
Biz Builder Mike

You can't sail Today's boat on Yesterdays wind - Michael Noel


Enterprise

Jan 20 2021

Elaborate Scam App Impersonates Leading Asian Bank; Victims Duped into ‘Investing’


Zimperium, in collaboration with a leading Asian bank, has uncovered the early stages of a coordinated effort by scammers to defraud existing and new bank customers. In this blog, we will:

  • Alert the general public about the scam before it gains traction; 
  • Outline the entire scam around the fake bank app; and
  • Show how it is also targeting other financial services, including another bank.

The campaign coincided with the bank’s announcement about its development of a digital exchange, enabling institutional investors and accredited investors to tap into a fully integrated tokenization, trading, and custody ecosystem for digital assets. 

Thus far, dozens have downloaded the app and have lost an average of $1,500 each. The app – first seen on VirusTotal on December 22, 2020 – has still not been identified as malware or scamware by any anti-virus companies. 

The campaign remains active and is, in fact, growing:

  • It appears to be downloadable via third party sites and/or phishing links;
  • The command and control servers are still operational;
  • The elaborate scam itself features, among other aspects, active customer support; and 
  • We’ve learned of a similar campaign targeting a second bank. We are reaching out to that bank directly, before revealing the name.  

Downloading the app

Once the app is downloaded from a third party store or phishing link and is opened, the victim is presented with the following login page:

Figures 1, 2: Fake login and registration page along with the “password retrieval” option

As part of the registration process, users are asked to provide an email address, account number, “rganization code” (note the typo appears in the app itself) and other details. 

In an attempt to appear legitimate, registration generates an automated email containing a verification code trying to impersonate a legitimate email from the bank (including using the bank’s name in the email address). We received verification codes when we registered with legitimate and fake information.  

Figure 3: Fake email for registration with verification code. (Note: “If not my operation”)

The entire communication takes place with a server that does not belong to the impersonated institution. Instead, the user has unknowingly shared personal and financial information with the attackers. 
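The two indicators described above (a verification e-mail that carries the bank's name but is sent from a domain the bank does not own, and an app that sends credentials to a server outside the bank's domains) can be checked mechanically. The following is an added example, not Zimperium's or the bank's code; every domain, address and URL in it is a constructed placeholder, and the "last two labels" domain rule is a stated simplification.

```python
"""Added example (not Zimperium's or the bank's code): two cheap checks for the
brand-impersonation pattern in the report: a From header that names the bank
while the sending domain is not the bank's, and app traffic to hosts outside
the bank's domains. All domains and URLs below are constructed placeholders."""
from email.utils import parseaddr
from urllib.parse import urlsplit

# Placeholder for the impersonated bank's genuinely owned domains (assumption).
LEGIT_DOMAINS = {"examplebank.example"}

# Constructed sample inputs, modelled on the report's description.
FAKE_FROM = '"Example Bank Verification" <noreply@examplebank-verify.example>'
REAL_FROM = "Example Bank <alerts@mail.examplebank.example>"
APP_ENDPOINTS = [
    "https://api.trade-portal.example/api/login",
    "https://api.trade-portal.example/api/prices",
    "https://mail.examplebank.example/static/logo.png",
]


def registrable_domain(host):
    """Collapse a hostname to its last two labels.

    Assumption: no multi-part public suffixes (co.uk and the like) are involved;
    a production check would consult a public-suffix list instead."""
    labels = (host or "").lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def from_header_impersonates(from_header, brand, legit_domains):
    """True when the From header mentions the brand (display name or address)
    but the sender's registrable domain is not one the brand owns."""
    display_name, address = parseaddr(from_header)
    haystack = (display_name + address).lower().replace(" ", "")
    mentions_brand = brand.lower().replace(" ", "") in haystack
    sender_domain = registrable_domain(address.rpartition("@")[2])
    return mentions_brand and sender_domain not in legit_domains


def offsite_endpoints(urls, legit_domains):
    """Hosts an app contacts that fall outside the institution's own domains."""
    hosts = set()
    for url in urls:
        host = urlsplit(url).hostname
        if host and registrable_domain(host) not in legit_domains:
            hosts.add(host)
    return sorted(hosts)


if __name__ == "__main__":
    brand = "Example Bank"
    print("fake From flagged:", from_header_impersonates(FAKE_FROM, brand, LEGIT_DOMAINS))
    print("real From flagged:", from_header_impersonates(REAL_FROM, brand, LEGIT_DOMAINS))
    print("off-site hosts:", offsite_endpoints(APP_ENDPOINTS, LEGIT_DOMAINS))
```

The header check deliberately compares the brand against both the display name and the address, because the report notes the bank's name appeared in the e-mail address itself; the endpoint check is the kind of allowlist a bank's security team can run over an app's captured traffic to spot the off-brand command-and-control server the report describes.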

Figure 4: The communication with C&C when trying to login with credentials

App experience

Once logged in, the application presents the victim with a seemingly legit cryptocurrency trading platform using the brand value of the impersonated organization as a lure. It looks more convincing with the dynamically changing prices.

Figures 5, 6: The Home and Trade pages that make use of information from Figure 8

Figure 7: The continuous pings to get the updated prices as seen in Figure 7

Customer support

Moreover, the presence of a customer support option provides the victim with additional confidence of being able to contact the financial institution (the scammers) with any questions or issues.

When we attempted this, we received the following:

Figures 8, 9: The customer support chat box presents the offer image and convincing text

Figure 10: Scam poster encouraging victims to “invest”

Customer support would be the first choice for the victim to complain about discrepancies, but the scammers cleverly set it up in such a way that it convinces the victim to “Recharge” and invest to reap (non-existent) benefits.

Making use of legitimate platforms that offer services to communicate with customers through customer support, the scammers offer “Customer Service Solutions” as seen below with this command and control’s response:

Figure 11: The URL for customer support as received from the C&C server

If the upward trend makes the victim interested in investing, the scammers have set up a “Funds Management” page allowing for the continued exploitation of the victim as seen below:

Figures 12, 13: The option to recharge and add funds to the account

The Recharge option mentioned above is the first go-to for a new victim to begin investing through the platform. 

The two investment options offered are “Online Pay” and “USDT,” where the victims were asked to chat with the customer support and pay online or transfer the funds to a provided BTC or ETH wallet and attach proof of the transaction.

Figures 14, 15, 16: The recharge options (Online Pay, BTC, ETH) with the “Important Notice”

Figures 17, 18: The BTC and ETH wallet’s transactions

What can you do?

It’s clear this campaign is just beginning and – as we mentioned – targeting a different bank already. Here’s what you can do:

From a consumer perspective, never download apps from third-party sites; rely solely on the App Store and Google Play. Be leery of apps that have grammatical or other errors, like the “rganization code” field that appeared in this app.

From an enterprise perspective, Zimperium is the global leader in mobile device and app security, offering the only real-time, on-device, machine learning-based protection against Android, iOS and Chromebook threats. We detect this attack and others like it.

Please contact us to learn more. 


Written by bizbuildermike · Categorized: Mobile Security

Jan 18 2021

China’s BSN to Launch Global CBDC Payment System Beta in 2021

China’s lead in the race for developing a Central Bank Digital Currency (CBDC) is unassailable at this point. The country is making further progress, with the government’s blockchain service network looking to release a CBDC network beta this year.

Safe, Low-Cost CBDC Payments

China’s Blockchain-based Service Network (BSN) has announced plans to launch a public beta for a global CBDC network, per a blog post. 

The BSN is a blockchain network that enables digital token and decentralized app (dApp) development. 

In the post, the state-sponsored network explained that it would invest a considerable amount in research and development this year. The network plans to focus on digital payments primarily as it is working towards launching a Universal Digital Payment Network (UDPN).

Speaking on digital payments, the BSN pointed out that stablecoins and CBDCs have become more prominent across the world as countries look to embrace e-payments fully. The network plans to launch a payment network based on all developed CBDCs in the next five years.

“This digital payment network will completely change the current payment and circulation method, enabling a standardized digital currency transfer method and payment procedure for any information system,” the BSN explained, adding that a convenient, cost-effective beta will be available in the second half of this year.

With the payment network, the BSN is looking to provide a standard digital currency transfer procedure. It aims to combine systems like insurance, banking, enterprise resource allocation, and mobile apps through dedicated application program interfaces (APIs) to make global payments safe and cheaper.

The payment network is one of BSN’s four objectives for the year. The other three include expanding its network, promoting its new private platform, and expanding its ecosystem. In addition, the BSN reiterated its commitment to enhancing blockchain capabilities to companies and governments worldwide.

China Forges On With Digital Yuan

So far, the digital yuan has been one of China’s most ambitious economic and financial projects. Officially launched in late 2019, the project went through extensive testing last year and looks to be entering advanced testing phases.

Last year saw several firms and government agencies partner on testing the CBDC in several real-world situations, mainly through giveaways and retail spending. The developers haven’t relented in their efforts this year as they look to strengthen their research and testing base.

Last week, local news sources confirmed that the Agricultural Bank of China, one of the country’s largest state-owned banks, had launched ATMs for the digital yuan. As the reports explained, the machines were installed at specific branches within Shenzhen. Customers at these branches have been able to spend and convert the digital yuan tokens they got as a part of the government’s “red envelope” lottery – a project that saw the government hand out $3 million worth of the asset to 100,000 citizens.

The machines reportedly allow digital yuan deposits and withdrawals via a smartphone app. Users can also convert their savings and cash to the CBDC.


Written by bizbuildermike · Categorized: cryptocurrency

Jan 07 2021

SoFi to Go Public in $8.65 Billion SPAC Deal with Chamath Palihapitiya’s Social Capital

Chamath Palihapitiya, CEO of Social Capital (NASDAQ:IPOE), announced on CNBC that SoFi will go public via a SPAC deal worth $8.65 billion.

According to a Tweet by Palihapitiya, his thesis is based on the challenges of incumbent banks and the benefits of Fintech and digital banking.

Palihapitiya says that SoFi has built a best-in-class digital banking solution. SoFi reports 1.8 million users, predicted to top 3 million in 2021. The company was launched as a student loan refinancing platform but, over time, has iterated and expanded into other verticals and markets. Today, SoFi is more of a digital bank and investing platform with a dedicated community than an online lender. It was reported in mid-2020 that SoFi had filed for a national banking charter.

Anthony Noto said that he and Palihapitiya are super aligned with the goals of SoFi.

“Setting really high, loft goals,” said Noto. “We can really do a much better job of explaining the opportunity together.”

Noto predicted SoFi would do a lot of things together strategically with Social Capital. He added that they spent 2020 preparing for this event.

And why a SPAC versus an IPO? Noto says a SPAC will allow them to better educate investors – a process that is superior to a traditional IPO.

Additionally, deal certainty is a feature of a SPAC that Noto said drove their decision. He pointed to S-1s filed by firms that, in the end, do not get done.

In 2020, SoFi’s revenue was said to be at $621 million. In 2025, SoFi anticipates revenue of $3.67 billion.

SoFi expects to hit profitability in 2021 delivering $27 million to the bottom line. In 2025, net income is predicted to rise to $1.17 billion.

SoFi has built the AWS of Fintech said Palihapitiya. He also pointed to the fact that SoFi not only serves consumers but is also in the enterprise space providing services to Fintechs like Chime.


$IPOE is merging with @SoFi to take them public.

This is an incredible company in banking and fintech that has the potential for a winner-take-most outcome.

Watch @cnbc now or listen to call at 1pm ET (https://t.co/6Ebp0kS2nf) to hear from me and @anthonynoto.

1-pager below. pic.twitter.com/HY89KqRLCD

— Chamath Palihapitiya (@chamath) January 7, 2021


Written by bizbuildermike · Categorized: Crowdfunding

Dec 27 2020

SEC vs. Ripple: A predictable but undesirable development

The U.S. Securities and Exchange Commission has not been kind to crypto in the past year. In March 2020, in the SEC v. Telegram case, the Commission won a worldwide injunction against the proposed issuance of Grams by Telegram, undoing years of innovative work even in the absence of any allegations of fraud. Then, on the last day of September 2020, Judge Alvin K. Hellerstein dashed the hopes of Kik Interactive by ruling in favor of the SEC’s motion for summary judgment in SEC v. Kik Interactive, halting the sale of Kin crypto tokens. Both of these actions were filed in the Southern District of New York. On Dec. 22, 2020, the SEC decided that it was time to initiate another high-profile action, filing in the same district against Ripple Labs and its initial and current CEOs, Christian Larsen and Bradley Garlinghouse, respectively, for raising more than $1.38 billion through the sale of XRP since 2013.

The initial fallout from this action has been swift and severe: 24 hours after the lawsuit was filed, the price of XRP was down almost 25%. This still left XRP ranked fourth on CoinMarketCap, with a total market capitalization of over $10.5 billion.

The complaint

In its complaint, the Commission paints a straightforward pattern of sales of XRP that were never registered with the SEC or made pursuant to any exemption from registration. From the perspective of the Commission, this amounts to a sustained practice of illegal sales of unregistered, non-exempt securities under Section 5 of the Securities Act of 1933.

For readers not familiar with legal procedure, it might seem unusual for the case to be brought in a New York federal court, especially since Ripple is headquartered in California, and both named individuals reside there. However, Ripple has an office in the Southern District of New York, some statements were made by Garlinghouse while he was present in New York, and significant sales of XRP were made to New York residents. In legal parlance, this makes venue in the Southern District of New York appropriate.

In addition, it might be surprising to some that both Larsen and Garlinghouse were named personally in an action that seeks primarily to recover for XRP allegedly sold illegally by Ripple, through its wholly-owned subsidiary, XRP II LLC. They are named both because they individually also sold significant volumes of XRP — 1.7 billion by Larsen and 321 million by Garlinghouse — and because the SEC contends they “aided and abetted” Ripple in its sales.

Aiding and abetting is a cause of action that depends on a primary violation by a third party, in which the aider and abettor voluntarily and knowingly participates with the goal of assisting in the venture’s success. In this case, Ripple would be the primary violator, and both Larsen and Garlinghouse are alleged to have substantially participated in the pattern of Ripple’s XRP sales, with the goal of allowing the company to raise funds without registering XRP under the federal securities laws or complying with any available exemption from registration.

The bulk of the complaint provides an overview of digital assets, details the SEC’s version of the history of Ripple and its marketing efforts with regard to XRP, illustrates how in the opinion of the Commission, XRP satisfies the elements of the Howey investment contract test under the federal securities laws, and seeks to demonstrate how Larsen and Garlinghouse participated in the on-going sales efforts.

In addition to disgorgement of all “ill-gotten gains,” the requested order would permanently ban the named defendants from ever selling unregistered XRP or participating in any way in the sale of unregistered, non-exempt securities. It would also prohibit them from participating in the offering of any digital asset securities, and it seeks unspecified civil monetary penalties.

A brief history of Ripple and XRP

The idea behind the current XRP dates back to late 2011 or early 2012, before the company changed its name to Ripple. The XRP Ledger, or software code, operates as a peer-to-peer database, spread across a network of computers that records data about transactions, among other things. In order to achieve consensus, each server on the network evaluates proposed transactions from a subset of nodes it trusts not to defraud it. Those trusted nodes are known as the server’s unique node list, or UNL. Although each server defines its own trusted nodes, the XRP Ledger requires a high degree of overlap between the trusted nodes chosen by each server. To facilitate this overlap, Ripple publishes a proposed UNL.
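The trust model just described (each server picks its own UNL, yet the network depends on those lists overlapping heavily, which a published UNL encourages) can be made concrete with a small overlap audit. The following is an added example, not Ripple's code and not the XRP Ledger's actual overlap rule; the Jaccard ratio as the overlap measure, the 0.6 threshold, and the validator and server names are all assumptions constructed for illustration.

```python
"""Added example (not Ripple's code, not the XRP Ledger's real overlap rule):
measure how much the validator lists (UNLs) chosen by different servers overlap
and flag pairs whose overlap is low. The Jaccard measure and the threshold are
simplifying assumptions; validator and server names are constructed."""
from itertools import combinations

# Constructed: a published UNL and the validator sets three servers chose.
PUBLISHED_UNL = {"v1", "v2", "v3", "v4", "v5"}
SERVER_UNLS = {
    "server-a": set(PUBLISHED_UNL),                 # follows the published list
    "server-b": (PUBLISHED_UNL - {"v5"}) | {"v6"},  # one substitution
    "server-c": {"v7", "v8", "v9"},                 # trusts a disjoint set
}
MIN_OVERLAP = 0.6  # assumed illustrative threshold, not the ledger's figure


def unl_overlap(unl_x, unl_y):
    """Jaccard ratio: validators trusted by both / validators trusted by either."""
    union = set(unl_x) | set(unl_y)
    return len(set(unl_x) & set(unl_y)) / len(union) if union else 1.0


def low_overlap_pairs(unls, min_overlap=MIN_OVERLAP):
    """Server pairs whose UNL overlap falls below the threshold, sorted by name."""
    flagged = []
    for x, y in combinations(sorted(unls), 2):
        overlap = unl_overlap(unls[x], unls[y])
        if overlap < min_overlap:
            flagged.append((x, y, round(overlap, 3)))
    return flagged


def divergence_from_published(unls, published=PUBLISHED_UNL):
    """Each server's overlap with the published list, lowest overlap first."""
    return sorted((round(unl_overlap(unl, published), 3), name)
                  for name, unl in unls.items())


if __name__ == "__main__":
    for x, y, overlap in low_overlap_pairs(SERVER_UNLS):
        print(f"low overlap: {x} <-> {y} ({overlap})")
    for overlap, name in divergence_from_published(SERVER_UNLS):
        print(f"{name}: overlap with published UNL = {overlap}")
```

The point the audit makes is the one the article draws out: a server whose chosen validators barely intersect the others' (server-c here) cannot reach the same consensus as the rest of the network, and the published UNL is the mechanism that keeps such divergence rare, which is also why influence over that list matters to the decentralization argument later in the article.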

Upon the completion of the XRP Ledger in December 2012, and as its code was being deployed to the servers that would run it, a fixed supply of 100 billion XRP was set and created at little cost. Of those XRP, 80 billion were transferred to Ripple and the remaining 20 billion XRP went to a group of founders, including Larsen. At this point in time, Ripple and its founders controlled 100% of XRP.

Note that these choices represent a compromise between the fully decentralized, peer-to-peer network that was envisioned when Bitcoin (BTC) was first announced and a fully centralized network with a single trusted intermediary such as a conventional financial institution. In addition, Bitcoin was never designed or intended to be held or controlled by a single entity. In contrast, all XRP was originally issued to the company that created it and that company’s founders. This hybrid approach to a blockchain-based digital asset and more conventional assets created and controlled by a single entity led some crypto enthusiasts to complain that XRP was not a “true” cryptocurrency at all.

According to the SEC’s complaint, from 2013 through 2014, Ripple and Larsen made efforts to create a market for XRP by having Ripple distribute approximately 12.5 billion XRP through bounty programs that paid programmers compensation for reporting problems in the XRP Ledger’s code. As part of these calculated steps, Ripple distributed small amounts of XRP — typically between 100 and 1,000 XRP per transaction — to anonymous developers and others to establish a trading market for XRP.

Ripple then began more systematic efforts to increase speculative demand and trading volume for XRP. Starting in at least 2015, Ripple decided that it would seek to make XRP a “universal [digital] asset” for banks and other financial institutions to effect money transfers. According to the SEC, this meant that Ripple needed to create an active, liquid XRP secondary trading market. It, therefore, expanded its efforts to develop a use for XRP while increasing sales of XRP into the market.

At about this time, Ripple Labs, and its subsidiary, XRP II LLC, came under investigation by the U.S. Financial Crimes Enforcement Network, or FinCEN, acting pursuant to its mandates in the Bank Secrecy Act, or BSA. Acting in conjunction with the U.S. Attorney’s Office for the Northern District of California, the two companies were charged with failing to comply with various BSA requirements, including failure to register with FinCEN and failure to implement and maintain proper Anti-Money Laundering and Know Your Customer protocols. According to FinCEN, Ripple’s failure to comply with these FinCEN requirements was facilitating the use of XRP by money launderers and terrorists.

This action did not proceed to trial, with Ripple Labs settling the charges by agreeing to pay a $700,000 fine and further agreeing to take immediate remedial steps to bring the companies into compliance with BSA requirements. The settlement was announced by FinCEN on May 5, 2015. The major contention of FinCEN throughout its investigation was that XRP was a digital currency. Ripple acceded to this position and has since worked to comply with BSA requirements.

At the same time, as noted in the SEC’s complaint, from 2014 through the third quarter of 2020, the company sold at least 8.8 billion XRP in the market and institutional sales, raising approximately $1.38 billion to fund its operations. In addition, the complaint asserts that from 2015 through at least March 2020, while Larsen was an affiliate of Ripple as its CEO and later chairman of the board, Larsen and his wife sold over 1.7 billion XRP to public investors in the market. Larsen and his wife netted at least $450 million from those sales. From April 2017 through December 2019, while an affiliate of Ripple as CEO, Garlinghouse sold over 321 million XRP he had received from Ripple to public investors in the market, generating approximately $150 million from those sales.

XRP is not like Bitcoin or Ether

The preceding description paints a picture of a digital asset that is widely held by persons scattered around the globe. In the case of both Bitcoin and Ether (ETH), this kind of decentralization was apparently enough to convince the SEC that those two digital assets should not be regulated as securities. As Director Bill Hinman of the SEC’s Division of Corporation Finance explained in June of 2018:

“If the network on which the token or coin is to function is sufficiently decentralized — where purchasers would no longer reasonably expect a person or group to carry out essential managerial or entrepreneurial efforts — the assets may not represent an investment contract. Moreover, when the efforts of the third party are no longer a key factor for determining the enterprise’s success, material information asymmetries recede. As a network becomes truly decentralized, the ability to identify an issuer or promoter to make the requisite disclosures becomes difficult, and less meaningful. […] The network on which Bitcoin functions is operational and appears to have been decentralized for some time, perhaps from inception. Applying the disclosure regime of the federal securities laws to the offer and resale of Bitcoin would seem to add little value.”

This kind of analysis does not really work for XRP, most of which continues to be owned by the company that created it, where the company continues to have significant influence over which nodes will serve as trusted validators for transactions, and where the company continues to play a significant role in the profitability and viability of the asset. Part of that role will now, of course, involve responding to this latest SEC initiative.

The court’s probable reaction

Unfortunately for Ripple and its former and current CEOs, the SEC has a strong case that XRP fits within the Howey investment contract test. Derived from the 1946 Supreme Court decision in SEC v. W. J. Howey, this test holds that you have bought a security if you: (1) make an investment (2) of money or something else of value, (3) in a common enterprise, (4) with the expectation of profits, (5) from the essential managerial efforts of others. Most of the purchasers of XRP, or certainly a very large number of them, would appear to fit within each of these categories.

Ripple raised more than $1.38 billion from the sale of XRP, so it is abundantly clear that purchasers were paying something of value. Moreover, as there was no effort to limit purchasers to the amount of XRP that they might reasonably “use” for anything other than investment purposes, that element appears likely to be present as well. The fact that the fortunes of all the investors rise and fall together along with the value of XRP in the marketplace should satisfy the commonality requirement.

The complaint highlights a number of things that Ripple has done to promote profitability, including statements that it has made, all of which suggest that a reason for purchasing XRP is the potential for appreciation. The limited functionality of XRP in comparison to its trading supply is another reason to believe that most purchasers were buying for investment, seeking to make a profit.

Finally, the significant on-going involvement and role of the company, especially given its huge continuing ownership interest in XRP, means that there is a strong case to be made that the profitability of XRP is highly dependent on the efforts of Ripple. All of this points to the reality that, under the Howey Test, XRP is likely to be a security.

Ripple’s response to the SEC’s action

Ripple’s response to the SEC’s enforcement action came even before the SEC’s complaint was officially filed. On Dec. 21, Garlinghouse tweeted out a condemnation of the SEC’s planned action, criticizing the agency for picking favorites and trying to “limit US innovation in the crypto industry to BTC and ETH.” Soon after, Ripple’s general counsel, Stuart Alderoty, gave a strong indication of how the company was likely to respond in the pending matter by pointing out the 2015 FinCEN issue, which he claimed was a government determination that XRP was a digital currency rather than a security under the Howey Test.

Unfortunately, classification as a digital currency does not necessarily preclude regulation as a security. As another New York district court decided in the 2018 case of CFTC v. McDonnell, in the context of the Commodity Futures Trading Commission’s authority to regulate digital assets, “Federal agencies may have concurrent or overlapping jurisdiction over a particular issue or area.”

Thus, even though FinCEN regulates crypto as a digital asset, the CFTC may treat it as a commodity; the SEC may regulate it as a security; and the Internal Revenue Service may tax it as property. All at the same time.

Conclusion

This comment should not be taken as approval of the SEC’s current approach and relative hostility to crypto offerings. As the SEC’s complaint notes, the XRP sales that are now being questioned took place over many years. The initial sales date back to 2013, which had happened considerably before the SEC first publicly announced its position that digital assets should be regulated as securities if they fit within the Howey investment contract analysis, which did not come until 2017 with The DAO Report. Moreover, since 2015, Ripple has been proceeding in accordance with the settlement reached with FinCEN. Since that time, Ripple has worked to bring its operations into compliance with BSA requirements, operating as if XRP is a currency rather than a security.

The views, thoughts and opinions expressed here are the author’s alone and do not necessarily reflect or represent the views and opinions of Cointelegraph.

Carol Goforth is a university professor and the Clayton N. Little Professor of Law at the University of Arkansas (Fayetteville) School of Law.

The opinions expressed are the author’s alone and do not necessarily reflect the views of the University or its affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.


Written by bizbuildermike · Categorized: cryptocurrency

Dec 23 2020

Automate Mobile Application Security Testing from Jenkins


Mobile apps require continuous testing throughout the development process to ensure proper compliance and security measures are in place. If you are using the Jenkins continuous integration server in your pipeline, continually testing your mobile app builds is simple with Zimperium’s mobile application security testing platform, zScan.

Here we will describe how you can automate mobile application security testing from your Jenkins implementation and increase your testing cadence to produce better apps while reducing your time to market and the associated manual effort. Every time new code is submitted to Jenkins, zScan will test the compiled app and provide specific details about improving any security gaps in your mobile apps. 

In this blog, we provide details on:

  1. Why mobile application security testing remains difficult;
  2. How to automate and configure testing from Jenkins;
  3. Available outputs and optional Jira integrations;
  4. Test Data categorizations; and
  5. How to install in your existing processes

Successful Continuous Mobile App Testing

Today, successful mobile application development organizations utilize a combination of native and cross-platform frameworks. Cross-platform frameworks allow for a single code base without compromising a great user experience. This means features and fixes are rolled out much more frequently than ever before. 

Keeping pace requires testing solutions that not only assess these frameworks accurately but also allow for complete automation. You need mobile-specific tools, since it’s not just the Android and iOS operating systems that are changing; the hybrid frameworks are evolving as well.

“With zScan, we are detecting security vulnerabilities before release – in hours rather than weeks – and then automatically provide our third party developer with a list of fixes.” – Application Security Manager, Global Banking Company

Failing to identify errors in mobile apps correctly can lead to disastrous results. Governing bodies can fine your company for failing to comply with a compliance mandate or, worse, your company could suffer severe brand damage if a mobile app breach became public. 

There are several public mobile app breach examples from this year. Some of the more notable breaches from this year include the Walgreens mobile app, BHIM data leak, and several coronavirus contact tracing apps that leaked private user data.

Automated App Testing Using CI/CD Platforms

Automating mobile application security testing in your DevOps toolchain gives your teams the opportunity to test early and test often. Developers continue to commit code in the same fashion when developing new features, bug fixes, and modifications. However, by integrating continuous testing into Jenkins during the development cycle, you identify compliance, security, and privacy risks early, when they are less expensive to fix.

If you reduce the number of bugs by testing more often, your overall delivery costs decrease, and throughput increases. Integrating security tools into existing DevOps frameworks allows for more productivity and better quality without forcing developers to unlearn and relearn new processes. Sounds good, right?

zScan Automates Mobile Application Security Testing

Zimperium’s zScan mobile application security testing platform provides security and development teams with privacy, data leakage, compliance violations, and security findings on any iOS or Android application. Zimperium’s proprietary processing engine dissects each mobile application binary directly from Jenkins and provides data on your apps’ resident risks. 

Each finding provides developers specific descriptions and remediation instructions. The detailed instructions can integrate into existing ticketing systems like Jira. The platform can be further customized to focus on categories that align with your enterprise or industry. 

Incorporating the scan results into your ticketing system allows for further downstream efficiencies. These integrations mean developers can work faster and reduce cycle times for bug fixes and enhancements. Teams can customize and filter findings as tracked, mitigated, confirmed, or fixed to prioritize workflows and deadlines.

How to Configure Your Jenkins Server and zScan

Integrating Zimperium’s mobile application security testing with Jenkins is simple.

  1. Download the Jenkins plugin from the zScan administration console;
  2. Open Jenkins and navigate to “Manage Plugins”;
  3. Upload the zScan plugin to Jenkins; and 
  4. Configure Jenkins

Download the Jenkins plugin provided in your zConsole administration panel.

Navigate to Manage Jenkins and select Manage Plugins.

Click the Advanced tab and, in the Upload Plugin section, choose and upload the file zScan-jenkins-plugin.hpi.

Then restart Jenkins.

Jenkins Configuration

In the Configure section of your project, select Add Post-Build Action, and click “Upload Build Artifacts to zScan.”

Available fields in your configuration include:

  • Zimperium Server URL Endpoint
    • This is your root URL to your Zimperium console.
  • Client ID
    • This value is from your Zimperium Console Authorizations. Your Client ID is created after you generate your API Key.
  • Client Secret
    • This client secret is only displayed when you initially generate your API key along with the client identifier value.
  • Source Files
    • This allows you to specify Ant-style file patterns. Zimperium provides several example Ant patterns that can help you get started.
  • Excluded Files
    • This field provides the ability to specify patterns to exclude files. This field is the opposite of the Source Files field. Similarly, multiple patterns are comma-separated.
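The Source Files and Excluded Files fields above select which build artifacts are uploaded. The following is an added example, not Zimperium's plugin code; it assumes the fields use standard Ant glob semantics (`**` spans directories, `*` and `?` stay within one path segment, entries are comma-separated) and uses constructed build paths so you can check a pattern pair before relying on it in a job.

```python
import re

def ant_to_regex(pattern: str) -> re.Pattern:
    """Translate one Ant-style pattern into an anchored regex (assumed semantics)."""
    pattern = pattern.strip().replace("\\", "/")
    if pattern.endswith("/"):          # Ant treats "dir/" as "dir/**"
        pattern += "**"
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**/", i):
            out.append("(?:.*/)?")     # zero or more whole directories
            i += 3
        elif pattern.startswith("**", i):
            out.append(".*")           # rest of the path, any depth
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")        # within a single segment
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")

def parse_field(field: str) -> list:
    """Split a comma-separated Jenkins field into compiled patterns."""
    return [ant_to_regex(p) for p in field.split(",") if p.strip()]

def select_artifacts(paths, source_files: str, excluded_files: str) -> list:
    """Keep paths matching any Source Files pattern and no Excluded Files pattern."""
    include = parse_field(source_files)
    exclude = parse_field(excluded_files)
    return [p for p in paths
            if any(r.match(p) for r in include)
            and not any(r.match(p) for r in exclude)]

# Constructed workspace listing, not from a real build.
WORKSPACE = [
    "app/build/outputs/apk/release/app-release.apk",
    "app/build/outputs/apk/release/app-release-unsigned.apk",
    "app/build/outputs/apk/debug/app-debug.apk",
    "app/build/outputs/mapping/release/mapping.txt",
    "ios/build/Payload/MyBankApp.ipa",
]
SOURCE_FILES = "**/*.apk, **/*.ipa"
EXCLUDED_FILES = "**/debug/**, **/*-unsigned.apk"

if __name__ == "__main__":
    for artifact in select_artifacts(WORKSPACE, SOURCE_FILES, EXCLUDED_FILES):
        print("upload:", artifact)
```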

Findings, Instances, and Compliance Categories

After you configure Zimperium’s mobile application security testing platform with Jenkins and begin testing, zScan will provide you with security findings and instances. Findings are potential issues discovered in the app analysis. Each finding is categorized by whether it affects security, data leakage, or compliance (OWASP, NIAP, NIST, CCPA, GDPR) mandates and recommendations. 

Instances are specific locations where the finding is present in your app’s code. A hypothetical finding in a physical penetration test could be that the doors in your house remain unlocked. If both the front door and back door are unlocked, there are two instances of the finding. Both instances may or may not need to be fixed. You can choose to accept one instance, allowing the back door to remain unlocked for a given house (app). Customizable policies can filter accepted instances from future assessments so you can focus on new findings.
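The finding/instance model and per-instance acceptance described above, as an added example that is not zScan's data model or API: it assumes findings carry a category and the mandates they map to, and that acceptance is recorded per instance, so a previously accepted location stays filtered while a new location of the same finding still surfaces.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

@dataclass(frozen=True)
class Instance:
    finding_id: str   # which finding this location belongs to
    location: str     # file/class where the issue appears

@dataclass
class Finding:
    finding_id: str
    category: str           # "security", "data leakage" or "compliance"
    mandates: Tuple[str, ...]
    instances: List[Instance]

# Constructed scan result: two "unlocked doors" for one finding, one for another.
SCAN = [
    Finding("cleartext-storage", "data leakage", ("OWASP", "GDPR"), [
        Instance("cleartext-storage", "com/example/bank/Cache.java"),
        Instance("cleartext-storage", "com/example/bank/Prefs.java"),
    ]),
    Finding("weak-hash", "security", ("NIST",), [
        Instance("weak-hash", "com/example/bank/Token.java"),
    ]),
]

# Policy: the team accepted the Prefs.java instance (the back door stays unlocked).
ACCEPTED: Set[Instance] = {Instance("cleartext-storage", "com/example/bank/Prefs.java")}

def triage(scan: List[Finding], accepted: Set[Instance]) -> Dict[str, List[str]]:
    """Map finding_id -> locations still needing work after applying the policy.
    A finding disappears only when every instance is accepted."""
    open_work: Dict[str, List[str]] = {}
    for f in scan:
        remaining = [i.location for i in f.instances if i not in accepted]
        if remaining:
            open_work[f.finding_id] = remaining
    return open_work

def by_mandate(scan: List[Finding], mandate: str) -> List[str]:
    """Finding ids relevant to one mandate, e.g. for a GDPR-focused ticket filter."""
    return [f.finding_id for f in scan if mandate in f.mandates]
```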


zScan Helps Reduce Mobile App Risk

To reduce risk and limit fraud, organizations worldwide are testing native and hybrid mobile apps with zScan to identify potential data leakage and security vulnerabilities. Mobile application development teams from the banking, financial services, healthcare, and public sectors depend on Zimperium to secure and harden their apps and to detect real-time attacks on them, no matter the health of their users’ devices. 


Contact us today for more information on zScan and how you can automate your mobile application security testing.

Automate Mobile Application Security Testing from Jenkins

Written by bizbuildermike · Categorized: Mobile Security
