Jason Hardy, IBM Mobile Security Team
Neil Jones, IBM Application Security Team
Patrick Kehoe, CMO, Arxan
IBM Mobile Security
Enterprise mobile trends
By 2017, mobile downloads will increase to 268 billion (Gartner)
By 2016, the number of smartphone users worldwide will surpass 2 billion (eMarketer)
“Enterprise mobility will continue to be one of the hottest topics in IT, and high on the list of priorities for all CIOs.” (Ovum)
“IT organizations will dedicate at least 25% of their software budget to mobile application development, deployment, and management by 2017.” (IDC)
As mobile grows, so do security threats
387 new threats every minute, or more than six every second (McAfee)
“With the growing penetration of mobile devices in the enterprise, security testing and protection of mobile applications and data become mandatory.” (Gartner)
“Enterprise mobility… new systems of engagement. These new systems help firms empower their customers, partners, and employees with context-aware apps and smart products.” (Forrester)
Top mobile devices and apps hacked: 97% Android, 87% iOS (Arxan)
What concerns does this create for the enterprise?
• 32% are concerned about fraudulent transactions
• Only 18% can detect malware / jailbreaks
• 52% worry about application vulnerabilities
• Only 23% have tamper-proofing capabilities
• 50% say content and data leakage are their top security concern
• 60% use secure containers for data security
• 57% say a lost or stolen device is their top concern
• 60% use passcodes for device security
Source: 2014 Information Security Media Group Survey, “The State of Mobile Security Maturity”
IBM Mobile Security Framework
Protect Devices
• Manage multi-OS BYOD environment
• Mitigate risks of lost and compromised devices
IBM: MobileFirst Protect (MaaS360); others: AirWatch, MobileIron, Good, Citrix, Microsoft, Mocana
Secure Content and Collaboration
• Separate enterprise and personal data
• Enforce compliance with security policies
• Distribute and control enterprise apps
Safeguard Applications and Data
• Build and secure apps and protect them “in the wild”
IBM: AppScan, Arxan, Trusteer Mobile SDK; others: HP Fortify, Veracode, Proguard
Manage Access and Fraud
• Provide secure web, mobile, API access and identify device risk
• Meet authentication ease-of-use expectation
Others: CA, Oracle, RSA
Extend Security Intelligence
• Extend security information and event management (SIEM) to mobile platform
• Incorporate mobile log management, anomaly detection, configuration and vulnerability management
IBM Mobile Security Portfolio
• IBM Security Access Manager
• IBM DataPower Gateway
• IBM BigFix
• IBM MobileFirst Platform
• IBM MobileFirst Protect (MaaS360)
• IBM Security AppScan
• Arxan Application Protection for IBM Solutions
• IBM QRadar Security Intelligence Platform
• IBM Security Trusteer
• IBM Mobile Security Services
Safeguarding applications and data
2.2 billion malicious attacks on computers and mobile devices were blocked during Q1 2015 (Kaspersky Lab, “IT Threat Evolution Report for Q1 of 2015”)
75% of all mobile security breaches are through apps (Gartner Press Release, May 2014)
Overall mobile app usage grew 76% in 2014 (“Shopping, Productivity and Messaging Give Mobile Another Stunning Growth Year”, Flurry Insights, January 2015)
On average, a company tests less than half of the mobile apps they build, and 33% never test apps to ensure they are secure (Ponemon, The State of Mobile Application Insecurity, February 2015)
Application security spending: where are your “security risks” versus your “spend”?
Spend ≠ Risk
[Chart: Security Risk vs. Spending by layer, 5% to 35%: Application Layer, Data Layer, Network Layer, Human Layer, Host Layer, Physical Layer]
Many clients do not prioritize application security in their environments.
Source: The State of Risk-Based Security Management, Research Study by Ponemon Institute, 2013
Cost of Security Defects
• Cost of a Data Breach: $7.2M
• 80 days to detect
• More than four months (123 days) to resolve
Cost to fix a defect by phase:
• Find during Development: $80 / defect
• Find during Build: $240 / defect
• Find during QA/Test: $960 / defect
• Find in Production: $7,600 / defect
80% of development costs are spent identifying and correcting defects!
Source: Ponemon Institute
Source: National Institute of Standards and Technology
** Source: Ponemon Institute 2009-10
Cost of a data breach
Source: 2014 ‘Cost of Data Breach Study: Global Analysis’, Ponemon Institute
$5.85M average organizational cost of a data breach in the U.S.
$201 average organizational cost per compromised record in the U.S.
IBM Application Security Framework
Utilize resources effectively to identify and mitigate risk
Application Security Management: Business Impact Assessment, Asset Inventory, Compliance Determination, Status and Progress Measurement, Vulnerability Prioritization
Test Applications in Development: Static Analysis, Dynamic Analysis, Mobile Application Analysis, Interactive Analysis
Monitor and Protect Deployed Applications: Database Activity Monitoring, Web Application Firewall, SIEM, Mobile Application Protection, Intrusion Prevention
Mobile Application Security
Test Applications in Development (Static Analysis, Dynamic Analysis, Interactive Analysis):
• IBM Application Security Analyzer: test mobile apps for vulnerabilities
• IBM Security AppScan Source / MobileFirst App Scanning: test mobile apps for vulnerabilities
• IBM Security AppScan Standard: test the mobile backend (web services) for vulnerabilities
Protect Deployed Applications (Application Protection):
• Arxan Application Protection for IBM Solutions: reduce runtime tampering of the mobile app
IBM Application Security on Cloud
Does my Mobile App contain security vulnerabilities?
Easy as 1, 2, 3: Upload, Test, Remediate
IBM Application Security Analyzer
Free Trial Link: IBM Application Security Analyzer
IBM AppScan Source/MobileFirst Platform Application Scanning
AppScan Source / MobileFirst Platform Application Scanning: identify security vulnerabilities in your application source code before deployment
• Analyze data flow within applications
• Find vulnerabilities such as Insecure Data, Unintended Data Leakage, etc. (covering all of the OWASP 2014 Top 10 Mobile Risks*)
• Identify vulnerable lines of code and provide remediation assistance
• Support native Android (Java), native iOS (Objective-C), Web, and MobileFirst Platform Foundation projects (JavaScript, HTML5, Cordova)
* www.owasp.org/ (Risk #10 through Arxan)
IBM Security AppScan Standard
Arxan Application Protection for IBM Solutions
Disruption in the Security Landscape
Centralized, trusted environment (Web Apps, Data Center Apps): attackers do not have easy access to the application binary
Distributed or untrusted environment, “Apps in the Wild” (Mobile Apps, Internet of Things, Packaged Software): attackers can easily access and compromise the application binary
+ Application Security Testing (“Build it Secure”)
+ Application Self-Protection (“Keep it Secure”)
Mobile Apps “in the Wild” Are Vulnerable to Attacks
Integrity Risk (Code Modification or Code Injection Vulnerabilities)
• Applications can be modified and tampered with
• Run-time behavior of applications can be altered, causing unsafe or improper operation
• Malicious code can be injected or hooked into applications
Confidentiality Risk (Reverse Engineering or Code Analysis Vulnerabilities)
• Private and sensitive information can be exposed, including cryptographic keys that are used to secure information
• Applications can be reverse-engineered back to the source code
• Code and Intellectual Property (IP) can be lifted, stolen, reused or repackaged
Protection is a critical, final step in any secure SDLC
Build It Secure, then Keep It Secure: Application Development, Vulnerability Analysis & Testing, Application Protection, Release & Deployment
• IBM MobileFirst Platform & Native: build and manage mobile apps
• IBM Security AppScan Source & Application Security Analyzer: identify vulnerabilities (free of critical flaws and vulnerabilities)
• Arxan Application Protection for IBM Solutions: defends, detects, and reacts to attacks (protects itself against attacks)
Result: a secure and protected application
• Extend security from testing to run-time code protection
• Mitigate risks comprehensively against hacking attacks and exploits
• Gain the world’s strongest multi-layer protection (defend, detect, react)
http://www-03.ibm.com/software/products/en/arxan-application-protection
Preventing Reverse Engineering -- Apply Control Flow Obfuscation
Control Flow Obfuscation: confuse the hacker
• Dummy Code Insertion
• Instruction Merging
• Block Shuffling
• Function Inlining
• … and More!
[Figure: control flow before (unprotected) and after (protected)]
Preventing Reverse Engineering -- Other Techniques
• Method Renaming
• String Encryption
• … and More!
[Figure: “String not found. Where did it go?”]
Preventing Tampering and Runtime Attacks
Common Techniques
• Jailbreak Detection -- Am I on a jailbroken device?
• Checksum -- Has the binary changed? If so, let me know so I can do something about it!
• Method Swizzling Detection -- Is someone hijacking my code?
• Debug Detection -- Is a debugger running?
Arxan Application Protection – Defends, Detects, and Reacts
Defend against compromise
• Advanced Obfuscation
• Encryption
• Pre-Damage
• Metadata Removal
Detect attacks at run time
• Environmental checks
• Anti-Debug
• Jailbreak/Root detection
• Run-time Checksum
• Resource Verification
• Swizzling / Hooking Detection
React to ward off attacks
• Repair
• Custom Reactions
• Shut Down (Exit, Fail)
• Alert / Phone Home
Protected App: self-defending, tamper-resistant, hardened against hacking attacks & malware exploits
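The run-time checksum, resource verification and react ideas from the two slides above, as an added example that is not IBM's or Arxan's code: a small C integrity guard that seals a digest of an embedded resource and re-checks it at run time, invoking a reaction callback on mismatch. FNV-1a 64-bit stands in for the checksum, and the resource string, function names and the seal-at-startup shortcut are assumptions made for the demo.

```c
/* Added example (not IBM's or Arxan's code) of the "Run-time Checksum /
 * Resource Verification" and "React" ideas above: a reference digest of a
 * protected resource is sealed once (a build-time guard would embed it) and
 * re-checked at run time; a reaction callback runs on mismatch. FNV-1a
 * 64-bit stands in for the checksum; names and the resource are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef enum { INTEGRITY_OK = 0, INTEGRITY_TAMPERED = 1 } integrity_t;
/* FNV-1a 64-bit over an arbitrary byte range. */
uint64_t fnv1a64(const unsigned char *p, size_t n) {
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Constructed sample resource (an embedded endpoint the app must trust). */
static unsigned char resource[] = "https://api.example.invalid/v1";
/* Reference digest; sealed at startup here to keep the demo self-contained. */
static uint64_t reference_digest;
void integrity_seal(void) {
    reference_digest = fnv1a64(resource, sizeof resource);
}

/* Re-hash the resource and compare; invoke react() on mismatch. */
integrity_t integrity_verify(void (*react)(const char *)) {
    if (fnv1a64(resource, sizeof resource) == reference_digest)
        return INTEGRITY_OK;
    if (react)
        react("resource checksum mismatch");
    return INTEGRITY_TAMPERED;
}

/* Example reaction: a real app might alert, phone home, or shut down. */
void react_log(const char *why) { fprintf(stderr, "integrity: %s\n", why); }
/* Demo only: flip one byte of the resource so the check fires. */
void tamper_resource_for_demo(void) { resource[8] ^= 0x20; }

int main(void) {
    integrity_seal();
    printf("before tamper: %d\n", integrity_verify(react_log)); /* 0 */
    tamper_resource_for_demo();
    printf("after tamper: %d\n", integrity_verify(react_log));  /* 1 */
    return 0;
}
```

Because a single-byte change always alters an FNV-1a digest (each step is a bijection on the running state), the demo reliably trips the check; a production guard would also protect the stored reference value itself, which this example does not.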
Arxan Security is Applied at the Compile Stage -- Security is “Built-In” the App so It is Protected Everywhere
Additional Resources
• Blog: 10 Convenient Ways to Increase Your Mobile Application Security Knowledge
• Blog: Another 10 Convenient Ways to Increase Your Mobile Application Security Knowledge
• IBM/Arxan White Paper: Securing Mobile Applications in the Wild with Application Hardening and Run-Time Protection
• IBM White Paper: Securing the Mobile Enterprise with IBM Security Solutions
Q&A Session
Legal notices and disclaimers
© Copyright IBM Corporation 2015. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products in connection with this publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. IBM does not warrant the quality of any third-party products, or the ability of any such third-party products to interoperate with IBM’s products. IBM EXPRESSLY DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
The provision of the information contained herein is not intended to, and does not, grant any right or license under any IBM patents, copyrights, trademarks or other intellectual property right.
Other company, product, or service names may be trademarks or service marks of others. A current list of IBM trademarks is available at “Copyright and trademark information” www.ibm.com/legal/copytrade.shtml
Copyright © 2015 by International Business Machines Corporation (IBM). No part of this document may be reproduced or transmitted in any form without written permission from IBM.
U.S. Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM.
Information in these presentations (including information relating to products that have not yet been announced by IBM) has been reviewed for accuracy as of the date of initial publication and could include unintentional technical or typographical errors. IBM shall have no responsibility to update this information. This document is distributed "AS IS" without any warranty, either express or implied. In no event shall IBM be liable for any damage arising from the use of this information, including but not limited to, loss of data, business interruption, loss of profit or loss of opportunity. IBM products and services are warranted according to the terms and conditions of the agreements under which they are provided.
Any statements regarding IBM’s future direction, intent or product plans are subject to change or withdrawal without notice. Performance data contained herein was generally obtained in controlled, isolated environments. Customer examples are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual performance, cost, savings or other results in other operating environments may vary. References in this document to IBM products, programs, or services do not imply that IBM intends to make such products, programs or services available in all countries in which IBM operates or does business.
Workshops, sessions and associated materials may have been prepared by independent session speakers, and do not necessarily reflect the views of IBM. All materials and discussions are provided for informational purposes only, and are neither intended to, nor shall constitute legal or other guidance or advice to any individual participant or their specific situation.
It is the customer’s responsibility to ensure its own compliance with legal requirements and to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer’s business and any actions the customer may need to take to comply with such laws. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the customer is in compliance with any law.
THANK YOU www.ibm.com/security