Category Archives: Code Protection

Felix Payment System Security Assured with Intertrust whiteCryption®



World’s First Technology for Contactless Tap-and-Pay Card Transactions on Smartphones Undergoes Security and Compliance Certification in Preparation for Visa and Mastercard Pilots

 

SAN FRANCISCO and MONTREAL — October 23, 2019 — Intertrust, the pioneer in Digital Rights Management (DRM) technology and leading provider of application security solutions, has announced a partnership to safeguard the Felix payment system with Intertrust’s whiteCryption® application shielding technology which will protect the platform from third-party tampering. Felix, developed by Gentek Global, is designed to make it easier for small and medium-sized businesses to get paid by transforming smartphones into payment terminals.

The Felix system can be easily integrated into transactions including online shopping, bill settlement, airline tickets, hotel stays, and other purchases. It is the first payment system that allows users with an NFC-enabled Android phone and a contactless payment method to complete purchases by tapping their contactless payment cards against their smartphones while shopping, both online and face to face. Felix can be delivered as either a standalone mPOS application or as an SDK to be integrated into third‑party apps.

Independent testing lab Riscure will provide product evaluation services for the Felix platform as it undergoes Payment Card Industry Data Security Standard (PCI DSS) compliance certification, which ensures all sellers safely and securely accept, store, process, and transmit cardholder data during credit card transactions. Full PCI security evaluation of Felix is expected to be finalized before Christmas 2019. These partnerships will play a critical role as Felix is field-tested in imminent Visa (NYSE:V) and Mastercard (NYSE:MA) pilots.

“Our partnership is helping move Felix closer to its goal of safe, frictionless shopping right on your smartphone,” said Andrew Snyder, Technical Business Director at Intertrust. “Felix’s convenient tap-to-pay approach, with whiteCryption working in the background to assure safety, makes it a pretty powerful way for users to get the most out of their online shopping experience.”

Intertrust’s whiteCryption provides a bulwark against reverse engineering and tampering via cutting-edge obfuscation, self-defense, and key protection techniques to safeguard software application code, proprietary data, and company information across platforms including Android, iOS, Windows, macOS, and Linux embedded. With Felix, customer payments are processed both in-person and online by holding contactless bank cards against Android smartphones. The system uses the built-in Near Field Communication (NFC) technology to read the card data and send it through Felix for payment processing.

“Our collaboration with Intertrust prevents cybercriminals from using techniques such as reverse engineering or hacking smartphone memory to find security keys,” said Owen Newport, CEO & co-founder, Gentek Global. “This means Felix users can rest easy knowing sensitive payment card details and other personal information are shielded from bad actors.”

Typically, to address strict security requirements, Mobile Point of Sale (mPOS) technologies require external hardware to facilitate card acceptance and PIN processing. Felix is the first commercial solution to enable both card acceptance and PIN entry on the same device in a secure manner, without additional hardware.

 

Meet with Intertrust and Gentek Global at Money20/20, Las Vegas

Come and meet with Intertrust at Money20/20 in Las Vegas, October 27-30 at Booth #3928 where it will be demonstrating the Felix payment solution and discussing the best ways to protect your apps and keys.

 

About Gentek Global

Felix payment technology has been designed and developed by Gentek Global, a product development team operating out of Montreal, Canada and Melbourne, Australia, and specializing in cyber security, mobile payments and contactless NFC technologies. As the world of e-commerce and mobile payments continues to grow at an exponential rate globally, the opportunities and risks grow along with it. Felix is designed to capitalize on both the growth and risks present in the market.

 

About Intertrust

Intertrust provides trusted computing products and services to leading global corporations – from mobile, CE and IoT manufacturers, to service providers and enterprise software platform companies. These products include the world’s leading digital rights management (DRM), software tamper resistance, and technologies to enable private data exchanges for various verticals including energy, entertainment, retail/marketing, automotive, fintech, and IoT. Founded in 1990, Intertrust is headquartered in Silicon Valley with regional offices in London, Tokyo, Mumbai, Bangalore, Beijing, Seoul, Riga, and Tallinn. The company has a legacy of invention, and its fundamental contributions in the areas of computer security and digital trust are globally recognized. Intertrust holds hundreds of patents that are key to Internet security, trust, and privacy management components of operating systems, trusted mobile code and networked operating environments, web services, and cloud computing.

