Using a security framework to open the car securely via a digital car key app

Easy and secure access to the vehicle with the digital car key

Easy and secure access to the vehicle with the digital car key

Smartphone instead of car key

Constant companion of our present times: the smartphone. We pick it up several times a day to check the news, make phone calls or use various apps that make our lives easier. Wouldn't it also be extremely practical to have a mobile app that conveniently unlocks and locks the car? Such apps have been around for a while, but there are still security concerns. Attacks on digital car apps have already been mentioned in the media several times. As a result, many drivers will be reluctant to use a digital car key. However, if a multi-layer security framework were integrated during the development of such apps, there would be no need to worry about a lack of security in the future.

Commentary from Torsten Leibner, Head of Product Management and Technology bei Build38

It sounds so simple: I install an app and can use it to comfortably open and close my car via smartphone. So where does it fail, that not every car owner wants to make use of a digital car key? First and foremost, because of the lack of trust in the security. Sentences such as “That’s far too insecure” or “Better not, later my vehicle will still be hacked remotely” are often heard. But if you take a close look at the issue of maximum and sustainable security as part of the planning and early implementation phase of an app, these concerns are unfounded.

Meanwhile, there are frameworks on the market that contain all the necessary security features and can be integrated within a few minutes during the development process of a digital car key app. They combine In-App Protection, In-App Reaction and In-App Monitoring in one solution. The advantage for app users is that they can benefit from the comfort of the digital car key without having to worry about any security risks. In turn, app operators from the automotive industry address more customers with a completely secure application, thus strengthening trust in the brand and the technology. In addition, such a software development kit enables a faster launch of the app.

Protect keys in the smartphone optimally

Developers of a mobile car key app can use a modern framework to directly integrate all the necessary security functions at once. This includes, in particular, protection through hardware-based security such as the Silicon Vault. This leaves them more time to concentrate primarily on usability, which is also important. A suitable solution uses cryptographic technology to prevent the secret keys from being accessible to third parties. The secure storage of the keys also offers the advantage of being able to unlock and lock the vehicle even without a sufficient connection – for example in an underground car park. To make it difficult for hackers to decrypt, a professional framework is made available to developers and providers as an inherently protected library. In this way, hackers can be prevented from accessing the digital car key. In addition, a corresponding solution makes it possible to detect whether the digital car key is running on an original or a rooted device.

So, what speaks against using such a framework and ensuring that even more owners of future-proof cars use a mobile car key?

For specific practical experience, see our case study with Chongqing Changan Automobile Company.


ablet Secure Apps Healthcare Sector

Security framework from Build38 makes eHealth apps secure

Security framework from Build38 makes eHealth apps secure

Comprehensive app security guaranteed from development

With the current boom in eHealth apps, concerns around security and privacy are growing louder. Particularly in the case of health apps that provide information about specific diseases, offer support or form the communication interface between health insurers and customers, sensitive data must be specially protected. The so-called Trusted Application Kit (T.A.K) provides a secure framework with code encryption, making it much more difficult for hackers to gain access.

In order to finally eliminate security and data protection concerns in the use of eHealth apps, a general GDPR-compliant solution is currently being sought. This is especially true for digital health apps, which are prescribed by doctors. Build38 already has a suitable solution ready: The T.A.K is permanently adapted to the latest security findings and requirements in order to be able to guarantee the necessary security at all times.

Comprehensively secure eHealth apps with T.A.K

In accordance with the Shift Left Security approach, the T.A.K is already integrated into the app during app development as a library with code obfuscation. Since decryption proves to be particularly difficult, this ensures security from the outset. The multi-layered framework offers In-App Protection as well as reaction and central In-App Monitoring.

When a T.A.K-protected eHealth app is downloaded from the app store and opened for the first time on a mobile device, the app first checks whether it is running in a secure environment. Depending on the result, the app is then either run or blocked subsequently. “Digital health apps make an important contribution in the detection, monitoring, treatment or alleviation of diseases. For this reason, as for all medical devices, important safety regulations apply to them,” says Dr. Christian Schläger, Managing Director at Build38. “With our T.A.K, app operators and developers have a tool that can be integrated into the app in under three minutes. With effective risk and threat management, abuse and manipulation by cybercriminals can be significantly minimized.”

