Scott: Well, hi everyone, this is Scott King over at Zimperium, and I am joined by my esteemed partner and colleague Jacques Cares over at Guardsquare. Today we're going to talk about why your app may not be as secure as you think. A little bit about our agenda today: we're going to give you an overview of a couple of pieces of research on over 3,000 mobile banking and financial services apps; we're going to provide some real examples of what could happen if you don't properly secure your app; some app shielding best practices; we're going to review the OWASP Mobile Top 10 and how these apps graded against those compliance policies; some app rankings, so we did actually score them on a 0 to 100 scale and we'll provide you some numbers on how these apps actually ranked; some recommendations and resources; and then we actually asked every one of the registrants if they had any questions today, and we had some questions submitted, so we're going to review those at the end. So Jacques, anything to open the session before we get started?

Jacques: Yeah, definitely. When we did that report, these analyses of these applications, it was driven by the fact that we saw some external research which showed us that apps were not at all protected, or very little protected. So let's say reports showed that 75% of the apps were not fulfilling the basic security requirements. So then we said, okay, let's look into that a bit deeper and let's analyze that, and that's where we came up with that study. So keen to share more information on that.

Scott: Okay, nice. So first I'd like to share a little bit about PSD2. This is the Payment Services Directive, the second go-around, and really this was driven because all of the banks and all of the consumers started using mobile devices for mobile payments. But I'd really like to call out a specific section in PSD2: specifically, Article 9 in the regulation states that you must put mechanisms in place to ensure that the software or the device has not been altered by the payer or by a third party. And Jacques, that third party could be anyone, right? So what are we protecting against?

Jacques: Well, exactly. We protect against that information which then has to be shared by banks to third parties; that API should be very well protected, because it's going into the wild world, I would say. So that's why it is important. Another thing I would like to add: some say PSD2, okay, it's a European directive, a regulation, but let's relate it to open banking. We see that many countries around the world are also adopting these same specifications, some a bit slower than others, but we see that in Asia, in the Middle East, and also in Latin America, where some countries are also applying the same regulation. So to say this is only applicable to Europe is also a shortcut, I would say.

Scott: Yeah, I think that's a good point, Jacques. PSD2 does have a ripple effect, as does GDPR, so you'll see other countries, specifically in the U.S. here, the California Consumer Privacy Act really followed on from the lead of GDPR. So same thing with PSD2. So first off I want to talk a little bit about what can happen to your app if someone is looking for information from it. So here we've got: lack of obfuscation can lead to static reverse engineering. So really, what our attacker is looking for: they're looking to gain insight into a critical process, they're looking for vulnerabilities that they can exploit, and really what they're doing is looking to bypass any security software that you may have in your app, and how they can find embedded credentials. And then on the bottom left-hand side these are some of the tools available to hackers and to reverse engineers on how they can attack your app and how they can inspect it for vulnerabilities and maybe accidental information that is left behind. And Jacques, we have a couple of real-world examples where this has actually happened.

Jacques: Let me add one thing here. Okay, we talked a bit about lack of obfuscation, which is static protection, but it also has its impact on the dynamic protection. We will talk about that a bit later, but we see that if your static protection is not okay, it will also influence your dynamic protection. But we will come to that later.

Scott: Exactly, exactly. One of the most notable examples where a mobile app was reverse engineered in order to steal money from a bank was Tesco Bank. So essentially what happened is weaknesses in the mobile app displayed information to the attackers: credentials and API logins. So essentially they discovered some information, they went in overnight, stole two and a half million pounds of customers' money from over 9,000 different accounts, all overnight. They've never been caught, and the fine for this was pretty severe: sixteen point four million pounds for failing to exercise due skill and care. Do you have any comments on this, Jacques?

Jacques: No, it's a good example, because sometimes you say, okay, it's about stealing credentials and information which can be reused; here we really talk about money which was stolen. So that's an example which speaks to the imagination, I would say.

