Okay LogoOkay Logo

Protecting Users Against Unauthorized Transactions on Mobile Devices: Tamper Resistance Using Honeypots

28/11/2019

artifact

The internet has made building great solutions that solve plenty of problems fairly easy. However, it does not come without its problems and security issues.

Mobile security concerns

It is very common to download apps from the marketplace that solves a particular problem for us. Sometimes these apps do come for free, and they require certain permissions and privileges on our devices for them to function properly. Somehow these apps collect information from your device using those privileges that were granted previously by you to function. Immediately it gets those permissions, it begins to run some tasks in the background that the user does not know about and will not authorize.

Apps designed in this fashion will try to access poorly protected information on the device and exploit certain loopholes. Apps like these are called malwares.

Malwares

Malwares are harmful programs that are designed to cause damage to your computer, device or computer network. Malwares are very dangerous to any organization or individual who possesses and uses a device for confidential transactions. Some of the damages caused by malware sometimes cannot be undone. Malwares can be used to access and expose confidential documents on a device.

Insecure Networks

Sometimes it is not even the apps we have installed on our device but the wifi network that our devices are connected to. We may not even know that the network is not secure and that there is a malicious person intercepting messages being sent over that particular network. This allows malicious persons to access confidential information being sent.

Transactions are meant to be confidential and secured, so Okay provides layers of security and integrity checks before any transaction is approved thus preventing exploited loopholes on the device.

Protecting Users With Okay Strong PSD2 Tamper Resistance Using Honeypots

Honeypots are used to add a layer of security to an application by creating a fake environment that looks like the real one with the goal of baiting an attacker/malware then trapping the attack in that environment without putting the real application, system or even the user at risk.

At its lowest level, honeypots act as bait for attackers or malicious programs running in the background. Honeypots mirror the real environment so well that the attacker may never know about its existence and intents. As the malicious attacker (or malware) continues to infiltrate the system, Honeypots collects information about the attacker’s behavior and actions. Since the honeypot has been already configured to watch for programs or applications like this it provides room to fully contain the attack and protect the user.

Honeypots on Mobile

Okay provides a strong PSD2 compliant way of securing apps, keeping transactions safe and secure before an attacker compromises any vital data. Any vital information that has been compromised fails the tamper resistance test and automatically invalidates the transactions. Every app has a series of methods or functions it executes when it has been built. An attacker can easily decompile your app and automatically understands how your app works. This poses a security challenge for companies and businesses who want to perform a series of confidential actions. So the developer takes a step further to obfuscate the code hiding the details of the app’s implementation. But this does not fully guarantee that the source code is unbreakable or 100% percent safe from reverse engineering.In the case where an attacker successfully breaks the apps obfuscated code, honeypots make it difficult for the attacker to know which method will be executed by the app to fulfill a particular transaction. 

Honeypots attach fake methods alongside the real ones on the app and systematically collect information as the attacker executes the fake methods. Once a transaction is initiated with Okay, Okay secure servers hold information about the legitimate methods on the app that is supposed to execute a transaction. Okay checks the integrity of that transaction by examining the methods that were executed by the app and then matches it with information stored on Okay’s secure servers. If this transaction fails this test, the transaction is rejected.This makes it difficult for attackers to interfere with transactions that are secured by Okay.