Munich transport association MVV relies on Build38 for eTickets

MVV App secured by Build38

It's finally a public reference: the city of Munich's transport association MVV is using Build38 Trusted Application Shield T.A.K to ensure fraud prevention for its app-based public transport tickets.

They rely on anti-cloning, the binding of app, identity and ticket, and easy-to-use control codes (among 2 dozen other security features).

We are extremely proud of helping the digitalization in our hometown Munich!

If you want to know how tickets for public transport, events, digital content etc. can be secured too, while saving resources and time, contact us at solutions@build38.com and read our case study!


TeleTrusT offer: Mobile security SDK and platform free of charge for 4 months: "Get back to your customers faster, with secure mobile applications!"

In economically difficult times, we want to support TeleTrusT partners and other companies in quickly implementing their mobile applications and digitalization efforts. We see every day that the mobile app is becoming the preferred point of access to and contact with your customers. We are your service and solution provider in difficult times: focus on the app and the interaction with your customers, and we take care of security. That way you get to market faster and save time and resources, so that your customers can rely on you, because you rely on #BuildOnBuild38.

Our offer until 15 July 2020: Start a PoC of the Trusted Application Kit (T.A.K) with us and receive free access to your personalized development and test platform on our Build38 Cloud. For your apps you receive personalized and specially secured SDK components for up to 2 apps (each on iOS and Android). Our DevOps team supports you with up to 3 days of integration support. You also get access to the documentation, the learning materials and code examples for the fastest app integration on the market! If you go live with the apps in the App Store by the end of June 2020, you receive 3 further months of free use of the Build38 T.A.K cloud platform.

T.A.K protects your mobile app and your customers' data against attacks. Access to sensitive data and the storage and transmission of data are protected by T.A.K. We help companies implement their security requirements for apps faster, and so win satisfied customers on the market sooner. Your security and compliance teams have a detailed overview at all times of how your apps are being used in the field and can intervene with appropriate measures at any time.

The T.A.K mobile security SDK and platform is made by developers for developers, with the goal of enabling simple integration into your Android and iOS projects. You no longer need special cyber-security expertise, which makes faster and more efficient development possible. Our security-as-a-service approach keeps app security continuously up to date.

Not part of the offer is the Trusted Governance Kit T.G.K, the GRC solution for app monitoring and management. If you have questions about it, talk to us.

Build38 is a globally active cyber-security company with customers from various industries, such as finance and insurance, automotive, and health.

Your direct contact: servus@build38.com


Business continuity during COVID-19 outbreak

Dear all,

The challenges we all face currently with the COVID-19 outbreak cannot be faced alone. Build38 has been working against the COVID-19 impacts right from the start, helping our customers in China, having colleagues and an office in Singapore and now being indirectly affected with the teams in Munich and Barcelona.

As a result, we have strengthened two areas for our customers:

 

  • Security as a Service – integrating new features and functions for you so you can concentrate on your main business and leaving constant security and compliance to us
  • Full-service provider – integrating app development capabilities with our certified partner to offer you the complete solution and support you need from the front end (App) to your backend, SIEM integration and

For our colleagues and their families, we have strengthened the already existing possibilities for home office and flexible work time. The health of our team and their loved ones is extremely important to us. All non-essential travel has also been suspended, and all internal and external meetings will take place virtually. We understand this may impact some planned meetings, but we hope that all participants understand the gravity of the current situation.

As a company we have taken the necessary measures and updated our planning to fight the economic challenges. All our systems are cloud-based and are fully automated, so we can reassure you that our service delivery functions will continue without disruption. Our staff remains available via the known virtual channels.

We stay sharp and vigilant to help our customers worldwide with the best service from Singapore to Barcelona and support our current pilots and PoCs and everyone interested in getting into the mobile market to stay in business.

We from Build38 wish you all to stay healthy and thank you for your understanding.

Yours,

Dr. Christian Schläger
Managing Director (CEO) & Co-Founder


Build38 Closes an Exceptional 2019, Exhibits at RSA Conference and Continues its Commercial Expansion

MUNICH, March 2, 2020 /PRNewswire/ -- Build38, the global provider of Mobile Application Security made in Germany, closes 2019 at a new high with a total order intake in the single-digit million Euros. As the first full financial year for the company, this gives an encouraging message that its solutions and services are finding their way to market. With existing commercial references in Automotive, Financial Industry, Mobility, and Digital Identity, 2020 is going to be the year for scaling in those verticals and for further growth.

To continue supporting that commercial expansion, Build38 was present as an exhibitor at the RSA Conference in San Francisco, which took place in the last week of February. For almost 30 years, RSA Conference has been a driving force behind the world's cybersecurity agenda. It is the central point where people from around the world gather to share, learn and grow. Build38 welcomed current and future customers, partners and investors at its booth, had breakthrough discussions, and showcased its beyond-the-cutting-edge in-app protection capabilities and its latest developments in Mobile Threat Detection and Analytics.

The young company was also featured in Europe last week as one of the 12 startup companies selected for the semi-final for the 4YFN Award competition.

As part of the commercial expansion, Build38 has signed agreements for the provision of their solutions and services with several partners, including markets like Germany, Spain, Bulgaria, Austria, Philippines, Singapore and Taiwan. Adding to the existing agreements, the reach of Build38 grows steadily.

About Build38

Build38 is a global provider of mobile application protection solutions. Its Trusted Application Kit (T.A.K) solution combines an AI platform with the strongest app shielding technology, which protects B2B and B2C mobile channels from fraud and reduces your compliance risk exposure. It also enables new use cases and opens the market for new digital business models. Build38 protects applications across various industries including automotive, financial, public transport and health care. Build38 is headquartered in Munich with global offices in Barcelona and Singapore.

For further information about Build38 visit www.build38.com


Build38 selected for the 4YFN Awards competition at Mobile World Congress

Build38 is extremely honored to have been selected together with 12 other innovative young companies to compete for the 4YFN (4 Years From Now) Award. The Award is a highlight event that is part of the Mobile World Congress and Mobile World Capital Barcelona activities.

At Mobile World Congress, the largest mobile event in the world that brings together the latest innovations and leading-edge technology alongside today’s most influential visionaries, Build38 will have a prominent showcase. It combines a presence with a booth at the State of Bavaria Pavilion in Fira Gran Via and participation as one of the 12 innovative young companies selected at the MWC startup event, the 4YFN Award competition. The semi-finals will take place on the 24th of February and the Final on the 26th, both at the Fira Montjuïc Exhibition Hall in Barcelona.

The Build38 team is excited to deliver a memorable pitch and show how Apps can enable service providers to have additional revenue through new use-cases and reduce fraud in the mobile channel.


An Interview with Pedro Hernandez, APAC Managing Director and co-founder of Build38

This interview was published on the ICE71 Blog as part of their founder series of members of their Scale Program. It can be accessed here.

We recently caught up with Pedro Hernandez, APAC Managing Director and co-founder of Build38, an ICE71 Scale startup. Pedro shared about the story behind Build38 as well as his thoughts on mobile app security and the digital wallet space.

What inspired you to start Build38, and what’s your role in it?
The mobile experience has become part and parcel in everything we do. Just think about actions and habits such as accessing your bank account, opening your car door, and saving your personal photos in your phone. These conveniences require access to personal and private data.

Inadvertently, these data may include those of our family. My co-founders at Build38 and I realised this earlier on, especially when we are all dads with kids (daughters, to be exact). My daughter was born in Singapore two years before the founding of the company in 2018. When you enter parenthood, protection and safety of your private and family lives become a concern. That naturally led us to focus on the protection of mobile applications to safeguard our online data—and our daughters’!

I have been working in the Mobile Security space for many years, from SIM Cards to Mobile Payment solutions in Europe and Asia Pacific, so it was a smooth transition for me. Currently, I’m taking care of the business in the Asia Pacific region for Build38.

