Infosec In the City (IIC)
Native Mobile Botnet & Anti-Botnet Solutions — by Ron Munitz
#IICSG2019 Conference Deep-Tech Track
Day 2 (20 Jun 2019)
@ Breakout Room 1
In the enterprise and payment worlds, the motivation for anti-fraud solutions is clear: one must not be able to impersonate another user and use their credentials to carry out transactions, sometimes at a minor scale (with human interaction) and sometimes at a very massive scale (with some sort of botnet). The targets, one way or another, would be one or more individuals, an enterprise, or, in the case of advanced persistent threats, a country or critical infrastructure in it.
Looking at it from a technical point of view, it is safe to say that there has been nothing new or groundbreaking on this front for years, with the exception of the advances in the ways in which data is processed (AKA "Big Data and Machine Learning").
While the targets on these fronts are relatively well modeled, and there are quite a few solutions that attempt to eliminate fraud patterns and bot patterns (most notably with some behavioral analysis) in the Web and Mobile Web client domains, it might come as a surprise that for native mobile apps, which are in essence what most of us use for most of our activities these days, there was almost no work in the domain until 2015. To this day, the solutions (without offending anyone) are just not good enough, to say the least, and we will happily prove it to you on a pay-per-success bet. Prepare your wallets!
The mobile ecosystem is particularly interesting because the target markets there (for solution providers) seem to have very little to do with one another. You can see all kinds of products, some meant for OEMs and others for mobile game developers, and the business models and markets are so different that solving the same problems in (about) the same way often goes overlooked or missed for so-called business reasons (AKA: a business ecosystem which doesn't understand the domain). Lucky for you, we happen to have been consulting pretty much everywhere in the mobile ecosystem, and sold products (unlucky for us, and we'll explain why) both for the enterprise markets and for the consumer market. So we will tell you (but not exhaust you) about business points you would want to avoid, and give some emphasis to a target market we managed to successfully infiltrate: a multi-billion market of application monetization (AKA user acquisition, in-app purchases, real-time bidding, and tons of 3rd party SDKs), swamped with fraud and botnets.
In this session, we will survey the different types of unique mobile attacks across a diverse range of domains: we will understand the kinds of attacks on apps and on platforms, differentiate the possible concepts and solutions, and present some of the concepts applied by Stealthium, an ambitious all-around multi-fence defensive solution, available selectively for some of our customers, for both Android and iOS. We will naturally not expose all technical details, or help you to build a botnet, but do expect invaluable tips in that direction!
We will discuss generic mobile botnet strategies that work, and then go more specific, illustrating the weak points of application monetization security and how to attack them, discuss some methodologies of protection, and further present the technical tradeoffs involved in integrating such solutions.
We will conclude the discussion by showing how those techniques apply to the enterprise mobile market, presenting inherent threats at the platform or ROM level, and, bringing the discussion back to the OEM world, emphasizing the threats of attacks aided by an untrusted operating system.