Cryptography, and cryptographic keys in particular, has become an essential cog in the data security machine, playing a crucial role in preventing costly breaches and the theft of customer information. As mobile apps become more commonplace, protecting the keys inside those apps from malware attacks matters more than ever.
Cryptographic keys are employed to carry out a variety of functions, including:
- Maintaining the confidentiality of digital assets
- Enforcing software product licensing
- Binding data to devices and applications
- Proving a customer’s identity
- Securing communication against eavesdroppers
- Facilitating, managing and completing sensitive financial transactions
How cryptographic keys work
For mobile users who expect to be able to make transactions on the move, convenience is key. As a result of this drive for a positive user experience, demand has grown for apps to be able to securely store sensitive customer data.
As an example, Android’s Host-based Card Emulation (HCE) allows users to make credit card purchases and mobile wallet transactions from within the app. It works by HCE storing a limited-use key (LUK) in a local data store on the user’s mobile device, which lets financial transactions be made securely through the app.
How cryptographic keys can be stolen or leaked
The sensitive nature of cryptographic keys makes them an ideal target for malware, because of the power cybercriminals can wield once they get their hands on them. Malware can employ a range of techniques to make this happen, all designed to find and exploit data in the apps it targets.
In addition, it’s important that organisations also see beyond cryptographic keys in this situation. Weaknesses in app security can also enable hackers to steal confidential information directly from the app itself, using malware.
Formulating and inserting malware involves hackers creating malicious app software and using it to compromise data. This could include cybercriminals exploiting weaknesses in the code of the app, enabling them to create a cloned (fake) version. Sensitive information can then be fetched and transmitted to the perpetrator’s server, which in turn can be used to carry out fraudulent activity.
Data leakage. By identifying entry vectors into an unprotected app, malware can also steal sensitive customer data through techniques such as keylogging or taking screenshots showing private information such as passwords. This approach, combined with efforts to steal cryptographic keys, can make hackers a serious force to be reckoned with.
Static and dynamic analysis involve cybercriminals using sophisticated tools to learn more about the inner workings of an app and its cryptographic key protection, including identifying binary signatures within the app’s code and deciphering dynamic method invocation. Through these processes, hackers can then plan the next stages of their attack.
Best practices to prevent cryptographic key theft
There are a number of ways to tackle the growing issue of cryptographic key protection in mobile apps. Below are the two key approaches we would recommend:
- Make apps self-defending by implementing software such as Promon SHIELD™. By adding this additional layer of strong security, organisations can be assured that their app is fully protected from external malware attacks, which should nullify any attempts by hackers to infiltrate the app using malware.
- Use a secured software key-chain inside the app that is independent of the hardware and operating system. The goal of this approach, called Secure Storage, is to prevent brute-force decryption of sensitive information that the application needs to store securely. The idea is to make encryption/decryption dependent on input from a remote server. That server can then limit the number of encryption/decryption requests allowed in a given timeframe (rate limiting), which greatly hampers brute-force attacks.
- Bind data securely to devices through solutions such as Promon’s App Management Solution. When downloading an app that uses such a solution, users are asked to register and activate when they first open the app. By filling in this information, the user’s credentials are bound to the application and a specific unique device ID is created. These details are then used to authenticate transactions, again providing an extra layer of security.
- Verify that it is your genuine app that is communicating with your data centre, by checking security components inside the app (such as repackaging detection) and using a client certificate for authentication.
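The Secure Storage approach above, as an added illustration that is not Promon's code: the data key is derived from both a local PIN-derived secret and a contribution that only a remote server can produce, and the server refuses to contribute once a device has spent its per-window request budget, so an attacker holding the stolen blob cannot brute-force the PIN offline. The `KeyServer` class, the toy HMAC-based cipher and all sample values are constructed for this example.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

class KeyServer:
    """Hypothetical remote server (constructed for this example): keeps a per-device
    secret and releases a key contribution only within a per-window request budget."""
    def __init__(self, max_requests: int, window_seconds: float) -> None:
        self.max_requests, self.window = max_requests, window_seconds
        self.secrets: Dict[str, bytes] = {}
        self.log: Dict[str, List[float]] = {}

    def enroll(self, device_id: str) -> None:
        self.secrets[device_id] = os.urandom(32)

    def contribute(self, device_id: str, salt: bytes, now: float) -> Optional[bytes]:
        # Sliding-window rate limit: every unlock attempt, right or wrong, costs budget.
        recent = [t for t in self.log.get(device_id, []) if now - t < self.window]
        if len(recent) >= self.max_requests:
            return None
        self.log[device_id] = recent + [now]
        return hmac.new(self.secrets[device_id], salt, hashlib.sha256).digest()

def _keystream(key: bytes, length: int) -> bytes:
    blocks = (length + 31) // 32
    return b"".join(hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest() for i in range(blocks))

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Toy authenticated encryption (HMAC keystream + HMAC tag); a real app would use AES-GCM."""
    body = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, len(plaintext))))
    return body + hmac.new(key, body, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> Optional[bytes]:
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        return None  # wrong key or tampered blob
    return bytes(b ^ s for b, s in zip(body, _keystream(key, len(body))))

def derive_key(server: KeyServer, device_id: str, pin: str, salt: bytes, now: float) -> Optional[bytes]:
    """Client side: the data key needs both the local PIN and the server's contribution.
    The salt is stored next to the sealed blob on the device."""
    contribution = server.contribute(device_id, salt, now)
    if contribution is None:
        return None  # throttled: without the contribution there is no key to try
    local = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 10_000)
    return hashlib.sha256(local + contribution).digest()
```

Because the server's contribution is needed for every attempt, the attacker's guess rate is capped by the server's budget rather than by local CPU speed.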
Learn more about Promon’s solutions, including Promon SHIELD™ and our App Management Solution.