How did the name “Build38” come about?
“Build” is there because our solution is used to build secure and relevant mobile apps and services. “3” is the number of locations where we have footprints—Munich, our HQ; Barcelona, the main development and operations centre; and Singapore, our Asia Pacific hub. “8” is the number of employees when we first started the company. Interestingly, in Chinese numerology, 3 sounds like “life” and 8 typically means “to prosper”. So you could say that our name means “build a life of prosperity”—a pretty good sign!

There are many mobile security solutions in the market. How does Build38 differentiate its product called “TAK”?
The Trusted Application Kit (TAK), is a combination of client and server protection which is unparalleled in the market. On the client side, TAK provides “hardening” of a mobile app, and for this purpose it has met very stringent security requirements. It’s been used in the financial, automotive and digital identity industries. With TAK, we combine the increase in app security (app hardening) with a monitoring service of the app. This service provides real-time data and AI-powered insights for our customers, keeping their apps secure and preventing breaches and fraud. These secured apps become “self-defending”.

Share with us an interesting client use case or two.
Our solution was originally conceived to protect mobile payments, but ended up in a very diverse number of use-cases. For instance, in China, one of the largest carmakers is using our solution to protect the mobile app they provide their customers to open a car and remotely start its engine. It was critical for the app to work even in an underground parking space without network coverage. That was a challenge from a security perspective, and that was what we achieved.

In Germany, you can purchase subway tickets from your mobile phone. This convenience created a side problem—users started creating “clones” of the tickets and shared them with their friends and family, so a season ticket can be used by several people. The transit operator had to suspend this way of buying tickets! Our solution prevented ticket cloning, reducing such fraud. We pride ourselves on protecting the bottom line of our customers in reducing fraud. Because app protection enables business where none was conducted before, we ultimately help our customers increase their revenues.

We’ve been hearing a lot of news around the digital wallet space in Singapore recently. For example, Grab recently launched Asia’s first numberless card with Mastercard. Local banks such as DBS and OCBC are also rolling out efforts for customers to use Google Pay without a credit card from 2020. What are your thoughts about this?
These developments make our lives exciting and are the reason behind our presence in this region from day one. Europe is a homogeneous and legacy-type market in payment infrastructure. On this side of the world, though, we see innovative markets exerting a big influence in introducing new ways of payment and money remittance.

Singapore is at the forefront and has become a test bed for many of these new payment methods, so we see associated security challenges emerging. You probably read in the news how some ride hailing apps were hacked in order to give some drivers an advantage in the acceptance of rides. User verification and tracking has become a challenge too, and we do see some interesting approaches here. With our solution, these challenges can be addressed, and we are pretty thrilled that we are already in discussions with many of the market players. We find lessons learned here useful as we can bring them back to other markets and be at the leading edge.

Cybersecurity is the protection of any computerised system from any compromise that would have a negative effect (trust, financial, personal) in the physical world. – Pedro Hernandez


Build38 exhibiting at the Singapore Fintech Festival & SWITCH

We are very excited to share that we will be present at the Singapore FinTech Festival & SWITCH. As one of the startups selected by the Catalonia Trade and Investment agency, we will be at the Catalonia International Pavilion of the SFF x SWITCH. Come and visit us, enjoy some southern European hospitality and learn interesting facts, like that Build38's largest workforce chunk is based in Barcelona, a vibrant and innovative city that has become a key place for entrepreneurship in Europe and globally. Meet our Asia Pacific Managing Director, Pedro Hernandez, and talk to our Head of Product Architecture, Marc Obrador, for the latest insights on Mobile App Security and Fraud Management.

The Singapore FinTech Festival & SWITCH exhibition will be held between the 11th and 13th of November at the Singapore Expo (Hall 1 to 6), 1 Expo Drive, Singapore 486150. Opening times are 10am to 6pm.


