Apr 09, 2019

Vulnerability Epidemic in Financial Mobile Apps - Episode 4 [Video]

Defense in depth for apps


Did you come across any web technology as part of this? Did you see any JavaScript or anything like that, that was part of the app that gave another--is another piece of the puzzle, which people probably never expect.

Down the rabbit hole?

Yeah, yeah, definitely JavaScript.

The other thing was this research obviously trickles down into three completely separate research papers. And one of them was API security. It's almost like that--you know that analogy which I think is used way too much, is networks have become this hard candy exterior, soft, gooey interior. I just want to smack whoever says that to me now, because I'm so tired of hearing it. But it's almost like that soft, gooey interior has kind of just like the shell broke and it's like oozing out with APIs.

And really, it's an unknown [INAUDIBLE], that companies think, oh, well, why do we need ARXAN, or application shielding to secure, when we have a WAF. It's like, dude, because it's two completely separate things. We're authenticating and authorizing our API traffic. Because you're not obfuscating your code. There's all these other different attack vectors that I think we as--I think chief information security officers, buyers, security engineers, need to understand that there's multiple attack vectors here. It's not just one.

And that's why you're looking at solutions like ARXAN that aren't a one-trick pony, that have these security controls around multiple attack vectors. It's not just one thing. It's-- is this operating on a rooted or jailbroken device? What does that lead to? All of those things are issues that are addressed with shielding.

So you've previously self-described yourself as a layer seven enthusiast. The question that comes up a lot, especially as we're talking about transport security and SSL, is SSL enough to protect the data being transferred to and from APIs?

No, because, if you think--OK, so that's-- you're talking about data in transit security. So we've already seen vulnerabilities being published in SSL. There's no such thing as something that's un-hackable. I think for my approach, as a practitioner, I've always preached defense in depth.

To me, security needs to be like an onion. You've got-- like, OK, what are you trying to protect, and building your security controls as layers like an onion around it. And this shouldn't be just one layer. Because you're talking about multiple things. And if you have an adversary that has enough time, and patience, and interest to actually breach something, they're going to get in. And if you've shielded your app, there's other things that they can try and go after. I mean, even with obfuscation. There's a way to de-obfuscate. I mean, you can go out there and Google it, and there's all sorts of articles you put that explain how to address that. It needs to be multiple layers of defense. It needs to be data in transit, data at rest. It needs to be all of this stuff, API security. It needs to be multiple security checks on the mobile device itself.

We are going to be doing a webinar soon called Building the Zero Trust Enterprise. So ZTE is like a big term being thrown around right now. And it's really interesting, because if you think about application shielding, it really is the antithesis-- to me, application shielding is just that one thing, that one piece of the puzzle in building that whole ZTE infrastructure. It's just one piece that you need to be doing in addition to everything else.

You can't trust the mobile device that the app is on, because you don't own it.

These companies are making apps, creating apps, and pushing them out to devices that they have absolutely no control over. How do you secure that?

Like think about it--let's really just think about this for a second. It's like our military sending soldiers out into an Area Of Responsibility, an AOR, that they have absolutely no visibility, no control, no security controls, no forward operating bases, nothing to protect that soldier.

And a lot of times, no feedback.

How do you do that? And no feedback, no communication, nothing. You don't know what's happening in that theater of operation. You have no idea what's going on in that area. And you're expected to protect this asset. And you've got this asset there that's your company, and a way into your company is Enterprise, and you have no idea what's happening in the environment of the device that it's running on.

Rusty Carter

Rusty Carter is a security software executive with over 20 years' experience, and the current Vice President of Product Management at Arxan Technologies, an application security company that provides application shielding and protection against reverse-engineering and tampering to the world's largest companies. Prior to Arxan, Mr. Carter led product management at Symantec, McAfee, and Pulse Secure (formerly Juniper), and was responsible for the introduction and growth of multiple new products and lines of business. Mr. Carter holds international patents in the fields of information security, AI / machine learning, telecommunications, mobile devices, and user interaction. Mr. Carter's background includes system and software architecture and engineering, and he holds a bachelor's degree in Psychology from the University of Arizona.

The Vulnerability Epidemic in Financial Mobile Apps

Join the webinar with Aaron Lint, Arxan chief scientist, and Alissa Knight, Aite Group senior cybersecurity analyst, on Tuesday, April 23, 2019.