Additional information is available at intertrust.com, or follow us on Twitter or LinkedIn.

 

About Riscure

Founded in 2001, Riscure is a leading global advisor on the security of connected and IoT devices, as well as a recognized vendor of advanced security testing tools and security training. Riscure helps customers around the world to build robust hardware and software solutions and to speed up the process of secure development and certification.

Riscure is the world-leading security laboratory in Mobile Security with more than a decade of experience in SoC (System-on-Chip) security, software security, and Mobile Security. Riscure’s expertise in Mobile Security is well recognized by the industry. Riscure is accredited by many organizations, among which are Visa, Mastercard, Discover, American Express, EMVco, GlobalPlatform and FIDO, to perform security assessments of a wide variety of mobile solutions.

Since 2007, Riscure has pioneered in assessing the security of mobile solutions and mobile security technology with a current extensive track record of 200+ security evaluations of Mobile Payment and Mobile POS solutions, 25+ OEM Pays with multiple smartphone vendors (OEMs), 25+ Mobile Trusted Execution Environment (TEE) and 50+ Mobile Software Security Solutions including obfuscation, white-box cryptography, and biometric solutions.

 

Contact

Sarah Fraser
Spark
intertrust@sparkpr.com
+1 (650) 743-0660

 


The mind of the payment crook provides clues for the fight


It’s important to investigate the mindset of a cybercriminal and explore the attack tools they typically use before discussing the ways of solving the problem. The typical attack methods exploited by hackers to compromise mobile applications, and the common weaknesses associated with them, are not always as obvious as they may seem.


Banks will feel the pain from mobile payment fraud


Although the popularity of mobile technologies has greatly simplified day-to-day financial operations for end users, it has given attackers a new opportunity for attack. The costs of dealing with cybercrime incidents have reached the point where spending is now a major threat to the corporate bottom line.


Protecting Medical Devices from Data Breaches – Some Highlights from the FDA Draft Guidance


According to the Identity Theft Resource Center’s Data Breach Report, the healthcare/medical industry saw over 112,800,000 records breached in 2015 – by far the most of any industry. This translates into roughly one in every three Americans that saw their healthcare data compromised by a cybersecurity breach, numbers that may actually be much greater than that.

A recent CIO article – Why any organization can suffer a healthcare breach, and 5 tips for keeping PHI safe – shared the fact that most organizations with employees have health-related information such as workers’ compensation data or employee wellness programs stored in house. Add this to the industry breaches and the numbers might be even scarier.

So what to do?

The CIO article lists some steps to take, including:

  1. Know what PHI data you have (this goes beyond the healthcare/medical industry)
  2. De-identify data through encryption or tokenization
  3. Involve the BI team
  4. Strengthen security around data pathways between company and vendors
  5. Monitor access to data – even by privileged users

While these steps can certainly help, the article falls short of speaking to mobile devices and applications. Today, with BYOD and cloud-based applications in widespread use throughout the enterprise (healthcare and medical industry included), securing data becomes quite complex – regardless of the device. While stopping short of addressing business-related mobile devices, the FDA recently released draft guidance for industry and staff on Postmarket Management of Cybersecurity in Medical Devices (PDF), which highlights some key recommendations to boost data security. Needless to say, all mobile device manufacturers (medical or otherwise) should heed these guidelines as a means to advance data security measures.

Some highlights of the report:

It is recommended as part of a [device] manufacturer’s cybersecurity risk management program that the manufacturer incorporates elements consistent with the NIST Framework for Improving Critical Infrastructure Cybersecurity (PDF) (i.e., Identify, Protect, Detect, Respond, and Recover).

