PiOSoned POS - A Case Study in iOS based Mobile Point-of-Sale gone wrong

Thursday, November 21 • 10:00 am - 10:50 am

Mobile Point of Sale (POS) systems are becoming more and more common in a wide variety of retail outlets. And why not? They add speed and convenience to shopping and can increase a retailer's ability to sell. But POS and mobile are each hard to get right and to secure. What happens when you try to combine the two on trendy iOS devices and rush your solution out the door?

Based on multiple mobile tests conducted by the Trustwave SpiderLabs application security team, Mike Park will walk through typical mobile POS apps for iOS and show how and why they can be attacked, often with no sign that an attack is going on.

Mike will cover the technological shortcomings, coding mistakes and common misunderstandings of the underlying platform that almost always occur and result in an insecure application. This will include some hardware card reader devices whose default configuration provides almost no security.

Outline

1. Introduction

2. Why Mobile POS?

3. Why iOS?

4. The Problem
    Poorly written apps
    Speed of jailbreaking
    Ability to hide the jailbreak
    The Card Reader

5. A walk through of the PiOSon POS demo app
    What the app does
    How the app reads CHD (cardholder data)
    How the app processes and sends the data to the backend
    How typical is this?

6. Hacking the POS - Demo
    Jailbreak
    Intro to Method Swizzling
    Setting up the device
    Adding the reader
    Installing the malware
    Capture the Track data

7. How to improve this
    Understand the underlying platform
    Understand the way your card reader works
    Why is this so insecure?
    View a safer version of the app – AntidOte POS

8. What to do
    Coding best practices
    Choosing a card reader
    Outside the device – MDM?

9. Conclusion

Speaker:
Mike Park

8+ years of secure development, penetration testing and reverse engineering

15 years of development and security, including training and presenting at AppsecUS2011, AppsecAPAC2012 and OttawaCodecamp