Presentation: Trusting Mobile Clients with Remote Attestation

Track: Building Security Infrastructure

Location: Plymouth - Royale, 6th fl.

Duration: 5:25pm - 6:15pm

Day of week: Tuesday

Level: Intermediate

Persona: General Software, Security Professional


Everyone knows that in client-server systems, you can't trust the client. However, remote attestation gives us a way to change this. As Square provides financial services on unmanaged mobile devices, building more visibility into the client's runtime environment helps us fight fraud and offer unique features. In this talk I'll describe the systems we've developed to verify that our app is unmodified and running in a secure environment.

Naive client-side tampering checks are relatively easy to circumvent, since attackers can modify both the application and the OS. To counter this, we use a server-driven system that dynamically interrogates the client software. I'll discuss how we manage a rules system with hundreds of interdependent modules, build robust anomaly detection models without having any data from attackers, and support millions of devices running thousands of firmware versions. Our system has parallels with intrusion detection, hardware tamper detection, and systems combating spam, fraud, and abuse.

Speaker: Janek Klawe

Security Engineer @Square

Janek Klawe is the technical lead of Square's mobile security team, which is responsible for keeping sellers' devices safe for every type of payment. He's spent the last three years building backend systems and models to detect and respond to on-device software tampering. In previous lives, Janek developed automated trading systems and software for rendering watercolor-style animations.

Find Janek Klawe at

Similar Talks

Software Engineer @Agrilyst
Cofounder & CTO, previously Co-Founder & CTO @Gilt
Platform Director, "SeatGeek Open"​ @SeatGeek
Director of Engineering @ Squarespace
Software Engineer @Jet, previous CTO
Leading Machine Learning Researcher, Vowpal Wabbit Contributor
Senior Research Software Development Engineer @Microsoft


Monday, 26 June

Tuesday, 27 June

Wednesday, 28 June