An app hardening use case: Filling the PCI prescription for preventing privilege escalation in mobile apps

February 8, 2018 2537 Views Sebastian Holst

Preventing Privilege Escalation in mobile payment apps (PCI Mobile Payment Acceptance Security Guidelines Section 4.3)

Regulators, standards bodies and IT auditors have become increasingly likely to recommend an absolute prohibition of rooted Android devices in production environments. As the 2017 PCI Mobile Payment Acceptance Security Guidelines state, “Bypassing permissions can allow untrusted security decisions to be made, thus increasing the number of possible attack vectors.”

It is only natural that the apps themselves rise up to act as a ubiquitous governance, risk, and compliance management layer – preventing, detecting, responding, and reporting on threats - including those posed by unauthorized rooted devices.

The PCI Mobile Payment Security Guidelines recommend the following (4) controls be in place:

Section 4.3 Prevent Escalation of Privileges

“Controls should exist to prevent the escalation of privileges on the device (e.g., root or group privileges). … (1) the device should be monitored for activities that defeat operating system security controls (e.g., jailbreaking or rooting) and, when detected, (2) the device should be quarantined by a solution that removes it from the network, removes the payment-acceptance application from the device, or (3) disables the payment application.

(4) Offline jailbreak and root detection are key since some attackers may attempt to put the device in an offline state to further circumvent detection.”

DashO for Android can fulfill these PCI requirements. DashO can be configured to:

Enforce a no rooted device policy wherever DashO hardened apps are run, and
Ensure that DashO hardened apps trigger real-time responses including notifications, auto-exit, and even a permanent disabling of the app (a quarantine or bricking). For a more thorough treatment of anti-root controls see DashO Root Detection & Defense is one Check that will not bounce!

In short, DashO can – with little or no programming required – inject sophisticated root detection logic as well as the logic your app needs to defend itself against these evolving attacks.

This post-compile approach to injecting runtime controls (detect, respond, and report) are also available to meet similar anti-debugger and/or anti-tamper requirements.

For a deeper discussion on compliance and risk management, please consider watching one of our Webinar's such as:

App Dev and the Law: GDPR, DTSA, and XY&Z.

Protecting Java applications that use Spring Framework Core

DashO has support for protecting applications that use Spring Framework Core. Spring can be configured either by custom annotations or XML configuration files, and DashO has support for both. However, applications that use custom annotations require additional handling.

There’s big money in artificial intelligence (AI) — reaching almost $12 billion over the next six years. As noted by research firm McKinsey & Company, companies are now in the process of building out the technology foundation they need for AI deployment, with 45 percent of executives already worried about not investing enough in AI to keep up with the competition. It’s not a baseless fear: The McKinsey research also suggests that AI adoption is following a standard “S-Curve” model, which starts with slow adoption by a limited number of businesses followed by rapid mass adoption as market opportunities increase and then slows again as stragglers are left behind.

Given the wide range of potential applications for AI and the evolution of core intelligence technologies, increased business interest is no surprise. What companies may not be prepared for, however, is the uptick in hacker usage of AI tools and solutions — what happens when attackers flip the AI script?

That was the title of yesterday's congressional briefing organized by ACT | The App Association (in cooperation with the Congressional IP Caucus which is co-chaired by Rep. George Holding, Rep. Adam Smith, & Rep. Hakeem Jeffries).

As is often the case when presenting to different kind of audience (not software-centric), you’re forced to reorganize your thoughts – here are few that might be worth sharing.

Attendees were promised the following agenda:

Learn how rogue apps steal content;
Understand what access devices are enabling the piracy of content;
Learn about a range of app piracy methods used to exploit U.S. companies;
Gain insight into existing industry best practices and enforcement methods for combating IP piracy.

App development now happens at breakneck speeds as companies recognize the need for first-to-market applications that exceed consumer expectations for usability and performance. The root of this rapid release cycle? DevOps — the combination of development and operations teams to deliver best-in-class applications ASAP.

But more apps on the market more quickly means more chances for security issues — as noted by Bank Info Security, 60 percent of all breaches over the last two years started with known software vulnerabilities. Bottom line? DevOps is getting apps out of development, but lack of security is putting them in harm’s way. There are no second chances when it comes to first impressions; users won’t come back if applications expose personal data or become malware distribution drones.

The solution? DevSecOps: Security as a fundamental aspect of application development. Here’s what you need to know.

Model–View–ViewModel (MVVM) is a common pattern used in WPF, Xamarin, and other types of .NET applications. There are different ways to apply the MVVM pattern, but they all share a few underlying concepts. I’d like to discuss these concepts, and how to successfully configure protection with Dotfuscator for MVVM-based apps.

An app hardening use case: Filling the PCI prescription for preventing privilege escalation in mobile apps

Preventing Privilege Escalation in mobile payment apps (PCI Mobile Payment Acceptance Security Guidelines Section 4.3)

Section 4.3 Prevent Escalation of Privileges

Protecting Java applications that use Spring Framework Core

Artificial Intelligence, Real Threats: Can Attackers Flip the AI Script?

Rogue Apps: Facilitating Theft from Developers and Consumers

No Second Chances: App Shielding and the Emerging Need for DevSecOps

Protecting .NET applications that use the MVVM pattern

Latest Blog Posts

Protecting Java applications that use Spring Framework Core

Artificial Intelligence, Real Threats: Can Attackers Flip the AI Script?

Rogue Apps: Facilitating Theft from Developers and Consumers

No Second Chances: App Shielding and the Emerging Need for DevSecOps

Protecting .NET applications that use the MVVM pattern

Latest News

Dotfuscator Adds Rooted Device Controls to Meet Exceptional Xamarin.Android Demand

Microsoft Build 2018

PreEmptive Solutions Launches GDPR Compliance Relief Program

Protecting Your Xamarin Apps with Dotfuscator

Third Major Dotfuscator Community Edition Release in 12 Months Expands Real-time Defense and Streamlines Xamarin Integration

Twitter

App Protection Blogs

An app hardening use case: Filling the PCI prescription for preventing privilege escalation in mobile apps

Preventing Privilege Escalation in mobile payment apps (PCI Mobile Payment Acceptance Security Guidelines Section 4.3)

Section 4.3 Prevent Escalation of Privileges

Latest Blog Posts

Latest News

Twitter