Device Attestation: A Key Capability for SoftPOS and High-Security Apps


To effectively protect a mobile application against attacks, development teams must have a deep understanding of the relevant threats and the associated technical and business risks they pose.

In an ideal world, mobile application developers would be able to rely on the security of the mobile platform. In reality, mobile devices are not always trustworthy and should be treated accordingly. There are a number of reasons for this, including a lack of timely security patching, outdated devices, and zero-day vulnerabilities. Given this, application developers simply can’t rely on the mobile platform itself to provide the security their applications, keys, and data require.

Therefore, it’s critical that mobile applications are capable of protecting themselves. They need to remain secure when running in an insecure environment, even one that has been infected with malware or compromised as a result of exploited vulnerabilities in the main OS (for example, Android or iOS). 

While there are software protection tools available to secure mobile applications, the challenge is that most app protection tools are static in nature and can’t detect most security risks that are introduced by insecure platforms. Consequently, there is an urgent need for advanced threat detection capabilities. This is particularly true for software-based point-of-sale (SoftPOS) solutions, whose future lies on commercial off-the-shelf (COTS) devices: an effective solution has to work on all of those devices, not just the well-patched ones.

Evolution of Mobile Application Protection

To establish robust mobile application security, teams must employ a defense-in-depth strategy. This includes identifying the risks and threats applicable to the mobile app and establishing a proper security design. This design must provide adequate safeguards against reverse engineering, tampering, and key and data extraction.

Most mobile application and key protection tools embed protection and threat detection capabilities in the application at build time. Depending on the tools and configuration, this can include root detection and the detection of debuggers, emulators, and instrumentation or hooking frameworks such as Frida, Magisk, Cydia Substrate, and Xposed. However, there’s a critical problem: these detection rules are “hard coded” into the mobile application, while attacker capabilities and tools are continuously evolving. A new bypass for a hard-coded check can only be answered by rebuilding and redistributing the app.

This is why static defenses are not enough for applications that need robust, ongoing security, such as banking apps, mobile wallets, SoftPOS, digital rights management (DRM) apps, mobile authentication, and m-health apps. For these apps, additional dynamic threat awareness is a critical requirement. In establishing these defenses, teams can’t consider COTS mobile platforms to be trusted. This is especially true given that mobile applications typically run on a wide variety of devices, including those from a range of vendors, with varying models and form factors, different versions of hardware and OSs, different security patching levels, apps downloaded from different app stores, and so on. 

In order to establish a risk management-based approach to mobile application security, the mobile application needs to be able to attest to the status of the environment in which it is operating. In other words, the mobile application needs to be aware of potential and active threats in its surrounding environment. This requires the ability to gain runtime threat visibility and take appropriate mitigating actions if threats are detected.  

Having actionable threat visibility at runtime fuels the next evolution of mobile application security and risk management, enabling policy-driven application self-protection: the app collects environment signals, evaluates them against a policy, and responds (for example, by reporting, restricting sensitive functions such as PIN entry, or terminating). Static, build-time solutions cannot deliver this on their own, and most SoftPOS solution developers lack the time, resources, and expertise needed to create the advanced attestation capabilities they require.
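To make the distinction between hard-coded checks and policy-driven self-protection concrete, here is an added example in the style of a native Android RASP layer. It is not Zimperium code and not part of the original post; the indicator strings, the su/Magisk paths, the `/proc`-style sample input, and the `SOFTPOS_POLICY` rules are illustrative assumptions. The detection functions gather environment signals (mapped hooking libraries from a `/proc/self/maps` listing, a non-zero `TracerPid` from `/proc/self/status`, and known su binary locations), while the response is driven by a policy table that is data rather than code, so it can be shipped separately from the binary.

```c
/* Added example (not Zimperium code): native runtime-environment checks plus a
 * data-driven response policy. Indicator lists, paths and policy are assumptions
 * chosen for illustration; a real RASP layer would ship them as updatable data. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>

/* Environment signals, combinable as a bitmask. */
enum { SIG_ROOT = 1, SIG_DEBUGGER = 2, SIG_HOOKING = 4 };

/* Responses in increasing severity; the policy picks the strongest that matches. */
typedef enum { ACT_ALLOW = 0, ACT_REPORT = 1, ACT_RESTRICT = 2, ACT_TERMINATE = 3 } action_t;

struct policy_rule { unsigned signal; action_t action; };

/* Library/framework names that well-known hooking tools map into a process (assumed list). */
static const char *const HOOK_MARKERS[] = { "frida", "xposed", "substrate", "libriru" };

/* Locations where a su binary or Magisk commonly lands on rooted devices (assumed list). */
static const char *const SU_PATHS[] = {
    "/system/bin/su", "/system/xbin/su", "/sbin/su", "/sbin/.magisk", "/data/adb/magisk"
};

/* Case-insensitive substring search (strcasestr is not portable). */
static int contains_nocase(const char *hay, const char *needle) {
    size_t n = strlen(needle);
    for (; *hay; hay++)
        if (strncasecmp(hay, needle, n) == 0) return 1;
    return 0;
}

/* Scan a /proc/self/maps-style listing for mapped hooking-framework libraries. */
unsigned scan_maps(const char *maps_text) {
    for (size_t i = 0; i < sizeof HOOK_MARKERS / sizeof HOOK_MARKERS[0]; i++)
        if (contains_nocase(maps_text, HOOK_MARKERS[i])) return SIG_HOOKING;
    return 0;
}

/* Parse the TracerPid field of /proc/self/status; non-zero means a ptrace client is attached. */
unsigned scan_status(const char *status_text) {
    const char *p = strstr(status_text, "TracerPid:");
    if (p == NULL) return 0;
    long tracer = strtol(p + strlen("TracerPid:"), NULL, 10);
    return tracer != 0 ? SIG_DEBUGGER : 0;
}

/* Probe well-known su/Magisk paths; the `exists` predicate is injected so it can be faked. */
unsigned scan_su_paths(int (*exists)(const char *)) {
    for (size_t i = 0; i < sizeof SU_PATHS / sizeof SU_PATHS[0]; i++)
        if (exists(SU_PATHS[i])) return SIG_ROOT;
    return 0;
}

/* Default predicate: ask the real filesystem. */
int path_exists(const char *path) { return access(path, F_OK) == 0; }

/* Apply a policy: the most severe action among rules whose signal is present.
 * The rules are data, so tightening or relaxing the response needs no rebuild. */
action_t decide(unsigned signals, const struct policy_rule *rules, size_t nrules) {
    action_t worst = ACT_ALLOW;
    for (size_t i = 0; i < nrules; i++)
        if ((signals & rules[i].signal) && rules[i].action > worst) worst = rules[i].action;
    return worst;
}

/* Assumed policy for a payment app: hooking or a debugger ends the session,
 * root restricts sensitive functions (e.g. PIN entry) and is reported. */
const struct policy_rule SOFTPOS_POLICY[] = {
    { SIG_HOOKING, ACT_TERMINATE }, { SIG_DEBUGGER, ACT_TERMINATE }, { SIG_ROOT, ACT_RESTRICT }
};
const size_t SOFTPOS_POLICY_LEN = sizeof SOFTPOS_POLICY / sizeof SOFTPOS_POLICY[0];

int main(void) {
    /* Constructed sample input standing in for the live /proc files. */
    const char *maps = "7f1c0000-7f1d0000 r-xp 00000000 fd:00 1234 /data/local/tmp/frida-agent-64.so\n";
    const char *status = "Name:\tcom.example.softpos\nTracerPid:\t0\n";
    unsigned signals = scan_maps(maps) | scan_status(status) | scan_su_paths(path_exists);
    action_t action = decide(signals, SOFTPOS_POLICY, SOFTPOS_POLICY_LEN);
    printf("signals=0x%x action=%d\n", signals, action); /* frida mapped -> terminate */
    return action == ACT_TERMINATE ? 1 : 0;
}
```

The signal collectors are exactly the kind of hard-coded checks the text describes, and each can be defeated by an attacker who patches or hooks them; what the policy table adds is that the response to a given set of signals, and in a fuller implementation the indicator lists themselves, can be changed in the field without rebuilding the app. In production the signals would also be reported to a backend for attestation rather than only evaluated locally.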

Why the PCI MPoC Standard Requires a Robust RASP Solution

The PCI Security Standards Council’s Mobile Payments on COTS (MPoC) standard provides an industry-wide standard for SoftPOS solutions. By complying with it, SoftPOS solutions will enable merchants to accept payments on NFC-enabled COTS devices, including smartphones and tablets running Android and iOS.

Slated for release towards the end of 2022, PCI MPoC is expected to accelerate merchants’ global adoption of SoftPOS solutions. To participate, developers will need to have their solutions PCI MPoC certified. This certification requires solutions to be evaluated by accredited security labs to ensure that they comply with the security requirements of the standard, which include measurable security robustness requirements.

How Zimperium Enables Robust, PCI-Compliant Mobile Application Security

Security represents an integral requirement for SoftPOS solutions and PCI MPoC certification. Given that, it’s important to use proven mobile application security tools, such as Zimperium’s Mobile Application Protection Suite (MAPS). MAPS makes it straightforward for mobile payment solution developers worldwide to develop secure and compliant mobile applications.

MAPS offers comprehensive capabilities, addressing all the security needs of a mobile application developer. MAPS enables SoftPOS developers to meet PCI MPoC requirements. This suite features these leading mobile application security solutions:

  • zKeyBox: zKeyBox offers state-of-the-art, white-box cryptography that protects your encryption keys and secrets while obscuring cryptographic algorithms so an app’s execution logic is not visible to attackers, even if they gain control over the device. Secure PIN is a key capability within the zKeyBox solution. Throughout the PIN entry and encryption process, the PIN encryption key, the PIN, and individual PIN digits are always protected and never appear in the clear in device memory.
  • zShield: This solution offers advanced protection for an app’s source code, intellectual property (IP), and data. zShield safeguards code from a range of potential attacks, including reverse engineering and code tampering.
  • zDefend: zDefend is a machine learning-based device attestation tool. The tool offers runtime awareness through RASP. Featuring a machine-learning engine, the solution delivers a vast amount of threat telemetry and analytics to address MPoC monitoring and attestation needs. zDefend protects against zero-day attacks and can be updated over the air without requiring the app itself to be rebuilt or redistributed. 
  • zScan: With this solution, you can scan your app binary for security, privacy, and regulatory vulnerabilities that can be exploited by an attacker.

While the large-scale global adoption of contactless SoftPOS is just around the corner, Zimperium has been working with SoftPOS developers for years. Since 2017, we’ve enabled dozens of SoftPOS developers to achieve security certification against payment brand and PCI standards.

While security is a continuous cat-and-mouse game, Zimperium provides proven and ongoing protection for your mobile applications, even against the newest attacks and attacker tools. Our sole mission is to secure mobile devices and apps while helping our partners get their solutions to market as soon as possible so they can be ready for the SoftPOS rush.

About Zimperium

Zimperium is a global leader in mobile device and app security. The Zimperium Mobile Application Protection Suite (MAPS) helps developers build secure and robust mobile apps, highly resistant to expert attacks. These tools are widely used in the financial industry to secure mobile banking, mobile payment, and SoftPOS applications. MAPS is the only unified platform that combines comprehensive in-app protection with centralized threat visibility. The platform provides app shielding, key protection, app scanning, and runtime protection capabilities.

To learn more on how to secure your SoftPOS application for MPoC, contact us today.

Author: Tim Hartog
Mobile App Security & Payments Expert.
