Category: Blog

Insights on mobile security, compliance, and secure application trends from our security lab experts.

  • SBMP For iPhone

    New Opportunities for iPhone Mobile Payment Application Vendors: Leveraging NFC and Ensuring EMVCo Compliance

    In today’s digital economy, secure payment systems are essential for protecting sensitive financial data and maintaining consumer trust. EMVCo, the global technical body that manages the EMV specifications, has established the Security Evaluation for Software-Based Mobile Payment (SBMP) program to provide assurance of the security of such solutions. The program defines a methodology for evaluating mobile payment applications against evolving threats.

    Developing Contactless Payment Applications for iPhone

    The recent opening of NFC capabilities to iPhone developers, with Apple’s support for Host Card Emulation (HCE) transactions in third-party apps, has unlocked new opportunities for vendors of mobile payment applications.

    Starting with iOS 17.4, which introduced APIs supporting HCE-based contactless transactions (initially for apps distributed in the European Economic Area), developers can build iOS applications that use NFC to perform contactless payments without relying on the device’s Secure Element or any additional hardware. Because the payment credentials and transaction logic then live in the application itself rather than in dedicated hardware, the security burden shifts onto the software.

    By integrating NFC capabilities, vendors can create innovative payment solutions, enhance interoperability across platforms, and stay competitive in the growing mobile payment market.

    However, such applications must comply with the strict security standards defined by EMVCo to ensure data protection and sufficient defense against different types of attacks.

    Building Secure iOS Applications: Leveraging Apple’s Ecosystem and Designing Robust Architecture

    The closed iOS ecosystem offers significant advantages for applications handling sensitive data. Its tightly controlled hardware-software integration, rigorous app review process, and uniform security updates provide a robust foundation for safeguarding user information. By restricting third-party app stores and limiting unauthorized modifications, Apple minimizes potential vulnerabilities, creating a more secure environment for both developers and users.

    Nevertheless, while the ecosystem provides strong built-in protections, the ultimate security of an application depends on its architecture. Developers must prioritize secure design principles, such as data encryption, secure API communications, and robust session management, to ensure sensitive data remains protected, even within a secure operating system like iOS.

    Creating a secure iOS application also presents diverse challenges, including protecting sensitive data at rest and in use, implementing jailbreak detection, resisting reverse engineering, and rigorously managing cryptographic keys.

    To address these challenges, developers must not only leverage Apple’s built-in security features but also adopt secure coding practices and design resilient architecture. Furthermore, the implementation of these security measures should undergo thorough evaluation in accordance with the methodology defined by EMVCo to ensure their effectiveness in protecting sensitive information.

    What is the EMVCo SBMP Certification Program?

    The EMVCo SBMP certification program is designed to assess the security of software-based mobile payment solutions, which rely on the mobile device’s general-purpose operating system to process transactions. Unlike hardware-based solutions, which rely on a secure element, software-based solutions depend on software techniques such as white-box cryptography, code obfuscation, and runtime protections to protect sensitive data.

    The program evaluates payment applications against a set of security requirements, ensuring that they are resilient to common attack vectors such as reverse engineering, tampering, and data extraction. Achieving compliance with the SBMP program demonstrates that a payment solution meets industry-recognized security standards.

    Security evaluation for EMVCo certification must be conducted by an EMVCo-recognized laboratory.

    The Role of Independent Vulnerability Analysis and Penetration Testing

    Independent security assessments that include vulnerability analysis and penetration testing add a further layer of assurance, for the following reasons:

    • Uncovering Hidden Weaknesses
      Independent evaluation can identify vulnerabilities that are overlooked during in-house testing, as it brings a fresh perspective and external expertise. Penetration tests simulate real-world attack scenarios, providing insight into weak points in the application’s design and implementation.

    • Evolving Threat Landscape
      Cyber threats are constantly evolving. Independent penetration testing checks that your application remains resilient to emerging attack techniques, staying one step ahead of potential adversaries.

    • Building Trust
      Demonstrating that your payment solution has undergone rigorous independent testing enhances stakeholder confidence. It reassures partners, customers, and regulators that your application prioritizes security.

    • Regulatory and Industry Compliance
      Many regulators and industry partners require independent security assessments as part of their approval processes. Proactively conducting these evaluations can streamline certification and compliance efforts.

    IS Laboratory offer

    As a laboratory recognized by EMVCo, IS Laboratory performs EMVCo SBMP security evaluations, including code and documentation review, vulnerability analysis and penetration testing, to verify the solution’s compliance with EMVCo’s security requirements.

    IS Laboratory offers EMVCo SBMP security evaluations of mobile solutions for both platforms: Android and iOS.

    If you are in the development phase of your payment solution for iOS and planning to obtain EMVCo certification, this is an excellent moment to request a proposal for our services.

    Moreover, IS Laboratory can organize workshops on mobile security and security evaluation requirements and perform a gap analysis to help you prepare for a formal security evaluation.

    If you have any questions regarding any service that IS Laboratory can provide for vendors of software-based mobile payment solutions, please contact us at contact@is-laboratory.com

  • MPoC Solutions: Principal Threats and Importance of Penetration Testing

    PCI MPoC Standard

    The Payment Card Industry Security Standards Council (PCI SSC) released in 2022 the Mobile Payments on COTS (MPoC) standard to support the development of mobile payment acceptance solutions running on commercial off-the-shelf (COTS) devices.

    The standard allows a mobile device running a dedicated application to be used as a point of sale (POS) instead of a dedicated, and comparatively expensive, payment terminal.

    MPoC Solution Principal Threats

    While such mobile point-of-sale systems offer many benefits, they also come with security risks that have to be taken into account during the development of an MPoC solution.

    The main difference between a dedicated POS terminal and a mobile application on COTS is that the former is a hardware device specifically designed to protect sensitive payment assets such as the card’s PAN (Primary Account Number) and the cardholder PIN (Personal Identification Number).

    By contrast, a mobile device must be treated as an untrusted platform: the security controls integrated in the device operating system (OS) can be deactivated, for example by rooting or jailbreaking, after which an attacker has full control over the device and the applications running on it.

    That is why an MPoC solution must implement additional robust security mechanisms of its own to protect the sensitive data it handles.

    The MPoC specification defines security requirements that a mobile payment on COTS solution must fulfil to protect the confidentiality and integrity of the sensitive payment information it handles. In particular, it contains a set of requirements covering the software protection mechanisms of the MPoC solution.

    Some of these measures are embedded in the application and serve to detect a security compromise locally: rooting, an attached debugger, tampering with the application, the presence of a hooking framework, and so on.

    Various software protection tools for mobile applications offer code obfuscation and runtime security measures. However, these tools must be correctly configured and integrated into the application. In our experience this is not always done properly, which can leave exploitable weaknesses, so it is essential to test the integration of these tools independently.

    The online nature of the mobile devices used for MPoC applications provides additional assurance through a remote attestation system, which can monitor the integrity of the device and the application, detect anomalies and threats, and trigger countermeasures.

    However, like any security mechanism, remote attestation has its own weaknesses and challenges. Common ones include:

    • Spoofing Attacks: an attacker may attempt to spoof the device data collected by the attestation system so that a compromised device or application is accepted as trustworthy.
    • Replay Attacks: an attacker intercepts valid attestation data (for example, produced on a clean device) and resubmits it later to deceive the remote verifier.
    • Man-in-the-Middle (MitM) Attacks: an attacker intercepts and alters the communication between the COTS device and the attestation system.
    • Configuration Flaws: incorrect or insecure configuration of the attestation service, such as not binding each attestation to a fresh server-issued challenge or not checking which application produced it, can render the attestation process ineffective.
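    As an added illustration (not part of the original post and not the code of any particular attestation product), the following Python sketch of a server-side verifier shows the controls that address each weakness listed above: a single-use, server-issued nonce against replay, an integrity tag over the attested claims against spoofing and in-transit tampering, a freshness window, and binding to the expected application. It assumes a shared HMAC key as a stand-in for the device’s hardware-backed attestation key (real schemes use an asymmetric key certified by the platform vendor); the application identifier, the claim names and the clock values are hypothetical, and the `bind_nonce=False` switch reproduces the configuration flaw of a verifier that never ties an attestation to its challenge.

```python
"""Server-side remote attestation verifier for an MPoC-style app (added
example). A shared HMAC key stands in for the hardware-backed attestation
key of a real device; the app identifier and claim names are hypothetical."""
from __future__ import annotations

import hashlib
import hmac
import json
import secrets

# Constructed stand-in for the device's attestation key. Real schemes use an
# asymmetric key pair certified by the platform vendor, not a shared secret.
ATTESTATION_KEY = b"constructed-demo-attestation-key"


def _tag(claims: dict) -> str:
    """HMAC-SHA256 over canonical JSON, so any altered claim breaks the tag."""
    blob = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(ATTESTATION_KEY, blob, hashlib.sha256).hexdigest()


def device_attest(nonce: str, app_id: str, rooted: bool, hooked: bool, now: float) -> dict:
    """Attested app on the COTS device: reports its integrity state bound to the nonce."""
    claims = {"nonce": nonce, "app_id": app_id, "rooted": rooted,
              "hooked": hooked, "issued_at": now}
    return {"claims": claims, "tag": _tag(claims)}


class AttestationVerifier:
    def __init__(self, app_id: str, max_age_s: float = 60.0, bind_nonce: bool = True):
        self.app_id = app_id
        self.max_age_s = max_age_s
        self.bind_nonce = bind_nonce          # False reproduces a configuration flaw
        self.pending: dict[str, float] = {}   # outstanding nonces -> time issued

    def issue_challenge(self, now: float) -> str:
        nonce = secrets.token_hex(16)
        self.pending[nonce] = now
        return nonce

    def verify(self, statement: dict, now: float) -> tuple[bool, str]:
        claims, tag = statement.get("claims", {}), statement.get("tag", "")
        # 1. Authenticity: forged (spoofed) or MitM-altered claims fail here.
        if not hmac.compare_digest(_tag(claims), tag):
            return False, "bad_tag"
        # 2. Replay: the nonce must be one we issued and not yet used; consume it.
        if self.bind_nonce:
            if claims.get("nonce") not in self.pending:
                return False, "unknown_or_replayed_nonce"
            del self.pending[claims["nonce"]]
        # 3. Freshness window (defence in depth; the nonce is the primary control).
        if not 0 <= now - claims.get("issued_at", float("-inf")) <= self.max_age_s:
            return False, "stale"
        # 4. Binding to the expected application.
        if claims.get("app_id") != self.app_id:
            return False, "wrong_app"
        # 5. Finally, the integrity verdict itself.
        if claims.get("rooted") or claims.get("hooked"):
            return False, "compromised_device"
        return True, "ok"


def run_scenarios() -> dict:
    """Exercise the verifier against each attack class discussed above."""
    app, t = "com.example.mpoc", 1_700_000_000.0   # hypothetical app id, fixed clock
    v = AttestationVerifier(app)
    out = {}

    good = device_attest(v.issue_challenge(t), app, False, False, t)
    out["genuine"] = v.verify(good, t + 1)[1]
    out["replay"] = v.verify(good, t + 2)[1]          # same statement resent

    # Spoofing without the key: a forged statement carrying a made-up tag.
    forged = {"claims": dict(good["claims"], nonce=v.issue_challenge(t)), "tag": "00" * 32}
    out["forged"] = v.verify(forged, t + 1)[1]

    # MitM flips the verdict in transit; the tag no longer matches the claims.
    honest = device_attest(v.issue_challenge(t), app, True, False, t)   # rooted device
    tampered = {"claims": dict(honest["claims"], rooted=False), "tag": honest["tag"]}
    out["mitm_tamper"] = v.verify(tampered, t + 1)[1]
    out["rooted"] = v.verify(honest, t + 1)[1]

    out["stale"] = v.verify(device_attest(v.issue_challenge(t), app, False, False, t - 600), t)[1]
    out["wrong_app"] = v.verify(
        device_attest(v.issue_challenge(t), "com.example.other", False, False, t), t + 1)[1]

    # Configuration flaw: a verifier that does not bind the nonce accepts replays.
    weak = AttestationVerifier(app, bind_nonce=False)
    s = device_attest(weak.issue_challenge(t), app, False, False, t)
    weak.verify(s, t + 1)
    out["replay_weak_config"] = weak.verify(s, t + 2)[1]
    return out


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:20s} {verdict}")
```

    The order of the checks matters: the tag is verified before anything else so that an attacker cannot learn which nonces are outstanding or burn them with forged submissions, and the nonce is consumed on first use so that the same statement cannot be accepted twice, even within the freshness window. The weak verifier at the end accepts the replayed statement as "ok", which is exactly the configuration flaw an evaluation should catch.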

    Key Assets and Their Protection

    Among all the assets defined by the MPoC specification, the most sensitive are the following:

    • the card’s PAN
    • the cardholder PIN

    The PAN can be retrieved by an attacker at the moment it is received via the phone’s NFC interface, before it is encrypted, if the MPoC solution does not implement effective anti-hooking, anti-tampering and anti-debugging mechanisms.

    The PIN can be intercepted while the cardholder enters it, or while it is present in memory before being encrypted. Runtime security measures such as anti-rooting, integrity protection and code obfuscation should thwart such attacks.

    Importance of Regular Penetration Testing

    Implementing a sufficient level of security for an MPoC application is a complex task that requires deep knowledge of mobile security.

    In addition, maintaining the security of an MPoC solution must be an ongoing process that involves adapting to new threats, leveraging advances in technology and complying with evolving regulations.

    There are several reasons why security evaluation and penetration testing must be performed regularly:

    • New Attack Methods: new attack techniques appear regularly, requiring continuous updates to security measures.
    • Zero-Day Vulnerabilities: previously unknown vulnerabilities in software that attackers exploit before the vendor releases a fix. Keeping the mobile platform OS updated helps protect against these threats.

    That is why the MPoC specification contains requirements for penetration testing (1A-1.3 and 4A-3.1) that must be executed before the initial deployment of the MPoC solution and at least annually thereafter.

    This penetration testing must be performed by personnel with professional skills and experience in both the mobile security and payment processing domains.

    An MPoC solution, like any other security system, must undergo independent testing to verify its effectiveness and the reliability of its security assurance.

    IS Laboratory offer

    IS Laboratory offers this service, as our engineers have significant expertise in security evaluations and penetration testing of different types of payment solutions.

    IS Laboratory can verify whether your solution implements the required level of asset protection and give recommendations to harden its security against state-of-the-art attacks.

    Moreover, IS Laboratory can organize workshops, provide advisory services to MPoC vendors, or perform a gap analysis to assess the readiness of your solution for MPoC certification.

    If you have any questions regarding any help that IS Laboratory can provide for vendors of MPoC or any other mobile solution that has special security requirements, please contact us at contact@is-laboratory.com