Scott: Yeah, that really probably hurt whoever was in charge of that, so I feel for him. Another example was the Bitfi wallet. So this is a Bitcoin wallet; it was actually hacked twice. They put out a bug bounty and offered to pay attackers that could get into the app, and they were actually able to get into the app quite easily. Turns out Bitfi didn't actually want to pay the bug bounty after this was done twice, so pretty interesting. Another area that we at Zimperium get a lot of questions about is bank impersonation overlays, and specifically BankBot. So these attacks leverage malicious mobile apps. They get them on your phone; the malicious mobile app can then inspect which other applications you have on your device. If they see a mobile banking app, then they go and fetch the image, and when you attempt to log in, they place that over your mobile app, and you actually surrender your credentials directly to the attacker without you knowing it. So these are specifically crafted apps, and the malware is specifically crafted for specific banks. You can look up a list of banks that are actually targeted; if you're interested whether your bank is targeted by this attack, you can ask me later, or google it, google your bank name and BankBot and see if you're on a list. These are really, really dangerous, and users really don't know that they've succumbed to this attack. Right, Jacques?

Jacques: Yeah, indeed, and it's amazing to see the figures that are available about 2018, where they saw an increase over a year of 200% of trojans, so malware which has been installed, and also that same period saw an increase of six hundred and fifty percent of the fake applications which are stored and available. So it means that there is a tremendous increase of that kind of malware or fake apps which are misleading the users, and yeah, with a lot of consequences.

Scott: Yeah, and unfortunately, Jacques, the reason that you're seeing the increase in that type of activity is that the return on investment for an attacker to attack a banking app is high; it's upwards of four hundred percent. So the level of effort taken to create this malware and to create these overlay attacks, it pays off in the end. You can make four hundred percent on your time and your money, because these guys work in real shops and have daytime hours to construct this malware, and unfortunately you and I have to help everybody defend their apps, right? So in this instance, the malware that we looked at specifically, BankBot, 65% of the apps that we looked at were susceptible to BankBot attacks.

Jacques: Yeah, yeah, indeed, it's a bit worrying to see that figure, and yeah, I mean that's why we started our study, which I will explain a bit more now. So what we did: we analyzed more than three thousand Android applications of leading financial institutions all over the world, and these were some of the outcomes, the results that we saw. We saw over the different regions fairly the same amount of lack of protection, so from Africa over Europe and North America there is quite a fairly steady amount to be noticed. We also did an analysis more on the industry, so the market, if you can show that slide, where we see there are a bit more discrepancies. We analyzed really banking apps, card applications which were related to credit card applications and such, and payment and wallets. So what we see is bigger protection for wallet apps. That's probably historically explainable, because many are related to card schemes, and these guys are very strongly regulated and they are already imposing very strong rules on themselves: Mastercard, Visa, Amex, so the EMVCo regulation. So in that sense it's not a surprise that from all the markets they are the best protected, I would say.

Scott: And Jacques, on that point, do you think that is because of the self-regulation from the card companies?

Jacques: Yeah, definitely. Okay, it starts not by PSD2 but by PCI here, so they're imposing, and now we see also that these card schemes, of course, cannot impose these regulations yet on their members, which they can for really payment applications; for mobile apps they cannot yet. But what they do: they try already to secure their wallets, which they offer to banks to install in their application, so these mobile APIs or SDKs are strongly protected, and of course they are trying now, in new regulations which are being developed in the association, to also impose that more and more. But it's not yet there, of course.

Scott: Interesting, interesting.

Jacques: So if we sum that up, we see that a bit less than fifty percent have some obfuscation in place, which means that more than half of them don't have any protection against static attacks, which is kind of worrying. And if we then see the ones which have some protection in place, or pretend that they have, 80% of those are using our open source product, which is called ProGuard, and that product is mainly an optimizer. Just a few words on that: the optimizer means that it shrinks and it makes the app faster, and that's a product which has been on the market for a very long time, because in the past, in 2001, 2002, when it was created, it was meant to really reduce the size, because the smartphones were not that powerful. So we had a very thin layer of protection, of obfuscation, but that's really a very thin layer, and people think, okay, they have been using that, there is also mention of obfuscation, so they think that's more than enough, which is totally not the case, because that product is not meant for, has never been developed for, security reasons. So if you take that into account, it means that less than 10 percent of the applications of these financial institutions use a kind of strong protection, which is a bit worrying.

