PiOSoned POS - A Case Study in iOS based Mobile Point-of-Sale gone wrong
Mike Park at AppSec USA 2013
Mobile Point of Sale (POS) are becoming more and more common in a wide variety of retail outlets. And why not, it adds speed and convenience to shopping and can increase a retailers ability to sell. But POS and Mobile are hard to get right and secure. What happens when you try to combine the two on trendy iOS devices and rush your solution out the door?
Based on multiple mobile tests conducted by Trustwave SpiderLabs' application security, Mike Park will walk through the typical mobile POS apps for iOS and show how and why they can be attacked, often with no sign an attack is going on.
Mike will cover technological shortcomings, coding mistakes and the common misunderstanding of the underlying platform that almost always occur and result in an insecure application. This will include some hardware card reader devices that default to allowing almost no security.
Outline
1. Introduction
2. Why Mobile POS?
3. Why iOS?
4. The Problem
Poorly written apps
Speed of jailbreaking
Ability to hide the jailbreak
The Card Reader
5. A walk through of the PiOSon POS demo app
What the app does
How the app reads CHD
How the app processes and send the data to the backend
How typical is this
6. Hacking the POS - Demo
Jailbreak
Intro to Method Swizzling
Setting up the device
Adding the reader
Installing the malware
Capture the Track data
7. How to improve this
Understand the underlying platform
Understand the way your card reader works
Why is this so insecure?
View a safer version of the app -- AntidOte POS
8. What to do
Coding best practices
Choosing a card reader
Outside the device -- MDM?
9.Conclusion
Speaker
Mike Park
Managing Consultant, Trustwave SpiderLabs
Mike Park is a Managing Consultant at Trustwave. He is a member of Trustwave's SpiderLabs - the advanced security team focused on penetration testing, incident response, and application security. He has over 12 years experience building and securing software for a variety of companies. Mike is a CISSP and specializes in application security assessment, penetration testing, reverse engineering and secure development life cycle. Mike is an active member of the Ottawa ISSA.
Based on multiple mobile tests conducted by Trustwave SpiderLabs' application security, Mike Park will walk through the typical mobile POS apps for iOS and show how and why they can be attacked, often with no sign an attack is going on.
Mike will cover technological shortcomings, coding mistakes and the common misunderstanding of the underlying platform that almost always occur and result in an insecure application. This will include some hardware card reader devices that default to allowing almost no security.
Outline
1. Introduction
2. Why Mobile POS?
3. Why iOS?
4. The Problem
Poorly written apps
Speed of jailbreaking
Ability to hide the jailbreak
The Card Reader
5. A walk through of the PiOSon POS demo app
What the app does
How the app reads CHD
How the app processes and send the data to the backend
How typical is this
6. Hacking the POS - Demo
Jailbreak
Intro to Method Swizzling
Setting up the device
Adding the reader
Installing the malware
Capture the Track data
7. How to improve this
Understand the underlying platform
Understand the way your card reader works
Why is this so insecure?
View a safer version of the app -- AntidOte POS
8. What to do
Coding best practices
Choosing a card reader
Outside the device -- MDM?
9.Conclusion
Speaker
Mike Park
Managing Consultant, Trustwave SpiderLabs
Mike Park is a Managing Consultant at Trustwave. He is a member of Trustwave's SpiderLabs - the advanced security team focused on penetration testing, incident response, and application security. He has over 12 years experience building and securing software for a variety of companies. Mike is a CISSP and specializes in application security assessment, penetration testing, reverse engineering and secure development life cycle. Mike is an active member of the Ottawa ISSA.