Manufacturers can also enhance their postmarket detection of cybersecurity risks by incorporating detection mechanisms into their device design and device features to increase the detectability of attacks and permit forensically sound evidence capture.

Manufacturers should consider the incorporation of design features that establish or enhance the ability of the device to detect and produce forensically sound postmarket evidence capture in the event of an attack. This information may assist the manufacturer in assessing and remediating identified risks.

Manufacturers should design their devices to ensure that risks inherent in remediation are properly mitigated including ensuring that the remediation is adequate and validated, that the device designs incorporate mechanisms for secure and timely updates.

Our enterprise-level solution, Cryptanium, has two main components that can help medical device manufacturers introduce the security needed to prevent malware threats like ransomware. The first is Cryptanium Secure Key Box, a white-box cryptographic library that implements standard cryptographic algorithms in a way that completely hides the keys. The second is Cryptanium Code Protection, a comprehensive tool for hardening software applications on multiple platforms. These two components work together to increase security protection against these types of malware threats.

The connected world we live in today goes beyond computers and mobile devices to automobiles, home appliances and medical devices; the security solutions that we rely on need to work harder to protect the people that rely on these devices.

To read the full FDA Draft Guidance for Postmarket Management of Cybersecurity in Medical Devices, you can download it here (PDF):

http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM482022.pdf

 



Happy New Year – Top Five Blog Posts for 2015


As we embark on another year of blogging, it’s always nice to look back on what people enjoyed reading in 2015. There were a lot of hot topics, from IoT and connected car security to banking and financial application security to new healthcare security needs, all of which will most certainly get some headlines in 2016.

As for 2015, here were our top five blog posts:

1. Application Security Just Got Proactive – Runtime Application Self-Protection

The BYOD growth has helped fuel some of the growth in this perimeter security spending increase, but perimeter protection simply won’t cut it in today’s intrusion landscape; applications need self-defense or as Gartner calls it, runtime application self-protection (RASP).

2. Software Diversification: What it Is and Why It’s Important

Software diversification is a method of altering an executable binary so that various instances of the same software, while providing identical functionality, appear different to an attacker and operate differently at the binary level. Software diversification confounds an attacker’s attempts to exploit information gained from one deployment to compromise other deployments. It is much harder to develop a universal cracking scheme for software instances that are diversified. Instead, each software instance must be cracked individually.

3. 20 Code Protection Criteria for Optimal Application Security

Let’s face it, there’s more exposed data today thanks to growing trends such as cloud services, BYOD, IoT and social networking. The war zone these trends create between software applications and the adversaries who want to crack them is very broad and diverse. An application can be attacked at various layers, on different hardware, and with very different goals in mind, creating a very complex problem for companies who want to protect their intellectual property.

4. Securing Mobile Banking Transactions from Malware and Data Breaches

Financial institutions are increasingly turning to branded consumer mobile apps as a way of gaining and retaining mobile-savvy customers. These mobile apps allow consumers to perform transactions such as depositing checks via check images taken from the mobile device, moving money between accounts and checking the status of their accounts. If these apps are not properly protected, they could provide a venue for malware to steal customer’s user credentials (username, PIN, etc.), account information, check images and other information which could be used to crack a customer’s account and steal their financial assets.

5. Secure Key Box: FIPS 140-2 Level One Certification Now in Hand

We’re excited to announce that our Secure Key Box 4.6.0 Crypto Module has received the FIPS 140-2 Level 1 certification from NIST. This certification assures government, financial agencies, and resellers alike that our Secure Key Box module delivers the highest level of protection available for sensitive information.

We look forward to sharing more news, insights, and content as 2016 unfolds, so be sure to bookmark our blog and visit often. Happy New Year!


Are Medical Devices the Next Ransomware Target?


In today’s computer-security-centric world, most have heard of ransomware, where a hacker essentially takes over your computer and demands a ransom from the owner to remove the user restriction. According to the FBI, the ransom fee is typically between $200 and $10,000 depending on the perceived value of the device under ransom. If you’re a casual or home computer user, you may not even pay the ransom if you don’t have much value invested in your machine or have any important data stored on it. But what if your computer device wasn’t a computer?

Popular Science paints a scary scenario of pacemakers or insulin pumps being attacked in a ransomware hack, leaving people with perhaps little or no option but to pay. While there are no reported cases of this happening as yet, it’s a likely scenario given how late to the game medical device manufacturers are in keeping up with security needs. As the article states:

Unlike on a personal computer, individuals can’t put digital security measures in place to protect their biomedical devices. It’s up to the manufacturers of the device’s hardware and software to put the proper security protocols in place. Hopefully they can do so before ransomware becomes as big of an issue as predicted.

Many hospitals understand this threat and have put stringent security standards in place for their suppliers, but are suppliers taking the appropriate action? Malware such as ransomware is well known in the desktop environment, but it may increasingly become a problem for medical devices; and since lives may literally be in the balance, these security flaws must be addressed.

Our enterprise-level solution, Cryptanium, has two main components that can help medical device manufacturers introduce the security needed to prevent malware threats like ransomware. The first is Cryptanium Secure Key Box, a white-box cryptographic library that implements standard cryptographic algorithms in a way that completely hides the keys. The second is Cryptanium Code Protection, a comprehensive tool for hardening software applications on multiple platforms. These two components work together to increase security protection against these types of malware threats.

The connected world we live in today goes beyond computers and mobile devices to automobiles, home appliances and medical devices; the security solutions that we rely on need to work harder to protect the people that rely on these devices.



Protecting Against the Dangers Often Found in Financial Mobile Applications


According to the latest data breach summary from the Identity Theft Resource Center, there have been 60 data breaches at banking, credit and financial institutions thus far this year. These breaches involved some 5,056,581 records and account for almost 10 percent of all data breaches recorded this year. While this may not seem like a lot in the big picture, financial institution breaches are particularly dangerous given the data that is typically obtained. And, as more and more financial institutions roll out apps that make banking convenient, the risks are growing.

Of the various dangers associated with mobile banking and apps, malware is looking to become one of the most pernicious. Malware is software specifically designed by bad actors to perform malicious acts such as damaging computer operations or gaining access to desired information. Malware continues to be a corporate threat, with companies shelling out millions on malware amelioration. 30% of companies surveyed reported a security breach happening at a rate of at least one per month, with malware on end users’ systems accounting for half of these.

Malware such as computer viruses has been well known in the desktop environment, but it is increasingly a problem for mobile devices; and as financial institutions increasingly make information available to customers via mobile devices, the security threat that mobile malware presents must be addressed. Malware is also a threat behind the firewall as employees increasingly use their personal devices to access corporate information (BYOD). With more and more corporate wealth being associated with intellectual property, this new threat vector cannot be ignored.

If a financial mobile app isn’t properly protected, it is also vulnerable to another pernicious attack, “trojanization”. Trojanization is where a cybercriminal takes a legitimate app and modifies it so that instead of the app performing the tasks originally designed for it, the app actually performs tasks for the cybercriminal such as stealing information from the mobile device. Trojanization is particularly a threat to Android devices because apps distributed through Google Play undergo a less strenuous vetting process and Android devices can also be set to download apps from sources other than Google Play.

Cryptanium protects financial mobile applications on multiple platforms, using the following security features:

  • Integrity protection
  • Obfuscation
  • Anti-piracy protection
  • Anti-debug protection
  • Binary packing
  • White-box cryptography
  • Diversification
  • Jailbreak/rooting detection

Cryptanium has two main components. The first is Cryptanium Secure Key Box, a white-box cryptographic library that implements standard cryptographic algorithms in a way that completely hides the keys. The second is Cryptanium Code Protection, a comprehensive tool for hardening software applications on multiple platforms. These two components work together to increase mobile application security.

