Is the detection of jailbroken/rooted phone sufficient against threats?

Nirenj George - Director of Product Architecture & Innovation | Frank Tan - ASEAN Director | Sheralyn Chua - Senior Marketing Executive


It is widely known that jailbreaking or rooting a mobile device opens it to security vulnerabilities. It often leaves a gap for malware to gain elevated permissions on the device. This elevated access allows an adversary to silently and stealthily spy on victims, collecting information from voice communications, camera, email, messaging, GPS, passwords, and contact lists. Functions that detect jailbroken/rooted devices are most commonly added to transactional mobile applications, serving as the most basic defense against threats. However, this is nothing but a drop in the bucket.


The digital future.

The world is going digital. Our smartphones are the most intimate possessions we carry around in our pockets; some may even argue that our phones know everything about us. That is arguably why most FinTech companies are pivoting their services to mobile devices: to be close to their end-users. Unfortunately, end-users are often the weakest link. From an aerial view of the mobile threat landscape, some of the most prevalent attacks performed by cybercriminals are malware attacks, phishing, and SIM swapping. According to a recently released statement by the Thai Royal Police¹, between 2018 and 2019 it is estimated that over 1,100 million baht worth of damage was caused in Thailand by social engineering fraud, such as phishing, creating fake websites and fake profiles, or spoofing using fake images on social media.

Beyond social attacks lie technical attacks such as hooking. Hooking is a code modification/tampering technique that can be used for malicious activities such as API function monitoring, debugging and reverse engineering, stealing personal information, and changing the behaviour of the app itself to perform unauthorised activities. Hooking attacks render the most damage, and they happen underneath your “skin”.

In perspective, it can be incredibly challenging for banks or their end-users to avoid such attacks by cybercriminals. Banks can only go so far as to implement mechanisms that mitigate them.


Looking beyond.

Fortunately, V-Key has a solution. In an insecure OS environment where the phone is compromised, apps integrated with V-OS Application Protection have mechanisms to detect rooting and jailbreaking of the mobile OS. On top of that, V-OS will allow the mobile app to run smoothly without compromising its integrity and confidentiality. There will be no breaking of its security or leakage of sensitive information stored inside the app.

V-OS can also detect and prevent attackers from hooking on to the app during run-time by implementing various mechanisms. One such method is to detect rooting/jailbreak so that V-OS will expect a hooking attempt on the app. We also remove all debug information that could give any clues to the attacker, and encrypt data at rest and in transit as much as possible.

Such threats are reported back to the V-OS App Protection Threat Intelligence server for analysis and response action by system administrators. V-Key’s software performs root/jailbreak checking only as the first line of defense, but the security of V-OS is not dependent on such checks.

There is no guarantee that jailbreak/root detection is enough to fully secure devices against threats. Hence, it is critical that companies look beyond jailbreaking/rooting, and seek protection against extensive threats such as app debugging, reverse engineering, API Frida hooking and more.
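To illustrate checks that look beyond the root/jailbreak verdict, here is an added example (not V-Key's code and not a description of how V-OS works) of two generic Linux/Android runtime heuristics: a debugger check via `TracerPid` and a scan of the process memory map for injected instrumentation libraries. The marker names, sample data and function names are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
enum { THREAT_DEBUGGER = 1, THREAT_INJECTED_LIB = 2 };
/* Illustrative markers (assumption): library names used by a hooking toolkit. */
static const char *const MARKERS[] = { "frida-agent", "frida-gadget" };
/* Constructed samples in /proc/<pid>/status and /proc/<pid>/maps format. */
static const char STATUS_CLEAN[]  = "Name:\tbankapp\nTracerPid:\t0\n";
static const char STATUS_TRACED[] = "Name:\tbankapp\nTracerPid:\t4242\n";
static const char MAPS_CLEAN[] =
    "7a10000000-7a10200000 r-xp 00000000 fd:00 1201 /system/lib64/libc.so\n";
static const char MAPS_HOOKED[] =
    "7a10000000-7a10200000 r-xp 00000000 fd:00 1201 /system/lib64/libc.so\n"
    "7a20000000-7a21400000 r-xp 00000000 fd:03 9917 /data/local/tmp/frida-agent-64.so\n";

/* TracerPid value: non-zero means a ptrace tracer is attached; -1 if absent. */
long tracer_pid(const char *status) {
    static const char key[] = "TracerPid:";
    for (const char *p = status; (p = strstr(p, key)) != NULL; p++)
        if (p == status || p[-1] == '\n')   /* field names start a line */
            return strtol(p + sizeof key - 1, NULL, 10);
    return -1;
}

/* Number of maps lines that mention any marker. */
int injected_libs(const char *maps) {
    int hits = 0;
    while (*maps) {
        size_t len = strcspn(maps, "\n");   /* length of the current line */
        for (size_t i = 0; i < sizeof MARKERS / sizeof *MARKERS; i++) {
            const char *m = strstr(maps, MARKERS[i]);
            if (m && m < maps + len) { hits++; break; }
        }
        maps += len + (maps[len] == '\n');
    }
    return hits;
}

/* Bitmask of findings, computed whatever the root/jailbreak check said. */
int runtime_threats(const char *status, const char *maps) {
    return (tracer_pid(status) > 0 ? THREAT_DEBUGGER : 0)
         | (injected_libs(maps) > 0 ? THREAT_INJECTED_LIB : 0);
}

int main(void) {
    printf("clean=%d instrumented=%d\n", runtime_threats(STATUS_CLEAN, MAPS_CLEAN),
           runtime_threats(STATUS_TRACED, MAPS_HOOKED));
    return 0;
}
```

In an app, the two text buffers would be read from `/proc/self/status` and `/proc/self/maps`. Name-based markers are easy to evade, so checks like these are one layer among several rather than a verdict on their own.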


