In Plain Sight: The Insecurities of Mobile Financial Apps
Presentation Date & Time:
September 16th at 1:30 PM
Presenter Information:
Name: Alissa Knight
Organization: Aite Group
Title: Senior Analyst
Presentation Description:
I recently completed vulnerability research of 30 different mobile apps across all of the financial services sectors, including retail banking, credit card, mobile payment, cryptocurrency, Health Savings Accounts, retail brokerage, health insurers, and auto insurance apps. The research was performed over a 6-week period.
In this research, the mobile applications were decompiled, meaning we reversed the app back to its original source code to assess vulnerabilities. When an app is capable of being decompiled, it provides the adversary access to sensitive information inside the source code, such as API keys; API secrets; URLs that the app communicates with, which would allow an adversary to then target the APIs of the backend servers; the ability to recompile it to insert malware for later redistribution; and an understanding of how detections are being performed to identify a jailbroken/rooted phone so they can circumvent those checks and disable mandatory code signing and sandboxing.
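The kind of pre-release check a mobile app team would run against its own decompiled build to catch the exposures described above (hardcoded API keys and secrets, backend URLs, and root/jailbreak detection strings that are trivial to find once the app is decompiled). This is an added example, not code from the talk or from Aite Group; the sample decompiled lines and all key/URL values in it are constructed placeholders.

```python
import re
from typing import Dict, List

# Constructed sample of strings as they might appear in decompiled
# (smali-style) output of an Android app. Every value is a placeholder.
SAMPLE_DECOMPILED = """
const-string v0, "https://api.example-bank.test/v2/accounts"
const-string v1, "api_key=AKIAEXAMPLEKEY000000"
const-string v2, "client_secret=9f3a2b7c-dead-beef-0000-123456789abc"
const-string v3, "/system/xbin/su"
const-string v4, "Hello World"
""".strip()

# Indicator classes a defender wants flagged before the app ships:
# backend endpoints, credential-looking literals, and root-detection
# strings that tell an attacker exactly which check to patch out.
PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "backend_url": re.compile(r'https?://[^\s"\']+'),
    "api_key": re.compile(r'(?i)api[_-]?key\s*[=:]\s*"?([A-Za-z0-9_\-]{16,})'),
    "secret": re.compile(r'(?i)(secret|password|token)\s*[=:]\s*"?([A-Za-z0-9_\-]{12,})'),
    "root_check": re.compile(r'(/system/(x)?bin/su|Superuser\.apk|Cydia|test-keys)'),
}


def scan_decompiled(text: str) -> Dict[str, List[str]]:
    """Return, per indicator class, the matching lines ("line N: match")."""
    findings: Dict[str, List[str]] = {name: [] for name in PATTERNS}
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match:
                findings[name].append(f"line {lineno}: {match.group(0)}")
    return findings


def total_findings(findings: Dict[str, List[str]]) -> int:
    """Count of flagged lines; a release gate would fail on anything > 0."""
    return sum(len(hits) for hits in findings.values())


if __name__ == "__main__":
    result = scan_decompiled(SAMPLE_DECOMPILED)
    for name, hits in result.items():
        for hit in hits:
            print(f"[{name}] {hit}")
    print(f"{total_findings(result)} finding(s)")
```

Real secrets belong in a server-side exchange rather than in the binary; this scan only shows what a decompiler will hand to anyone who downloads the app.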
The findings that will be presented in my talk are deeply troubling and staggering. Every audience member will walk away with something from this presentation, from CISOs who will want an immediate static and dynamic code analysis and hardening of their own mobile app to ensure they don’t suffer from these vulnerabilities to the developers writing the code who will want to learn how to write more secure/hardened code.
Alissa Knight Biography
Alissa Knight is a twenty-year veteran of the cybersecurity industry with expertise over the last two decades in penetration testing, incident response and forensics, and penetration testing of connected cars. Alissa is a published author, having published the first book on hacking connected cars through Wiley. She is also a serial entrepreneur with two successful M&A exits under her belt to public companies in international markets. Alissa spent much of her career as a vulnerability researcher, publishing the first vulnerability on hacking VPNs and speaking on it at Blackhat Briefings in 2001.
Today, Alissa has reinvented herself as a full-time writer, influencer, and industry analyst, focusing her research into the cybersecurity issues impacting the financial services, healthcare, and fintech industries that matter to CISOs globally. Through her assessment of sector trends, creation of segment taxonomies, market sizing, preparation of forecasts, and developing industry models, Alissa provides these industries a combination of syndicated and bespoke market research, competitive intelligence, and consulting services in the cybersecurity market through unbiased, objective and accurate research.