Build38 Recognized in Gartner 2019 Market Guide for In-App Protection
Munich, Germany, July 5, 2019 – Build38 GmbH, leading vendor of In-App protection and enabler of passwordless authentication solutions has been recognized as Representative Vendor in the Gartner July 2019 “Market Guide for In-App Protection” report. Gartner states, that “by 2022 at least 50% of successful attacks against clickjacking and mobile apps could have been prevented by using in-app protection.”
Build38’s Trusted Application Kit (T.A.K) secured mobile apps diagnose and protect themselves at runtime with Build38’s next generation RASP technology. T.A.K delivers valuable insights to service providers so that they can react on upcoming threats and fraud in real-time. To the end-user of your apps T.A.K remains invisible and non-intrusive, yet it gives your users a high level of trust and security.
T.A.K is a platform solution and an SDK for Android and iOS that allows a quick and easy development of highly secured and protected mobile apps. It is integrated into mobile apps within hours, therewith saves development costs and shortens the crucial time to launch the mobile app.
The Trusted Application Kit (T.A.K) is used globally and deployed by financial institutions, enterprise services, insurance companies, and the automotive industry.
Gartner recommendations is that “security and risk management leaders responsible for application security choose in-app protection for critical and high-value applications that run within untrusted environments and move software logic on the front end. The most common use cases will be mobile apps, single-page web apps (especially consumer-facing ones) and software on connected devices.”
“We hear almost daily that mobile apps need by far better protection than most people are aware of. We believe that Build38 helps customers to propel your app security to a new level of operational excellence. We believe this report acknowledges that In-App protection (application shielding) is a necessity to fight the growing numbers of attacks and fraud cases. We know that App security is not a luxury anymore, it is a must!” says Build38 CEO Dr. Christian Schlaeger. “We are convinced that our Trusted Application Kit, included in this Market Guide report is the most holistic solution in the market. We believe it provides a broad range of In-App protection features for the app and delivers risk- and fraud detection and prevention information to the service provider”.
Gartner subscribers may access the report here: https://www.gartner.com/document/3947048
Gartner, Inc., "Market Guide for In-App Protection" by Dionisio Zumerle, Manjunath Bhat, 3 July 2019.
Disclaimer: Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
About Build38
Build38 is a global provider of mobile application protection solutions. Its Trusted Application Kit (T.A.K) represents a new generation of app-hardening technologies that protects apps from known and unknown attacks and opens the market to new digital business models. Build38 protects applications across various industries including automotive, financial, public transport and health care. Build38 is headquartered in Munich with global offices in Barcelona and Singapore. The company is a spin out of Giesecke + Devrient and ranks among the best IT Security startups in Germany. For further information about Build38 visit www.build38.com.
Lessons from Japan: Preventing Account Takeover through App Security
Recently, it has appeared on the news that one of the largest convenience store chains in Japan, that uses a mobile wallet in order to perform payments associated to a credit card, has suffered an attack that ended up in the total loss of 55 Million Yen by almost 1,000 users. Based on public information, it is believed the attack was based on an account takeover scheme. The attacker started a password recovery process that ended up in sending an email with a password reset link.
Apparently, the process was implemented in a way that the user had the option to send the reset link to an alternative email address than the one that was originally used to sign for the account. This is a very strange practice as generally when resetting your password you use some element as the original root-of-trust (the original email address) but in this case it seems that they were using some very basic information like birth date as the root-of-trust.
Even if there is no evidence that the Mobile App was compromised and if additional countermeasures would have prevented the attack, the question here is: Can we design a password reset mechanism that can overcome the flaws of current methods? Beside this particular news, we have heard of many cases of account takeovers by attackers using SIM Card replacement mechanisms, where the Service Provider has to rely on the Mobile Network Operator / Carrier of the user to do the right verification before providing a SIM Card replacement.
Solving the issue: What if the Service Provider didn’t have to rely on third parties for that?
That brings us to an improved flow for the password recovery mechanism. Imagine you have a Mobile Wallet that you use to make purchases and you have a Mobile App in your phone, protected by some kind of user verification, e.g. Fingerprint or FaceID. One day, you want to access your account from a website. Or you are asked to login again and you forgot your account password. In a current scenario, the user would request a password reset and a link would be sent to their Email that once clicked would be used to set a new password. An alternative would be an SMS to their phone number with the link or a code for the password reset.