The Need for Secure eHealth Apps

eHealth apps – your daily companion

In the healthcare sector, too, the range of apps has risen rapidly in recent years. Effectively, they have become everyday companions at work and at home. As early as 2017, roughly 325,000 mobile health apps were counted in app stores, and in 2018 a whopping 400 million of those apps were downloaded. These apps measure our fitness, give health tips, analyze physiological data, measure vital signs or calculate the dosage of medications.

More users come along with higher risk of data breaches and higher attractiveness for fraud

Connected health devices and wearables, such as glucometers and cardiac monitors, also collect a treasure trove of data from millions of people every day. Unfortunately, they are often unsecured and open to hacking, potentially exposing patients to adverse effects on their health. Healthcare providers and insurers must expect considerable legal, financial and operational consequences. Health insurance companies are modernizing their approach, providing digital access to insurance cards and medical records. The data breach risks associated with these are, of course, a major concern that needs to be addressed from the outset.

All companies in the fields of medicine and health insurance are faced with the challenge of providing top medical services. Digital services for patients are now being added, which must both comply with the strictest security and data protection regulations and be resistant to cyber attacks, which can be both costly to mitigate and dangerous for patients. The stakes are higher here than in almost any other field: it really is a matter of life and death in some cases.

Threats to your digitization efforts

The main threats arising from the digitalization of the healthcare industry are fraud, privacy and HIPAA (USA)/GDPR (EU) violations, ransomware and cyberattacks, unauthorized data collection, and hacking of connected medical devices and mobile phone applications. The only way to combat such threats is by implementing adequate security measures right from the very start. In app development in particular, this means incorporating security measures during the development phase and not retrofitting security at the end.

Medical and health insurance professionals can meet this challenge by making online security a priority. Investing the time and resources required to protect digital channels could prove invaluable on many levels, saving lives and preventing significant financial losses in the future. Since most health information is being digitalized for optimal mobile use, app security is at the forefront of this. Online security depends on being able to verify the identity of the patient and making sure that they are the only ones who are accessing their health information.

Call for action: Protect your eHealth app from growing risks and threats

It is Build38’s strong belief that in a changing digital landscape, app security isn’t a luxury. It is a necessity. Your developers should focus on what they are best at: delivering business value and world-class eHealth apps, while Build38 provides mobile app security. Build38’s Trusted Application Kit is a highly secure, holistic and easy to integrate mobile app security framework.

For the eHealth field, all this means that app users and service providers can rest easy in the knowledge that their highly sensitive data is safe. Patients can use the available digital services in comfort and ease, while medical professionals and insurers can be confident that the risks commonly associated with such services, such as fraud and cloning, are prevented.

In detail: how we can help

Build38’s approach to mobile app security is based on a unique triple-protection approach for compromise detection and continuous hardening: ensuring the integrity of device, app and security.
The SDK and cloud can detect changes to the device’s secure execution environment, and in case of compromise or an ongoing attack, the SDK can render its own function useless immediately. At the same time the app is secured by various In-App protection mechanisms, and while in use it is protected by RASP technology (Runtime Application Self Protection). The protected data is never visible in the clear, nor can it be extracted from the device at runtime. When the same data is in motion, the Secure Channel and Certificate Pinning prevent Man-in-the-middle (MITM) attacks.

For more detailed information on Build38’s mobile app security please read our whitepaper “Digitalisierung im Gesundheitswesen und Gefahren durch unsichere Apps" (in German) or the same whitepaper in English "Hacking Healthcare - why unsecure apps are bad for patients and providers".


Build38 selected for the Scale Programme of ICE71

Build38 is proud to announce that it has been selected to be part of the Scale Programme of ICE71, the leading Cyber Security Accelerator in Asia-Pacific. ICE71 founding partners are Innov8, the Singtel group corporate Venture Capital unit, and NUS Enterprise, the entrepreneurship arm of the National University of Singapore.

