An app hardening use case: Filling the PCI prescription for preventing privilege escalation in mobile apps

February 8, 2018 2279 Views Sebastian Holst

Preventing Privilege Escalation in mobile payment apps (PCI Mobile Payment Acceptance Security Guidelines Section 4.3)

Regulators, standards bodies and IT auditors have become increasingly likely to recommend an absolute prohibition of rooted Android devices in production environments. As the 2017 PCI Mobile Payment Acceptance Security Guidelines state, “Bypassing permissions can allow untrusted security decisions to be made, thus increasing the number of possible attack vectors.”

It is only natural that the apps themselves rise up to act as a ubiquitous governance, risk, and compliance management layer – preventing, detecting, responding, and reporting on threats - including those posed by unauthorized rooted devices.

The PCI Mobile Payment Security Guidelines recommend the following (4) controls be in place:

Section 4.3 Prevent Escalation of Privileges

“Controls should exist to prevent the escalation of privileges on the device (e.g., root or group privileges). … (1) the device should be monitored for activities that defeat operating system security controls (e.g., jailbreaking or rooting) and, when detected, (2) the device should be quarantined by a solution that removes it from the network, removes the payment-acceptance application from the device, or (3) disables the payment application.

(4) Offline jailbreak and root detection are key since some attackers may attempt to put the device in an offline state to further circumvent detection.”

DashO for Android can fulfill these PCI requirements. DashO can be configured to:

Enforce a no rooted device policy wherever DashO hardened apps are run, and
Ensure that DashO hardened apps trigger real-time responses including notifications, auto-exit, and even a permanent disabling of the app (a quarantine or bricking). For a more thorough treatment of anti-root controls see DashO Root Detection & Defense is one Check that will not bounce!

In short, DashO can – with little or no programming required – inject sophisticated root detection logic as well as the logic your app needs to defend itself against these evolving attacks.

This post-compile approach to injecting runtime controls (detect, respond, and report) are also available to meet similar anti-debugger and/or anti-tamper requirements.

For a deeper discussion on compliance and risk management, please consider watching one of our Webinar's such as:

App Dev and the Law: GDPR, DTSA, and XY&Z.

Free Trial

Request Quote

Request Demo

Create More Secure Applications – Don’t Hard Code Credentials; Instead, Use Application Hardening

Credentials are a problem for your app. Why? Because they’re a critical access gateway: If attackers get their hands on working usernames and passwords they can cause havoc — everything from stealing user accounts to compromising high-level application functions.

It’s big business; Sensor Tech Forum notes that 85 malicious apps on Google Play were stealing login credentials, while Verizon’s 2018 Data Breach Investigation Report found that 81 percent of hacking incidents used weak or stolen passwords.

And while part of the problem rests with users choosing username and password combinations that are easy to remember and easy for attackers to guess, applications have their own issue: Hard coding. From smart city software to stock trading applications, the use of hard-coded credentials saves time upfront but significantly impacts security.

Don’t become an easy mark for hackers: Here are six ways to boost credential control and reduce total risk.

In 2017 and again in 2018, PreEmptive Solutions surveyed over 15,000 professional developers asking about their organization’s current and projected use of a broad cross-section of development languages and frameworks.

Evaluating each annual survey result on its own and again together as a whole offers insights into current practices, assumptions about future trends as well as the actual trends that played out during the time between the two survey collection points.

The white paper, The Future of Language and Framework Survey shows a professional development community striving to reduce the number of languages and frameworks they rely upon while simultaneously increasing their commitment and investments in the technologies they retain. As this maturation occurs, overall clarity and confidence in their architecture and mission improves.

Prevention, detection, and response

Today, Microsoft announced Azure DevOps – Loosely, it is TFS and VSTS, with its services broken out into distinct components that can be used together or separately. The Azure DevOps services are Azure Boards, Azure Repos, Azure Pipelines, Azure Test Plans and Azure Artifacts. When Azure DevOps was VSTS and TFS, we supported integration with PreEmptive’s Dotfuscator. Today, none of that changes. As Azure DevOps evolves, we will continue to improve our integration, so that you can easily add multi-layered protection to your valuable apps.

In Mindset shift to a DevSecOps culture, Buck Hodges, Director of Engineering for Visual Studio Team Services, stressed the importance of both preventing breaches and “assuming breaches. ”In essence, prevention only gets you part of the way there. “Assuming a breach” allows for effective incident detection, response and recovery process planning.

The .NET Conference is right around the corner. Make sure to mark your calendar because this virtual three-day developer event is not one you will want to miss. Included will be a wide variety of live sessions for beginners to advanced developers to attend.

Learn to build and the latest techniques for:

The release of Dotfuscator v4.37 yesterday marks the first big step toward a major goal: to modernize our Visual Studio integration. This release is numbered as a "minor" release - because, as always, we work hard to not make breaking changes - but its significance is actually very major.

Our current Visual Studio integration has always been one of the primary user interfaces for Dotfuscator; nearly half of our users use it, or have used it. Of those users, most are quite happy with it. (So we know that changing it is no small undertaking!)

However, there are some users who can't use it, or for whom it doesn't work very well. Notably, users with especially large projects, or complex build configurations, or more-modern projects that have heavy packaging components (including Xamarin and UWP), have all only had the option of our "standalone GUI" and a custom-made build integration.

An app hardening use case: Filling the PCI prescription for preventing privilege escalation in mobile apps

Preventing Privilege Escalation in mobile payment apps (PCI Mobile Payment Acceptance Security Guidelines Section 4.3)

Section 4.3 Prevent Escalation of Privileges

Create More Secure Applications – Don’t Hard Code Credentials; Instead, Use Application Hardening

Multi-Year Developer Survey Reveals Evolving Practices and Foreshadows Further Change

Automating and Scaling App Protection with Azure Devops

Prevention, detection, and response

Catch the .NET Conf: Latest Updates and Tips

An Easier, Better Way to Use Dotfuscator

Latest Blog Posts

Create More Secure Applications – Don’t Hard Code Credentials; Instead, Use Application Hardening

Multi-Year Developer Survey Reveals Evolving Practices and Foreshadows Further Change

Automating and Scaling App Protection with Azure Devops

Catch the .NET Conf: Latest Updates and Tips

An Easier, Better Way to Use Dotfuscator

Latest News

Dotfuscator Adds Rooted Device Controls to Meet Exceptional Xamarin.Android Demand

Microsoft Build 2018

PreEmptive Solutions Launches GDPR Compliance Relief Program

Protecting Your Xamarin Apps with Dotfuscator

Third Major Dotfuscator Community Edition Release in 12 Months Expands Real-time Defense and Streamlines Xamarin Integration

Twitter

App Protection Blogs

An app hardening use case: Filling the PCI prescription for preventing privilege escalation in mobile apps

Preventing Privilege Escalation in mobile payment apps (PCI Mobile Payment Acceptance Security Guidelines Section 4.3)

Section 4.3 Prevent Escalation of Privileges

Prevention, detection, and response

Latest Blog Posts

Latest News

Twitter