Answers to Frequently Asked Questions on Mobile Security
From the experts at Zimperium
- Does the app contain known malware?
- Does an app app share passwords from its keychain with other apps made by the same team?
- Does the app use weak encryption?
- Does the app use private or outdated frameworks?
- Does the app send query parameters with private user or device information?
- Does the app read private information such as the UDID or device identification number?
MOBILE APPLICATION SECURITY
Side-channel attacks are a set of security exploits that involve the observation of characteristics and behavior of devices when performing cryptographic operations. When an attack is carried out utilizing these observations, it is known as a side-channel attack. Side-channel attacks can be carried out against any operating system, including Windows and Linux. The infamous Meltdown and Spectre vulnerabilities are prime side-channel attack examples that affected nearly every modern processor.
Types of side-channel attacks include:
- Speculative execution attack
- Power monitoring attack
- Cache attack
- Timing analysis
- Differential fault analysis (DFA)
- Thermal imaging
Zimperium’s zKey provides an industry-leading white-box cryptography solution to protect secrets and keys from exposure, even against new side-channel attacks as they emerge.
White-box cryptography is a highly specialized software-based security technique to protect cryptographic keys and operations. It combines obfuscation, encryption, and mathematical transformation techniques to hide cryptographic keys and algorithms so that they never appear in the clear. Standard operations such as encryption, decryption, secure key unwrap, and digital signature creation and validation are done within the secure white-box environment, protecting the keys even if the device is compromised by an attacker.
White-box cryptography provides essential cryptographic key protection in multiple industries. For example, the Payment Card Industry (PCI) Security Standards Council, has determined white-box cryptography to be a preferred method for securing cryptographic keys in Tap-to-Phone mobile POS applications.
Anti-debugging is a set of techniques used within the code of an application to detect and prevent the act of debugging. This stops attackers from dynamically running applications, trying to understand how they work, and changing the behavior of certain features or checks within the application. Anti-debugging techniques include observation and detection of small memory, the operating system, process information, and latency that arises when a debugger is attached to an application and compared to when there is no debugger present.
Applications deployed into zero-trust environments like mobile phones provide opportunities for hackers to easily gain access into systems. Conventional security practices such as firewalls, anti-virus, and MDM are no longer sufficient as none properly protect the app and the assets they contain.
Applications outside the perimeter need to be protected to reduce risk, prevent financial loss, and protect your business brand and intellectual property. Zimperium’s advanced cross-platform application security suite provides patented application shielding to protect software applications, mobile apps, and IoT devices by dramatically increasing their resistance against reverse engineering, tampering, and theft of cryptographic keys.