An app hardening use case: Filling the PCI prescription for preventing privilege escalation in mobile apps

February 8, 2018 3280 Views Sebastian Holst

Preventing Privilege Escalation in mobile payment apps (PCI Mobile Payment Acceptance Security Guidelines Section 4.3)

Regulators, standards bodies and IT auditors have become increasingly likely to recommend an absolute prohibition of rooted Android devices in production environments. As the 2017 PCI Mobile Payment Acceptance Security Guidelines state, “Bypassing permissions can allow untrusted security decisions to be made, thus increasing the number of possible attack vectors.”

It is only natural that the apps themselves rise up to act as a ubiquitous governance, risk, and compliance management layer – preventing, detecting, responding, and reporting on threats - including those posed by unauthorized rooted devices.

The PCI Mobile Payment Security Guidelines recommend the following (4) controls be in place:

Section 4.3 Prevent Escalation of Privileges

“Controls should exist to prevent the escalation of privileges on the device (e.g., root or group privileges). … (1) the device should be monitored for activities that defeat operating system security controls (e.g., jailbreaking or rooting) and, when detected, (2) the device should be quarantined by a solution that removes it from the network, removes the payment-acceptance application from the device, or (3) disables the payment application.

(4) Offline jailbreak and root detection are key since some attackers may attempt to put the device in an offline state to further circumvent detection.”

DashO for Android can fulfill these PCI requirements. DashO can be configured to:

Enforce a no rooted device policy wherever DashO hardened apps are run, and
Ensure that DashO hardened apps trigger real-time responses including notifications, auto-exit, and even a permanent disabling of the app (a quarantine or bricking). For a more thorough treatment of anti-root controls see DashO Root Detection & Defense is one Check that will not bounce!

In short, DashO can – with little or no programming required – inject sophisticated root detection logic as well as the logic your app needs to defend itself against these evolving attacks.

This post-compile approach to injecting runtime controls (detect, respond, and report) are also available to meet similar anti-debugger and/or anti-tamper requirements.

For a deeper discussion on compliance and risk management, please consider watching one of our Webinar's such as:

App Dev and the Law: GDPR, DTSA, and XY&Z.

Google IO Recap: Firebase, Jetpack, Kotlin, and R8

PreEmptive had the opportunity to send a couple of representatives to Google IO this year. IO 2019 didn't tell us what dessert starts with a Q, but it did showcase some great tools and frameworks as well as provide insight into the direction of Android:

For the third year in a row, Microsoft’s Build conference set up shop in the Washington State Convention Center, giving technology professionals a glimpse into what lies ahead for the Redmond giant.

Previous years highlighted key advancements such as Microsoft 365, the Azure Cosmos DB and Xamarin — in 2019, the company went all-in with announcements for a new Visual Studio, .NET evolution and the emergence of true Linux on Windows OS.

Here’s a look at the best of Build 2019.

Last month we blogged about R8 and Google's build architecture changes and hinted at things to come in PreEmptive Protection - DashO, our powerful Java obfuscation and application protection tool that integrates tightly with Android. Today, we're excited to announce a public beta of our next major release: DashO 10 (Beta 2).

This new version of DashO works together with R8 to protect Android apps and libraries.

Whether you're using Azure Pipelines, TeamCity, Jenkins, or your local dev machine, Dotfuscator Professional is easier to integrate than ever before.

Last August, we released an easier, better way to integrate Dotfuscator into your build process. We quickly followed that with new instructions for Xamarin integration - making Dotfuscator the easiest-to-integrate (and still most-effective!) Xamarin protection product, by far.

Today, we're releasing a suite of features and components that make it much easier to provision Dotfuscator into your continuous integration environment, making it easy to use in your automated build, too.

Google recently introduced R8, a new tool designed to replace ProGuard as the default shrinker in the Android build process. R8 is meant to produce as-good-or-better outputs than ProGuard, and to do so faster than ProGuard does, thereby reducing overall build times. It will be enabled by default in the next release of Android Gradle Plugin (v3.4).

This change removes a long-standing component (ProGuard) and replaces it with entirely-new code that does essentially the same thing. Why would Google do such an expensive, risky thing?

An app hardening use case: Filling the PCI prescription for preventing privilege escalation in mobile apps

Preventing Privilege Escalation in mobile payment apps (PCI Mobile Payment Acceptance Security Guidelines Section 4.3)

Section 4.3 Prevent Escalation of Privileges

Google IO Recap: Firebase, Jetpack, Kotlin, and R8

Microsoft Build 2019: Visual Studio Expands, .NET Evolves and Windows Gets a Kernel

DashO 10 Beta 2: Android Support, Rebuilt From the Ground Up

It's Never Been Easier to Automate Your Builds With Dotfuscator Professional

R8: A Step in Google's Android Build Performance Roadmap

Latest Blog Posts

Google IO Recap: Firebase, Jetpack, Kotlin, and R8

Microsoft Build 2019: Visual Studio Expands, .NET Evolves and Windows Gets a Kernel

DashO 10 Beta 2: Android Support, Rebuilt From the Ground Up

It's Never Been Easier to Automate Your Builds With Dotfuscator Professional

R8: A Step in Google's Android Build Performance Roadmap

Twitter