Thursday, May 17, 2018

An app hardening use case: Filling the PCI prescription for preventing privilege escalation in mobile apps

Preventing Privilege Escalation in mobile payment apps (PCI Mobile Payment Acceptance Security Guidelines Section 4.3)

Regulators, standards bodies and IT auditors have become increasingly likely to recommend an absolute prohibition of rooted Android devices in production environments. As the 2017 PCI Mobile Payment Acceptance Security Guidelines state, “Bypassing permissions can allow untrusted security decisions to be made, thus increasing the number of possible attack vectors.”
It is only natural that the apps themselves rise up to act as a ubiquitous governance, risk, and compliance management layer – preventing, detecting, responding to, and reporting on threats – including those posed by unauthorized rooted devices.
The PCI Mobile Payment Security Guidelines recommend that the following four controls be in place:
Section 4.3 Prevent Escalation of Privileges
“Controls should exist to prevent the escalation of privileges on the device (e.g., root or group privileges). … (1) the device should be monitored for activities that defeat operating system security controls (e.g., jailbreaking or rooting) and, when detected, (2) the device should be quarantined by a solution that removes it from the network, removes the payment-acceptance application from the device, or (3) disables the payment application.
(4) Offline jailbreak and root detection are key since some attackers may attempt to put the device in an offline state to further circumvent detection.” 
DashO for Android can fulfill these PCI requirements. DashO can be configured to:
  • Enforce a no-rooted-device policy wherever DashO-hardened apps are run, and
  • Ensure that DashO-hardened apps trigger real-time responses including notifications, auto-exit, and even a permanent disabling of the app (a quarantine or bricking). For a more thorough treatment of anti-root controls, see "DashO Root Detection & Defense is one Check that will not bounce!"
In short, DashO can – with little or no programming required – inject sophisticated root detection logic as well as the logic your app needs to defend itself against these evolving attacks.
This post-compile approach to injecting runtime controls (detect, respond, and report) is also available to meet similar anti-debugger and/or anti-tamper requirements.
