Introduction
Component Integration
Brief overview of components to integration
Benefits of each component
Rules
Summary
ARXAN CONFIDENTIAL
Component Introduction
Developers follow standard lifecycle using IBM tools (Worklight, Rational) or third-party tools:
Design
Develop
Compile
Test
Keep It Secure
IBM AppScan assists developers to identify vulnerabilities in apps and facilitates organizations' ability to enforce security quality
Programming flaw remediation
Arxan enables developers or security engineers to embed self-defense and tamper-resistance to protect application integrity against attacks
Application is free of critical flaws and vulnerabilities
Application protects itself against attacks:
Defends against compromise
Detects attacks at run-time
Reacts and alerts
Integration Components
Solution Components | Benefit
1. Technical guide: How to integrate IBM AppScan and Arxan into the SDLC to use them in conjunction | Control full scope of risks and build in security from testing to run-time protection
Design and implement "defend", "detect", and "react" app integrity protections inside your app, without modifying its source code
Helps ensure interoperability and support
Rule Integration
1. Acquire Arxan IBM AppScan rules via a number of different
channels:
Rules
Available Rules and Examples
<Confidentiality Risk>
<Integrity Risk>
<Code Modification / Injection Risk>
Risk Coverage
AppScan rules cover a number of different risks highlighted in Arxan's whitepaper, Threats to Mobile Apps in the Wild:
Technical Risk | Expression Count
Repackaging
Application Decryption | 2
Rules highlight this method as likely to be swizzled and modified by an attacker:
// Transaction-request delegate
- (IBAction)performTransaction:(id)sender
{
    // username and password are assumed to have been populated earlier (e.g. from text fields)
    if ([self loginUserWithUsername:username
                   incomingPassword:password] != true)
    {
        UIAlertView *alert = [[UIAlertView alloc] initWithTitle:@"Invalid User"
                                                        message:@"Authentication Failure"
                                                       delegate:self
                                              cancelButtonTitle:@"OK"
                                              otherButtonTitles:nil];
        [alert show];
        return;
    }
    // remainder of the method body is not shown on the slide
}
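As an added example (not code from the slides, Arxan or IBM), the following shows one way an app can "detect" and "react" when a method a rule flags as a swizzle target has had its implementation replaced: record the method's IMP at launch and compare it again before the sensitive call. The class, selector and helper names (TransactionController, PinPerformTransactionIMP, GuardedPerformTransaction) are hypothetical stand-ins for the app's own; the implementation swap at the end of main is only the test stimulus that makes the guard fire.

```objective-c
// Added example, not Arxan's or IBM's code. Class, selector and helper names
// are hypothetical stand-ins for the app's own.
#import <Foundation/Foundation.h>
#import <objc/runtime.h>

@interface TransactionController : NSObject
- (BOOL)loginUserWithUsername:(NSString *)username incomingPassword:(NSString *)password;
- (void)performTransaction:(id)sender;
@end

@implementation TransactionController
- (BOOL)loginUserWithUsername:(NSString *)username incomingPassword:(NSString *)password {
    // Stand-in credential check; a real app verifies against its backend.
    return username.length > 0 && password.length > 0;
}
- (void)performTransaction:(id)sender {
    NSLog(@"transaction performed");
}
@end

// IMP of performTransaction: recorded at launch, before other code can have swapped it.
static IMP gPinnedPerformTransactionIMP = NULL;

static void PinPerformTransactionIMP(void) {
    Method m = class_getInstanceMethod([TransactionController class],
                                       @selector(performTransaction:));
    gPinnedPerformTransactionIMP = method_getImplementation(m);
}

// YES while the selector still resolves to the implementation pinned at launch.
static BOOL PerformTransactionIsIntact(void) {
    IMP current = class_getMethodImplementation([TransactionController class],
                                                @selector(performTransaction:));
    return gPinnedPerformTransactionIMP != NULL && current == gPinnedPerformTransactionIMP;
}

// The guard lives in the caller: a swizzled performTransaction: would never
// execute a check placed inside its own body.
static BOOL GuardedPerformTransaction(TransactionController *c, id sender) {
    if (!PerformTransactionIsIntact()) {
        // React and alert: refuse the sensitive operation and report it.
        NSLog(@"performTransaction: implementation changed since launch; refusing");
        return NO;
    }
    [c performTransaction:sender];
    return YES;
}

// Test stimulus only: replace the implementation the way a swizzle would.
static void ReplacementPerformTransaction(id self, SEL _cmd, id sender) {
    NSLog(@"replacement implementation ran");
}

int main(void) {
    @autoreleasepool {
        PinPerformTransactionIMP();
        TransactionController *c = [TransactionController new];
        BOOL first = GuardedPerformTransaction(c, nil);   // YES: the original IMP runs

        Method m = class_getInstanceMethod([TransactionController class],
                                           @selector(performTransaction:));
        method_setImplementation(m, (IMP)ReplacementPerformTransaction);
        BOOL second = GuardedPerformTransaction(c, nil);  // NO: the guard refuses

        NSLog(@"before swap: %d, after swap: %d", first, second);
    }
    return 0;
}
```

Two caveats worth keeping in mind: the comparison only catches a replacement made after the IMP was pinned, so pin as early as the app's lifecycle allows, and an unprotected guard of this kind is itself a single function an attacker can patch, which is the gap the embedded tamper-resistance described on the earlier slides is meant to close.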
Repackaging
Rules highlight common entrypoints where jailbreak detection should occur.
Exposed Methods
Debugger Check
Rules highlight common entrypoints where the app should check for the unauthorized presence of a debugger.
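As an added example covering both the jailbreak-detection and debugger-check entrypoints above (not code from the slides, Arxan or IBM), the block below bundles the two checks into one routine that an app can call from each entrypoint the rules highlight: launch, return to foreground, and immediately before a sensitive action. The debugger test is the sysctl/P_TRACED technique from Apple Technical Q&A QA1361; the jailbreak test looks for a few well-known artifacts and attempts a write outside the sandbox. The EntrypointRisk type, the function names and the probe file path are hypothetical.

```objective-c
// Added example, not Arxan's or IBM's code. Type, function and probe-path names
// are hypothetical.
#import <Foundation/Foundation.h>
#include <stdbool.h>
#include <sys/types.h>
#include <sys/sysctl.h>
#include <unistd.h>

// Findings reported by the entrypoint checks (bit flags).
typedef NS_OPTIONS(NSUInteger, EntrypointRisk) {
    EntrypointRiskNone      = 0,
    EntrypointRiskDebugger  = 1 << 0,
    EntrypointRiskJailbreak = 1 << 1,
};

// Apple Technical Q&A QA1361: ask the kernel whether this process carries P_TRACED.
static bool DebuggerIsAttached(void) {
    int mib[4] = { CTL_KERN, KERN_PROC, KERN_PROC_PID, getpid() };
    struct kinfo_proc info;
    size_t size = sizeof(info);
    info.kp_proc.p_flag = 0;
    if (sysctl(mib, 4, &info, &size, NULL, 0) != 0) {
        return true;   // an unanswerable query is treated as suspicious, not as clean
    }
    return (info.kp_proc.p_flag & P_TRACED) != 0;
}

// Jailbreak heuristics: artifacts absent on a stock device, plus a write outside
// the app sandbox, which stock iOS refuses.
static bool JailbreakArtifactsPresent(void) {
    NSFileManager *fm = [NSFileManager defaultManager];
    NSArray<NSString *> *paths = @[ @"/Applications/Cydia.app",
                                    @"/Library/MobileSubstrate/MobileSubstrate.dylib",
                                    @"/bin/bash",
                                    @"/usr/sbin/sshd",
                                    @"/etc/apt" ];
    for (NSString *p in paths) {
        if ([fm fileExistsAtPath:p]) return true;
    }
    NSString *probe = @"/private/jailbreak_probe.txt";   // constructed probe path
    if ([@"x" writeToFile:probe atomically:YES encoding:NSUTF8StringEncoding error:nil]) {
        [fm removeItemAtPath:probe error:nil];
        return true;
    }
    return false;
}

// Call from every entrypoint the rules highlight: launch, return to foreground,
// and right before a sensitive action such as a transaction.
static EntrypointRisk RunEntrypointChecks(void) {
    EntrypointRisk risk = EntrypointRiskNone;
    if (DebuggerIsAttached())        risk |= EntrypointRiskDebugger;
    if (JailbreakArtifactsPresent()) risk |= EntrypointRiskJailbreak;
    return risk;
}

int main(void) {
    @autoreleasepool {
        EntrypointRisk risk = RunEntrypointChecks();
        if (risk & EntrypointRiskDebugger)  NSLog(@"debugger attached");
        if (risk & EntrypointRiskJailbreak) NSLog(@"jailbreak artifacts present");
        if (risk == EntrypointRiskNone)     NSLog(@"no findings");
        // React: a real app would degrade or refuse sensitive functionality here.
    }
    return 0;
}
```

Run on a device, the routine returns a bitmask the caller can act on at each entrypoint; in a desktop or simulator build the file-system heuristics are not meaningful. As with any check compiled into the app in the clear, these functions are themselves targets for patching, so they belong at several entrypoints rather than one, and the deck's point is that Arxan's embedded protections are what keep such checks from being removed.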
Conclusions
Rules are available via many different channels: