PiOSoned POS - A Case Study in iOS based Mobile Point-of-Sale gone wrong

Presented at AppSec USA 2013, Nov. 21, 2013, 10 a.m. (50 minutes).

Video of session: https://www.youtube.com/watch?v=CAtc7Z1VD2I&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=18 Mobile Point of Sale (POS) are becoming more and more common in a wide variety of retail outlets. And why not, it adds speed and convenience to shopping and can increase a retailers ability to sell. But POS and Mobile are hard to get right and secure. What happens when you try to combine the two on trendy iOS devices and rush your solution out the door? Based on multiple mobile tests conducted by Trustwave SpiderLabs' application security, Mike Park will walk through the typical mobile POS apps for iOS and show how and why they can be attacked, often with no sign an attack is going on. Mike will cover technological shortcomings, coding mistakes and the common misunderstanding of the underlying platform that almost always occur and result in an insecure application. This will include some hardware card reader devices that default to allowing almost no security. Outline 1. Introduction 2. Why Mobile POS? 3. Why iOS? 4. The Problem     Poorly written apps     Speed of jailbreaking     Ability to hide the jailbreak     The Card Reader 5. A walk through of the PiOSon POS demo app     What the app does     How the app reads CHD     How the app processes and send the data to the backend     How typical is this 6. Hacking the POS - Demo     Jailbreak     Intro to Method Swizzling     Setting up the device     Adding the reader     Installing the malware     Capture the Track data 7. How to improve this     Understand the underlying platform     Understand the way your card reader works     Why is this so insecure?     View a safer version of the app - AntidOte POS 8. What to do     Coding best practices     Choosing a card reader     Outside the device - MDM? 9.Conclusion

Presenters:

  • Mike Park - Managing Consultant - Trustwave SpiderLabs
    Mike Park is a Managing Consultant at Trustwave. He is a member of Trustwave's SpiderLabs - the advanced security team focused on penetration testing, incident response, and application security. He has over 12 years experience building and securing software for a variety of companies. Mike is a CISSP and specializes in application security assessment, penetration testing, reverse engineering and secure development life cycle. Mike is an active member of the Ottawa ISSA.

Links:

Similar Presentations: