Interesting research from the folks at RiskIQ on Mobile Banking Apps


Jonathan Carter

Jan 24, 2015, 10:53:46 AM
to owasp-mobile...@owasp.org

Jim Manico

Jan 24, 2015, 12:10:08 PM
to Jonathan Carter, owasp-mobile...@owasp.org
I see several companies offering brand management services that track app-stores looking for illegally cloned versions of their apps and issue takedown notices to the stores.

Without getting into specific vendors, does anyone have experience with these services?

Aloha,
--
Jim Manico
@Manicode

On Jan 24, 2015, at 7:53 AM, Jonathan Carter <jonatha...@owasp.org> wrote:


Daniel Miessler

Jan 24, 2015, 12:33:49 PM
to Jim Manico, Jonathan Carter, owasp-mobile...@owasp.org
I do, yes. 

Daniel

Jim Manico

Jan 24, 2015, 12:35:20 PM
to Daniel Miessler, Jonathan Carter, owasp-mobile...@owasp.org
Annnnnd? Tell us more!


--
Jim Manico
@Manicode

Daniel Miessler

Jan 24, 2015, 12:46:36 PM
to Jim Manico, Jonathan Carter, owasp-mobile...@owasp.org
You said not to talk about vendors. Ha.

I know a few that have good approaches, but they all involve searching the Internet on regular intervals and looking for a given customer’s real and possibly fraudulent apps using their name in the stores.

Some just flag on that, others actually download them and run them through an automated scan for privacy and security.

Finally, some of them then provide access to a database of these results that can integrate with MDMs and such, so companies can determine if they want to allow the app to be installed or not.

Daniel

Bev Corwin

Jan 24, 2015, 1:28:50 PM
to Daniel Miessler, Jim Manico, Jonathan Carter, owasp-mobile...@owasp.org
Good point about referencing vendor research. Any good independent research sources out there for web application security ecosystem? Is OWASP involved?

Jim Manico

Jan 24, 2015, 7:11:03 PM
to David Fern, Jonathan Carter, owasp-mobile...@owasp.org
There are at least 10 vendors out there who will monitor the various app stores and go through the take down process for you, sometimes via automation in real time. Some of these are called "brand management" services. I think it's an important strategy for this specific risk.

--
Jim Manico
@Manicode

On Jan 24, 2015, at 2:43 PM, David Fern <df...@verizon.net> wrote:

I work at a US Federal Government Agency and this is one of our challenges.

We have mobile apps but there are others out there that look valid and are not.
 
Thanks,
David

Jonathan Carter

Jan 25, 2015, 9:38:38 PM
to Jim Manico, David Fern, owasp-mobile...@owasp.org
Defensive, preventative measures are particularly important solutions to this when the cost of time after the compromise is critical. Certain verticals are particularly sensitive to this time window and proactive defenses are much more cost effective than reactive services like takedown. Both have their place as potential solutions. However, defensive postures are far more cost-effective in most business use-cases.

Willy Halim Dinata

Jan 25, 2015, 9:56:35 PM
to Jonathan Carter, Jim Manico, David Fern, owasp-mobile...@owasp.org
Hello All. I'm new on this forum.

About this topic, I wonder why people can be fooled by a look-alike banking app. They should check the uploader first whether it's the official one or not before downloading the app, shouldn't they?

Jim Manico

Jan 25, 2015, 10:47:07 PM
to Jonathan Carter, David Fern, owasp-mobile...@owasp.org
I consider both solutions to be incomplete. Most CISOs I talk to aim for both. :)

And now we hug!

Aloha,
--
Jim Manico
@Manicode

Jim Manico

Jan 25, 2015, 10:47:42 PM
to Willy Halim Dinata, Jonathan Carter, David Fern, owasp-mobile...@owasp.org
The cloned apps, especially in the Android marketplaces are VERY convincing.


--
Jim Manico
@Manicode

Jim Manico

Jan 29, 2015, 7:08:58 PM
to Willy Halim Dinata, Jonathan Carter, David Fern, owasp-mobile...@owasp.org
Any security that depends upon user awareness is doomed to failure, so a big *no way*, Willy.

Aloha
Jim

Paco Hope

Jan 31, 2015, 4:05:17 PM
to Willy Halim Dinata, owasp-mobile...@owasp.org, Jim Manico
I would agree. It is decidedly difficult for the average user to properly figure out who “the uploader” is and whether “the uploader” is, in fact, “the official one”. End users don’t really have that capability.

Paco

Jim Manico

Jan 31, 2015, 4:10:17 PM
to Paco Hope, Willy Halim Dinata, owasp-mobile...@owasp.org
*hat tip Paco*

Even really super smart users work long hours, get tired, are under stress in an emergency, or just drink waAaaaAaay too much wine or hard liquor late at night (at best[1]) while doing work activities - all of which may lead to bad security decisions.

You don't want too many shots of hard liquor ($20-$100) to undermine your major corporation (1-100 Billion dollars!)

Aloha,
Jim

[1] I have heard rumors that hard drinking starts early in the day while at work for some start-ups, oh my!

Yair Amit

Feb 2, 2015, 9:06:42 AM
to Jim Manico, Paco Hope, Willy Halim Dinata, owasp-mobile...@owasp.org
I agree with you guys. IMO, the right approach is to be able to identify whether the apps that are downloaded by employees are the official ones or fake ones. Doing so automatically (via a security tool) can allow the organization to better manage its mobile security risks and to enforce a corporate-wide policy. 

Best regards,
- Yair
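As an added illustration of the approach Daniel and Yair describe (crawling store listings for a brand's name, then automatically separating the organisation's official apps from look-alikes), the following Python is not from any poster or vendor on this thread. The inventory, listings, package ids and fingerprints are constructed, and treating the pair (package id, signing-certificate fingerprint) as an app's identity is an assumption about how such a tool would work.

```python
"""Added example: triage app-store listings against an organisation's official apps. All values are constructed."""
import re
from dataclasses import dataclass
from difflib import SequenceMatcher

@dataclass(frozen=True)
class Listing:
    title: str
    developer: str
    package: str
    cert_sha256: str  # signing-certificate fingerprint (constructed value)

# Hypothetical inventory of the bank's own apps. Identity is (package id, signing
# cert): a clone that keeps the package name but is re-signed does not match.
OFFICIAL = {("com.examplebank.mobile", "a1" * 32)}
BRAND_TERMS = ("Example Bank",)

def _norm(text):
    return re.sub(r"[^a-z0-9]", "", text.lower())

def _near(word, candidates, threshold=0.8):
    # Typosquat-tolerant word match: "exampel" vs "example" scores about 0.86.
    return any(SequenceMatcher(None, word, c).ratio() >= threshold for c in candidates)

def classify(listing, official=OFFICIAL, brand_terms=BRAND_TERMS):
    """Return 'official', 'lookalike' or 'unrelated' for one store listing."""
    if (listing.package, listing.cert_sha256) in official:
        return "official"
    blob = _norm(listing.title + listing.developer + listing.package)
    words = re.findall(r"[a-z0-9]+", f"{listing.title} {listing.developer}".lower())
    for term in brand_terms:
        if _norm(term) in blob:  # exact brand string anywhere, package id included
            return "lookalike"
        if all(_near(w, words) for w in term.lower().split()):
            return "lookalike"  # every brand word has a close match in the listing
    return "unrelated"

def triage(listings):
    report = {"official": [], "lookalike": [], "unrelated": []}
    for item in listings:
        report[classify(item)].append(item.package)
    return report

# Constructed crawl: the real app, a re-signed clone, a typosquat and a bystander.
SAMPLE_CRAWL = [
    Listing("Example Bank Mobile", "Example Bank Inc.", "com.examplebank.mobile", "a1" * 32),
    Listing("Example Bank Mobile", "Example Bank Inc.", "com.examplebank.mobile", "b2" * 32),
    Listing("Exampel Bank - Mobile Banking", "EB Apps", "com.ebapps.banking", "c3" * 32),
    Listing("Weather Now", "Sky Apps", "com.skyapps.weather", "d4" * 32),
]
```

Feeding `triage(SAMPLE_CRAWL)` to an MDM allow/deny list is the integration step Daniel mentions; the classifier itself only decides which listings deserve a closer look.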

Willy Halim Dinata

Feb 2, 2015, 9:26:50 AM
to Yair Amit, owasp-mobile...@owasp.org, Paco Hope, Jim Manico

Hi guys,

Thanks for the explanations. I thought it was a trivial thing for users to identify.

--
Regards,

Willy Halim Dinata

Sent from mobile phone. Please excuse typos and brevity.
