Threat Modelling for the Mobile Channel: A Quick Guide Using Mobile Banking as a Case Study
Introduction: Navigating the Complexities of Threat Modelling in Mobile Banking Applications
In application security, the concept and practice of threat modelling stand out as crucial elements, especially when it comes to securing mobile banking applications. This guide is specifically crafted for a wide range of engineers and risk executives, aiming to enrich their understanding of advanced threat modelling methodologies and techniques.
We go beyond the basics of threat modelling, adopting an iterative, structured approach that involves a thorough analysis of the entire ecosystem. This method recognizes the necessity of controlling certain aspects while applying a zero-trust approach to others. The foundational principle of this methodology is integrity, a critical element without which security cannot exist.
Threat modelling is a systematic and strategic process designed to identify and evaluate potential threats and vulnerabilities within a system. It is an essential tool that enables engineers to understand and anticipate possible attack vectors, and effectively prioritize security measures. In this guide, we explore an advanced approach to threat modelling, one that embraces a holistic view of multiple systems as an interconnected whole. This comprehensive perspective is key for security professionals, as it facilitates the identification of multiple reinforcement points, leading to more precise and informed risk scoring and prevention strategies. Practical experience has consistently demonstrated that such an approach substantially diminishes the success rate of attacks, whether targeted at the entire mobile channel or its specific components, like mobile applications.
Our exploration includes a dive into the STRIDE threat modelling methodology, applying it to dissect the attack surface of mobile banking apps. We examine various components, including the user interface, data storage, network communication, third-party integrations, and the core operating systems, such as Android and iOS. In navigating the potential threats — from unauthorized access, data breaches, malware, and DoS attacks, to MitM attacks — we assess what might be effective risk management strategies. It is important to note that each organisation is unique, so the likelihood and impact of these threats will differ from one organisation to the next, yet remain very significant. When assessing them, it is important to establish robust lines of communication between stakeholders and to have key priorities and risks identified and agreed among key people in the company.
The guide places a strong emphasis on the implementation of robust countermeasures. These include multi-factor authentication, encryption, secure coding practices, regular security testing, code reviews, and comprehensive incident response planning. Highlighting the dynamic nature of threat modelling, we underline the importance of continuous monitoring and updating to stay aligned with emerging threats and technological progress. Effective collaboration and communication with stakeholders, developers, and security teams are emphasized as crucial components of this ongoing process. Furthermore, the role of tools and automation — including threat modelling software, vulnerability scanners, and penetration testing frameworks — should not be underestimated in simplifying and enhancing the threat modelling process. Nevertheless, these tools are out of scope for this quick guide.
Additionally, the guide stresses the importance of user education in reinforcing app security. We advocate for clear instructions on secure app usage and heightened awareness about common threats such as phishing and password security. Integrating security training or resources directly within the app itself is highlighted as a strategy to enhance user understanding and compliance with security measures.
Overall, this guide aims to equip professionals with the essential knowledge required to establish a security framework for mobile banking applications, ensuring the protection of sensitive information in a constantly evolving digital environment.
Understanding the STRIDE Threat Modelling Framework
One of the most popular frameworks for threat modelling is STRIDE, which stands for Spoofing Identity, Tampering with Data, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. Here are examples of each element of STRIDE:
S (Spoofing Identity)
Threats: Unauthorized access to user accounts and impersonation of banking servers.
Real-World Example: Cybercriminals use phishing techniques to acquire user credentials, gaining unauthorized access to banking accounts.
T (Tampering with Data)
Threats: Unauthorized alteration of transaction data and manipulation of app code.
Real-World Example: Attackers inject malicious code into a banking app, altering transaction values or destinations.
R (Repudiation)
Threats: Transaction disputes arising from inadequate audit trails.
Real-World Example: Customers dispute authorizing transactions in the absence of verifiable logs.
I (Information Disclosure)
Threats: Data breaches that expose sensitive customer information and interception of data during transmission.
Real-World Example: Hackers exploit weak encryption to intercept and steal customer data in transit.
D (Denial of Service)
Threats: Disruptions to banking services and server overloads.
Real-World Example: Distributed Denial of Service (DDoS) attacks overwhelm a bank’s servers, rendering the mobile app inaccessible to legitimate users.
E (Elevation of Privilege)
Threats: Exploiting system vulnerabilities to gain unauthorized access or elevated privileges.
Real-World Example: Attackers exploit flaws in the mobile operating system to gain elevated privileges, circumventing the app’s security measures.
Mapping STRIDE onto the Mobile Channel
Understanding how the STRIDE framework maps onto the mobile channel is crucial. Except for Denial of Service, which primarily concerns backend availability, each category typically involves a combination of API security, communication channel security, and application/device security. This multifaceted approach is key to preventing successful attacks.
Holistic Countermeasures for the Mobile Channel
It’s essential to base our entire strategy on the premise that the system maintains a certain level of integrity. Let's first outline these foundational measures before diving into specific countermeasures. It is important to emphasize that effective and continuous communication among stakeholders is critical at all stages, including design, planning, execution, and feedback loops. Regularly asking critical questions - who, what, when, how, whom, and why - and challenging the strategy is crucial. However, it’s also important to respect organizational authority and recognize that apparent security gaps might be part of a broader strategic approach.
Foundational Security Measures in Mobile Application Security
In the dynamic world of mobile application security, where challenges range from man-in-the-middle attacks to sophisticated malware, the foundational approach to safeguarding apps is multi-faceted. Based on my comprehensive experience as a co-founder and CEO of a pioneering mobile application security company, the following measures are pivotal:
Encryption of Sensitive Elements
Encrypting sensitive strings, classes, and native libraries in the application is crucial. This includes protecting resources and employing entry point obfuscation and Android manifest mangling.
Obfuscation Techniques
Name obfuscation for methods and variables, alongside control flow obfuscation, helps mask the application's internal logic from potential attackers.
Virtualization and RASP
Utilizing virtualization to conceal system API invocations and integrating Real-Time Application Self-Protection (RASP) enhances security against runtime threats.
Integrity Controls
Implement encryption-based integrity control and additional code integrity checks, ensuring the application remains uncompromised at various stages.
Robust Anti-Tamper Mechanisms
Incorporate anti-debugging, anti-dynamic instrumentation, and anti-emulator measures to thwart advanced reverse engineering and tampering efforts.
Device-Specific Protections
Implement anti-root, anti-jailbreak, and anti-sideloading measures, along with anti-malware defences, to secure the device environment.
Communication Hardening
Public key pinning, certificate transparency, and mobile application firewalling fortify the communication channels against interception and manipulation.
Advanced Countermeasures
Deploy techniques against AI-enabled threats like camera stream replacers, vital for safeguarding systems like KYC.
Upon establishing application and device integrity, the focus shifts to threat intelligence platforms (or Extended Detection and Response - XDR), which monitor and collect data from self-protection engines. These platforms analyse various factors - from malware presence to device integrity breaches - and contribute to risk scoring systems.
This holistic monitoring is complemented by cryptographically signed transactions using White Box Cryptography (WBC) to minimize key leakage risks and implement WBC table destruction algorithms.
Moreover, mutual backend-app-device integrity authentication/attestation forms a crucial part of the security strategy. This approach, including elements like device binding and SSL certificate pinning, enhances mutual trust between the app and the server.
To further reinforce security, the integration of Virtual Trusted Execution Environment (vTEE) alongside hardware secure elements forms a hybrid approach, offering robust protection against targeted attacks.
In designing these strategies, one must consider the human element, emphasizing the need for continuous evolution in response to the ever-changing security landscape. Creative and critical approaches, combined with a deep understanding of internal processes and a holistic view of both technical and human factors, are essential in developing effective security strategies.
Expanded discovery of STRIDE
S (Spoofing Identity)
- Multi-Factor Authentication (MFA)
MFA is essential, utilizing biometrics, one-time passwords via email, push notifications, SMS, physical tokens, secure authenticator apps, or unique bank card identifiers. Balancing robust security with user experience is critical. Clear communication and user education on security measures can enhance user loyalty and understanding.
- Device Binding
Binding the customer's device to their account, such as through device fingerprinting, ensures only authorized devices access the application.
- Advanced RASP
Implement real-time application self-protection to prevent malicious manipulation of camera and microphone streams.
- Behavioural Analysis
Monitoring user behaviour for anomalies, like repeated failed login attempts or unusual spending patterns, helps detect impersonation attempts.
- Zero-Knowledge Proof (ZKP) Authentication
In highly secure scenarios, using cryptographic computations through applets installed on banking cards can enhance authentication processes.
It is important to remember that while these countermeasures are effective, no single solution is foolproof. A layered defence strategy, combining multiple security controls, is always more effective.
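An added example (not code from the original guide) of how signals from a self-protection engine and the failed-login anomaly mentioned under Behavioural Analysis could feed a single risk score and an allow / step-up / deny decision. The signal names, weights and thresholds are hypothetical, and the events are constructed sample data.

```python
"""Device risk score from self-protection signals plus a failed-login burst check."""
from collections import deque

# Hypothetical weights and thresholds; each organisation tunes its own.
SIGNAL_WEIGHTS = {
    "root_or_jailbreak": 40,
    "debugger_attached": 35,
    "dynamic_instrumentation": 45,
    "emulator": 25,
    "sideloaded_install": 20,
    "malware_detected": 50,
}
UNKNOWN_SIGNAL_WEIGHT = 10      # a new detector must never be silently ignored
FAILED_LOGIN_WINDOW_S = 300
FAILED_LOGIN_THRESHOLD = 5
FAILED_LOGIN_WEIGHT = 30
STEP_UP_AT, DENY_AT = 30, 70


def max_failures_in_window(timestamps, window_s=FAILED_LOGIN_WINDOW_S):
    """Largest number of failed logins inside any window_s-second span."""
    window, best = deque(), 0
    for ts in sorted(timestamps):
        window.append(ts)
        while ts - window[0] > window_s:
            window.popleft()
        best = max(best, len(window))
    return best


def score_device(events, device_id):
    """Return (score, reasons) for one device; repeated signals count once."""
    mine = [e for e in events if e["device_id"] == device_id]
    signals = {e["name"] for e in mine if e["type"] == "signal"}
    score, reasons = 0, []
    for name in sorted(signals):
        if name in SIGNAL_WEIGHTS:
            score += SIGNAL_WEIGHTS[name]
            reasons.append(name)
        else:
            score += UNKNOWN_SIGNAL_WEIGHT
            reasons.append(f"unknown:{name}")
    failures = [e["ts"] for e in mine if e["type"] == "login_failed"]
    if max_failures_in_window(failures) >= FAILED_LOGIN_THRESHOLD:
        score += FAILED_LOGIN_WEIGHT
        reasons.append("failed_login_burst")
    return min(score, 100), reasons


def decide(score):
    """Map a score to an action; step_up means requiring an additional factor."""
    if score >= DENY_AT:
        return "deny"
    return "step_up" if score >= STEP_UP_AT else "allow"


# Constructed telemetry: timestamps are seconds, device ids are placeholders.
SAMPLE_EVENTS = [
    {"ts": 1000, "device_id": "dev-a", "type": "login_failed"},
    {"ts": 1900, "device_id": "dev-a", "type": "login_failed"},
    {"ts": 1000, "device_id": "dev-b", "type": "signal", "name": "emulator"},
    *({"ts": 1000 + 20 * i, "device_id": "dev-b", "type": "login_failed"}
      for i in range(5)),
    {"ts": 1000, "device_id": "dev-c", "type": "signal", "name": "root_or_jailbreak"},
    {"ts": 1005, "device_id": "dev-c", "type": "signal", "name": "root_or_jailbreak"},
    {"ts": 1010, "device_id": "dev-c", "type": "signal",
     "name": "dynamic_instrumentation"},
]

if __name__ == "__main__":
    for dev in ("dev-a", "dev-b", "dev-c"):
        score, reasons = score_device(SAMPLE_EVENTS, dev)
        print(dev, score, decide(score), reasons)
```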
T (Tampering with Data)
- Encryption-Based Integrity Control
Utilize encryption, obfuscation, and virtualization alongside Real-Time Application Self-Protection (RASP). In sensitive scenarios, Virtual Trusted Execution Environments (vTEE) should be employed for heightened security.
- Data Encryption
Employ end-to-end encryption for data both in transit and at rest, ensuring unreadability even if accessed by attackers.
- Communication Hardening
Implement Public Key Pinning and Certificate Transparency to secure data transmission.
- Access Control Lists (ACLs)
Use ACLs to limit data access based on user roles and permissions, reducing potential damage from attacks.
- Data Signatures
Digital signatures guarantee data authenticity and integrity, using asymmetric encryption to verify unaltered transmission or storage.
- Auditing and Logging
Maintain comprehensive logs of system activity to detect suspicious behaviour indicative of tampering.
- Secure Communication Protocols
Implement HTTPS, SSL/TLS, or QUIC to protect data in transit.
- Physical Security
Strengthen on-premises data storage with stringent physical security measures.
- Data Backup and Recovery
Regularly back up critical data and establish disaster recovery protocols.
- Network Segmentation
Isolate sensitive data using firewalls and segmentation techniques like VLANs.
- Monitoring and Incident Response
Continuously monitor for signs of intrusion and have a robust incident response plan.
- Employee Education and Training
Regular training on data security best practices, including awareness of social engineering and phishing tactics.
A holistic security approach covering all mobile channel aspects, including robust policies, regular assessments, and staying informed about emerging threats and technologies, is crucial.
R (Repudiation)
- Transaction Confirmation
Send confirmations to the user's registered contact after transactions, serving as proof and helping prevent disputes.
- Digital Signatures
Ensure transaction authenticity and integrity with digital signatures.
- Dispute Resolution Process
Implement a clear process for users to report transaction issues, aiding in swift conflict resolution.
- Call Back or Confirmation by a Friend/Relative
Add an extra layer of security for high-risk transactions. This measure increases trust, potentially improves customer loyalty, and fosters community engagement. It bridges the gap between physical and digital interactions, creating a more human-centred authentication process.
Incorporating a call-back or confirmation feature has multifaceted benefits beyond security, positively impacting social interactions, customer loyalty, and overall user experience. This holistic approach to authentication and security in mobile banking applications enhances user trust and satisfaction.
I (Information Disclosure)
The countermeasures for Information Disclosure largely overlap with those for Spoofing Identity, Tampering with Data, and Repudiation. However, let's enumerate them for clarity:
- Access Control Lists (ACLs)
Implement ACLs to limit access to sensitive data based on roles and permissions.
- Data Encryption
Encrypt sensitive data both in transit and at rest to prevent unauthorized access and readability.
- Secure Communication Protocols
Use HTTPS, SSL/TLS, or QUIC for data transmission to protect against eavesdropping.
- Auditing and Logging
Maintain detailed logs of all activities, including data modifications and access requests, to detect potential breaches.
- Training and Education
Regularly educate employees on data security, emphasizing recognition of social engineering tactics and secure data handling.
- Physical Security
Strengthen on-premises data storage with robust physical security measures like access controls and surveillance.
- Network Segmentation
Use segmentation techniques to isolate sensitive data and reduce the attack surface.
- Monitoring and Incident Response
Continuously monitor for signs of breaches and have a comprehensive incident response plan.
- Employee Background Checks
Conduct thorough background checks to minimize risks of intentional breaches.
- Emergency Response Team
Train a team to handle such attacks and system failures.
- Public Relations Management
Have a communication plan to address stakeholders during attacks.
D (Denial of Service)
Countermeasures for Denial of Service (DoS) attacks include:
- DDoS Protection
Implement solutions to detect and mitigate traffic floods and DNS amplification attacks.
- Rate Limiting
Manage incoming traffic to prevent system overload.
- Content Delivery Networks (CDNs)
Use CDNs to distribute content and reduce server load.
- Web Application Firewalls (WAFs)
Deploy WAFs to block malicious traffic indicative of DoS attacks.
- Traffic Filtering
Use routers and firewalls to filter out non-essential traffic and spoofed packets.
- Physical Infrastructure Protection
Ensure continued operations of critical infrastructure during attacks.
- Network Capacity Planning
Ensure adequate capacity to handle increased traffic.
- Redundancy and Backup Systems
Implement redundant systems for business continuity.
- Emergency Response Team
Train a team to handle DoS attacks and system failures.
- Public Relations Management
Have a communication plan to address stakeholders during attacks.
No single solution guarantees complete protection against DoS attacks. A multi-layered approach is recommended.
E (Elevation of Privilege)
Countermeasures for Elevation of Privilege in the human aspect include:
- User Account Control
Strictly manage user accounts with unique credentials and lockout policies.
- Password Policy
Enforce complex passwords and periodic changes.
- Access Control Lists (ACLs)
Restrict access to sensitive resources based on roles.
- Mandatory Access Control (MAC)
Implement policies based on information sensitivity.
- Sandboxing
Isolate applications and users in separate environments.
- Regular Security Audits
Detect and address vulnerabilities.
- Security Training and Education
Teach employees about security best practices.
- System Updates and Patches
Regularly update software to fix vulnerabilities.
- Network Segmentation
Isolate sensitive data and systems.
- Disable Unnecessary Services
Reduce attack surface by disabling non-essential services.
- Limit User Interaction
Automate routine tasks to minimize manual input.
- Monitor System Logs
Detect unusual activities indicating privilege escalation attempts.
- Intrusion Detection Systems (IDS)
Monitor for suspicious network traffic.
- Multi-Factor Authentication (MFA)
Add an extra layer of security for remote access.
- Use Secure Protocols
Encrypt data in transit.
- Restrictions on File Execution
Control file and script execution locations and users.
- Memory Protection
Implement techniques to prevent exploitation of vulnerabilities.
- Regular Software Reviews
Evaluate software for security weaknesses.
- Third-Party Vendor Management
Ensure vendors comply with security standards.
- Cybersecurity Insurance
Consider insurance to cover cyber-attack costs.
- Incident Response Plan
Develop a plan for cyber-attack response.
Implementing these countermeasures significantly reduces the risk of insider threats and privilege escalation, safeguarding your organization's assets and data.
How to Use the OKR Approach to Design and Continuously Improve Your Threat Models
Incorporating the Objectives-Key Results (OKR) approach with the STRIDE framework is an effective strategy for designing and continuously improving threat models in the mobile channel. Here's an example of how this can be structured:
Objective 1: Enhance Confidentiality in the Mobile Channel
Key Results:
- Identify at least 3 potential threats to confidentiality.
- Develop a mitigation strategy for each identified threat.
Objective 2: Strengthen Integrity in the Mobile Channel
Key Results:
- Identify at least 3 potential threats to integrity.
- Develop a mitigation strategy for each identified threat.
Objective 3: Ensure Availability in the Mobile Channel
Key Results:
- Identify at least 3 potential threats to availability.
- Develop a mitigation strategy for each identified threat.
Once implemented, it is important to define a time frame, which will be unique to each organisation, depending on its size, exposure, fundamental and technical risks, within which the efficiency of the mitigations is measured. The results are fed into the feedback loop in order to further improve the overall strategy.
When integrated with the STRIDE framework, these objectives can be further categorized:
Spoofing
Objective 1: Identify potential identity spoofing attacks.
Key Results:
- Identify at least 3 potential identity spoofing attacks.
- Develop mitigation strategies for each attack.
Tampering
Objective 2: Identify potential tampering attacks.
Key Results:
- Identify at least 3 potential tampering attacks.
- Develop mitigation strategies for each attack.
Repudiation
Objective 3: Identify potential repudiation attacks.
Key Results:
- Identify at least 3 potential repudiation attacks.
- Develop mitigation strategies for each attack.
Information Disclosure
Objective 4: Identify potential information disclosure attacks.
Key Results:
- Identify at least 3 potential information disclosure attacks.
- Develop mitigation strategies for each attack.
Denial of Service
Objective 5: Identify potential denial of service attacks.
Key Results:
- Identify at least 3 potential denial of service attacks.
- Develop mitigation strategies for each attack.
Elevation of Privilege
Objective 6: Identify potential elevation of privilege attacks.
Key Results:
- Identify at least 3 potential elevation of privilege attacks.
- Develop mitigation strategies for each attack.
By applying the OKR approach with the STRIDE framework, we can set specific, measurable objectives and key results to systematically identify and mitigate potential threats. This method ensures the confidentiality, integrity, and availability of our mobile channel data, providing a comprehensive shield against various attack types.
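The objectives and key results above can be kept as a machine-checkable register. This is an added example, not part of the original guide: it records threats per STRIDE category, tags each with the mobile-channel layers it touches (API, communication channel, app/device), and evaluates the two key results. The layer tags, the pairing of threats with mitigations and all function names are assumptions made for the illustration.

```python
"""STRIDE threat register checked against the guide's OKR key results."""
from dataclasses import dataclass, field

STRIDE = {"S": "Spoofing Identity", "T": "Tampering with Data", "R": "Repudiation",
          "I": "Information Disclosure", "D": "Denial of Service",
          "E": "Elevation of Privilege"}
# The three layers named in "Mapping STRIDE onto the Mobile Channel";
# the short keys are labels chosen for this example.
LAYERS = {"api", "channel", "app_device"}
MIN_THREATS = 3  # key result: "Identify at least 3 potential ... attacks"


@dataclass
class Threat:
    category: str                  # STRIDE letter
    title: str
    layers: set                    # mobile-channel layers the threat touches
    mitigations: list = field(default_factory=list)

    def __post_init__(self):
        if self.category not in STRIDE:
            raise ValueError(f"unknown STRIDE category: {self.category!r}")
        if not self.layers or not set(self.layers) <= LAYERS:
            raise ValueError(f"{self.title}: layers must be drawn from {sorted(LAYERS)}")


def evaluate(register):
    """Per category: are both key results met, and which layers have no threat?"""
    report = {}
    for cat in STRIDE:
        threats = [t for t in register if t.category == cat]
        unmitigated = [t.title for t in threats if not t.mitigations]
        covered = set().union(*(t.layers for t in threats))
        report[cat] = {
            "kr_identified": len(threats) >= MIN_THREATS,
            "kr_mitigated": bool(threats) and not unmitigated,
            "unmitigated": unmitigated,
            # DoS primarily concerns backend availability: no layer spread expected.
            "missing_layers": [] if cat == "D" else sorted(LAYERS - covered),
        }
    return report


def open_items(report):
    """Flatten the report into review actions for the next OKR cycle."""
    items = []
    for cat, r in report.items():
        if not r["kr_identified"]:
            items.append(f"{cat}: fewer than {MIN_THREATS} threats identified")
        items += [f"{cat}: no mitigation for '{t}'" for t in r["unmitigated"]]
        items += [f"{cat}: no threat recorded for layer '{layer}'"
                  for layer in r["missing_layers"]]
    return items


# Constructed sample register. Threat and mitigation names come from the guide;
# the layer tags and the threat-to-mitigation pairing are assumptions.
REGISTER = [
    Threat("S", "MitM Attack During Login", {"channel"}, ["Public key pinning"]),
    Threat("S", "Session Hijacking on Public Wi-Fi", {"channel", "api"},
           ["Device binding"]),
    Threat("S", "Unauthorized Access via Stolen Devices", {"app_device"},
           ["Multi-factor authentication"]),
    Threat("T", "Modifying App Code", {"app_device"}, ["Code integrity checks"]),
    Threat("T", "Altering Transaction Details", {"channel", "api"}, ["Data signatures"]),
    Threat("T", "Compromising Data Storage", {"app_device"}),
    Threat("R", "Fraudulent Transactions", {"api"}, ["Transaction confirmation"]),
    Threat("D", "Traffic flood", {"api"}, ["DDoS protection"]),
    Threat("D", "DNS amplification", {"api"}, ["Traffic filtering"]),
    Threat("D", "Server overload", {"api"}, ["Rate limiting"]),
]

if __name__ == "__main__":
    for line in open_items(evaluate(REGISTER)):
        print(line)
```

Running the check at each review turns the key results into a list of concrete gaps, which is the input the feedback loop needs.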
Continuously Improving the STRIDE-Based Threat Model Using Modified OKRs
To ensure the STRIDE-based threat model remains effective and relevant, it's crucial to regularly review and update it. Here are steps for modifying the OKR approach for continuous improvement:
- Set Specific, Measurable Objectives
Define clear objectives for enhancing the threat model, such as identifying new threats or reducing successful attacks by a certain percentage. These objectives should be quantifiable to track progress effectively.
- Establish Key Results
Key results should indicate progress toward the objectives. Examples include the number of new threats identified, vulnerabilities mitigated, or security incidents prevented.
- Regular Reviews and Updates
Schedule routine reviews of the threat model, updating potential threats, likelihood and impact scores, and incorporating new intelligence.
- Involve Stakeholders
Engage various organizational departments in the review process, including IT, legal, compliance, and marketing, to ensure comprehensive awareness and input.
- Utilize Data Analytics
Apply data analytics to analyse historical security data. This helps in spotting trends and patterns that can refine the threat model.
- Incorporate Feedback
Actively seek and incorporate feedback from stakeholders to identify improvement areas and emerging threats.
- Continuous Monitoring
Stay abreast of the latest security research, news, and best practices, and update the threat model accordingly.
- Training and Awareness
Implement employee training programs to educate about the threat model and its application. This ensures organizational-wide understanding and effective mitigation strategies.
- Third-Party Assessments
Engage independent experts to evaluate the threat model, offering an external perspective on potential improvements.
- Collaboration
Work with industry peers, partners, and vendors to exchange intelligence and best practices. This collaboration can unveil new threats and mitigation strategies, fostering shared learning and resources.
By adhering to these modified OKRs, organizations can continuously refine their STRIDE-based threat models, maintaining robust defences against evolving risks and threats.
Example of a Threat Model for a Mobile Banking Application Using STRIDE
S (Spoofing Identity)
- Malware Injection via Phishing
Attackers send phishing emails or SMS messages to trick users into downloading malicious apps.
- MitM Attack During Login
Attackers intercept login processes to steal credentials.
- Session Hijacking on Public Wi-Fi
Attackers intercept internet traffic on public Wi-Fi to steal session cookies.
- Social Engineering for Fake App Installation
Attackers trick users into installing fake apps that steal information.
- Unauthorized Access via Stolen Devices
Attackers use stolen devices to access banking apps.
- Exploiting App Code Vulnerabilities
Attackers exploit vulnerabilities for unauthorized actions.
- Physical Device Tampering
Attackers physically install backdoors on devices.
T (Tampering with Data)
- Modifying App Code
Attackers alter app code to include malicious functions.
- Altering Transaction Details
Attackers intercept and modify transaction data.
- Manipulating Account Information
Attackers alter account details without authorization.
- Altering Security Settings
Attackers disable security features like two-factor authentication.
- Exploiting Third-Party Library Vulnerabilities
Attackers exploit weaknesses in libraries used by the app.
- Compromising Data Storage
Attackers access and manipulate app data storage.
- Exploiting Encryption Weaknesses
Attackers decrypt sensitive information by exploiting encryption flaws.
R (Repudiation)
- DoS Attacks
Attackers disrupt app services, making them unavailable.
- Distributed DoS Attacks
Coordinated attacks overwhelm app server resources.
- Data Tampering
Attackers alter transaction history.
- Fraudulent Transactions
Attackers make unauthorized purchases and dispute them.
- Account Takeover
Attackers gain unauthorized account access.
- False Fraud Accusations
Attackers damage reputations with false fraud claims.
- Manipulating Reviews and Ratings
Attackers deter new users with fake negative reviews.
- Disinformation Campaigns
Spread of false information about the app.
- Intellectual Property Theft
Attackers steal and use proprietary app code.
I (Information Disclosure)
- Data Breaches
Unauthorized access to sensitive app data.
- Sensitive Data Exposure
Exposure of passwords or financial information.
- Privacy Violations
Unauthorized collection or distribution of user data.
- Confidentiality Breaches
Interception of confidential information like encryption keys.
- Authentication Bypass
Attackers bypass security controls.
- Authorization Exploitation
Unauthorized access to sensitive functionality.
- Session Management Weaknesses
Vulnerabilities in session management exploited.
E (Elevation of Privilege)
- Escalation of Privileges
Attackers gain unauthorized access through privilege escalation.
- Sandbox Escape
Compromising the app’s sandbox environment.
- Jailbreak or Rooting Exploits
Gaining elevated access through device vulnerabilities.
- Third-Party Library Exploits
Unauthorized access via library vulnerabilities.
- Permission System Abuse
Exploiting permission flaws for unauthorized access.
- Manipulating Application Logs
Concealing malicious activity.
- Exploiting Encryption Weaknesses
Gaining access through encryption flaws.
It's crucial to recognize that these are illustrative examples and that actual attack vectors may vary. A comprehensive threat modelling exercise is essential to identify all potential attack vectors and develop effective countermeasures.
In sum, employing STRIDE in tandem with OKR strategies offers a robust framework for developing a threat model. This methodology is instrumental in pinpointing and neutralizing potential threats to an organization's digital assets. By dissecting the threat model into smaller, more manageable components and concentrating on specific objectives and measurable results, organizations can craft a nuanced and effective threat model, one that resonates with their unique security needs and risk profiles.
Remember, threat modelling is not a static exercise but a dynamic process. It demands regular revisions and updates to stay relevant in the face of emerging threats and evolving organizational landscapes. Moreover, incorporating diverse perspectives from stakeholders across the organization, and rigorously challenging established assumptions, is vital. This inclusive approach ensures the comprehensiveness and accuracy of the threat model.
While external consultants can offer valuable insights and expertise, it's essential for organizations to critically evaluate their recommendations. Ensuring these align with the organization’s broader goals and security objectives is key. By actively engaging in the threat modelling process, organizations can tailor their strategies to effectively safeguard their most critical assets.
In essence, the combined STRIDE and OKR approach to threat modelling lays out a structured, repeatable pathway for identifying and mitigating potential security threats. Embracing this methodology positions organizations to proactively confront and adapt to the ever-changing landscape of cyber threats, securing their assets against a backdrop of digital evolution.
In summary, this comprehensive approach to mobile application security, shaped by years of extensive experience, underscores the importance of a multifaceted, dynamic, and informed strategy in protecting mobile applications in today’s digital era.