Arxan shortlisted for Appsters Award

Arxan has been shortlisted in the upcoming Appsters Awards in the Best App Technology category. The awards will take place in London on November 12.

The Appsters Awards are a must-attend for the who’s who in the world of apps. The award winners are decided by a judging panel of independent experts, delivering plaudits to worthy winners across key categories.

Our mobile application protection technology guards against revenue loss, fraud, unauthorised data access and brand damage caused by reverse engineering, code tampering or malware inserted into an application. This protection lets app owners distribute core assets with confidence by building self-defence and tamper-resistance into the app itself through proprietary controls.

According to ABI Research, the mobile application security market grew to $389 million by the end of 2012, which underlines how important protection inside mobile applications has become. Our app hardening capability ensures that the critical business or security logic contained in the mobile endpoint is protected from attacks that can result in severe financial and reputational damage.

Fingers crossed the judges are impressed with the pioneering mobile application protection technology that we have to offer. Keep your eyes peeled for further announcements nearer the time of the awards on November 12.

Don’t forget to come and visit us at stand 322 at Apps World, 12-13 November at the ExCeL Centre, London. Also, be sure to join us at our panel session at the event, “New technologies in mobile banking & financial services and their impact on the customer experience”, taking place on November 12 at 4:30pm GMT.

To find out more information about the event, please visit https://www.apps-world.net/europe/

Protecting Brand and Intellectual Property from Hacking Attacks: Arxan’s Integrated Solution in Xamarin Evolve Panel and Workshop

With the ever-increasing threats and data breaches, mobile app protection is quickly becoming the defining attribute for high-value mobile apps.

Layering additional security into the app during the build process, before deployment, matters now more than ever.

Arxan’s integrated and enhanced solution announced today ensures seamless interoperability for enhanced application protection with Xamarin-based mobile apps – which will be further discussed at Xamarin’s own conference, Xamarin Evolve, in a panel and workshop with Arxan.

The panel, taking place on Wednesday, October 8, from 2:30pm – 4:00pm ET, will center on how to best secure your sensitive data in the app, on the device, and over the wire – with insights from Arxan VP of Product Management Vince Arneja and moderator & Xamarin Director of Enterprise Mobility Steve Hall, as well as fellow panelists and representatives from Airwatch, Good Technology, and Mobile Iron.

Also taking place at Xamarin Evolve is the workshop, Think Like a Hacker! Common Techniques Used to Exploit Mobile Apps and How to Mitigate these Risks, led by Arxan engineer Darren Cathey on Thursday, October 9, from 11:15am – 12:00pm ET. During this session, attendees will learn just how easy it is for hackers to leverage widely available third party tools to completely disable and compromise mobile apps.

To meet with Vince and/or Darren at the event, please stop by our booth (#4) or email info@arxan.com.

Revolutionizing Security for mCommerce: Arxan’s Software-Based Approach in Upcoming Webinar and Industry Panel

As mCommerce drives up mobile payment transactions around the world, cybercriminals are following closely, launching new exploits as a means to commit mobile transaction fraud.

As such, a proven mCommerce security approach is in great demand, in order to combat top mobile app payment risks and emerging threats that impact mobile financial transactions.

Arxan’s approach to securing mCommerce, announced today, is the subject of the webinar “Revolutionary Security for HCE Mobile Payments.”

The webinar, held tomorrow (Tuesday, September 30) from 11:00 AM – 11:30 AM EDT, will present the newly announced approach, as well as our views on how software-based security has changed the mobile payment industry. Host Winston Bond (Arxan’s Security Solutions Architect) will explain the value of adopting this approach, which lets payment providers and ecosystem stakeholders fully leverage the mobile computing platform.

For registration details, please visit: https://www2.gotomeeting.com/register/316988458

Also, Arxan’s VP of Product Management, Vince Arneja, will be providing more information on the software-based security approach at the Mobile Payments Conference, as a speaker on the industry panel, “Keeping Mobile Commerce Secure,” on Oct. 7th at 4:15 pm.

Arneja will discuss the exposures and risks facing the mCommerce ecosystem’s critical industry stakeholders and will address the key security approaches needed for a strong defense.

If you’d like to schedule a meeting at the show with Vince to discuss Arxan’s comprehensive software-based security, please email us at info@arxan.com.

We hope to see you at the webinar and conference!

Think like a Hacker! Featured events at AppSec USA hosted by Arxan


The first step in learning how to protect and defend your applications from Hackers is to think like one….

Arxan’s security experts will be hosting a few exciting and exclusive events during AppSec USA in Denver, CO on September 18 & 19. Highlights below:

Mobile App Hacking Workshop

We’ll be hosting the first-ever hands-on, interactive Mobile App Hacking Workshop during the OWASP AppSec USA 2014 Project Summit.

The inaugural workshop will be led by security experts and is designed so that attendees can immediately apply what they learn about app protection in their own environments, mitigating app binary risk and implementing new approaches to mobile app security.

Dates/Times: September 18, 1:00PM – 3:30PM & September 19, 9:00AM – 11:30AM

Attendees: This complimentary, specialized workshop is intended for mobile app developers and security experts who want first-hand experience of reverse-engineering techniques on iOS devices using widely available third-party tools. These tools are used to completely disable and compromise mobile app binaries, recover the app’s logic, and then tamper with the app to enable unauthorized access, advanced malware attacks, theft of sensitive data or intellectual property, fraud and other illicit activities. Attendees will:

  • Learn about the evolutions in the mobile threat landscape
  • Learn how hackers use third-party tools to compromise app integrity via reverse-engineering and tampering attacks (e.g. Clutch, IDA and Hex-Rays, otool, class-dump, Theos, and command-line tools such as gdb, nm and strings).
  • Explore findings from mobile banking red-team testing projects at several top global banks
  • Use a customized workstation and jailbroken devices, provided for the workshop, together with a sample mobile banking app

Limited Seating and Pre-qualification: Workshop seats are limited to 10 per day, and each session lasts up to 2.5 hours. To fully engage in the workshop, participants need advanced app development and computer engineering skills. Because of the severely limited size, participants will receive confirmation after completing the pre-qualification questions in the following survey.

 

“How to Hack an App”  Demo Series at Arxan Booth G1

These demos will showcase the tools and methods that hackers use to identify targets within an app and intrude on its critical code. Stop by to see for yourself how mobile apps are attacked using these common techniques!

Dates: September 18 & 19

Times:

11:00 AM  See How Your Binary Exposes Your Source Code

3:00 PM  Binary Modification for n00bs (newbies)

4:00 PM  Breaking iTunes Code Encryption

 

Free Mobile Application Assessment

We’ll also be offering a free Mobile App Assessment where Arxan’s mobile app security experts assess your mobile app for exposures to key risks. Not attending? Request the Mobile Application Assessment here.

If you’d like to schedule a meeting at the show to discuss Arxan’s application protection solutions, please email us at info@arxan.com

We hope to see you at the event!

Arxan Presents ‘Revolutionizing Mobile Payments’ at the UL Innovation Seminar


Arxan is thrilled to announce our participation in the upcoming UL Innovation Seminar, focusing on hardware vs. software-based security solutions. See below for details on our session:

Session Title: Revolutionizing Mobile Payments: Without the Complications of Hardware

Speaker: Jonathan Carter, Technical Director, Arxan

Date: Friday, September 5, 2014

Time:  1:30pm-2:00pm

Location: Hyatt Regency San Francisco Airport

Description: Innovation in mobile computing now goes beyond hardware attributes to deliver new features, services and, most significantly, the security required for new business models. During this presentation, Jonathan Carter will share his view on how innovations in software-based security have changed the mobile payment industry. Free of the constraints of fragmented hardware ecosystems, these software security techniques aim to provide a software-based alternative to a hardware secure element. Adopting this approach lets providers fully leverage the mobile computing platform and confidently deploy new financial services to achieve widespread distribution and adoption. The success that other industries have already realized in terms of customer growth, scalability and confidence in security will also be shared.

We cordially invite you to attend the seminar and join our session! Register here, space is limited.

We look forward to meeting you at the event!  Email us at info@arxan.com if you’d like to set up a meeting with us.

Arxan Presents ‘How to Hack an App’ Demo Series at Black Hat 2014!


Arxan is sponsoring the upcoming Black Hat USA 2014 Expo, August 6-7, in Las Vegas. If you’re planning to attend, we hope to see you at our booth (#1127) to view Arxan’s exclusive ‘How to Hack an App’ Demo Series!

These round-the-clock demos will showcase the tools and methods that hackers use to identify targets within an app and intrude on its critical code. Stop by to see for yourself how apps are attacked using these common techniques.

Black Hat Demos, Booth 1127

 

Additionally, here are a few more highlights and offers from our booth at Black Hat that you don’t want to miss!

  • Is your “secure” mobile app unknowingly exposed to reverse engineering and tampering?  We’ll be offering a Mobile App Assessment.

Here’s how it works:

  1. You’ll work with one of Arxan’s mobile app security experts, who will assess your app for vulnerabilities and measure its exposure to key risks.
  2. We’ll then provide you with a customized report detailing your app’s level of exposure and likely attack points.

This report is a complimentary offer for you. When you come by, just say: “Assess my mobile app”!

OWASP says: ‘A lack of binary protections results in a mobile app that can be analyzed, reverse-engineered, and modified by an adversary, exposing the app and its owner to a large variety of technical and business risks.’

Learn more about the OWASP Mobile Security Project at our booth (#1127).

  • Mobile Application Protection Handbook: Pick up your free copy with key insights from security experts on new mobile attacks and risk mitigation strategies to support secure mobile app development and defend against hackers.
  • Discounted Briefings Pass: Register with Arxan’s priority code bQTBnL03 to save 25% on the standard price ($2,195). These are limited, so sign up today!

If you’d like to schedule a meeting with us at the show to discuss Arxan’s application protection solutions, please email us at info@arxan.com.

We hope to see you at the show!

HOW TO HACK A MOBILE APP: IT’S EASIER THAN YOU THINK!

We live in a mobile, personal world, where nearly a billion new mobile phones ship each year. Businesses that are most efficiently adapting to today’s “app economy” are the most successful at deepening customer engagement and driving new revenues in this ever-changing world. Where business opportunities abound, opportunities for “black hats” that conduct illicit and malicious activity abound as well.

Mobile app hacking is becoming easier and faster than ever before. Let’s explore why:

  • It’s Fast: Recent research found that in 84 percent of cases, the initial compromise took “just minutes” to complete
  • It’s Relatively Easy: There are automated tools readily available in the market to support hacking, and many of them are available for free!
  • Mobile Apps are “Low-Hanging Fruit”: In contrast to centralized Web environments, mobile apps live “in the wild,” on a distributed, fragmented and unregulated mobile device ecosystem. Unprotected binary code in mobile apps can be directly accessed, examined, modified and exploited by attackers.

Watch the Demos: How to Hack an App Video Series

Hackers are increasingly aiming at binary code to launch attacks on high-value mobile applications across all platforms. For those who may not be familiar: binary code is the compiled form of an application that the device actually executes (native machine code on iOS; on Android, Dalvik bytecode plus any native libraries), and it is what you download when you install an app from a store such as Google Play or the App Store.

Exploitable Binary-based Vulnerabilities

Well-equipped hackers seek to exploit two categories of binary-based vulnerabilities to compromise apps:

Code Modification or Code Injection:
This is the first category of binary-based vulnerability exploits, whereby hackers conduct unauthorized code modifications or insert malicious code into an application’s binaries. Code modification or code injection threat scenarios can include:

  • A hacker or hostile user, modifying the binary to change its behavior. For example, disabling security controls, bypassing business rules, licensing restrictions, purchasing requirements or ad displays in the mobile app — and potentially distributing it as a patch, crack or even as a new application.
  • A hacker injecting malicious code into the binary, and then either repackaging the mobile apps and publishing it as a new (supposedly legitimate) app, distributed under the guise of a patch or a crack, or surreptitiously (re)installing it on an unsuspecting user’s device.
  • A rogue application performing a drive-by attack (via the run-time method known as swizzling, or function/API hooking) to compromise the target mobile app (in order to lift credentials, expose personal and/or corporate data, redirect traffic, etc.)

Reverse Engineering or Code Analysis:
This is the second category of exploitable binary vulnerabilities: mobile app binaries can be analyzed statically and dynamically. Using intelligence gathered from code analysis tools, the binaries can be reverse-engineered, and valuable code (decompiled back to something close to the original source), sensitive data, or proprietary IP can be lifted out of the application and re-used or re-packaged. Reverse engineering or code analysis threat scenarios may include:

  • A hacker analyzing or reverse-engineering the binary, and identifying or exposing sensitive information (keys, credentials, data) or vulnerabilities and flaws for broader exploitation.
  • A hacker lifting or exposing proprietary intellectual property out of the application binary to develop counterfeit applications.
  • A hacker reusing and “copy-catting” an application, and submitting it to an app store under his or her own branding (as a nearly identical copy of the legitimate application).

You can see examples of these hacks “brought to life” on YouTube (see the video below as well), and a summary of binary exploits is provided in the graphic, whose two headings are Reverse Engineering or Code Analysis (a confidentiality threat) and Code Modification or Code Injection (an integrity threat). Whether your organization licenses mobile apps or extends your customer experience to mobile technology, the norm is that hackers are able to trivially invade, infect and/or counterfeit your mobile apps. Consider the following:

  • B2C Apps: Eight of the top 10 apps in public app stores have been hacked, according to Arxan State of Security in the App Economy Research, Volume 2, 2013. This means that anyone developing B2C apps shouldn’t assume that mobile app store-provided security measures are sufficient. Often these security measures rely on underlying assumptions, such as the lack of jailbroken conditions on the mobile device — an unsafe and impractical assumption today.
  • B2E Apps: In the case of enterprise-internal apps (B2E), conventional IT security measures such as MDM (mobile device management) and application policy wrappers can be valuable tools for device management and IT policy controls for corporate data and application usage, but they aren’t designed to protect against application-level hacking attacks and exploits.

Time to Secure Your Mobile App
With so much of your organizational productivity riding on the reliable execution of your apps, and such a small barrier for hackers to overcome superficial threat protection schemes, you face significant risk unless you step up the protection of your application. It’s time to build trust in apps, not just around them.

WHITE PAPER: SECURING MOBILE APPS IN THE WILD WITH APP HARDENING AND RUN-TIME PROTECTION

Application hardening and run-time protection are the security capabilities required to proactively defend against, detect and react to attempted app compromises. Both can be achieved with no impact to source code, via automated insertion of “guards” into the binary code. When implemented properly, layers of guards are deployed so that both the application and the guards are protected, and there is no single point of failure: a guard that merely sets a flag checked by one `if` statement is itself one patch away from removal. One caveat a practitioner should keep in mind is that guards raise the attacker’s cost and time, but a binary running on a device the attacker controls can always be studied eventually, so binary protection complements, rather than replaces, server-side validation of what the app does. Steps one can take to harden and protect apps at run-time are readily available.
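The guard idea in the paragraph above, as an added example written for this page rather than code from Arxan’s product: a hashed code region, a second guard that protects the first guard’s expected value, and a reaction that does not hinge on a single branch. The 16-byte “code region”, the FNV-1a hash, the XOR keystream and the sample token are constructed stand-ins for illustration; a real protection tool covers actual function bytes, uses stronger primitives and scatters many guards through the binary.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* FNV-1a 64-bit: fast and fine for spotting byte patches (it is not a cryptographic MAC). */
static uint64_t fnv1a(const void *data, size_t n)
{
    const unsigned char *p = data;
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x100000001b3ULL; }
    return h;
}

/* Constructed stand-in for a protected code region (think: the bytes of a licence check).
 * Byte 7 plays the role of the conditional jump an attacker flips from JE to JNE. */
#define JE  0x74
#define JNE 0x75
static unsigned char licence_check_code[16] = {
    0x55, 0x48, 0x89, 0xe5, 0x83, 0x7f, 0x08, JE,
    0x05, 0xb8, 0x01, 0x00, 0x00, 0x00, 0x5d, 0xc3 };

/* Guard table. Guard 2 hashes guard 1's expected value, so rewriting code_expected to match
 * a patched binary trips guard 2 instead: there is no single value to fix up. A real tool
 * adds more layers than this and scatters them through the binary. */
static struct {
    uint64_t code_expected;    /* guard 1: hash of licence_check_code */
    uint64_t table_expected;   /* guard 2: hash of code_expected */
} guards;

/* A secret the app needs at runtime, kept XOR-encoded under a key derived from the hash of
 * the intact code. guards_seal() plays the role of the build-time protection step. */
static const char API_TOKEN[] = "tok_example_0123";        /* constructed sample secret */
static unsigned char token_enc[sizeof API_TOKEN];

static void keystream_xor(uint64_t seed, const unsigned char *in, unsigned char *out, size_t n)
{
    uint64_t h = seed;
    for (size_t i = 0; i < n; i++) {
        if (i % 8 == 0) h = fnv1a(&h, sizeof h);          /* next 8-byte block of keystream */
        out[i] = in[i] ^ (unsigned char)(h >> (8 * (i % 8)));
    }
}

/* Build-time step: record the baselines and encode the secret under the intact-code key. */
void guards_seal(void)
{
    licence_check_code[7] = JE;                            /* demo only: undo any earlier patch */
    guards.code_expected  = fnv1a(licence_check_code, sizeof licence_check_code);
    guards.table_expected = fnv1a(&guards.code_expected, sizeof guards.code_expected);
    keystream_xor(guards.code_expected, (const unsigned char *)API_TOKEN, token_enc, sizeof API_TOKEN);
}

/* Runtime check: 0 intact, 1 code region patched, 2 guard table patched. */
int guards_check(void)
{
    if (fnv1a(&guards.code_expected, sizeof guards.code_expected) != guards.table_expected)
        return 2;
    if (fnv1a(licence_check_code, sizeof licence_check_code) != guards.code_expected)
        return 1;
    return 0;
}

/* Reaction with no single branch to NOP out: the key is derived from the *live* code hash,
 * so a patched binary quietly decodes garbage instead of hitting an `if (tampered) exit()`
 * that an attacker can simply remove. */
void unlock_token(char out[sizeof API_TOKEN])
{
    uint64_t live = fnv1a(licence_check_code, sizeof licence_check_code);
    keystream_xor(live, token_enc, (unsigned char *)out, sizeof API_TOKEN);
    out[sizeof API_TOKEN - 1] = '\0';
}

/* Untouched binary: both guards pass and the token decodes. */
int demo_intact(void)
{
    char tok[sizeof API_TOKEN];
    guards_seal();
    unlock_token(tok);
    return guards_check() == 0 && strcmp(tok, API_TOKEN) == 0;
}

/* Attacker flips the jump: guard 1 fires and the derived key no longer decodes the token. */
int demo_code_patch_detected(void)
{
    char tok[sizeof API_TOKEN];
    guards_seal();
    licence_check_code[7] = JNE;
    unlock_token(tok);
    return guards_check() == 1 && strcmp(tok, API_TOKEN) != 0;
}

/* Attacker also rewrites guard 1's expected value to match the patch: guard 2 fires. */
int demo_guard_patch_detected(void)
{
    guards_seal();
    licence_check_code[7] = JNE;
    guards.code_expected = fnv1a(licence_check_code, sizeof licence_check_code);
    return guards_check() == 2;
}
```

The point of `unlock_token` is the design choice: an attacker who finds and removes the `guards_check` call still ends up with a binary that cannot produce the token, because the key material depends on the bytes they changed. That is what “no single point of failure” means in practice.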

Recent history shows that despite our best efforts, the “plumbing” of servers, networks and end-points that run our apps can easily be breached — so isn’t it high-time to focus on the application layer, as well?

Below are 7 common techniques that hackers are using to exploit applications. Select from the playlist below to view short videos (1-2 minutes or less) that demonstrate how it’s done:

  • iTunes Code Encryption Bypass 
    • See how easy it is for hackers to bypass iOS encryption to progress a mobile app attack.
  • Android APK Reverse Engineering
    • Watch how hackers can easily turn an Android APK’s bytecode back into readable, near-source code, ready for code tampering
  • Algorithm Decompilation and Analysis 
    • See how “Hopper” is leveraged to initiate a static, springboard attack for counterfeiting and stealing information
  • Baksmali Code Modification
    • Learn how hackers disassemble Dalvik bytecode into smali with baksmali, edit it, and reassemble it with smali to change the app’s behaviour
  • Reverse Engineering String Analysis 
    • Watch how hackers use strings analysis as a core element for reverse engineering
  • Swizzle with Code Substitution 
    • Learn how hackers leverage infected code to attack critical class methods of an application to intercept API calls and execute unauthorized code, leaving no trace with the code reverting back to original form
  • Understanding application internal structures and methods via Class Dumps
    • Learn how hackers use this widely available tool to analyze the behavior of an app as a form of reverse engineering and as a springboard to method swizzling
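To make the “string analysis” and “class dump” items above concrete, here is an added example in C (written for this page; it is not code from the videos or from Arxan’s tooling): a minimal strings extractor of the kind a reverser runs first, a heuristic that flags secrets among the results, and the corresponding hardening step of storing sensitive strings encoded so that cleartext exists only at the moment of use. The byte image, the URL, the API key and the keystream are all constructed for the example.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define IMG_SIZE 256
#define MAX_STR  96

/* Minimal `strings`: collect runs of at least min_len printable ASCII bytes (0x20..0x7e),
 * which is the heuristic the Unix tool and a disassembler's string window apply to a binary. */
size_t find_strings(const unsigned char *img, size_t n, size_t min_len,
                    char out[][MAX_STR], size_t max_out)
{
    size_t count = 0, start = 0, run = 0;
    for (size_t i = 0; i <= n; i++) {
        int printable = i < n && img[i] >= 0x20 && img[i] <= 0x7e;
        if (printable) { if (run == 0) start = i; run++; continue; }
        if (run >= min_len && count < max_out) {
            size_t len = run < MAX_STR - 1 ? run : MAX_STR - 1;
            memcpy(out[count], img + start, len);
            out[count][len] = '\0';
            count++;
        }
        run = 0;
    }
    return count;
}

/* Crude triage of what the extractor found: the substrings a reverser greps for first. */
int looks_sensitive(const char *s)
{
    static const char *markers[] = { "key=", "secret", "password", "token", "https://", "begin " };
    char low[MAX_STR];
    size_t i;
    for (i = 0; s[i] && i < MAX_STR - 1; i++) low[i] = (char)tolower((unsigned char)s[i]);
    low[i] = '\0';
    for (size_t m = 0; m < sizeof markers / sizeof markers[0]; m++)
        if (strstr(low, markers[m])) return 1;
    return 0;
}

/* --- Constructed binary image (not a real app) --- */
static const char URL[] = "https://api.example.com/v1/transfer";  /* constructed endpoint */
static const char KEY[] = "api_key=EXAMPLE_NOT_A_REAL_KEY_42";    /* constructed secret */
static const char MSG[] = "Hello";                                /* harmless UI string */
#define URL_OFF 16
#define KEY_OFF 80
#define MSG_OFF 140

/* Per-position key byte. The high bit is always set, so an ASCII byte XORed with it never
 * lands in the printable range the extractor looks for. A shipping tool would use a real
 * cipher and also hide the decode routine; this only needs to defeat `strings`. */
static unsigned char keybyte(size_t i) { return (unsigned char)(0x80 | ((0x5A * (i + 1)) & 0x7f)); }

static void put_string(unsigned char *img, size_t off, const char *s, int obfuscate)
{
    for (size_t i = 0; s[i]; i++)
        img[off + i] = obfuscate ? (unsigned char)(s[i] ^ keybyte(i)) : (unsigned char)s[i];
}

/* Filler bytes with the high bit set stand in for machine code between the literals. */
void build_image(unsigned char *img, int obfuscate_secrets)
{
    for (size_t i = 0; i < IMG_SIZE; i++) img[i] = (unsigned char)(0x80 | ((i * 7) & 0x7f));
    put_string(img, URL_OFF, URL, obfuscate_secrets);
    put_string(img, KEY_OFF, KEY, obfuscate_secrets);
    put_string(img, MSG_OFF, MSG, 0);      /* UI text stays plain; only secrets are protected */
}

/* Runtime decode: the cleartext exists only in this caller-supplied buffer while it is needed. */
void decode_string(const unsigned char *enc, size_t len, char *out)
{
    for (size_t i = 0; i < len; i++) out[i] = (char)(enc[i] ^ keybyte(i));
    out[len] = '\0';
}

/* Number of sensitive strings a `strings` pass finds in the unprotected image. */
int demo_plain_image_secret_count(void)
{
    unsigned char img[IMG_SIZE]; char found[16][MAX_STR]; int hits = 0;
    build_image(img, 0);
    size_t n = find_strings(img, IMG_SIZE, 4, found, 16);
    for (size_t i = 0; i < n; i++) hits += looks_sensitive(found[i]);
    return hits;                                   /* 2: the URL and the API key */
}

/* Same pass over the protected image: "Hello" is still visible, the secrets are not. */
int demo_obfuscated_image_secret_count(void)
{
    unsigned char img[IMG_SIZE]; char found[16][MAX_STR]; int hits = 0;
    build_image(img, 1);
    size_t n = find_strings(img, IMG_SIZE, 4, found, 16);
    for (size_t i = 0; i < n; i++) hits += looks_sensitive(found[i]);
    return hits;                                   /* 0 */
}

/* The app itself can still recover the key at the point of use. */
int demo_runtime_decode_recovers_key(void)
{
    unsigned char img[IMG_SIZE]; char buf[MAX_STR];
    build_image(img, 1);
    decode_string(img + KEY_OFF, sizeof KEY - 1, buf);
    return strcmp(buf, KEY) == 0;                  /* 1 */
}
```

Two things worth noticing: the extractor has no notion of “secret”, so triage is pure pattern matching on what it spits out (`key=`, `https://` and so on), and encoding a string at rest only moves the problem. Once `decode_string` runs, the cleartext sits in memory, and a debugger or a hooked `strlen` will still see it; the encoding defeats the static `strings` pass, which is what the demo in the list above shows.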

How banks are securing mobile banking applications for the future

There has been a bit of a buzz around the security of financial and banking apps following an article published yesterday in the Daily Mail, which looked at reverse-engineering techniques and the damage they can do to insecure applications.

This article raises some valuable points on vulnerabilities that can exist in unprotected mobile banking applications.  A crucial element that also demands awareness is the strong security measures that many of our financial institution customers are proactively undertaking to ensure that mobile banking can be very secure.

Our customers are deploying banking apps and mobile solutions that include diverse and layered security methods that mitigate these exploits in order to make sure these hackers do not gain access to valuable data or tamper with the application.

From working closely with our customers, whether they are in the banking sector or otherwise, we know that the security of the app is one of their top priorities and an integral part of their wider mobile strategy.  By adopting technologies such as our  App Protection solutions in conjunction with additional mobile security layers, including some proprietary inventions, they are delivering apps that are tamper resistant and secure against reverse engineering.

Leading financial institutions and services companies are undertaking a set of security best practices to ensure that their innovative mobile applications are secure from modern-day threats. These include:

  • building security directly into the mobile app binary so that it is hardened against reverse engineering and hacker attacks;
  • applying secure coding practices, including rigorous app testing and vulnerability scanning with remediation;
  • deploying app security that includes policy guards (controls) that automatically check app “health” and detect jailbroken or rooted environments;
  • finally, including within the app customized reactions and safeguards that enable the bank to terminate suspicious transactions and/or contact customer support.

Banking through securely developed mobile applications can be, and is, highly secure today. In some cases it could be argued that it is more secure than online banking via a PC, as it leverages the latest innovations in security and protects against many of the newest risks and threat vectors.

Perimeter defenses are not enough – heartbleed lessons demand server side application security to protect your data and keys

Imagine waking up one morning, and discovering that even though you’ve been locking the front door, a window had been left unlocked… for the past two years.

That’s what the internet community discovered early this week. OpenSSL, a free open-source toolkit that provides the security foundation for encrypting communication, left a window open.  A window was left open on every server running OpenSSL 1.0.1 to OpenSSL 1.0.1f, for two years.

The bug, nicknamed Heartbleed (CVE-2014-0160), is a simple programming error in OpenSSL’s TLS heartbeat handling: a missing bounds check lets an attacker read up to 64 KB of server memory per request, and the request can be repeated at will. That memory may hold anything from session cookies and passwords to private keys. The exploit is unusual in that it requires no authentication and minimal sophistication, and working exploit code is trivial to distribute. The risk it presents is unprecedented.
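The programming error itself, shown as an added example in C that is not OpenSSL’s code: a simplified heartbeat handler that trusts the peer’s declared payload length (the 1.0.1 through 1.0.1f behaviour) beside one carrying the length check that 1.0.1g added. The “server heap” buffer and the secret placed in it are constructed so that the over-read stays inside memory this program owns; in the real bug the copy walks into whatever happened to be allocated next.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16   /* RFC 6520: at least 16 bytes of random padding */

typedef struct {
    const unsigned char *data;   /* record body: type(1) | payload_len(2 BE) | payload | padding */
    size_t length;               /* bytes actually received for this record */
} hb_record;

/* Vulnerable handler, modelled on tls1_process_heartbeat() in OpenSSL 1.0.1 to 1.0.1f.
 * The response size comes from the attacker-controlled payload_len field, never from the
 * real record length, so memcpy reads past the record into adjacent memory (up to 64 KB). */
static size_t heartbeat_vulnerable(const hb_record *rec, unsigned char **out)
{
    const unsigned char *p = rec->data + 1;                 /* skip the type byte */
    unsigned int payload_len = (unsigned)(p[0] << 8 | p[1]);
    p += 2;
    unsigned char *buf = malloc(3 + payload_len + HB_PADDING);
    buf[0] = HB_RESPONSE;
    buf[1] = (unsigned char)(payload_len >> 8);
    buf[2] = (unsigned char)(payload_len & 0xff);
    memcpy(buf + 3, p, payload_len);                        /* over-read when payload_len > rec->length - 3 */
    memset(buf + 3 + payload_len, 0, HB_PADDING);
    *out = buf;
    return 3 + payload_len + HB_PADDING;
}

/* Fixed handler: the bounds checks added in OpenSSL 1.0.1g. Returns 0 and sets *out on
 * success, or -1 to say the malformed heartbeat must be silently discarded. */
static int heartbeat_fixed(const hb_record *rec, unsigned char **out, size_t *out_len)
{
    if (rec->length < 1 + 2 + HB_PADDING)                   /* too short to carry any payload */
        return -1;
    const unsigned char *p = rec->data + 1;
    unsigned int payload_len = (unsigned)(p[0] << 8 | p[1]);
    p += 2;
    if (1 + 2 + (size_t)payload_len + HB_PADDING > rec->length)   /* the missing check */
        return -1;
    unsigned char *buf = malloc(3 + payload_len + HB_PADDING);
    buf[0] = HB_RESPONSE;
    buf[1] = (unsigned char)(payload_len >> 8);
    buf[2] = (unsigned char)(payload_len & 0xff);
    memcpy(buf + 3, p, payload_len);
    memset(buf + 3 + payload_len, 0, HB_PADDING);
    *out = buf;
    *out_len = 3 + payload_len + HB_PADDING;
    return 0;
}

/* --- Demo scaffolding (constructed for this example) --- */

/* A fake slice of server heap: the 20-byte heartbeat request sits at offset 0 and a secret
 * that has nothing to do with the heartbeat sits 64 bytes further on. */
static const char SECRET[] = "PRIVATE_KEY=example-not-a-real-key";
static unsigned char server_heap[1024];

static hb_record build_request(unsigned int claimed_len)
{
    memset(server_heap, 0xAA, sizeof server_heap);          /* unrelated heap contents */
    server_heap[0] = HB_REQUEST;
    server_heap[1] = (unsigned char)(claimed_len >> 8);
    server_heap[2] = (unsigned char)(claimed_len & 0xff);
    server_heap[3] = 'X';                                   /* the single real payload byte */
    memcpy(server_heap + 64, SECRET, sizeof SECRET);
    hb_record rec = { server_heap, 1 + 2 + 1 + HB_PADDING }; /* 20 bytes actually received */
    return rec;
}

static int contains(const unsigned char *hay, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return 1;
    return 0;
}

/* Claim 512 bytes of payload while sending 1: the vulnerable code echoes 512 bytes of heap. */
int demo_vulnerable_leaks_secret(void)
{
    hb_record rec = build_request(512);
    unsigned char *resp;
    size_t n = heartbeat_vulnerable(&rec, &resp);
    int leaked = contains(resp, n, SECRET);
    free(resp);
    return leaked;                                          /* 1: the secret is in the response */
}

int demo_fixed_rejects_oversized(void)
{
    hb_record rec = build_request(512);
    unsigned char *resp; size_t n;
    return heartbeat_fixed(&rec, &resp, &n) == -1;          /* 1: discarded, nothing echoed */
}

int demo_fixed_echoes_honest_request(void)
{
    hb_record rec = build_request(1);
    unsigned char *resp; size_t n;
    if (heartbeat_fixed(&rec, &resp, &n) != 0) return 0;
    int ok = (n == 20 && resp[0] == HB_RESPONSE && resp[3] == 'X');
    free(resp);
    return ok;                                              /* 1 */
}
```

The whole fix is one comparison between a length the peer claims and a length the server knows. The detection side is just as simple to reason about: a heartbeat request whose declared payload length exceeds the TLS record that carried it is malformed by definition and can be alerted on at the network layer.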

Renowned security expert Bruce Schneier rates this bug, on a severity scale of 1 to 10, as an 11. Schneier goes on to say that, given the incredible length of the exposure, even once patched we must assume that all private keys have been compromised, all passwords have been stolen, and anything really is vulnerable.

The mitigation prescribed by multiple leading experts is twofold. First, the relatively low-cost update of server-side packages (ironically, it was diligent updating that exposed servers to this bug, since it arrived with the 1.0.1 release). Second, regenerate the compromised secrets: public/private key pairs, SSL certificates (revoking the old ones), and every password. Let’s consider what this second mitigation achieves.

Netcraft reports that over 500,000 sites are vulnerable. The world now engages in a massive effort, of unimaginable cost, to reverse the effects of a careless coding error. And yet, even if all 500,000 sites are updated and every key pair, certificate and password changed, we have only returned to the state of internet security as it stood at the end of 2011!

A window open for two-years closes, but the mitigation is not complete.  We’ve seen the Android Master Key vulnerability, the Target breach, and now heartbleed demonstrate that once perimeter defenses are broken the crown jewels are exposed for the taking. Time after time, a breach occurs and a reactive mitigation is applied.

The Heartbleed bug changes what must be considered a viable attack surface for server-side exploits. Internal data has now been proven reachable from the outside, and perimeter defense will only delay the next breach in which the heart of the enterprise is exposed through a memory-disclosure vulnerability again.

A layered approach that leverages security at the application layer is critical and obviously necessary.

Arxan’s Application Protection Platform provides binary hardening to protect the applications that hold a business’s core assets: data and keys. It embeds active Data Obfuscation Guards without changing server-side source code, so that sensitive data such as user credentials, passwords or identifiers is held in obfuscated form rather than plaintext, and what a memory-disclosure attack returns is far less useful to the attacker. The caveat a practitioner should note is that data has to be in the clear at the moment it is used, so obfuscation narrows the window of exposure rather than closing it entirely.

Arxan’s durable key protection can also be embedded directly into server-side code, protecting critical key material within server-side logic before deployment. Enterprise server keys and certificates then carry their own protection, so that even if perimeter defenses are breached again and server-side keys are pulled down, they are not in clear text or directly usable.

Clearly we must unlearn the misconception that server-side code cannot be reached from client machines. Moving forward, and learning from the pain and cost of the Heartbleed breach, the lesson for security professionals is that reading server memory from the outside is possible and will likely happen again. Enterprise security strategies must evolve beyond their 2011 state to incorporate additional layers of server-side protection.

Arxan security experts strongly advise deploying a holistic security solution that protects the soft and vulnerable center of an enterprise, so that once perimeter defenses (the crusty exterior) are defeated, the internals, where data and keys reside, are not left defenseless. Layering in Arxan’s Application Protection Platform hardens that soft interior of server-side memory to mitigate enterprise risk and loss. This defense-in-depth approach means that even if another memory-disclosure attack such as Heartbleed occurs, valuable data and keys are preserved and significant breach-related costs avoided.

 

Securing the Internet of Things

Interest in The Internet of Things (IoT) continues to grow as people and companies get more and more excited about the opportunities presented by a world of connected devices and massive data collection.

Recently a consortium of major names, including Intel and IBM, announced that they will work to set standards and guidelines across industries to better support the evolution of IoT. According to the consortium’s website, there are four main principles it will focus on.

Internet of Things Consortium Principles:

  • “Value: Make consumers’ lives more efficient, safer and seamless.
  • Data: Help consumers understand the benefits and value of their data.
  • Security: Build consumer confidence around IoT experiences.
  • Design: Delight consumers with intuitive design and usability.”

We’re glad to see bullet point number three up there. Since many connected devices are controlled by applications, securing those applications must be a top priority. If they are left unprotected, major privacy and security problems for businesses and consumers can arise.

At Arxan the goal is to secure these evolving technologies so that the IoT can grow without its products being vulnerable to targeted attacks, and we applaud the new consortium’s commitment to securing the “things” of the future. Check out our Application Integrity Protection Products to see how we apply hardening technology against tampering, piracy, and unauthorized use of the mobile apps that power the enterprise.