It is imperative for financial institutions to take the necessary steps to protect their apps by making them harder to hack.



iOS Jailbreak Hits 250,000 iPhones


Just a little over a month ago, we featured a blog post – Prevent iOS Jailbreaking with Proven Code Protection – that highlighted the importance of code protection for iOS and other platforms. In it we discussed how some foreign governments, including China, were sponsoring blatant efforts to reward hackers for jailbreaking iPhones.

Jailbreaking is the process of removing the iOS limitations imposed by Apple through the use of various software and hardware exploits. Jailbreaking allows iOS users to gain root access to the operating system, allowing users to obtain elevated control over the device and the operating system. One of the purposes of jailbreaking iOS devices is the ability to copy and install apps bypassing the App Store.

Now, more recently, comes news from Tech Insider that more than 250,000 jailbroken iPhones in at least 18 different countries have had their Apple account logins hacked, and in some cases locked and held for ransom. Certainly in these cases the jailbreaking caught up with the iPhone owners, but these hacks can certainly have lingering effects for users of non-jailbroken phones as well.

Cryptanium applies integrated protection mechanisms to the entire application code at different layers. With no changes to your source code, code protection obfuscates the code base using patented obfuscation algorithms, injects hundreds of overlapping integrity checkers, and embeds platform-specific anti-debug, anti-piracy, and anti-malware code. As Cryptanium applies security features at different levels, hackers cannot easily remove applied security techniques one-by-one. In order to succeed, the entire protection must be cracked at once, which is a very difficult task when using Cryptanium.

With Cryptanium, your application becomes a self-contained fortress. You do not have to rely on any external security providers. By implementing the unique features of Cryptanium, intellectual property can be secured, business models protected, and the life cycles of applications prolonged.

Cryptanium delivers the next level of iOS app security with obfuscation, self-defense and tamper resistance technology against piracy including:

  • Add security to your apps in minutes
  • Just point and click, no coding needed
  • Make zero changes to your code or app

We’ll share more of these jailbreak stories as they make headlines, so be sure to stay tuned!



Recent Data Breaches Underscore Application Security Needs


Corporate data breaches are expensive – especially in the US. According to Ponemon’s 2015 Cost of Data Breach Study: Global Analysis, data breaches have an average cost of $3.8 million, which is up 23 percent from 2013. The report also states:

The costs acquired from each lost record went from a consolidated average of $145 to $154, a six percent increase. Ponemon found the U.S. to have the most “costly” breaches, with each record costing an average of $217.

You don’t need Ponemon to drive these points home. Ashley Madison’s recent data breach may doom the company, and other companies such as Target have also been rocked, and these are just those making news headlines. So what can a company do?

The first thing organizations need to do is look internally. Shadow IT – or employees going around corporate IT departments to use cloud-based apps and other unauthorized technology to help them do their jobs – is a growing problem and concern in most organizations today. A recent CIO article highlighted a Cisco study that suggests that typical organizations have 15 to 22 times more cloud applications running than have been authorized by their IT department. Many of these apps touch enterprise data that may be sensitive. That’s a scary proposition – especially if these apps aren’t secure.

There are different types of application attacks that expose enterprise data. An application can be attacked at various layers, on different hardware, and with very different goals in mind, creating a very complex problem for companies who want to protect their intellectual property. Here are some common attacks on applications:

  1. Analysis. In order to understand and trace the compiled application code, hackers use various static analysis tools and debuggers that allow them to access, analyze, and reverse engineer the binary code. Such analysis enables hackers to understand how the internal algorithms work, discover sensitive information, and pinpoint vulnerabilities.
  2. Intellectual Property (IP) Theft. Some attacks are designed specifically to extract sensitive information, copyrighted material, or proprietary algorithms. If attackers can reverse engineer and analyze a program, the internal secrets are essentially exposed and vulnerable to stealing.
  3. Key Extraction. Cryptographic keys are at the very core of all security systems that deal with encrypted data. If hackers can locate keys in the code or device memory, they can completely circumvent or remove the security features and steal intellectual property.
  4. Tampering. Tampering is the process of modifying the application code with the goal to make it behave in a different way. For example, by tampering with the program code, hackers can remove license checks, copyright protection, and all other security features.
  5. Piracy. Illegal distribution of copyrighted material is one of the primary concerns of software and content publishers. Such companies suffer tremendous loss due to the fact that their content is being freely copied and transferred to unauthorized parties.
  6. Malware Injection. Today viruses, Trojans, and other harmful software cause serious problems not just on desktop computers, but also on smartphones, tablets, and embedded systems. If applications are not sufficiently protected, they can be exposed to privacy attacks, performance-loss, remote control, and unwanted behavior.

