
Kobil – Security Features Overview

Confidential 1
Each entry below gives the feature, its category (Software, Hardware and/or Server), a description, and what it protects against.

Feature: Anti-debugging (debugger detection)
Category: Software
Description: Detects whether, at start-up or during execution, some process is trying to debug or trace the application.
Protection against: Debugging the application's code may give an attacker insight into its internal processes and its internal state during execution. This, in turn, may give the attacker the means to attack (manipulate) the app.

Feature: Integrity of critical functions
Category: Software
Description: Critical functions of the application are protected by detecting whether their code has changed. If a change is detected, the application is terminated immediately.
Protection against: Malicious code execution. By changing certain critical functions an attacker may try to make the application call his function instead, which may affect the security of the application.
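The following is an added illustration of the idea in this entry, not Kobil's mechanism (which works on native code): a digest of each critical function's compiled body is recorded at a trusted moment ("sealing"), and a later check recomputes the digests and reports any function whose body no longer matches. The function names, the PIN check and the simulated hook are constructed for the example.

```python
"""Self-check of critical functions by hashing their bytecode."""
import hashlib
import hmac
import sys
from types import FunctionType


def function_digest(fn: FunctionType) -> str:
    """SHA-256 over the parts of a function that determine what it does:
    its bytecode, the constants it refers to and the names it touches.
    (Nested code objects are not recursed into in this example.)"""
    code = fn.__code__
    h = hashlib.sha256()
    h.update(code.co_code)
    h.update(repr(code.co_consts).encode())
    h.update(repr(code.co_names).encode())
    return h.hexdigest()


def seal(functions: dict) -> dict:
    """Record the expected digest of every critical function (name -> digest)."""
    return {name: function_digest(fn) for name, fn in functions.items()}


def verify(functions: dict, expected: dict) -> list:
    """Return the names of functions whose current body differs from the sealed
    one. A function that has disappeared from the registry counts as tampered."""
    tampered = []
    for name, digest in expected.items():
        fn = functions.get(name)
        if fn is None or not hmac.compare_digest(function_digest(fn), digest):
            tampered.append(name)
    return sorted(tampered)


def enforce(functions: dict, expected: dict) -> None:
    """The policy from the entry above: terminate immediately on any change."""
    bad = verify(functions, expected)
    if bad:
        sys.exit("critical function(s) modified: %s" % ", ".join(bad))


# --- constructed critical function -------------------------------------------
def check_pin(entered: str, expected: str) -> bool:
    return hmac.compare_digest(entered.encode(), expected.encode())


def _always_true(entered: str, expected: str) -> bool:
    return True


CRITICAL = {"check_pin": check_pin}
SEALED = seal(CRITICAL)          # taken at start-up, before any untrusted input


def demo_tamper_detected() -> list:
    """Simulate a hooking attack that swaps check_pin's body, run the check,
    then restore the original so the process stays usable."""
    original = check_pin.__code__
    try:
        check_pin.__code__ = _always_true.__code__   # the 'hook'
        return verify(CRITICAL, SEALED)
    finally:
        check_pin.__code__ = original
```

The check has to look up functions through the same path the application calls them; an attacker who rebinds the module-level name and leaves the registry's object untouched would be missed if the application called the rebound name. The entry's policy of terminating on mismatch is in `enforce`.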

Feature: Secure browser URL whitelist
Category: Software
Description: A list of URLs that the Trusted Web View is allowed to navigate to. It is not possible to navigate to a URL that is not on this list. The list is stored and accessed in a secure manner (integrity protection, access control).
Protection against: Man-in-the-browser, man-in-the-middle, phishing/pharming, social engineering. It is not possible for a user to follow a link sent to him in a phishing email or by similar means.
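As an added example (not Kobil's implementation), this is the shape of a URL allow-list check that does not fall to the usual parser tricks: matching the host as a whole rather than as a prefix, refusing userinfo, pinning scheme and port, and normalising the path before the prefix comparison. The allow-list entries and hostnames are constructed.

```python
"""Strict allow-list check for a trusted web view's navigation requests."""
import posixpath
from urllib.parse import unquote, urlsplit

# Constructed allow-list: (hostname, port, path prefix). Only https is permitted.
ALLOWLIST = [
    ("bank.example.com", 443, "/login"),
    ("bank.example.com", 443, "/transactions"),
]


def _normalise_path(raw_path: str) -> str:
    """Percent-decode and collapse '.'/'..' so the prefix check sees the path
    the server will actually interpret ('/login/%2e%2e/admin' is '/admin')."""
    path = unquote(raw_path) or "/"
    if not path.startswith("/"):
        path = "/" + path
    path = posixpath.normpath(path)
    if path.startswith("//"):            # normpath keeps a leading '//'; fold it
        path = "/" + path.lstrip("/")
    return path


def _path_under(path: str, prefix: str) -> bool:
    """Match on a path-segment boundary: '/login' must not admit '/loginx'."""
    prefix = prefix.rstrip("/") or "/"
    return prefix == "/" or path == prefix or path.startswith(prefix + "/")


def is_allowed(url: str, allowlist=ALLOWLIST) -> bool:
    """True only if url is an https URL whose host, port and path fit one
    allow-list entry exactly. Anything that cannot be parsed is denied."""
    # Backslashes and whitespace are interpreted inconsistently by URL parsers.
    if "\\" in url or any(ch.isspace() for ch in url):
        return False
    try:
        parts = urlsplit(url)
        port = parts.port                # ValueError for a non-numeric port
    except ValueError:
        return False
    if parts.scheme.lower() != "https":
        return False
    # 'https://bank.example.com@evil.net/' has host evil.net; refuse any userinfo.
    if parts.username is not None or parts.password is not None:
        return False
    host = (parts.hostname or "").rstrip(".")   # hostname is already lower-cased
    if not host:
        return False
    port = 443 if port is None else port
    path = _normalise_path(parts.path)
    return any(
        host == a_host and port == a_port and _path_under(path, a_prefix)
        for a_host, a_port, a_prefix in allowlist
    )
```

The same check serves the "Kiosk mode browser view" entry below: the web view consults `is_allowed` for every navigation and redirect, including ones triggered by page script, and not only for the initial URL.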


Feature: App dedicated certificate trust store
Category: Software
Description: Certificate stores contain the Root and/or Sub-CA certificates required for validating (web) server certificates, so that the authenticity of the (web) server is ensured for secure communication with a client (e.g. a browser). The certificate store is accessed in a secure manner (integrity protected). It is important to make sure that only the required and well-known Root or Sub-CA certificates are put into the dedicated certificate trust store. This mechanism is used both for SDK <-> SSMS communication and for the Trusted Web View and app-specific proprietary communication. Certificate pinning is also used as part of the process: the (web) server certificate is checked against a securely stored certificate in the trust store.
Protection against: Man-in-the-browser, man-in-the-middle. Infection or manipulation of the system's certificate store can allow an attacker to impersonate a legitimate web service and make the user perform actions to the attacker's advantage. A separate, properly protected certificate store is harder for an attacker to reach.

Feature: DLL and browser plug-in whitelisting
Category: Software
Description: Before loading a DLL, the application makes sure it is on a whitelist of allowed DLLs. Browser plug-in whitelisting is a special case of this feature: plug-ins for the Trusted Web View are only allowed if they are on the whitelist.
Protection against: By making the application load a malicious DLL, or the Web View run a malicious plug-in, an attacker can manipulate the running application process and thereby make the user undertake actions to the attacker's advantage.


Feature: Execution from a protected device
Category: Software, Hardware
Description: The application is executed from a hardware device connected to the client's machine, e.g. over USB or Bluetooth. This hardware device has special mechanisms for protecting the content it carries (application, user credentials, etc.) and runs its own, physically separated operating system/firmware that cannot be changed without Kobil authentication.
Protection against: User impersonation, application manipulation. Such a protective measure provides a very high security level.

Feature: Smart card authentication and authorization process
Category: Hardware
Description: A user authentication process in which the credentials needed to authenticate the user are stored on a smart card. The user's private key for signing login requests and transactions is stored on the smart card. We use evaluated and security-certified smart cards. A virtual smart card is a way of bringing smart card security into software: the user's private key is stored in a secure way (see "Protected and separate user key store"), and the messages to be signed (for authentication and transactions) are transmitted over a secured channel controlled by the SSMS (see "Dedicated secure channel").
Protection against: User impersonation. Smart cards provide a very high level of security and are therefore used whenever high security standards are required for user authentication and transaction signing.


Feature: USB over IP detection
Category: Hardware
Description: USB over IP enables access over a network to a USB device that is connected to a host. For security reasons it may be necessary to detect and block this type of access, to prevent remote access to the USB device.
Protection against: Stealing the user's data, unauthorized access. USB over IP can be a real problem if the USB device carries the user's sensitive data or an application for security-sensitive operations such as banking, enterprise network access, etc.

Feature: CD image integrity check
Category: Software, Hardware
Description: A CD image may be used by a protected device (see "Execution from a protected device") to store, in a protected manner, an application that is to be executed from that device. The integrity check of the CD image makes sure that the stored application has not been manipulated. See also "Application integrity check" and "Remote secure update".
Protection against: Application manipulation. See "Application integrity check".

Feature: Memory protection
Category: Software
Description: Memory protection mechanisms make sure that sensitive data, which has to be held in memory during the current program execution, cannot easily be accessed by an attacker.
Protection against: Stealing sensitive data. Sensitive data such as PINs, passwords and cryptographic keys must be kept in memory for as short a time as the program execution allows, and erased/overwritten afterwards.


Feature: Anti-code-injection and execution
Category: Software
Description: Detects whether, at start time or during execution, malicious shared objects are running in the memory address space of the application. Sophisticated attack techniques such as function hooking can be thwarted by the methods used for code injection protection.
Protection against: Application manipulation. By injecting and executing suitable code an attacker can pose a serious threat to the security of the user's identity and data.
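An added example (Linux, not Kobil's implementation) of the detection described in this entry and in "DLL and browser plug-in whitelisting" and "Execution environment monitoring" below: walk the process's own memory map and report executable mappings that do not come from an allowed directory. LD_PRELOAD hooks, memfd-backed injectors and shellcode written by ptrace typically show up as a foreign file, an unlinked/memfd file or an anonymous executable region. The sample maps text and the allowed directories are constructed.

```python
"""Detect foreign executable mappings from /proc/<pid>/maps."""
import os

ALLOWED_DIRS = ("/usr/lib/", "/lib/", "/lib64/", "/opt/app/")

# Constructed excerpt in /proc/self/maps format: start-end perms offset dev inode path
SAMPLE_MAPS = """\
55d2c0a00000-55d2c0a1c000 r-xp 00000000 08:01 131  /opt/app/bin/app
7f3a1c000000-7f3a1c022000 r--p 00000000 08:01 1234 /usr/lib/x86_64-linux-gnu/libc.so.6
7f3a1c022000-7f3a1c1b7000 r-xp 00022000 08:01 1234 /usr/lib/x86_64-linux-gnu/libc.so.6
7f3a1c400000-7f3a1c401000 r-xp 00000000 08:01 9999 /tmp/libhook.so
7f3a1c500000-7f3a1c502000 r-xp 00000000 00:05 7    /memfd:payload (deleted)
7f3a1c600000-7f3a1c610000 rwxp 00000000 00:00 0
7ffd5e000000-7ffd5e021000 rw-p 00000000 00:00 0    [stack]
7ffd5e0f0000-7ffd5e0f2000 r-xp 00000000 00:00 0    [vdso]
"""


def parse_maps(text: str):
    """Yield (perms, path) per mapping; path is '' for anonymous mappings.
    Paths may contain spaces, hence the 5-way split."""
    for line in text.splitlines():
        fields = line.split(None, 5)
        if len(fields) < 5:
            continue
        yield fields[1], (fields[5].strip() if len(fields) == 6 else "")


def suspicious_executable_mappings(text: str, allowed_dirs=ALLOWED_DIRS) -> list:
    """Sorted, de-duplicated findings for executable mappings that are anonymous,
    backed by an unlinked or memfd file, or outside the allowed directories."""
    findings = set()
    for perms, path in parse_maps(text):
        if "x" not in perms:
            continue
        if path == "":
            findings.add("anonymous executable mapping (%s)" % perms)
        elif path.startswith("["):
            continue                      # [vdso], [vsyscall]: kernel-provided
        elif "(deleted)" in path or path.startswith("/memfd:"):
            findings.add("executable mapping of unlinked/memfd file: " + path)
        elif not any(os.path.normpath(path).startswith(d) for d in allowed_dirs):
            findings.add("executable file outside allowed dirs: " + path)
    return sorted(findings)


def preload_variables(environ) -> list:
    """Loader variables that force extra libraries into a process."""
    names = ("LD_PRELOAD", "LD_AUDIT", "DYLD_INSERT_LIBRARIES")
    return sorted(k for k in names if environ.get(k))


def scan_self() -> list:
    """Run both checks on the current process (Linux only)."""
    with open("/proc/self/maps") as f:
        findings = suspicious_executable_mappings(f.read())
    return findings + ["loader variable set: " + v for v in preload_variables(os.environ)]
```

A "(deleted)" library can also be a legitimate package upgrade that replaced the file on disk while the process kept running, so the findings are a signal to correlate with the other checks in this table rather than a verdict on their own. An attacker with the same privileges as the process can also patch the scanner, which is why the entry pairs it with integrity checks and server-side verification.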

Feature: Anti-keylogging
Category: Software
Description: A keylogger is a malicious program that logs the user's keystrokes. With it an attacker is able to obtain credentials that are typed in (PIN/password, activation code). Anti-keylogging is a protection mechanism that enables an application to block or to deceive a keylogger.
Protection against: User impersonation. Keyloggers are among the most widespread malware in the wild. However, they are only capable of stealing typed-in data.


Feature: Tampering protection
Category: Software
Description: Protects against tampering with the graphical elements of an application, for example changing electronic fill-out forms.
Protection against: Phishing. By displaying manipulated graphical elements an attacker can make a user enter his credentials or perform an action to the attacker's advantage.

Feature: Dedicated secure channel (SDK <-> SSMS)
Category: Software, Server
Description: An encrypted and authenticated communication channel between a server and the user's device (virtual or physical). This channel is used for security-related communication such as user authentication, transaction authorization, app security monitoring, etc. It is physically or logically separated from the application channel that delivers application/service content to the user. Additional security features make sure that this channel is strongly protected; see "App dedicated certificate trust store" and "Dedicated SSL/TLS Stack".
Protection against: Man-in-the-middle. An attacker has a harder time breaking into this channel, since it is under the full control of the security server and the application. Moreover, a successful attack would require attacking both the dedicated secure channel and the application channel, which adds complexity to the attack.

Feature: Protected and separate user key store
Category: Software
Description: The protected key store is a part of the application that is protected by integrity check mechanisms and encryption. The key store keeps the user's private/secret information, e.g. for user authentication. Access to the store is strictly controlled by the application and (if available) by a security server.
Protection against: User impersonation, unauthorized access, stealing the user's private data.


Feature: Two factor authentication
Category: Software, Hardware
Description: The process of authenticating a user based on two factors pertaining to that user. The factors are: what the user knows (e.g. a PIN or a password), what the user possesses (token, card), what the user is (biometrics) and where the user is (geolocation). A two factor authentication system uses a combination of two factors from this list, usually what the user knows and what the user possesses.
Protection against: User impersonation, unauthorized access. Whereas it may be quite feasible for an attacker to overcome one factor (e.g. steal a password), it is much harder to break two factors (simultaneously), e.g. steal both a password and a security token of the user.

Feature: Application integrity check
Category: Software, Server
Description: The application code is verified with respect to integrity, i.e. that it is unchanged compared to a legitimate state. This check is stronger if done server-side, and it must cover both the application's binary executable and its mapped RAM image.
Protection against: App manipulation, phishing. By breaking the integrity of an application (i.e. manipulating the app) an attacker may mimic functions of the original app to his advantage, e.g. to lure the user into fraudulent actions or to steal the user's credentials/data.

Feature: Virtual device binding
Category: Software
Description: An application (virtual device) is bound to the specific mobile device it has been installed on. The binding is done by collecting certain properties of the mobile device and its operating system. These properties should uniquely identify the mobile device and are later used as the reference for the binding.
Protection against: Application cloning, user impersonation. It is very difficult to clone an application that contains the user's data and install it on another mobile device in order to later access the user's data or impersonate the user.


Feature: User and device management
Category: Server
Description: Management of the registered users of the system and of the devices that belong to these users. Devices can be virtual (apps) or physical (hardware). With this management function the system administrator has an overview of all users and devices and their activity reports, and is able to lock, unlock, delete and activate devices and users. Moreover, the administrator has information on the operating system a virtual device is running on, the mobile device model, etc.
Protection against: This is a preventive measure that the other protective mechanisms rely upon. Being able to manage users and their devices is essential for providing adequate protection of the system and its processes.

Feature: Anti-reverse-engineering
Category: Software
Description: This mechanism prevents an attacker from gaining a deeper understanding of the original program code of an application (or parts of it) from the binary code in which the application is provided. One of the techniques used here is so-called disassembler fooling: it makes a disassembler produce assembly code that does not reflect what the actual code is doing.
Protection against: By getting access to the disassembled binary code an attacker can gain insight into the security measures of the application and get access to compiled-in security material such as cryptographic keys.

Feature: Server-side verified and protected user PIN
Category: Software, Server
Description: The user's PIN is not verified in the application. Instead, a fingerprint of the PIN (not the PIN itself) is transmitted over a secure channel (see "Dedicated secure channel") to a trusted server, which verifies it against securely stored fingerprints. The server can deny access after a certain number of wrong PIN entries.
Protection against: Brute force attacks. Local PIN verification can be used by an attacker to simply brute-force all possible PIN combinations. Even if there is a lock-out after a certain number of attempts, it can be overcome by cloning the app as many times as necessary and brute-forcing the cloned copies.
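An added sketch of this entry's protocol (not Kobil's): the client derives a fingerprint from the PIN and a per-user salt and proves knowledge of it against a fresh server challenge, so neither the PIN nor a replayable value crosses the wire, and the failure counter lives only on the server, so cloning the app cannot reset it. Transport over the dedicated secure channel and authentication of the device itself are assumed; user names, PINs and the cost parameter are constructed.

```python
"""Server-side PIN verification with a challenge-response fingerprint and a
server-held failure counter."""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 50_000      # low for the example; raise it in production
MAX_FAILURES = 5


def pin_fingerprint(pin: str, salt: bytes) -> bytes:
    """What the client derives from the PIN; the PIN itself never leaves the device."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)


def challenge_response(fingerprint: bytes, nonce: bytes) -> bytes:
    """Proof of the fingerprint bound to one nonce; a captured response is useless later."""
    return hmac.new(fingerprint, nonce, hashlib.sha256).digest()


class PinServer:
    def __init__(self):
        self.users = {}     # user -> {"salt", "fingerprint", "failures", "nonce"}

    def enroll(self, user: str, pin: str) -> None:
        salt = os.urandom(16)
        self.users[user] = {"salt": salt, "fingerprint": pin_fingerprint(pin, salt),
                            "failures": 0, "nonce": None}

    def start_login(self, user: str) -> tuple:
        """Return (salt, nonce) for the client. Unknown users get random values so
        the response does not reveal whether the user exists."""
        record = self.users.get(user)
        if record is None:
            return os.urandom(16), os.urandom(16)
        record["nonce"] = os.urandom(16)          # single use
        return record["salt"], record["nonce"]

    def finish_login(self, user: str, response: bytes) -> tuple:
        """Return (ok, reason). The pending nonce is consumed whatever the outcome."""
        record = self.users.get(user)
        if record is None:
            return False, "wrong-pin"
        if record["nonce"] is None:
            return False, "no-pending-login"
        nonce, record["nonce"] = record["nonce"], None
        if record["failures"] >= MAX_FAILURES:
            return False, "locked"                # decided before comparing: no more guesses
        expected = challenge_response(record["fingerprint"], nonce)
        if hmac.compare_digest(expected, response):
            record["failures"] = 0
            return True, "ok"
        record["failures"] += 1
        return False, "wrong-pin"


def client_login(server: PinServer, user: str, pin: str) -> tuple:
    """The client side of one attempt: fetch salt and nonce, derive, respond.
    Note that the client holds no counter at all; a clone has nothing to reset."""
    salt, nonce = server.start_login(user)
    return server.finish_login(user, challenge_response(pin_fingerprint(pin, salt), nonce))
```

A PIN space of 10^4 to 10^6 values is small enough that anyone who captures one challenge/response pair and the salt can brute-force the PIN offline, whatever the derivation cost. The confidentiality of the channel and the server-side counter are therefore the actual defence, exactly as the entry describes; the derivation only keeps the raw PIN off the wire and out of the server's database.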


Feature: App version control
Category: Software, Server
Description: It is checked (preferably by a trusted server) that a valid version of the application is running.
Protection against: Use of outdated app versions that potentially have security problems, which may lead to compromise of the user's identity and communication.
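An added example (not Kobil's protocol) of the server-side decision that this entry, "Application integrity check" and "Virtual device binding" describe together: the client reports its version, the digest of its binary and the properties of the device it runs on, and the server refuses unknown or retired versions, binaries whose digest does not match the release table, and devices that differ from the one enrolled for the user. The release table, device properties and report are constructed, and the report is assumed to arrive over the authenticated channel from the "Dedicated secure channel" entry.

```python
"""Server-side check of version, binary integrity and device binding."""
import hashlib
import json

# Constructed release table: version -> SHA-256 of the known-good binary.
KNOWN_BUILDS = {
    "1.4.1": hashlib.sha256(b"constructed build 1.4.1").hexdigest(),
    "1.4.2": hashlib.sha256(b"constructed build 1.4.2").hexdigest(),
}
MINIMUM_VERSION = "1.4.2"          # 1.4.1 is retired in this example

# Properties that identify the device and do not change across OS updates.
BINDING_PROPERTIES = ("hardware_id", "model", "os_family")


def version_tuple(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))


def device_fingerprint(properties: dict) -> str:
    """Canonical JSON of the binding properties, hashed. Volatile fields such as
    the OS version are deliberately left out so legitimate updates do not break
    the binding."""
    selected = {k: properties.get(k) for k in BINDING_PROPERTIES}
    canonical = json.dumps(selected, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def check_client(report: dict, registry: dict) -> tuple:
    """Return (allowed, reason). registry maps user -> fingerprint recorded at enrolment.
    Cheap checks on the version come first; the device check last."""
    version = report.get("version", "")
    if version not in KNOWN_BUILDS:
        return False, "unknown-version"
    if version_tuple(version) < version_tuple(MINIMUM_VERSION):
        return False, "outdated-version"
    if report.get("binary_sha256") != KNOWN_BUILDS[version]:
        return False, "binary-hash-mismatch"
    expected = registry.get(report.get("user"))
    if expected is None:
        return False, "device-not-enrolled"
    if device_fingerprint(report.get("device", {})) != expected:
        return False, "device-mismatch"
    return True, "ok"


# Constructed devices and enrolment record.
DEVICE_A = {"hardware_id": "A1B2C3", "model": "Phone 7", "os_family": "android", "os_version": "13"}
DEVICE_B = {"hardware_id": "ZZZ999", "model": "Phone 7", "os_family": "android", "os_version": "13"}
REGISTRY = {"alice": device_fingerprint(DEVICE_A)}


def good_report() -> dict:
    return {"user": "alice", "version": "1.4.2",
            "binary_sha256": KNOWN_BUILDS["1.4.2"], "device": dict(DEVICE_A)}
```

The digest the client reports is only as trustworthy as the client computing it, which is why the entry above says the check is stronger when the server verifies it and why it is combined with the other integrity mechanisms in this table. Which device properties are stable and readable by an app depends on the platform and its privacy restrictions, so the property set is a deployment decision.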

Feature: Kiosk mode browser view
Category: Software
Description: A browser, or an application with a web view, starts in a mode in which the user is unable to navigate to arbitrary web sites or to change browser options arbitrarily. The browser/application has full control over navigation in this case.
Protection against: Man-in-the-browser, man-in-the-middle, phishing, social engineering. It is not possible for a user to follow a link sent to him in a phishing email or by similar means.
Feature: Dedicated SSL/TLS Stack
Category: Software
Description: The SSL/TLS stack is responsible for establishing and managing SSL/TLS (secured) communication between an application and a service. A separate SSL/TLS stack means that the application does not rely on the stack provided by the operating system but uses its own. As there are weaknesses in the SSLv2 and SSLv3 protocols, only secure TLS protocol versions should be used.
Protection against: Man-in-the-browser, man-in-the-middle. Infection or manipulation of the system's stack can allow an attacker to eavesdrop on or manipulate the SSL/TLS traffic, thus breaking the confidentiality, integrity and authenticity of the communication.
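An added example (not Kobil's code) of the client-side TLS policy that this entry, "App dedicated certificate trust store" and "DNS spoofing prevention" describe: a context that trusts only the application's own CA file and nothing from the system store, accepts TLS 1.2 or newer only, verifies the hostname, and after the handshake compares the peer certificate against pinned values. It uses Python's ssl module, so the stack is still OpenSSL rather than a separate implementation as in the entry; the pin is the SHA-256 of the leaf certificate's DER encoding, which matches the entry's "checked against a securely stored certificate". The CA file path, host and pin values are placeholders.

```python
"""Dedicated trust store, modern TLS only, hostname check and certificate pinning."""
import hashlib
import hmac
import socket
import ssl


def make_dedicated_context(cafile: str = None) -> ssl.SSLContext:
    """Trust only the CAs in cafile, require TLS 1.2 or newer, and verify the
    hostname. load_default_certs() is deliberately not called: with an empty
    store every handshake fails closed, which is the behaviour we want."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # CERT_REQUIRED + check_hostname by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if cafile is not None:
        ctx.load_verify_locations(cafile=cafile)
    return ctx


def policy_summary(ctx: ssl.SSLContext) -> dict:
    """The settings worth asserting on in a test or a start-up self-check."""
    return {"minimum_version": ctx.minimum_version.name,
            "check_hostname": ctx.check_hostname,
            "verify_mode": ctx.verify_mode.name}


def certificate_pin(der: bytes) -> str:
    """Pin value for a certificate: hex SHA-256 over its DER bytes."""
    return hashlib.sha256(der).hexdigest()


def pin_matches(der: bytes, pins) -> bool:
    """Constant-time membership test of the peer certificate's pin."""
    actual = certificate_pin(der)
    return any(hmac.compare_digest(actual, p) for p in pins)


def connect_pinned(host: str, port: int, cafile: str, pins) -> ssl.SSLSocket:
    """Open a connection and refuse it unless chain validation, hostname check
    and the pin all pass. Because the name is verified against the certificate,
    a spoofed DNS answer only yields a server that fails verification."""
    ctx = make_dedicated_context(cafile)
    sock = ctx.wrap_socket(socket.create_connection((host, port)), server_hostname=host)
    try:
        der = sock.getpeercert(binary_form=True)
        if not pin_matches(der, pins):
            raise ssl.SSLError("peer certificate does not match any pinned certificate")
    except Exception:
        sock.close()
        raise
    return sock
```

Pinning the whole certificate means every certificate rotation needs a pin update, so the pin set should already contain the next certificate's pin before the switch. Pinning the public key (SPKI) instead survives reissue under the same key but needs DER parsing that the standard library does not provide.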
Feature: App overlay attack protection
Category: Software
Description: Protects a mobile app against graphical overlays. For example, graphical elements for "OK" and "Cancel" can be laid over the original "Cancel" and "OK" elements, so that the user confirms a transaction instead of cancelling it.
Protection against: Phishing. By displaying wrong graphical content the user can be lured into signing wrong content or undertaking an action he did not intend, to the attacker's advantage.


Feature: Execution environment monitoring
Category: Software
Description: Scans the processes running on the system to identify potentially malicious processes that may interfere with the target application.
Protection against: Application manipulation, reverse engineering, debugging.

Feature: What-you-see-is-what-you-sign
Category: Software, Hardware
Description: The content to be digitally signed by the user (e.g. a transaction) is displayed in full, so that the user can check exactly what he is signing.
Protection against: Phishing. Signing of a fraudulent transaction, where the user signs something different from the intended content.

Feature: End-to-end encryption
Category: Software, Hardware, Server
Description: Establishment of an encrypted end-to-end communication channel. Only the designated parties are able to decrypt the communication; there is no one in the middle who (legitimately or not) is able to read the messages transported through this channel.
Protection against: Man-in-the-middle. Unauthorized access to the communicated data traffic. Eavesdropping by malicious hackers and secret services.

Feature: Physical smart card extension
Category: Hardware
Description: The user's private key is stored on a tamper-resistant smart card and never leaves this secure environment.
Protection against: User impersonation. Manipulation and theft of the user's private key, and thereby user impersonation and fraudulent transaction signing.

Feature: DNS spoofing prevention
Category: Software, Server
Description: DNS spoofing is an attack that diverts Internet traffic by means of incorrect resolutions of DNS names (readable domain names) to IP addresses. Prevention mechanisms aim to keep the application from accepting traffic from a malicious web server that the user is being diverted to.
Protection against: Phishing, pharming. One possible way to prevent DNS spoofing is server authentication with certificates and dedicated certificate trust stores (see "App dedicated certificate trust store").


Feature: Dynamic memory dumping protection
Category: Software
Description: During the execution of a program certain states are kept in memory. By dumping the memory it is possible to analyze the dump and try to recover sensitive information from it. The protection mechanisms here make sure that no sensitive information can be retrieved from memory dumps.
Protection against: Stealing the user's sensitive data.

Feature: Static executable patching protection
Category: Software
Description: These protection measures prevent an attacker from changing the binary code of an application or its resources. Techniques such as integrity checks ("Application integrity check"), code signing and function signatures ("Integrity of critical functions") come into play here.
Protection against: Application manipulation and malicious code execution.

Feature: Session hijacking prevention
Category: Software, Server
Description: Session hijacking is an attack that takes over a legitimate communication session between a server and a client. Preventive mechanisms make sure that a session cannot be taken over.
Protection against: Man-in-the-middle, man-in-the-browser.

Feature: Virtual device with separate key store and channel
Category: Software, Server
Description: See "Protected and separate user key store" and "Dedicated secure channel".
Protection against: See "Protected and separate user key store" and "Dedicated secure channel".


Feature: Digital signatures (non-repudiation): login, transaction, interaction
Category: Software, Hardware, Server
Description: The digital analogue of a signature on a contract. A user signs a message with his private key, known only to him, but everyone can verify the digital signature using the user's public key. This achieves authenticity of the message (it is known who signed it) and also non-repudiation (the user cannot later deny having signed it). Digital signatures are used to authenticate communication on the Internet, to sign transactions in a (legally) binding manner, and to grant access to authorized users. See also "Public Key Infrastructure".
Protection against: User impersonation, unauthorized access. Triggering of unauthorized actions, repudiation of undertaken actions.

Feature: Public Key Infrastructure (certificate technology)
Category: Software, Server
Description: Provides a way to communicate securely (confidentially and authenticated) with manageable key distribution procedures in place.
Protection against: Man-in-the-middle. Breaking the confidentiality and authenticity of a communication (eavesdropping, impersonation).


Feature: Remote secure update (firmware and software)
Category: Software, Hardware, Server
Description: Being secure also means being up to date with regard to protection mechanisms. For an application or a device, being up to date is achieved by updating the application or the device's firmware. Remote update makes it possible for a trusted server to update the application/device remotely. The update packages are transferred over a secure channel and carry a digital signature that must be verified before the update is applied.
Protection against: Phishing. Installation of a manipulated application or firmware. See also "App version control".
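An added example (not Kobil's update format) of the checks a device runs on a package before applying it, covering this entry and the "Digital signatures" entry above: authenticate the manifest first, refuse any version that is not strictly newer than the installed one (rollback to a known-weak version is itself an attack), and only then check that the payload matches the digest the manifest commits to. The Python standard library has no public-key signature primitive, so the manifest is authenticated here with HMAC-SHA256 under a constructed key; in a real deployment the manifest carries an asymmetric signature (e.g. Ed25519 or RSA-PSS) so that the device holds only a public key. Package layout, version numbers and payload are constructed.

```python
"""Verification of an update package: authenticated manifest, anti-rollback,
payload digest."""
import hashlib
import hmac
import json

VERIFY_KEY = b"constructed-update-key"   # stand-in for the vendor's signing key


def canonical(manifest: dict) -> bytes:
    """Deterministic encoding, so signer and verifier hash identical bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def build_package(version: str, payload: bytes, key: bytes = VERIFY_KEY) -> dict:
    """Producer side: manifest + authentication tag + payload."""
    manifest = {"version": version,
                "payload_sha256": hashlib.sha256(payload).hexdigest(),
                "payload_len": len(payload)}
    tag = hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()
    return {"manifest": manifest, "tag": tag, "payload": payload}


def version_tuple(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))


def verify_package(package: dict, installed_version: str, key: bytes = VERIFY_KEY) -> tuple:
    """Return (ok, reason). Order matters: authenticate the manifest before
    trusting any field in it; decide rollback before touching the payload."""
    manifest = package.get("manifest")
    tag = package.get("tag", "")
    if not isinstance(manifest, dict) or not isinstance(tag, str):
        return False, "malformed"
    expected = hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False, "bad-signature"
    try:
        if version_tuple(manifest["version"]) <= version_tuple(installed_version):
            return False, "rollback"
    except (KeyError, ValueError, AttributeError):
        return False, "malformed"
    payload = package.get("payload", b"")
    if (len(payload) != manifest.get("payload_len")
            or hashlib.sha256(payload).hexdigest() != manifest.get("payload_sha256")):
        return False, "payload-digest-mismatch"
    return True, "ok"


def apply_update(package: dict, installed_version: str) -> str:
    """Return the version that is installed afterwards: the new one on success,
    the old one (nothing written) on any failure."""
    ok, _ = verify_package(package, installed_version)
    return package["manifest"]["version"] if ok else installed_version
```

The installed version that the rollback check compares against must itself live in storage the attacker cannot edit (a monotonic counter in the protected device or the key store), otherwise the check can be bypassed by first lowering the recorded version.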

Feature: Jailbreak/rooting detection
Category: Software
Description: Depending on the mobile platform, detects whether an Android device is rooted or an iOS device is jailbroken. In such cases the mobile device can no longer be fully trusted, since an attacker might be able to run his tools with higher privileges than the application itself. Therefore a working jailbreak or rooting detection is important, at the least, in order to handle these risks inside the customer-specific risk management system.
Protection against: Potential manipulation of the app via escalated privileges on the target mobile device.

About Kobil Systems

Today Kobil solutions are a benchmark for digital identity and highly secure data
technology. Founded in 1986, the 120-person Kobil Group, with head office in
Worms, Germany, is a pioneer in the areas of smart cards, one-time passwords,
authentication and encryption.

The core of Kobil philosophy is to provide consistent identity and mobile security
management on all platforms and for all communication channels. Almost half of the
Kobil employees are engaged in development, including leading specialists in
cryptography.

Kobil is a decisive participant in the development of new encryption standards.


Commerzbank, DATEV, German Bundestag, Migros Bank, Société Générale, UBS, ZDF
and many others rely on and trust Kobil.

Kobil Systems GmbH


Pfortenring 11
67547 Worms
Tel.: +49-6241-3004-0
Fax: +49-6241-3004-80
E-Mail: [email protected]

Confidential 15

You might also like