The connection between smartphone users and their money is constantly getting closer, with 63% of users having at least one financial app and 55% having a banking app.
This creates huge opportunities for banks and financial services organizations to:
- Cut down on in-branch and processing costs
- Improve customer experience by enabling 24-hour banking and giving customers improved understanding and control of their finances
- Use data collection and analysis to understand customer behavior
- Enhance targeting and up-selling of products and services
- Use chatbots and AI to respond to customer queries and concerns
Issues with mobile app security
However, with greater usage comes greater risk, especially when it comes to banking and financial services. Financial apps are one of the most lucrative targets for hackers and cyber crime groups due to both the potential access funds and the valuable data stored.
Attacks commonly target financial apps through reverse engineering, exfiltrating poorly secured data, and injecting malicious code into the source code of an app. These vulnerabilities are consistently flagged by industry researchers or worse, after they have already been exploited by criminals.
- The advisory firm Aite Group recently tested 30 financial apps and found widespread security flaws such as poor encryption, lack of source code obfuscation, and unintended data leakage.
- Aite Group also reported that a number of apps have even hard-coded API keys and private certificates into their apps, which could be easily extracted, cracked, and used as an avenue of attack to access a bank’s server and operating system.
- Trend Micro discovered a master-key exploit in Android Apps. It was being used to inject malicious code into a South Korean banking app used by up to 10 million people.
- Researchers from the University of Birmingham revealed how hackers could exploit public key or ‘certificate pinning’ to decrypt, view and modify traffic between an app and its server.
Why mobile application shielding is essential for financial apps
As the usage of banking and financial apps becomes more widespread, hackers are making ever-increasing efforts to break into them. This means that protecting code through mobile application shielding has become essential for providers of these apps.
Not only do attacks risk financial loss through customer refunds and fines from regulatory authorities, they also greatly damage the trust and reputation between financial organizations and their customers. In an industry where customer confidence is paramount, poorly protected apps can pose an enormous liability. A recent survey found that 57% of customers say trust in financial service providers’ cyber defenses impacts their likelihood to do business with them. To safeguard against attacks from mobile malware and application exploits at their source, the most effective solution is mobile application shielding.
How mobile application shielding counters threats
Many app protection and mobile security strategies concentrate on a process of penetration testing and reactive closing of vulnerabilities once they are exposed, but often this can be too late.
The most effective application security is to be proactive and stop attacks from succeeding in the first place through application shielding. Here’s how mobile application shielding protects financial apps from some of the most prevalent attacks.
A new report by Veracode found that 83% of applications have at least one security flaw in their initial scan and 68% fail the OWASP Top 10.
Mobile application shielding, such as Intertrust’s whiteCryption, hardens application security at the source code level through advanced code obfuscation, including string encryption, control flow obfuscation, metadata obfuscation, and other techniques that don’t affect the app’s function but confuse attempts to understand it.
Poor encryption of sensitive data
One of the most vulnerable and valuable targets for hackers is the sensitive data of bank customers. This includes account numbers, credit card details, personal information and banking activity. This sensitive data can be leaked unintentionally through a lack of care for information stored and transferred by apps.
This can be countered by securely encrypting sensitive data as well as the code used to build the app. The use of white-box cryptography ensures sensitive app data, such as encryption keys, are kept safe at all times, even while they are being used.
As apps move outside of the protective environments of the development process and an organization’s own firewalls, attackers attempt to find their vulnerabilities through reverse engineering.
This process can be prevented through employing anti-tampering and code obfuscation, which prevents hackers from understanding how an app works—this kind of mobile application shielding guards against static and dynamic analysis, providing robust app protection.
By effectively faking secure certificates or access keys, not only can hackers gain access to an individual user’s sensitive data, but also a financial institution’s main servers and core operating system.
This can be prevented by securing essential keys with security solutions, such as whiteCryption Secure Key Box, which uses white-box cryptography to keep essential elements such as access keys and certificates safe at all times, whether during runtime, at rest or in transit. Using secure public key infrastructure (PKI) services can also help defeat hackers by creating trusted ecosystems for devices and users.
Injection of malicious code
To take advantage of vulnerabilities they have discovered in mobile app security, bad actors often attempt to add malicious code to the existing functions of an app, and to redeploy onto the app store. The hijacked app then performs actions such as logging the keystrokes and passwords of users, or taking screenshots of their use of an app.
Anti-tampering mechanisms like integrity checking, shared library cross-checking, and self-protection functions that get triggered when a jailbroken or rooted device is detected, can actively stop malicious code injection attempts.
Mitigate risk with application shielding
For banks and financial institutions, apps are an invaluable opportunity to reduce costs, improve customer service and gain business intelligence insights. However, they also expose organizations to new avenues of attack, creating major financial, regulatory, and reputational risks.
Mobile application shielding is one of the best ways of protecting both customers and financial organizations themselves. Intertrust offers industry-leading mobile application shielding solutions that are already protecting major institutions across the world. Get in touch with our team of experts to find out more.
About Paul Butterworth
Paul Butterworth is an experienced payment and security professional, having spent almost 30 years in the card, payments and IT security industries. Paul is responsible for global product marketing for the Intertrust Secure Systems’ market leading application shielding and device identity solutions.