Mobile application protection
@GuardSquare www.guardsquare.com
Heidi Rakels 13/01/2017
Problem: mobile apps are easy to attack
Reverse-engineered in 2 minutes!
Insert malware
Example:
Solution: self defending apps
Mobile application protection
With multiple layers of sophisticated protection
• Encryption
• Obfuscation
• Debug detection
• Emulator detection
• Root detection
• Secure storage
• …
Protection against dynamic attacks
• Compromised device
Rooted device, debugger, emulator
• Network attacks
Man-in-the-middle attacks (MitM), network traffic sniffing
Combine static and dynamic protection
Dynamic protection (RASP)
Static protection
Most companies only focus on dynamic protection
Hacker tools crash or produce nonsense when the app is protected
Hacker tools crash or produce nonsense
App attack
Security of European banking apps
• 75% minimal protection: our free product ProGuard
• 11% full protection: 8% our product DexGuard, 3% others
• 14% no protection
Developers are not security engineers
• They focus on user experience
• Security is complex
• Security is overhead
• Security is bad for usability
Security comes at the end of the development cycle
“Let’s encrypt it”
“We do pen tests”
We are safe!