You can also get extensive insights into the topic of eHealth apps and their security in the podcast “Tick Tack – Time for Mobile Security” from Build38: https://build38.com/de/neuer-build38-podcast-mobile-health-security-episode-1.


App security specialist Build38 welcomes Manuel Holzhauer as new advisory board member

App security specialist Build38 welcomes Manuel Holzhauer as new advisory board member

Focus on digital transformation in the finance and insurance market

With immediate effect Manuel Holzhauer joins the advisory board of Build38. In doing so, the start-up benefits from its many years of experience and extensive network from its activities in the start-up, finance and insurance industries. Holzhauer currently operates as Insurance Industry Executive at Microsoft.

Before his current position at Microsoft, Manuel Holzhauer worked for many well-known companies and organizations such as PricewaterhouseCoopers, Accenture, Munich Re and the InsurTech Hub Munich. Through the InsurTech Hub, he has known and supported Build38 GmbH since its foundation. He has a passion for innovation and digital transformation in the finance and insurance sector. Especially in the financial industry, customer centricity is a decisive competitive factor. This applies to internal processes, but much more to external customer interfaces. Here, the focus should be on customer benefits at all times. For example, mobile apps can be used to implement new concepts that improve communication with customers and simplify the execution of transactions.

"Mobile apps as a front end to the customer are now very important to many companies. Here, developers and operators often focus on the functionalities or the user experience, but not on the necessary security and compliance. However, since the banking and insurance sectors in particular have security as a key value proposition, cyberattacks pose an enormous threat that can quickly become a reputational risk. Therefore, in my view, it is essential to take appropriate safety measures. For this reason, I see it as essential to integrate app security during the early development phase. This is exactly where Build38's innovative concept comes in," says Holzhauer.

"We are pleased to have Manuel Holzhauer on board, an experienced expert whose inspiring ideas and good relationships will help us build bridges in the world of finance and insurance. With his support, we are able to expand the reach of our app security approach, make new contacts and advance business processes," says Dr. Christian Schläger, CEO of Build38.

Manuel Holzhauer, new member in the advisory board
from Build38


Silicon Vault, by Build38, makes data storage on mobile devices more secure

Silicon Vault, by Build38, makes data storage on mobile devices more secure

Product update ensures improved control over sensitive data

With the Trusted Application Kit (T.A.K) Build38 has developed a software development kit (SDK) that protects mobile apps from all online threats. In order to adapt the T.A.K to new security requirements, the provider has now added Silicon Vault to its tool, which uses the hardware (HW)-backed storage capabilities of modern smartphones. This means that certificates, API keys, sensitive data and health information, among other things, can be stored on the mobile device even more securely than before.

Business and digital use cases are evolving at an ever-increasing pace these days, from eGovernment to healthcare to automotive use cases. This makes it all the more important to constantly adapt the mobile app security to the current requirements and the threat situation. Build38’s T.A.K already contains all the necessary security functions for mobile apps. This security framework can be integrated in under three minutes during app development.

With Silicon Vault, Build38 has supplemented the T.A.K with a new security feature that uses hardware-based symmetric and asymmetric cryptography on mobile devices. In this way, data storage can be effectively secured in the future. Other T.A.K features such as Secure Storage – which has been available for a long time – signature creation and TLS authentication also benefit from this increased level of security.

“With the extension of our solution, we are pushing the step towards further digital sovereignty for our customers and partners,” says Torsten Leibner, Head of Product Management at Build38. “The new feature enables us to provide maximum security for modern use cases when using mobile apps. Security-relevant information remains on the end device and is securely stored there.”

Torsten Leibner, Head of Product Management von Build38
Torsten Leibner, Head of Product Management, Build38


Banking Fraud

The fundamentals of implementing strong Device Identification

The fundamentals of implementing strong Device Identification

Some weeks ago, IBM Trusteer reported a massive fraud operation against banks, which lead to losses in the order of millions of dollars. In a nutshell, attackers managed to 1) steal end user credentials and 2) bypass the fraud management scheme of the banks in order to automate millions of small transactions, which would go through unnoticed by the banks’ risk assessment infrastructure (and, potentially, also by the users).

