Preventing Privilege Escalation in mobile payment apps (PCI Mobile Payment Acceptance Security Guidelines Section 4.3)
Regulators, standards bodies and IT auditors have become increasingly likely to recommend an absolute prohibition of rooted Android devices in production environments. As the 2017 PCI Mobile Payment Acceptance Security Guidelines state, “Bypassing permissions can allow untrusted security decisions to be made, thus increasing the number of possible attack vectors.”
It is only natural that the apps themselves rise up to act as a ubiquitous governance, risk, and compliance management layer, preventing, detecting, responding to, and reporting on threats, including those posed by unauthorized rooted devices.
When perimeters are breached, identities stolen and malware launched, encryption stands as information’s last line of defense. Without effective encryption policies, you will first be victimized and then held liable (punished) by every information stakeholder (customers, partners, investors, regulators, the courts, etc.).
Just this week, Wired led with the headline “Tinder’s Lack of Encryption Lets Strangers Spy on Your Swipes”, where they wrote in part:
“In 2018, you'd be forgiven for assuming that any sensitive app encrypts its connection from your phone to the cloud, … But if you assumed that basic privacy protection for the world's most popular dating app, you'd be mistaken.”
Java 9 is an unusually complex Java release. It comes with deep changes to some long-held norms, compatibility-breaking changes at build time and run time, and a new release cadence. There's a lot of great stuff, but development teams face tough decisions about what to migrate, how to migrate it, and when to do so.
Here at PreEmptive, we have an especially complex problem because our flagship Java application, DashO, runs on the Java platform, integrates deeply with the Java platform, and supports apps developed with nearly all versions and implementations of the Java platform. DashO's migration to Java 9 requires deep understanding and extensive care to ensure that DashO continues to be able to inspect, obfuscate, and inject code into apps across all those platforms, while preserving behavior, performance, stability, and portability.
So we've been hard at work on our own migration plans, and we want to share what we've learned. Hopefully this article will make your Java 9 migration planning a little easier.
First, thanks to PreEmptive for inviting me to do a guest post.
Since you're reading this on preemptive.com, you are already aware of, and probably concerned with, the importance of planning for security in application development. In this guest blog post, I want to address specifically the security vulnerabilities that legacy applications present to your entire organization.
If the Equifax hack wasn't a wakeup call for your entire appsec team, you're probably headed for an earlier retirement than you might otherwise have planned for.
Applications are under siege. As demonstrated by the recent Equifax breach and many others, attackers leverage everything from compromised mobile apps to cloud-based vulnerabilities. The result? Enterprise IT teams are recognizing that they’re being targeted, particularly their critical apps.
We have just released Dotfuscator Professional 4.31 and it’s available for immediate download (both for clients and as a free evaluation).
Dotfuscator Professional 4.31
- Extends its application protection to new development communities for the very first time.
The GDPR is comprehensive; its impact is far reaching, and the penalties for infringement are severe (up to €20 million or 4% of global annual revenue, whichever is higher).
In short, no impacted business can afford to ignore the GDPR. As the May 2018 deadline looms, organizations find themselves scrambling to be “GDPR ready”, but what exactly does that mean?
According to the official EU GDPR website, http://www.eugdpr.org, “The EU General Data Protection Regulation (GDPR) is the most important change in data privacy regulation in 20 years.”
This may well be true. The GDPR includes unprecedented penalties connected to data breaches, it reaches across international borders, and it targets both data owners and third-party service providers that process or manage that data.