Presentation: Trusting Mobile Clients with Remote Attestation

Track: Building Security Infrastructure

Location: Plymouth - Royale, 6th fl.

Level: Intermediate

Persona: General Software, Security Professional

Abstract

Everyone knows that in client-server systems, you can't trust the client. However, remote attestation gives us a way to change this. As Square provides financial services on unmanaged mobile devices, building more visibility into the client's runtime environment helps us fight fraud and offer unique features. In this talk I'll describe the systems we've developed to verify that our app is unmodified and running in a secure environment.

Naive client-side tampering checks are relatively easy to circumvent, since attackers can modify both the application and the OS. To counter this, we use a server-driven system that dynamically interrogates the client software. I'll discuss how we manage a rules system with hundreds of interdependent modules, build robust anomaly detection models without having any data from attackers, and support millions of devices running thousands of firmware versions. Our system has parallels with intrusion detection, hardware tamper detection, and systems combating spam, fraud, and abuse.

Speaker: Janek Klawe

Security Engineer @Square

Janek Klawe is the technical lead of Square's mobile security team, which is responsible for keeping sellers' devices safe for every type of payment. He's spent the last three years building backend systems and models to detect and respond to on-device software tampering. In previous lives, Janek developed automated trading systems and software for rendering watercolor-style animations.