The first step (stealing the bank customer’s credentials) was apparently done using some sort of social engineering attack (that involved installing malware in the end-user’s device). Whereas in the second step attackers used emulators to “trick” the fraud management system of the different banks. We believe it is fair to say that, in this case, the fraud management system failed to do its job, which is, precisely, to protect against situations like this one, where users have been tricked or deceived. So, let’s dig a bit more into this.

Identifying the weak spot

Let’s first try to understand what the anti-fraud system was supposed to be doing. From the reading, one can understand that it was supposed to detect situations where a user account was being used in a device other than the legitimate user’s one. This is a typical scenario for fraud management: if we see the user is using an iPhone, whereas normally they are connecting from a Samsung… Well, that is strange, isn’t it? So, this is why the hackers used emulators: because emulators gave them the ability to “trick” the anti-fraud solution to believe that they were using the end user’s device, when in fact they were not.

So, how might have this worked out? And let’s be clear here, we are entering the land of speculation as the researchers didn’t give enough details to know exactly how it worked. But it is safe to assume that attackers:

  1. Somehow managed to plant malware into the user’s device (e.g., via a phishing scam)
  2. Used this malware to steal credentials, device information and get access to SMS
  3. With the information harvested, set up an automated scheme that
    a) set up an emulator that looked (to the eyes of the anti-fraud system) exactly like a user’s device.
    b) logged in to the banking app using the stolen credentials. Since the device seemed to be the end user’s one, the anti-fraud system didn’t react.
    c) performed a small transaction, that would not raise any suspicious in the banks’ system (and, likely, would go unnoticed by the user), and, finally
    d) was able to repeat these steps millions of times in a matter of days, effectively stealing millions of dollars.

There are multiple things that could have been done differently in this scenario, but here we want to focus on how the attackers managed to “spoof” the device. Or, in other words, how strong was the device identification mechanism. In order to answer this question, let’s first put ourselves in the shoes of the attacker and let’s try to understand how they would go about “spoofing” an end user device.

The relevant step here is not so much 3.b, but rather step 2: collecting the right device information to be used later on. Because the most important thing the attacker needs to know is which information does the fraud management system use to identify a device. At the end, this is the information the hackers need to extract (using the malware) from the end user device to be able to spoof it.

Most likely, the fraud management system uses many different values to identify a device: some of them are obvious, but other ones not so much. Among the obvious ones we can find things like the device manufacturer, the device model, the operating system version, the Android ID (for Android devices) or the IDFV (for iOS ones) … But these are not really interesting, as any device identification system would use them.

The real strength of the device identification system resides on the not-so-obvious device identifiers, especially how many of them are used and, also, how well protected are they. Notice that it is not that important which parameter is being used, but how difficult it is for an attacker to know that it is being used. At the end, the ultimate goal of the attacker is to write a piece of malware that will gather it later on – and this is what we want to prevent.

Exploiting the weakness

So: how could an attacker know the device identifiers that are being used?

  • The easiest approach would likely be to sniff the information transmitted from the app to the backend, using a MITM attack. By analyzing the traffic, the attacker would get a good understanding of which identifiers are being used.
  • Another option would be to read through the source code of the application, in order to find the routines that gather this information and send it to the backend systems. Since the source code is likely to not be available to the attacker, the alternative will be the decompiled binary. It is not as useful as the source code, but a good amount of information can be extracted from a decompiled binary performing static analysis.
  • Finally, the last option available (because it’s the most difficult one) to the hacker would be to use dynamic analysis. Examples of dynamic analysis include debugging the application while it is executing, using a hooking framework (like Frida), etc.

Notice that the options listed above are not mutually exclusive: the attacker needs to succeed in only one of them in order to succeed in the whole attack. So, solutions that prevent only one of the scenarios will make the attacker’s life difficult but will not, ultimately, prevent them from succeeding.

Protecting your app

Considering all of this, we could say that a strong device identification scheme should:

  1. Use many, non-obvious, device identifiers. The more device identifiers, the better.
  2. Protect against MITM attacks. Sniffing network traffic yields a lot of information, so a good protection on this front is a must.
  3. Obfuscate the sensitive parts of the binary. In the case of mobile apps, attackers will always have access to the binary, so proper obfuscation to prevent static analysis is crucial.
  4. Prevent against dynamic analysis. When static analysis is not enough, attackers will fall back to dynamic analysis: debugging, instrumenting, modifying the app, etc. This means that preventing against debuggers, hooking frameworks (such as Frida) and code injection, among others, is also important.

