Trusted Application Kit (T.A.K) A Short Introduction
March 2019
Protecting our personal data | www.build38.com
Table of Contents
1. Protecting our personal data
2. Software security
2.1 The economics of attacks
2.2 The goals of software security
3. Trusted Application Kit (T.A.K)
3.1 What is T.A.K?
3.2 T.A.K is a multi-layer app security framework
3.3 Six security modules – tick off your security controls
3.4 T.A.K security concept
3.5 T.A.K threat protection
3.6 T.A.K ecosystem overview
3.7 Deploying T.A.K protected applications
3.8 How does T.A.K work
3.9 Rental Car app – T.A.K protects access keys
4. Summary
4.1 Go for it – you are safe
4.2 T.A.K technology highlights
4.3 T.A.K and software security
List of figures
Disclaimer
About Build38
Build38
1. Protecting our personal data
Over the past decade, the exponential rise in the use of mobile
devices has transformed the way we live. This transformation has
been accompanied by increasingly sophisticated criminal attempts
to access the devices we use and depend upon. As our personal
and work data is the prize, only the best security will suffice.
By 2020, annual app store downloads could rise to around 284
billion. Developers recognize that trust is of the utmost importance
when it comes to keeping and attracting customers. In order to
best serve customers, developers must provide secure and
convenient mobile applications. Build38’s Trusted Application Kit
(T.A.K) is a mobile security framework for mobile operating
systems, used by developers. T.A.K is built into the application
during the design phase, not retrofitted. Moreover, T.A.K can be
used as a stand-alone solution or alongside other security
technologies.
By preventing the unauthorized analysis, modification, copying,
and usage of the most security-relevant parts of a mobile
application, T.A.K does exactly what customers expect and demand:
it prevents access to that all-important user information.
2. Software security
2.1 The economics of attacks
Attacks are generally divided into two phases: the engineering
phase (also called ‘exploit identification’) and the exploitation
phase (see Figure 1).
During the engineering phase, an attacker discovers an exploit, but
still needs to spend time and invest money to industrialize the
exploit and make it applicable to the mass market. The goal of an
attacker is usually to earn as much money as possible by attacking
as many devices as possible, for as long as possible.
Figure 1: The economics of attacks
2.2 The goals of software security
The overall goal of software security is to make life more difficult
for attackers, to frustrate them, and to make potential targets as
unattractive as possible. The second goal is to raise the bar, by
making attacks far too difficult for hobbyists (e.g. script kiddies).
In the engineering phase (see Figure 2), attackers must invest
more money in hacking tools. Adding extra protection forces
attackers to invest more time, continue spending on tools or
perhaps to build the tools required for an attack. This prolongs the
overall process (arrow t1 in Figure 2) and adds an extra layer of
frustration.
In the exploitation phase (see Figure 2), attackers’ earnings are
limited by providing as much diversity as possible. Once an
attacker enters door number one, three more paths are presented,
requiring additional application analysis and observation. And if a
mobile application is updated regularly, for example, every thirty
days, attackers must start over every time. The aim of software
security is therefore to minimize industrialization and shorten the
impact of attacks (arrow t2 in Figure 2).
Figure 2: Software security measures
3. Trusted Application Kit (T.A.K)
3.1 What is T.A.K?
T.A.K is a collection of security functions every (native) app
developer needs to implement in order to develop more secure
mobile applications, e.g. secure communication, secure storage,
etc. The security approach deployed by T.A.K is based on a client-
and-server principle: The T.A.K-Client and the T.A.K Cloud.
The T.A.K-Client is provided to developers / service providers as a
low-level native library, in binary format, with code obfuscation
applied (low-level as compared to a high-level programming
language like Java). This makes reverse engineering far more
difficult for attackers. In contrast, Java can be more easily reverse
engineered.
T.A.K relies on a secure communication channel between the
T.A.K-Client and the T.A.K Cloud. The secure communication
channel principle can also be used to enable secure communication
between the T.A.K-Client and the Service Provider (SP)-server.
This approach prevents network sniffing.
The T.A.K Cloud tracks the status of the T.A.K library and the end
device. This means T.A.K provides active protection to the
application(s). In other words, the T.A.K-Client is built into an
application during the development process, and while the end
user actively uses the application, it can be monitored for
suspicious behavior. The T.A.K Cloud would know whether the
original device or a rooted device were being used, for example.
T.A.K provides a higher level of security for mobile applications
produced by financial institutions, enterprise services, insurance
companies, and the automotive industry, among others. The
protection T.A.K provides is not visible to the end user, yet it offers
a higher level of application security for confidential data.
In general, when data is at rest or in transit, T.A.K offers the most
secure means of protecting sensitive or confidential data.
3.2 T.A.K is a multi-layer app security framework
The T.A.K-Client is a software-based security solution that
incorporates many different layers of software security
technologies (like an onion) to strengthen the level of security.
The onion-like concept of the different security walls aims to hinder
any attacker to such an extent that the time required to extract
assets exceeds the interval at which the application is regularly
updated. It offers the best possible application security by
applying all security features at the same time (see Figure 3).
Figure 3: T.A.K is a multi-layered application security framework
The layer “Native Code Protection” prevents the binary code of the
library from being easily reverse engineered and manipulated by
hackers.
The T.A.K layer “Enhanced Security Functions” provides unique
security features and functionality, grouped in six different
modules. These are described in more detail in the next chapter.
Summarizing, T.A.K protects confidential or sensitive data, e.g. the
user’s data. It also prevents code lifting, a method whereby the
application is copied from one mobile device and then used on
another mobile device in order to exploit the application.
3.3 Six security modules – tick off your security controls
This chapter briefly describes the six security modules. Each of the
modules contains a great variety of features and functionality.
Figure 4: Six Security Modules – tick off your security controls
Secure Memory Management offers various means to encrypt
and decrypt data with a wide variety of characteristics: from
reading and writing certificates in a rather slow but highly secure
mode to encrypting hundreds of megabytes of data in seconds, and
from a hardened, attack-resistant software implementation of
cryptography up to hardware-backed storage.
Connectivity Management makes sure that the mobile app’s
connections are always secure and ensures secure API usage.
Privilege Escalation Prevention detects commonly known issues
like rooting and jailbreaking. At the same time, the runtime integrity
of the T.A.K-Client is ensured.
Environment Detection aims at detecting the environment the
mobile app is running in, e.g. the environment it was initially
installed in, or whether it is currently attached to a debugger or
running in a virtual machine.
Administration takes care of the personalization of a mobile app,
meaning that a mobile app is bound to a specific device. It also
provides automated certificate and key management, as well as
app security management.
Threat and Fraud Prevention protects the resources and files of
a mobile app, protects its identity, and protects apps from being
misused by bots or as bots. The trust level provides valuable insight
into a service provider’s T.A.K-protected mobile app on a specific
device. It also provides the data input for the server-based insights
and analytics.
3.4 T.A.K security concept
The T.A.K-Client is a software-based security solution that
incorporates many different layers of software security
technologies (like an onion) to strengthen the level of security. Its
goal is to provide a mobile application hardened against threats.
It implements four different functional blocks to prevent threats,
to detect threats and to respond to detected threats in an
appropriate manner. In combination with the T.A.K-Server, threats
can also be predicted and countermeasures taken on the service
provider’s server side, thereby preventing fraud.
Overall, all four functional blocks are always active, meaning that
in combination they allow continuous monitoring and analytics of a
T.A.K-protected mobile application. See Figure 5 for an overview.
Figure 5: T.A.K Security Framework
Hardening against threats already happens when implementing
the hardened T.A.K-Client library, and once the T.A.K hardened
mobile app is installed and executed for the first time, the
application hardening goes into the second phase.
Preventing threats is achieved by hardening the system and
isolating functionality from the underlying operating systems. Also,
the attacker’s attention is diverted here.
Detecting threats means that security-relevant incidents are
detected and contained. For example, manipulation of the API
within the app, use of wrong certificates for communication, or a
cloned mobile app are part of this step.
Responding to threats is equally important as both preventing
and detecting threats. It allows the app to react independently
out in the field by taking predefined actions in response to a
detected threat.
The security status of each single mobile application and device is
monitored by the T.A.K-Server. This allows the prediction of
attacks, but also allows making a proactive exposure assessment.
3.5 T.A.K threat protection
T.A.K protects against a wide variety of threats (see Figure 6), from
more common threats like reverse engineering and code lifting up
to highly sophisticated attacks like side channel attacks. T.A.K
could therefore also be called the Swiss Army knife of threat
protection.
Figure 6: T.A.K protects against threats (selection)
Almost all modules are actively involved in threat prevention or
detection. The following gives a high-level overview with example
use cases and functionality.
The functions within the Secure Memory Management module
are designed and implemented in such a way that key extraction or
successful side channel attacks are prevented.
The Connectivity Management module prevents sniffing of
network data between the T.A.K-Client and the T.A.K-Server, but
also ensures secure transmission of data from the mobile
application to the service provider’s backend. In addition, any
manipulation of the T.A.K API is detected.
The Privilege Escalation Prevention module detects rooting or
jailbreak attempts and also ensures the integrity of the T.A.K-Client.
The Environment Detection module detects any change in the
runtime environment, for example if the mobile app has been
cloned to another device.
The Threat and Fraud Prevention module protects resources
and app specific files from manipulation and provides input for the
trust level of a mobile app and device that service providers can
query. It also protects the mobile app from being misused by and
as bots.
All six security modules are hardened by applying native code
protection to them, as T.A.K is a native code library. This is the
outer layer of T.A.K protection, which prevents code manipulation
and ensures that reverse engineering is a cumbersome task.
3.6 T.A.K ecosystem overview
As previously mentioned, T.A.K is more than just a native client
library that offers security to app developers or service providers.
The following section discusses the T.A.K ecosystem, a software
security framework.
T.A.K is based on a client-server architecture, and its main
components are the T.A.K-Client and the T.A.K Cloud. The T.A.K
Cloud delivers several benefits to various stakeholders of the
ecosystem.
If you are a firm believer in ‘Trust is essential, control is better’,
then you as a service provider should integrate the Verify I/F for
fraud prevention (see Figure 7). Your server-side decision can then
be based on an outside opinion (the “Trust Level”) rather than on
what the app tells you.
Marketeers and security experts will benefit from the various
dashboards provided to you. In line with the saying “knowledge is
power”, they deliver great insights and analytics. Make use of the
information gained, get to know what your mobile apps are doing,
and fight potential threats and fraud early.
Launch mobile apps and new services faster than anyone else.
This already starts with your own developers or your development
company: be faster during build, test and deploy. Integrate our
tools and APIs into the DevOps cycle for improved continuous
development and continuous integration.
Figure 7: T.A.K ecosystem overview
3.7 Deploying T.A.K protected applications
Service providers and their developers always receive a software
library tailored to their requirements. This also includes
documentation enriched with multimedia content and self-study
examples.
Even if you use T.A.K for two different projects, we ensure that
the library looks different on the surface, both in size and in direct
code comparison, although you use the same range of functions in
both cases. This is part of the security precautions.
Today, mobile applications are regularly updated for a variety of
reasons, such as user interface modifications or the provision of
new functionality. T.A.K updates can be included in this workflow
without interruptions. Build38 therefore recommends that service
providers and their developers regularly request a new build of the
specific T.A.K. client library and update the mobile application
accordingly. This ensures that application security remains at the
highest level.
However, the service provider and its developer remain responsible
for distributing the app through app stores such as iTunes (Apple)
or Play Store (Google).
3.8 How does T.A.K work
Once the user has downloaded the T.A.K-protected app from an
App Store and is running it for the first time on their mobile device,
the T.A.K client library will contact the T.A.K Cloud to perform
some background security checks to ensure the integrity of the
mobile app. Based on these checks, the app either runs or refuses
to run and, if necessary, informs the user of the reason.
The service provider's server (usually a web or application server)
can also use the T.A.K Cloud to perform an out-of-band (OOB)
security check, i.e. a check via a second and independent
communication channel. Thus, the T.A.K Cloud also enables risk
and threat management, and an independent risk assessment can
be performed by the service provider on its servers rather than by
the application itself. Although not mandatory, this step is highly
recommended by Build38 as it further minimizes the risk of misuse
or manipulation of the mobile application by the hacker. The use
of an OOB check provides an additional layer of security in the
background that is not visible to the hacker.
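The server-side OOB check described above, sketched as an added Python example (not Build38's code and not the T.A.K API): the T.A.K Cloud's Verify I/F is replaced by an in-memory `TrustOracle` stub, and the trust-level names, the request fields and the decision policy are assumptions chosen for illustration. The point it demonstrates is that the service provider's server decides from the independent verdict, handles an unreachable trust channel explicitly, and flags the case where the app's own claim contradicts the outside opinion.

```python
"""Out-of-band (OOB) trust check on the service provider's server.

Added example, not Build38 code. The T.A.K Cloud 'Verify I/F' is replaced
by an in-memory stub (TrustOracle); trust-level values, request fields and
the policy below are assumptions for illustration only.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class TrustLevel(Enum):
    NORMAL = "normal protected"   # states named in the text; values assumed
    ROOTED = "rooted"
    EMULATED = "emulated"
    UNKNOWN = "unknown"           # device never registered with the trust service


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    suspicious: bool = False      # app's self-report contradicts the OOB verdict


class TrustOracle:
    """Stand-in for the second, independent channel (SP-server -> T.A.K Cloud)."""

    def __init__(self, records: dict[str, TrustLevel], reachable: bool = True):
        self._records = records
        self._reachable = reachable

    def trust_level(self, device_id: str) -> Optional[TrustLevel]:
        if not self._reachable:
            return None           # channel down: caller decides how to degrade
        return self._records.get(device_id, TrustLevel.UNKNOWN)


def authorize(request: dict, oracle: TrustOracle, high_value: bool) -> Decision:
    """Decide a request from the OOB verdict, never from the app's own claim."""
    device_id = request["device_id"]
    app_claims_clean = request.get("app_claims_clean", True)

    level = oracle.trust_level(device_id)
    if level is None:
        # Fail closed for high-value operations, degrade gracefully otherwise.
        return Decision(not high_value, "trust channel unreachable")

    # An app that reports itself clean while the cloud says otherwise is
    # worth logging separately: either it is lying or it has been tampered with.
    contradiction = app_claims_clean and level in (TrustLevel.ROOTED, TrustLevel.EMULATED)

    if level is TrustLevel.NORMAL:
        return Decision(True, "device reported normal protected")
    if level is TrustLevel.UNKNOWN:
        return Decision(False, "device not known to trust service")
    return Decision(False, f"device is {level.value}", suspicious=contradiction)


if __name__ == "__main__":
    # Constructed sample records standing in for the cloud's view of two devices.
    oracle = TrustOracle({"dev-1": TrustLevel.NORMAL, "dev-2": TrustLevel.ROOTED})
    print(authorize({"device_id": "dev-1", "app_claims_clean": True}, oracle, True))
    print(authorize({"device_id": "dev-2", "app_claims_clean": True}, oracle, True))
```

The `high_value` flag is the only place where the server has to choose between failing open and failing closed when the second channel is down; keeping that choice in one function makes it easy to audit.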
The service provider can access the portal's dashboard at any time.
Here the service provider receives relevant information about the
T.A.K-protected application, e.g. number of registrations, number
of rooted devices, proportion of operating system releases used,
etc. In order to comply with data protection laws, only summarized
data and no personal data is displayed here.
Build38 takes care of the operation of T.A.K, performing, for
example, administrative tasks such as creating new customers (the
service provider), adding new users to the developer portal, and so
on. Build38 does not have access to the service provider's data.
3.9 Rental Car app – T.A.K protects access keys
The following example discusses how a temporary rental car key
could be protected by T.A.K. Using the overall architecture as an
example, Build38 made the following assumptions:
▪ The end-to-end architecture is a secure architecture and its
security assets, security anchors, and attack vectors have been
assessed and documented.
▪ The rental car key is temporary, based on derived credentials.
▪ The derived credentials will be created on demand, based on
the relevant security situation, e.g. daily, weekly, or when the
driver changes (e.g. rental enterprise).
▪ The derived credentials will be handled by the functions in the
Secure Memory Management module.
▪ The diagram (Figure 8) has to be extended by the T.A.K Cloud
communication as in Figure 7.
▪ In this specific situation the enterprise key can be revoked
(declared “inactive”) via the T.A.K Cloud.
Figure 8: Car Rental app – car keys protected by T.A.K
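The derived, temporary credential from the assumptions above, as an added Python example (not Build38's code; the key hierarchy, the HKDF context strings and the message format are assumptions, and the car's revocation set stands in for the cloud-side “inactive” flag). It shows the backend deriving a per-rental key from a per-car key, the car re-deriving that key from the rental parameters it is shown, and the checks on validity window, challenge nonce and revocation that make the key both temporary and revocable.

```python
"""Temporary rental-car credential derived from an enterprise key.

Added example, not Build38 code. Assumed hierarchy (constructed for
illustration): enterprise key -> per-car key -> per-rental key. The car
never stores a rental key; it re-derives it from the rental parameters
presented with each command, so a rental key is useless outside its car,
driver and validity window, and a rental is declared inactive simply by
adding its id to the car's revocation set.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

HASH = hashlib.sha256


def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869), extract-then-expand, with HMAC-SHA256."""
    prk = hmac.new(salt, ikm, HASH).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


@dataclass(frozen=True)
class Rental:
    rental_id: str
    car_id: str
    driver_id: str
    valid_from: int   # unix seconds
    valid_to: int

    def context(self) -> bytes:
        """Every parameter the rental key is bound to."""
        return (f"rental|{self.rental_id}|{self.car_id}|{self.driver_id}"
                f"|{self.valid_from}|{self.valid_to}").encode()


def derive_car_key(enterprise_key: bytes, car_id: str) -> bytes:
    return hkdf(enterprise_key, b"car-key", f"car|{car_id}".encode())


def derive_rental_key(car_key: bytes, rental: Rental) -> bytes:
    return hkdf(car_key, b"rental-key", rental.context())


def sign_command(rental_key: bytes, rental: Rental, command: str,
                 nonce: bytes) -> bytes:
    """Tag the driver app attaches to a command such as 'unlock'."""
    msg = rental.context() + b"|" + command.encode() + b"|" + nonce
    return hmac.new(rental_key, msg, HASH).digest()


class Car:
    """Holds only its own car key plus the set of revoked rental ids."""

    def __init__(self, car_id: str, car_key: bytes) -> None:
        self.car_id = car_id
        self._car_key = car_key
        self.revoked: set[str] = set()
        self._challenge: Optional[bytes] = None

    def challenge(self) -> bytes:
        """Fresh nonce per command, so a captured tag cannot be replayed."""
        self._challenge = os.urandom(16)
        return self._challenge

    def accept(self, rental: Rental, command: str, nonce: bytes,
               tag: bytes, now: int) -> bool:
        expected_nonce, self._challenge = self._challenge, None   # single use
        if expected_nonce is None or not hmac.compare_digest(expected_nonce, nonce):
            return False
        if rental.car_id != self.car_id or rental.rental_id in self.revoked:
            return False
        if not (rental.valid_from <= now <= rental.valid_to):
            return False
        key = derive_rental_key(self._car_key, rental)
        return hmac.compare_digest(sign_command(key, rental, command, nonce), tag)


if __name__ == "__main__":
    enterprise_key = os.urandom(32)                       # backend only
    car = Car("car-42", derive_car_key(enterprise_key, "car-42"))
    rental = Rental("r-1", "car-42", "driver-7", 1000, 2000)
    app_key = derive_rental_key(derive_car_key(enterprise_key, "car-42"), rental)
    nonce = car.challenge()
    tag = sign_command(app_key, rental, "unlock", nonce)
    print("unlock accepted:", car.accept(rental, "unlock", nonce, tag, now=1500))
```

Because the rental parameters are part of the derivation context rather than just signed, a driver who alters the driver id or the validity window in the message also changes the key the car derives, so the tag no longer verifies; the time check then only has to guard against a genuine key used after its window.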
4. Summary
4.1 Go for it – you are safe
Mobile applications are the critical infrastructure of today’s digital
world. Build38 can help your business to become an innovative
organization of tomorrow:
▪ Focus on your core competency: app development.
Don’t worry about security – that’s Build38’s job
▪ Customer satisfaction is your goal.
Build38 helps you develop secure mobile apps faster. You
can meet your project timelines.
▪ Knowledge is power.
You should know what your mobile apps are doing out there in
the wild.
4.2 T.A.K technology highlights
Service providers can use the T.A.K-Client library to develop
security-critical applications on a standard platform across a wide
range of mobile devices (Android ≥ 4.4; iOS ≥ 9). The fact that the
T.A.K-Client comes packaged with the application and is then
installed on the mobile device makes it an attractive solution for
many service providers. Moreover, T.A.K security is non-intrusive
to the user, meaning that the application delivers the best possible
security and user experience while hiding the complexities of this
enhanced security from the user.
One of the many advantages of T.A.K is flexibility: T.A.K is based
on a multi-layered security approach, supporting multiple operating
systems and therefore reaching the broadest possible number of
mobile devices.
In addition, T.A.K reduces dependency on a secure element issuer
(SEI), i.e. a mobile network operator (MNO), the owner of an
embedded Secure Element (SE), or a hardware manufacturer.
This allows the service provider more control.
The main highlights of T.A.K for the service provider are:
• Security solution for mobile devices – T.A.K provides
security on the broadest possible range of mobile devices.
• Develop once for Android and iOS – use the security
concept for both your Android and iOS mobile applications.
• Gateway to the mobile ecosystem – the T.A.K Cloud acts as
a device- and service-agnostic gateway, abstracting the
complexity of the ecosystem from the service provider.
• Efficient integration – for efficient integration and fast time-
to-market, the T.A.K-Client library provides all the security
features and functionality that an app developer needs.
• Secure app communication – the T.A.K-Client uses a secure
communication channel for T.A.K-related security
communication.
The same mechanism can be used to establish a secure
channel to application servers to exchange confidential
information. Network sniffing is prevented since the
communication is established at a native level, rather than at a
high-level programming language level.
• Insights and Analytics – T.A.K security is built into an
application during the implementation and coding phase. In
contrast to many other software security solutions, T.A.K
provides active security feedback during application usage
throughout the app’s life. The service provider has access to
this information (e.g. normal protected, runs in a rooted or
emulated environment) and can make relevant business
decisions based on the given information. Analytics provides a
further deeper level of information.
• Eligibility checking – the T.A.K Cloud → SP-server
communication channel offers an additional check option via
out-of-band security signaling.
• T.A.K-Client personalization – after installation and initial
use of the application, the T.A.K-Client library is personalized
based on device-specific credentials.
• Device-specific encryption – deploying an application with
T.A.K inside establishes an environment where specific code
protection is enabled by the T.A.K-Client and reverse-
engineering is made extremely difficult, as code lifting is
prevented. It must be remembered that given enough time,
money, resources, and motivation an attacker will eventually
have some success. The goal is to limit this success and create
a climate of frustration for attackers.
• Secure storage of keys – application keys are protected by
the Secure Memory Management’s functionality, ranging from a
hardened and attack resistant implementation of cryptographic
algorithms, or – if supported – by the hardware-backed secure
storage. In the case of code lifting, confidential data stored in
secure storage remains protected as it is encrypted.
• GDPR conformity – the security software framework “Trusted
Application Kit” (T.A.K) has been aligned with the Bavarian
Data Protection Authority (BayLDA) to ensure that all data
protection requirements are met.
4.3 T.A.K and software security
The software security model, as introduced in Chapter 2 and shown
again below (Figure 9), now indicates the security measures
introduced by T.A.K to meet the goals of software security: make
attackers’ lives more difficult and raise the bar.
Figure 9: T.A.K software security measures
List of figures
Figure 1: The economics of attacks
Figure 2: Software security measures
Figure 3: T.A.K is a multi-layered application security framework
Figure 4: Six Security Modules – tick off your security controls
Figure 5: T.A.K Security Framework
Figure 6: T.A.K protects against threats (selection)
Figure 7: T.A.K ecosystem overview
Figure 8: Car Rental app – car keys protected by T.A.K
Figure 9: T.A.K software security measures
Disclaimer
This document as well as the information or material contained is
copyrighted. Any use not explicitly permitted by copyright law
requires prior consent of Build38. This applies to any reproduction,
revision, translation, storage on microfilm as well as its import and
processing in electronic systems.
The information or material contained in this document is property
of Build38. Any recipient of this document shall not disclose
or divulge, directly or indirectly, this document or the information
or material contained herein, without the prior written consent of
Build38.
All copyrights, trademarks, patents, and other rights in connection
herewith are expressly reserved to Build38 and no license is
created hereby.
“Trusted Application Kit” might be abbreviated as T.A.K throughout
this document due to space constraints. This is not related to any
trademark that might exist anywhere else.
This document is subject to technical changes.
About Build38
It’s a long way to becoming a trusted service provider. Don’t go it
alone. Build38 is a leading provider of next generation app-hardening
and threat protection solutions, enabling the proliferation of new
digital business models. It delivers its Trusted Application Kit
(T.A.K) across various industries including retail, automotive,
financial, public transport and health care. It is headquartered in
Munich with global offices in Barcelona and Singapore.
Our main investor is Giesecke+Devrient, the long-established
technology group with more than 165 years of history and
experience. We bring together the fresh approach of a new venture
with the core technology of G+D’s reliable and market-proven cyber
security portfolio, extending the technology to even more users
globally.
Build38
Build38 GmbH
Atelier Str. 29
81671 Munich
Germany
www.build38.com
© Build38 GmbH, 2019
Subject to change without notice.
V18