In the improved scenario, the Mobile App on the phone is strongly linked to it. This means that it can’t be copied to a different phone, the keys stored can’t be compromised or the communication sniffed. We also don’t have any need to rely on an SMS, whose phone number may have been compromised by poor carrier KYC mechanisms to get a SIM Replacement, or Emails that may be have compromised in multiple ways. This would work as follows: I want to login through the website but I can’t remember my password. I click on recover password. The user is asked through the website to open their app on the phone, do user verification, e.g. Fingerprint, and once is verified the possibility to define a new password is shown on the website. In the case of someone trying to take over the account, once they request the reset password link they will not get through as the real user is not going to open the app and accept the reset of the account.
Actually, such a flow would go in the direction of the Payments Japan Association guidelines that "requires the operators of mobile payment services to confirm the linkage between the devices of users and apps downloaded on them to prevent unauthorized access."
In the case that the user forgets the password and loses access to their phone at the same time, a specific “Red” path for the user verification shall be established. The good thing is that in this scenario, if an attacker is pretending to have lost their phone and forgot the password of the user, the actual user could be alerted of this happening though a warning to the App on the legit mobile device, being able to inform the Service Provider that they have not initiated such a process and alerting the Service Provider that an attack is happening.
Thus, using a strong device binding and a hardened app we can solve many of the risks associated with online account takeovers. Build38, through its family of technologies under the Trusted Application Kit (T.A.K) is able to make Service Providers independent of security processes of others, e.g. Mobile Network Operators / Carriers, Email and ISP providers. Contact us to learn more about Build38 and how we can help you transform your Mobile Security!
#buildonBuild38
Image by TheDigitalWay from Pixabay
Together stronger – Build38 helps fellow Insuretechs with Best in Class analytics and App security
Trust and Analytics are essential for Insuretechs – afterall this is what you sell. Trust is hard to generate – especially for young Insuretechs but for everyone in the industry easy to lose. Munich Insuretech Hub start-up Build38 focuses on trust in mobile Apps – the number one sales channels for the digital natives and is highly praised for its advanced technology, analytical skills and easy integration by Gartner and customers.
Build38’s head architect Marc Obrador on Wednesday started prepping fellow Insuretechs for the mobile market, dangers from hackers and attackers and gave a well-received lesson on countermeasures and design principals. Several case studies made the participants review their current strategy: misuse of your process interfaces by malicious attackers or the competition can render your service useless or cause financial damages. Like in the case of one platform app that didn’t secure its interfaces and let an attacker flood its platform with illegal orders to subscribed insurance companies. After trust was lost, so was the business case for this young company. Or when the competition took apart the source code of an app and stole company secrets on underwriting and calculations – another major blow to a young fintech that could have been prevented.
Build 38’s service is the Trusted Application Kit T.A.K (www.build38.com ) that integrates in the app by design and secures code, IP, user data and compliant PSD 2 authentication. The server component gives you great analytics on an app level that let’s you market and control your services better and basically enhances your app to become “self-defending” against attackers and the competition. Marketeers love the insights they gain and because the SDK approach makes development faster, they can try out much more flavours and variances in less time.
As a special treat and to great applause from the teams, Build38 offered the solution free of charge to all fellow Insuretech Startups for the first year: “there is absolutely no reason why you publish an unsecure app”, says Build38 CEO and Co-Founder Dr. Christian Schlaeger. “T.A.K is fast and easy to integrate and lets you focus on the important stuff for your startup: business models and innovation. For us it is a moral obligation and part of the Munich team spirit to make T.A.K usable to every young company in the Munich Insuretech Hub – together we are stronger!”
Speakers at Cybersecurity Thailand, organised by ETDA, RSA Conference and CyberTech
Build38 was present at the Cybersecurity Thailand conference organised by ETDA, RSA Conference and CyberTech. We were invited to be speakers as part of the Start-up showcase in front of an auditory of 300+ people. Great feedback was received about the innovative showcase that Build38 brings to the table of Service Providers, e.g. Banks, Automakers, Transit operators, that want to go with a Mobile First approach.
Pedro Hernandez was part of the delegation and responsible to deliver the speech during the second day of the event that was profusely reported in Thai media. Many valuable leads and connections were established that will help bring our #buildonBuild38 motto to Thailand!
Speakers at the European Cyber Security Organisation event in Madrid, Spain
Dr. Christian Schläger was invited, as CEO of Build38, to be a speaker at the latest networking event between Cyber Security Start-ups and ecosystem leaders organised by the European Cyber Security Organisation, ECSO, with the support of the National Cyber Security Institute of Spain, INCIBE. The event took place last Tuesday 14th of May, at the venue of the Secretary of State for Digital Advancement in Madrid with a packed auditorium and back-to-back private discussions with selected partners. Build38 showcased the progress done so far and excited the attendees with the next steps and potential from the business side. Gracias Madrid and see you soon! #buildonBuild38
Talk to an Expert and Get T.A.K