Scott: Well, that's a very small number. So you're saying less than 10 percent actually use kind of a full obfuscation method, right? Well, that is surprising. So as part of our research over at Zimperium we took a look at the OWASP Mobile Top 10. So these are a set of practices that developers follow, and what we did is we actually scored all of the apps together on a zero to 100 percentile. So you can see at the top, Improper Platform Usage, that bar is completely green, so that means a hundred percent of these apps pass for that rule there, and then you can follow on down the line. The red means failure, so M2, Insecure Data Storage, so really unintended data leakage is the thing we're looking for: 97% of those apps actually fail for that. And you go on down the line and you look at M9, which is Reverse Engineering, and that was really the point of today's presentation: how can I shield or harden my app from being reverse engineered? A hundred percent of the iOS apps in our study actually failed for reverse engineering. Now, that doesn't mean that they don't have any type of obfuscation; that means there are exposures in the app that can be exploited, and those would include code and APIs. So if you leave an API open, obviously that exposes some information; otherwise, if you obfuscated that, the app couldn't communicate correctly to external sources. So you need to have extra checks on your API security as well. Now if we move to Android, the chart looks a little bit different: Insecure Data Storage, fewer apps fail for that; Insecure Communication, fewer apps fail for that; but again, on Reverse Engineering, a hundred percent of the apps fail. So you really just need to take a look at why you're failing, make sure that you're comfortable with the reasons that the reporting mechanism is telling you that you're failing, and if you're not comfortable with it, do some further research to make sure that you're not exposing your app and your assets and your connections to attackers out in the wild.

Jacques: A small commentary from my side: you see that the same failures are appearing on iOS as on Android. Okay, there are some differences, but that's something where we often come across some comments, people who say, okay, Android, okay, I can understand, but iOS is secure, so I don't need to worry, which shows that it's not really the case. And also other studies are really indicating that today we can say that for every ten Android applications which are being hacked, six are iOS apps, so it's really catching up, and to say that the iOS community is safe is totally incorrect.

Scott: Yeah, it really is. When you talk about APIs and connections, both apps use the same connection. The protocols themselves, sometimes there's a vulnerability in the protocol itself, for instance Wi-Fi or Bluetooth or NFC, and that is not platform dependent. And then also with Android, the fragmentation may help you a little bit, in terms of an exploit constructed for a certain operating system is only good for a smaller percentage, whereas for iOS about seventy-five percent of the devices are kept up to date, or twenty-five percent are not. So it really depends; it's always an argument, but you really need to look at the protocols themselves and supply chain attacks. Take a look at Magecart; that's not platform dependent either. All right, so here is our scatter chart for privacy and security risk scores for the iOS mobile banking apps in our sample. So the scores are from a 0 to 100 scale on both privacy and security. The apps represented in the lower left-hand corner are the most secure and have the least chance of leaking data through the app; the apps in the upper right-hand corner, where you get closer to a hundred, these apps are most susceptible to data leakage, and they have higher scores for security, which means that in the weighted average and how these scores are calculated, the more problems you have, the higher your score. And some of these are related to authentication methods: you can override SSL or TLS chain validations; about 1/4 allow unsecured and unverified connections to servers with lower TLS versions; there is a high percentage in this chart that implement whistling API calls that could be manipulated; there are non-secure HTTP proxies in here; there are private access frameworks for iOS; and again, some have additional libraries in the app that shouldn't be there. So if you'd like to take a look at why these are the exact reasons and the exact percentages, just download the research and you can take a closer look. Same here with Android, so a 0 to 100 score. From platform to platform, from iOS to Android, it doesn't make sense to compare them to each other, but within a platform, so inside of Android, you'll notice that the dots move; the pattern, if I go back and forth, is a little bit different, but what you want to look at is where you are relative to the others. Some of the Android apps in the upper right-hand corner, some of the problems: 90% of the apps enable WebView to execute JavaScript code. If the app is connecting to a bank's website to show pages in the app, and the bank's website uses JavaScript, that is a different reason, but however it's best not to use JavaScript in there. Many of these apps use insecure data storage; they actually use world-readable, world-writable data stores in the app. And then two of these apps scored really, really high because they have an additional Android application bundled inside the mobile banking app, so you definitely need to take a look at that and understand why that is there. And again, if you want additional detail, just take a look at the research, and we'll provide that link to you at the end of the session. So Jacques, what are some best practices and recommendations for our audience today?