Taking a broader perspective, we can conclude that proper endpoint protection is a must for fraud-prevention solutions based on end-user device identification. Otherwise, attackers will manage to feed “fake” data that will bypass the protections implemented in the backend.


Nordic IT Security Summit Logo

Secure Mobile Banking: Build38 present at the Nordic IT Security Summit

Secure Mobile Banking: Build38 present at the Nordic IT Security Summit

Cybersecurity event for the financial sector

Cyberattacks are occurring more and more frequently around the world. Especially banks and financial institutions are very much affected. To support the financial sector on cybersecurity, the Financial Institutions Edition of the annual Nordic IT Security (NITS) Summit has been launched. This will provide a platform for the fintech, e-commerce and mobile banking industries, offering an optimal opportunity for networking and mutual exchange. The event will take place on April 15 and 16, 2021. In total, many industry leaders will participate in the Summit, outlining their visions and sharing valuable business insights. It will also be possible to browse virtual exhibitions, in which the latest technologies are presented. Build38, an expert in mobile banking app security, is also part of the digital event.

Especially due to the Corona situation, mobile payment is used even more frequently by customers. At the same time, it has also brought it increasingly into the focus of cybercriminals, who hack banking apps to gain access to customers' personal payment data. However, this risk can be eliminated with the early integration of a multi-layered security framework that includes all necessary security functions. Build38 has developed such a framework, which prevents known and unknown attacks at all times and thus optimally secures banking apps. In line with the Shift Left Security approach, the Software Development Kit (SDK) can be integrated in a very short time during the early development phase. This ensures security from the outset. During the event, attendees will be able to learn in-depth about Build38's Trusted Application Kit (T.A.K).

Further information about the event can be found here: https://nordicitsecurity.com/.

 

 

 

 

 


eHealth apps already without security risks and side effects

Goodbye to security and data protection problems

We are currently experiencing a boom in eHealth apps. Some apps accompany patients during certain illnesses, provide information and offer support, while other apps help with weight loss, exercise or serve as a means of communication between health insurers and customers. Soon there will also be the e-prescription and the electronic patient file. What all these apps have in common is the need for maximum security. In the case of the electronic patient file in particular, there is currently a lot of discussion about security and data protection. But if these factors were taken into account appropriately during the development process, there would be no need to worry about them. Appropriate solutions that take all important security aspects into account are already available on the market.

Comment by Dr. Christian Schläger, Managing Director of Build38

Of course, it is of paramount importance that apps – especially eHealth apps – are sufficiently protected against cyberattacks. In healthcare and also in apps, a lot of sensitive and personal data is processed which is extremely worth protecting. For example, diabetics enter their measured blood glucose levels, or people who are about to lose weight note their weight and have their body mass index calculated. The fact that this data is not intended for everyone probably does not need to be mentioned here. That's why we can understand why users are currently focusing on the security and data protection of these apps.

Security is often neglected in app development

Nevertheless, the security aspect is often initially neglected during app development due to a lack of expertise, time and budget. Before thinking about establishing certain security measures, many companies give top priority to the design and the fastest possible launch date. If an app is then launched under this assumption, it usually does not offer sophisticated protection against data theft, app cloning or other cyberattacks.

It's so easy to integrate security into apps right from the start. The days when large sums of money had to be invested and it took an extremely long time to secure an app 100 percent are over. In the meantime, there are modern and more cost-effective alternatives in the form of frameworks that can be integrated during app development in a short time. Such frameworks can prevent attacks and unauthorized access, so that sensitive data can never fall into unauthorized hands.

This should make it possible to finally remove all concerns about security and data protection.

 

 

 

 


Gebäude TÜV Austria

Mobile app security through security framework: Build38 enters into distribution partnership with TÜV AUSTRIA subsidiary SPP

Mobile app security through security framework: Build38 enters into distribution partnership with TÜV AUSTRIA subsidiary SPP

Expansion of the partner network in the DACH region

Munich, February 23, 2021 – With the number of mobile applications growing every day, the topic of app security plays an important role worldwide. Attacks, in which cybercriminals gain access to apps via security vulnerabilities and thus obtain sensitive data, occur again and again. To solve this global problem and make apps secure, Build38 has developed a Software Development Kit (SDK) that includes a collection of essential security features. To make its SDK available to even more companies in the future, the solution provider is pursuing the expansion of its partner network. By cooperating with the reseller SPP, a wholly owned subsidiary of the TÜV AUSTRIA Group, Build38 is taking another important step in this direction.