As part of the programme, the Singapore team of Build38 will take residency at the accelerator and be able to benefit from and contribute to the thriving Cyber Security ecosystem of Singapore and the region. Due to the unparalleled activities and initiatives of ICE71, Pedro Hernandez, Managing Director of Asia-Pacific and Co-Founder of Build38 stated: "We are extremely honoured and happy to be part of ICE71. Singapore, as the most competitive economy in the world and a reference in the Asia-Pacific region, it's a strategic location and ICE71 is the place to be for Build38 as a Cyber Security Start-up with plans to extend our footprint in the region".

ICE71 is located at 71 Ayer Rajah Crescent, the core of the one-north Science, Research and Innovation district of Singapore, hence exposing the Cyber Security ecosystem to multiple disciplines and forging new connections. Now the Asia-Pacific team of Build38 will be benefiting from that exposure too.

 


Security through obscurity: why not?

Wired magazine recently published an article with the following statement:

"Think of shielding code like hiding a safe behind a painting. If you have a secure enough lock, it shouldn't matter who can see it."

Well… I have to say that I (somewhat) disagree. As with everything in life, the right wording is “it depends”. In this case, it depends on the execution environment.

But let’s back up for a moment. What is app shielding? OWASP, a global non-profit organisation focused on improving the security of software, describes app shielding as “a set of technologies that typically modify an application’s binary code to make it more resistant to reverse-engineering, tampering, invasive monitoring and intrusion.”

This relates to a broader topic known as "security through obscurity". From Wikipedia: "Security through obscurity (or security by obscurity) is the reliance in security engineering on design or implementation secrecy as the main method of providing security to a system or component. Security experts have rejected this view as far back as 1851, and advise that obscurity should never be the only security mechanism."

[Spoiler alert] The right answer is in the last sentence: "[…] should never be the only security mechanism."

An analogy

Let’s try to find a more specific scenario. The example of the safe proposed in Wired’s article is a good analogy for a cryptographic protocol: the safe would be the protocol itself, the safe’s key (either physical or a passcode) would be the cryptographic key, and the content of the safe would be the data to be protected with encryption. In both cases, the security of the system relies on the assumption that the key is kept in a safe place. But what if this is not possible? What if we had to store the key close to the safe?

This is exactly what happens in mobile apps. If we want to use cryptography (and we need to), we also need to store the keys somewhere in the smartphone so we can use them. Even if we use the latest cryptographic engines (available only in new, high-end devices, such as the hardware-backed KeyStore in Android or the Secure Enclave in iOS), this only solves the problem for a fraction of our user base, and that’s not good enough.

So, what do we do? We hide the safe behind a painting. And we hide the key behind a different painting. Additionally, we implement as many mechanisms as possible, in order to make it very time consuming for a thief to find both the key and the safe: so time consuming that the police will be there before he can find both of them.

Can you see the analogy? This is the goal of app shielding: we put up as many hurdles as possible in order to force the hacker to spend a lot of time finding the key and working out how to use it. So much time that we have time to react. And "react" means, for example, that we crash the app process (which makes it very difficult to keep searching), or we delete the user data (emptying the safe, in case it is ever opened), or we even change the key itself (frustrating an otherwise successful search).

Mobile Apps need more than just App Shielding!

Of course, app shielding on its own is not enough: we need well-known and tested primitives and protocols behind it. But this is also true the other way around: if we don’t protect the key, it doesn’t matter which protocol we use.

At Build38, our Trusted Application Kit (T.A.K) uses all sorts of app shielding techniques to protect our customer’s assets – that’s also the reason why we like to call it In-App protection:

  • Our in-house compiler obfuscates T.A.K’s binary code, making static analysis a lot harder.
  • With whitebox cryptography we make sure that cryptographic keys are never in plaintext in memory (not even while they are being used at runtime!).
  • With certain runtime checks such as root/jailbreak, emulator, debugger or app re-packaging, we prevent dynamic analysis.
  • Finally, on top of pure in-app protections, Build38 uses a cloud platform that monitors the app to identify app and code modifications. The platform allows integration into SOC, SIEM and analytic systems.

All of this together allows us to provide the most comprehensive set of security features, which in turn enables app developers to focus on writing amazing apps, no matter the smartphone they are deployed on.