Jacques: Yes, okay. So there are different things which need to be done, or can be done, without impacting your user experience, and that's first of all to apply multiple obfuscation techniques. We already saw that many, many apps are not obfuscated and encrypted, so to use these techniques, that's definitely an important thing. We also talked about RASP, so the runtime protection mechanisms and the detection of threats, but you have to see that in combination, because we've seen in the past, and there is a famous example of a big German savings bank which was hacked, ethically, luckily for them. They were implementing a fairly strong RASP protection, but they didn't protect against static attacks, so no obfuscation or very little obfuscation, and the hackers were able to retrieve the intelligence of that RASP, and by doing so they could build malware to bypass these protections. So the combination of the two is really important. And yeah, of course it's important to take that into account in your development cycles. People invest a lot in their user interface, which is right of course, because that's key in the experience that the customer has with that application, but if they forget to implement all the security, it doesn't have to be so time-consuming, but if they forget, then the risks can be tremendous. And that's why we can only advise to spend some time and some budget on implementing these obfuscation and RASP techniques, and then also the database remediation, that's also important, because there they can gather information on how they can improve their protection base.

Scott: Yeah, your German example, Jacques, goes back to what we talked about earlier with understanding security checks and security methods inside your app. So it sounds like these guys weren't hiding their methods very well and were exploited. So hopefully no harm; you said it was an ethical hack, so no harm, right?

Jacques: No.

Scott: All right, good, good. I don't know if you have other things to add. Yeah, I mean, essentially I would say don't take your current state for granted; just research why your app scores the way it does, make sure that you're comfortable with it, because many of the apps that we looked at are multiple versions old, right? And teams change, methods change, so you could have code in there that is deprecated. For instance, inside our research there is a deprecated SDK used by about 12% of the apps, and it's completely vulnerable; you can download exploits for it on the Internet, yet it still lives on in subsequent versions of the app, because really no one's just taking a look at it. So it's really dangerous, and if I can find it, then somebody else can very easily. So some of the research that we used today is available on the internet. You can download the full Financial Application Security Report from Guardsquare, and Mobile Banking Apps Are Not Created Equal from Zimperium, and we'll supply these links to you as well in the follow-up email, so you don't have to try and write those down. And so we did have some questions, Jacques, on registration, and I believe we have one extra question today; I'll take a look at that. So we had people register for this presentation, and one of the questions that came in was: what guidelines can we use to make our Android app highly secure yet very friendly to use? So Jacques, what do you have to say about that?

Jacques: Well, there are guidelines available which are clearly stating what best practices are, and of course by using some obfuscation and RASP techniques they can definitely help. We can provide these guidelines in more detail if we have that available, but we can share; it's also available on our website. So yeah, I don't know if you have...

Scott: Yeah, I mean, usability and security is a fine line, but you have to make it friendly to use. If users don't use your app and don't give you good reviews in the App Store and Play, if they leave a bad review, I know that Google just implemented some algorithm changes on reviews, they're using more recent reviews in terms of weighting, so it pushes your app down. Plus, I'm sure people are measured on this that actually developed this app.