Mobile applications on smartphones and tablets have become an indispensable part of everyday life. With the constant use of apps, it is important that they are completely secure so that hackers cannot gain access to it and manipulate it or be able to pick off data. Consequently, every app should be equipped with the necessary security features during development, which the framework from Build38 includes. This allows all Android and iOS apps to be secured from the ground up, so developers, operators and users no longer have to worry about potential cyberattacks.

Expansion of sales activities

Through the newly concluded partnership with TÜV AUSTRIA Group member SPP, Build38 is opening up a new sales channel in the DACH region. "We are pleased to have gained another experienced and well-positioned partner," says Dr. Christian Schläger, Managing Director at Build38. "TÜV AUSTRIA Group's international focus and wide range of authorizations give us the opportunity to offer our mobile app security solutions in additional markets with immediate effect. It is important to us to draw attention worldwide to the need for app security, which can be ensured easily and quickly with our SDK. SPP and TÜV AUSTRIA can provide us with excellent support in this regard."

"Mobile security, specifically secure app development, is an increasingly important topic in today's society and economy. Great damage can quickly arise here – both for the operator and the user – if the topic of security is not focused on at an early stage," says Andreas Koeberl, General Manager at SPP. "We have taken a close look at Build38's security framework and see high potential in it for a holistic security concept for apps."

Andreas Koeberl, General Manager SPP

Andreas Koeberl, General Manager SPP


Security of eHealth apps

3, 2, 1 – Lets start with Mobile Health Security

3, 2, 1 – Let`s start with Mobile Health Security

An introduction to health app security

Do you already use eHealth apps? Maybe you’ve already tracked your fitness on your smartphone or documented your nutrition. In the meantime, there are even certain tested medical apps that are prescribed by doctors and covered by health insurance companies. In the case of diseases such as diabetes, tinnitus or obesity, they provide information, offer preventive measures and support with training and nutrition. Some apps also measure, store and evaluate medical data. This makes them a great help for many people: they motivate them to make personal changes, to keep an eye on their health, or even to improve it. But with all these positive effects, what about app security, and inherently also protecting the patient date? In this blog post, we provide an initial insight into the topic of digital health, what types of apps there are and what their security status is.

Have you ever heard of diabetes apps? They can help those affected by diabetes to manage everyday life more easily, and bundle all important therapy information in one place. In this way, app users can conveniently automatically transfer their values ​​to the app via Bluetooth and then have them analyzed with one click. Such an app is also able to display the blood sugar history or to offer motivating challenges. The data obtained in this way can be used to create clear PDF, Excel or CSV reports that can be used, for example, for the next doctor’s visit.

Diabetes apps are just one example in the area of ​​eHealth. There are many other apps that focus on our health.

What is eHealth?

eHealth is a subcategory of Digital Health. It has been defined by the World Health Organization (WHO) as an umbrella term for the use of information and communication technologies for health. It is the integration of IT technologies or applications for the purpose of health. With regard to digital applications, one quickly stumbles upon the term mHealth (mobile health). mHealth refers to a subset of eHealth activities and systems on mobile devices. eHealth apps are now available en masse. At the latest the Corona pandemic is likely to have continued the upward trend.

Many people have certainly tried health apps in their everyday lives – from the simple body mass index (BMI) calculation app to personal health assistants. A large part of these apps is made up of the wellness area, ie apps for “health-oriented people”; for people who are concerned about their health and “just” want to live healthy. These include fitness apps, lifestyle apps and apps with nutritional information.

Then there are apps that are used in specific cases of illness, and those that are supposed to make life with an illness easier. In these two areas, the focus is on accompanying or supporting their life despite an illness.

In addition, further categories have been defined: apps that require CE marking and the digital health applications introduced in Germany in 2020, the DiGA apps (Digital Health Application). Both take an important step in the direction of quality assurance, because they are subject to regulatory control.