Our Cryptanium Code Protection applies integrated protection mechanisms to the entire application code at different layers. With no changes to your source code, code protection obfuscates the code base using patented obfuscation algorithms, injects hundreds of overlapping integrity checkers, and embeds platform-specific anti-debug, anti-piracy, and anti-malware code. As Cryptanium applies security features at different levels, hackers cannot easily remove applied security techniques one-by-one. In order to succeed, the entire protection must be cracked at once, which is a very difficult task when using Cryptanium.

While your IT department may not be able to control the application security features for each app in use, knowing what’s available to application developers can help spread the need for application hardening. Data breaches aren’t going away anytime soon!


Prevent iOS Jailbreaking with Proven Code Protection


Late last month a Forbes article caught my attention, and likely that of millions of iPhone users worldwide. The article – Of Ma and Malware: Inside China’s iPhone Jailbreaking Industrial Complex – highlighted the country’s blatant efforts to reward hackers for jailbreaking Apple’s iPhone operating system. China actually flew hackers in from around the world to help educate their researchers on jailbreaking in an effort to boost their third-party app store industry – apps that are currently banned by Apple.

The article highlighted well-known firms, such as Alibaba, as participating in the jailbreaking efforts and subsequent third-party app marketplaces, to the detriment of Apple and other phone and app providers. The door that jailbreaking opens to malware and piracy is troubling, and the money changing hands for worthy hackers can reach into the millions, meaning it’s not going to stop anytime soon.

As the article mentions:

China’s third-party marketplaces have become synonymous with iOS malware and piracy, however. In 2014, the Maiyadi App Store was responsible for delivering the Wirelurker malware via 467 apps masquerading as knock-offs of big-name games, including Sims 3, Pro Evolution Soccer 2014 and Angry Birds. As many as 356,000 were infected by the malware, which sought to identify individuals downloading the apps, leading to the suggestion that Wirelurker was the work of a government body trying to uncover pirates. Again, illicit use of Enterprise Certificates helped spread the unapproved software.

Our Cryptanium Code Protection is designed to prevent these jailbreaks in iOS and other platforms. Cryptanium applies integrated protection mechanisms to the entire application code at different layers. With no changes to your source code, code protection obfuscates the code base using patented obfuscation algorithms, injects hundreds of overlapping integrity checkers, and embeds platform-specific anti-debug, anti-piracy, and anti-malware code. As Cryptanium applies security features at different levels, hackers cannot easily remove applied security techniques one-by-one. In order to succeed, the entire protection must be cracked at once, which is a very difficult task when using Cryptanium.

With Cryptanium, your application becomes a self-contained fortress. You do not have to rely on any external security providers. By implementing the unique features of Cryptanium, intellectual property can be secured, business models protected, and the life cycles of applications prolonged.

  • Without an effective code protection scheme, popular applications can be attacked and reverse engineered in a matter of days after release, adversely affecting revenue streams (as the article clearly shows).
  • Code Protection obfuscates the code base using patented obfuscation algorithms, injects hundreds of overlapping checksums, and embeds platform-specific anti-debug and anti-piracy code.
  • Hackers cannot implement a step-by-step removal of the applied security techniques. In order to succeed, the entire protection must be cracked at once, which is an extremely difficult and time-consuming task.

Cryptanium code protection delivers the next level of self-defense and tamper resistance technology against jailbreaking and piracy. Why wait for bad press, angry customers and loss of revenue?