Jacques: What's important to add there is that the guidelines don't need to impact the user friendliness. So it's not by adding security in line with the guidelines that you will decrease the user friendliness of your application, at least with using our tools; it really doesn't have to be so. That's an important thing.

Scott: Right, yeah, they're not dependent. The only way to have 100% security would be to not have a mobile app, and not having a mobile app is completely unusable, so there's a line in there somewhere. So the second question, Jacques, that we had: what is the business impact if the banks need to limit their customer transactions from a compromised mobile device?

Jacques: Well, I would say the good thing is that by installing some RASP and some monitoring they can of course avoid any impact, and when there are alerts, if they install, let's say, alerts on devices and things like that, that information can be programmed so that they can put the boundaries where and what they want to do. Because often these devices are not necessarily damageable or don't have very severe malware; it could be. So there it's up to the bank, and with the software that we propose they are able to put the different boundaries of what they want to do: if they want to block the application, if they want to let it go, or something in between. So that's really the good thing: it can be monitored upfront, and rules can be put in place, and then if you add monitoring that's even more powerful, because then you can monitor that more closely, I would say.

Scott: Yeah, I really appreciate this question from whoever asked this, because they talk about the business impact of limiting a transaction. It really is a business decision, but as a developer you have to enable that data to be read by the business. So if you don't have any checks or detection in your app that will actually detect a compromised device, you cannot provide that data back to the business. So I think that would be number one: you have to have some type of mobile threat defense and detection inside of your app, therefore that produces that data, right? So we talked about the database remediation decisions on the previous slide; this goes directly from that. So you have to have something inside your mobile app to detect that on a third-party device, so this is an unmanaged device that your user is using. So I really like that.

Jacques: And in the meantime you've already something in place, because when the app is out there, I mean when you program that and configure the security tools, you can already define some business rules which you have agreed with the business units on: if this, then we apply that. And that's already a check and a security mechanism, and then if you monitor, then you have a strong ecosystem, I would say.

Scott: Okay, and then so we've got some more questions that are coming in, and I'll take a look at those. The last question that was submitted before the session: how can we enhance security within a patient app that communicates with medical devices? Same way. So you really need to be securing any type of medical app, specifically with patient information that you don't want to be reversed on the patient's device, so who knows what the health of the patient's device is. In communicating with medical devices, a lot of times, like I said earlier, the protocols themselves are vulnerable, so any communication between the app and the medical device is susceptible to hacking. There are examples on the internet where people have broken into pacemakers and things like that that are actually internal to somebody's body and manipulated it, like unlocking a car with a mobile app.

Jacques: Mm-hmm.

Scott: So some of the other questions that have come in, Jacques: as an iOS developer starting on Android, is there a development or checklist guide on implementing secure Android applications, and what do you think about SSL pinning? So yes, I do have a checklist; we're not going to talk about it today. And SSL pinning, yes, I recommend it, and I also recommend some type of man-in-the-middle and network attack type of defense as well.

Jacques: Yep, I agree, and the checklist here we can communicate to people.

Scott: Yeah, I've got your email address, so I'll send you the checklist; it's in another presentation. And then the last question for today, Jacques, I know the answer to this one because we do this type of research: do you see other types of apps that are more or less secure? Actually, yes, we have three other research pieces on travel apps, shopping apps, and tomorrow there will be dating apps. And yes, some are more or less secure. I will say that the financial services apps, even though they are pretty scary, they tend to be most secure, because actually they get the most resources assigned to them; there are bigger teams. So Jacques, thank you very much for joining me for this presentation today. I really appreciated your insight on the Guardsquare research. Any closing thoughts?

Jacques: No, thank you for the invitation, Scott, and I'm hoping to answer further questions. You have my email address, so do not hesitate to drop me a mail.

Scott: Okay, thank you very much. Yeah, if you have any further questions, go ahead and ask them directly to Jacques or myself. Thank you so much for joining, and have a great rest of your day.

Jacques: Thank you.