Needed: Self-Protecting, Security-Aware Mobile Applications with Anti-Tamper Technology



Application providers need to step up and begin building in sufficient security for mobile devices, including vulnerability mitigation, re-evaluation of trust and incorporation of secure authentication channels.

During the last 20 years, malware has evolved from occasional “exploits” to a global multimillion-dollar criminal industry.¹ We hear about viruses such as Flame and Stuxnet, which can infect whole country infrastructures with relative ease. It seems to be getting simpler for hackers and malware to breach private companies and government agencies alike. For example, for at least two years, Flame has been copying documents, recording audio, keystrokes and network traffic, taking screenshots from infected computers, and passing all the information to servers operated by its creators.² If it’s that easy to attack governments and infrastructures, how difficult do you think it is to hack a smartphone?

In network security, perimeter-based and scanning techniques are penetrated and circumvented with alarming regularity. This has resulted in the more widespread use of application layer security technologies, which are now considered to be a critical component for security engineers who have come to realize how important in-depth defense techniques are in the current threat landscape.

A PC currently can expect between 40 and 200 minutes of freedom before an automated probe reaches it to determine whether it can be penetrated.³ This just shows how little time a machine needs to be connected to the Internet – wireless or not – before it’s touched and potentially hacked. If you think that PCs aren’t very secure, the smartphone (with little to no security in the apps or on the phone itself) is even less so.

And, of course, the latest trend is custom malware for attacking smartphones.

Custom Malware Designed for Smartphones

The need for these techniques is magnified on mobile platforms and perhaps none more so than on Android. A recent study by AV-TEST showed that more than 75 percent of anti-malware solutions ignored at least one in every 10 of the main families of malware in the wild.⁴ Add to this that Android malware is increasing dramatically, quadrupling between 2011 and 2012⁵, and it seems that failing to protect mobile applications in general, and Android applications in particular, might be inviting a disaster.

The open source nature of the Android platform means that there is a plethora of free, widely available and powerful tools. While these have legitimate uses, they also make it simple to reverse-engineer unprotected applications or even elements of the OS itself, in order to assess vulnerabilities and create attacks. Add to this the fact that there is a wide range of largely unpoliced Android marketplaces where practically any application can be uploaded, and it is unsurprising that the security situation has been likened to the Wild West. Even Google’s own marketplace and its use of its ‘Bouncer’ malware detection system is far from infallible, as researchers recently showed.⁶

Mobile Security Critical for Businesses
With the huge growth of smartphones and the applications that run on them, mobile security is becoming a critical area for all businesses. The sheer volume of commercially sensitive, personal employee and other key data both stored in and transmitted via these devices, makes them an attractive target for hackers. They also are an obvious route for threats that seek to penetrate the back office to corrupt data, capture it, or maliciously alter software through mobile application attacks.

Unfortunately, to date, security in Android has been ineffective. Custom malware attacks on Android applications are increasing exponentially and theft of software, data and content is rising to match. Hackers create and input malware that can change the behavior of applications, substitute account numbers, modify amounts, initiate egregious transactions, capture PINs, passcodes and more. Applications running on remote devices, with unknown configurations, need to be able to defend themselves, their communication, and to clearly signal if they have been compromised.

Apple’s iOS is not the impervious walled garden that many would have you believe, either. A number of malicious applications have been removed from the App Store and Russian malware was recently pulled after managing to pass through Apple’s normal protections around their market.⁷

Approaches to Secure Mobile Devices
There are various means to secure mobile device transactions. Strong security for mobile devices offers a comprehensive portfolio of embedded security solutions; the most obvious being anti-tamper technology, to prevent code and data changes. Anti-tamper is the most significant development in information security since the advent of the firewall and is perhaps the most advanced item in the security professional’s toolkit. The principle behind anti-tamper is quite simple: rather than relying on the security of the environment (by making the assumption that firewalls and virus checkers are installed, correctly configured and updated) anti-tamper ensures that the application can defend itself and its own data.

Clearly this approach will become the standard method for securing applications in the next few years as it is obvious that traditional approaches to security are now insufficient. ‘Defense-in-depth’ is now required for any applications that need to ensure the integrity of their operation.

There are numerous ways anti-tamper technology can help secure smartphone apps for financial transactions:

  1. Protect the application itself against subversion. If it is possible to alter the application’s operation, any security methods inherent in it are open to trivial attack; data validation can be avoided, transactions can be altered or rerouted, data can be captured, and routines can be called at will to have previously unintended consequences.
  2. Protect application data. In the same way as application code can be prevented from alteration, its data can be protected.
  3. Protect data and keys within the application from capture or extraction by using cryptographic primitives, which prevent malware from being able to access the values of keys and other sensitive information by not holding them ‘in the clear’ in memory but instead by holding their values programmatically/algorithmically (e.g., to ensure bank account details are not captured and stolen).
  4. Prevent ‘code lifting’ to extract individual functionalities (e.g., hackers might wish to use a code fragment that signs data with a key to sign some of their own data for a Man-In-The-Middle attack to reroute a payment transaction to a bogus account).
  5. Trigger a response. Once an application is protected against subversion, any detection of an application level attack can trigger a response. While that may typically be as simple as alerting the user to a problem and exiting the application, anti-tamper technology typically allows custom responses, e.g., sending a message to a server, perhaps so that a device on which a compromise attempt has been made can be blacklisted at the server side.
  6. Repair attacked applications or data. Should even one bit of an application or its data be altered and this be detected, the technology is available to repair the damage in order that the application may still be used.
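
The detect, respond and repair functions in items 2, 5 and 6, reduced to a single guarded value, as an added illustration (not code from this article or from any anti-tamper product). The names `guard_seal`, `guard_check` and `count_alert`, the XOR-masked backup and the sample account string are assumptions, and the unkeyed FNV-1a checksum stands in for the stronger, keyed check a real product would use.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MASK 0xA5u  /* constructed mask so the backup is not a plain copy */
typedef void (*tamper_cb)(const char *what);
typedef struct {
    uint8_t  live[32];    /* value the application actually uses */
    uint8_t  shadow[32];  /* masked backup kept for repair */
    uint32_t digest;      /* checksum recorded when the value was sealed */
    size_t   len;
} guarded_t;

/* FNV-1a checksum (assumption: placeholder for a keyed MAC). */
static uint32_t fnv1a(const uint8_t *p, size_t n) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

/* Record the checksum and masked backup for a known-good value. */
void guard_seal(guarded_t *g, const void *data, size_t n) {
    g->len = n < sizeof g->live ? n : sizeof g->live;
    memcpy(g->live, data, g->len);
    for (size_t i = 0; i < g->len; i++) g->shadow[i] = (uint8_t)(g->live[i] ^ MASK);
    g->digest = fnv1a(g->live, g->len);
}

/* Returns 0 = intact, 1 = altered and repaired, -1 = altered, backup unusable. */
int guard_check(guarded_t *g, tamper_cb respond) {
    if (fnv1a(g->live, g->len) == g->digest) return 0;
    if (respond) respond("protected data modified");   /* item 5: response */
    uint8_t tmp[sizeof g->live];
    for (size_t i = 0; i < g->len; i++) tmp[i] = (uint8_t)(g->shadow[i] ^ MASK);
    if (fnv1a(tmp, g->len) != g->digest) return -1;     /* backup damaged too */
    memcpy(g->live, tmp, g->len);                       /* item 6: repair */
    return 1;
}

int alerts;  /* demo response: count alerts instead of notifying a server */
void count_alert(const char *what) { (void)what; alerts++; }

int main(void) {
    guarded_t g;
    guard_seal(&g, "ACCT-0001", 9);     /* constructed sample value */
    g.live[5] ^= 0x01;                  /* simulate a one-bit alteration */
    int r = guard_check(&g, count_alert);
    printf("check=%d alerts=%d\n", r, alerts);
    return 0;
}
```

A guard like this is itself a target for patching, which is why item 1 (protecting the application code that performs the check) comes first in the list.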

As malware continues to attack smartphones, financial institutions must strive to provide the needed security to their applications. Malware won’t go away and companies need to be more proactive in securing apps from the inside out using anti-tamper technologies to produce that added level of security. We all know firewalls alone aren’t enough.

 



Andrew McLennan is an experienced entrepreneur who has founded five start-up companies since 1993, including Metaforic. Andrew has held all the key management roles in startups including CEO, CMO, CCO and COO. Andrew has an honors degree from Strathclyde University in mechanical engineering with aerodynamics.

1 http://www.oecd.org/dataoecd/53/34/40724457.pdf
2, 3 http://www.guardian.co.uk/technology/2012/jun/17/flame-virus-online-security
4 http://www.av-test.org/fileadmin/pdf/avtest_2012-02_android_anti-malware_report_english.pdf
5 http://www.forbes.com/sites/adriankingsleyhughes/2012/05/16/android-malware-quadruples-between-2011-an-2012
6 http://www.theregister.co.uk/2012/06/04/breaking_google_bouncer
7 http://www.wired.com/gadgetlab/2012/07/first-ios-malware-found/