Not to be forgotten are apps, which are playing an increasingly important role in the communication process of the health system. These include, on the one hand, apps for management and communication between health insurance and customers and, on the other hand, apps that increase efficiency in the health system. The latter include, for example, the e-prescription and the electronic patient record (ePA). As for the DiGA apps already mentioned, the legal basis for all this has now also been created.

Security, where are you?

Uniform quality criteria for eHealth apps do not yet exist. Data protection and security in particular should be given greater focus in app development. After all, patients want their data to be secure, and legislators also want sensitive data to be protected. However, this does not only apply to eHealth apps. Every app processes personal data and can only be marketed successfully in the long term if consumer trust in IT security and protection of data can be guaranteed.

General security is therefore one of the most important requirements users have of an app. In opinion polls, users say that security and data protection are most important to them in eHealth apps. This is followed by the credibility of the app and the manufacturer, regular maintenance of the app, integration and data collection, and last but not least, who owns the data. You can find out what this means in concrete terms for the security of health apps in our next blog post on this topic.


Sicherheit für den Digital Car Key

Digital Car Key: Open the car safely with your smartphone

Digital Car Key: Open the car safely with your smartphone

The world is becoming more and more digital. An indispensable part of our daily life: smartphones and tablets. As a matter of course, we almost constantly use our mobile companions to google something, make contactless payments or switch on the light in the living room. The flood of apps that are added every day in the App or Google Play Store is almost endless. In the wide world of the stores, there are also mobile applications with which vehicles can be locked and unlocked via cell phone. Such digital key apps are extremely popular not only with many drivers, but especially with hackers. As a result, it is important to take appropriate measures right from the start of the app development to protect the practical digital car key from being accessed by third parties.

Due to the corona pandemic, businesses are increasingly calling for contactless payments. In the course of this, many have already switched to mobile payment and pull out their cell phone or smartwatch at the checkout to settle the bill. What we know from the financial sector has meanwhile also found its way into the automotive sector: the digital car key is enjoying increasing popularity. With the appropriate installed app, future-proof cars can easily be opened and closed again using a smartphone. This offers a pleasant comfort.

However, some automobile owners do not have trust in such modern technology as there is a lot of media coverage of vehicles that have been hacked remotely. To solve such concerns, it is essential that manufacturers adequately protect their digital key apps. This is the only way to guarantee customers security when using the technology. Maximum and sustainable protection should already play a central role in the planning and early implementation phase. Thereby, many of those responsible do not have on their radar that there are multi-layered security frameworks that make the work much easier.

Integrate framework – lock out hackers

A Software Development Kit (SDK) like our Trusted Application Kit (T.A.K) holds a collection of security features that every app needs. Developers of a mobile car key app can integrate the SDK without much effort and in a short time. This ensures that the secret keys in the mobile app are not accessible to unauthorized persons using cryptographic technology. Due to the secure storage of the keys in the smartphone, there is the additional advantage that no network signal is required to access the car. Even if it was parked in an underground garage where the connection is insufficient, the vehicle can be opened without any problems. Furthermore, the integration of our T.A.K allows several people to access the digital key without compromising security.

To ensure that hackers have no chance of accessing the mobile car key, the SDK is made available to developers and providers as a library with code obfuscation, which makes decryption much more difficult. In addition, the app protection uses a secure communication channel between the client and the cloud and provides each app, including the digital car key, with its own secure communication channel. The secure communication channel to the server prevents data traffic analysis (network sniffing). Therefore, the T.A.K should be integrated into the app at the beginning of the development so that it can respond directly to threats later during execution. The integrated Trusted Application Kit can, for example, detect whether the mobile car key is being executed on an original device or a rooted device. Beyond that, the digital car key can be declared inactive via the T.A.K cloud.

Advantages for the users

  • They can use the digital car key unhesitating and benefit from everyday convenience without worrying about the security risks.

Advantages for the automotive industry

  • The T.A.K increases the security of many operating system versions and thus achieves high market coverage/many customers.
  • They strengthen trust in the brand and the technology.
  • It is possible to satisfy the desire of many car owners for security when using such promising technologies.
  • The car owner’s belongings are protected.
  • There are lower costs to develop the technology in an all-around secure way.
  • The app can be launched more quickly because the kit integrates all the essential security aspects required for In-App Protection.
  • Reputational damage can be avoided.

Find out how it all works in practice in our case study with Chongqing Changan Automobile Company.