The importance of application shielding for payment apps
Apps are increasingly important in every facet of our lives, especially the financial aspects. With a desire for more flexibility, accessibility, and control, the pressure is on financial institutions and payment providers to meet consumer demands or risk being outflanked by tech behemoths.
The problem, specifically for financial services firms, is that their apps are bigger targets for attackers because of the value of the data they hold. This is not limited to card numbers and PINs; it also includes bank account details, purchase histories, personal data, and the app’s own intellectual property (IP).
While attacks and security breaches can result in direct material losses through theft of funds and intellectual property, they also have major consequences in terms of consumer trust and regulatory fines.
How hackers attack apps:
- Reverse engineering apps to understand code and locate vulnerabilities
- Tampering with code to bypass business logic
- Stealing private information, encryption keys, or IP
- Directing the app to exfiltrate sensitive information to a server the criminal controls
- Hooking or replacing function calls to gain permissions and use the app for their own purposes
Application shielding is, therefore, a major concern for all app developers, particularly those who develop apps for financial institutions. But how does application shielding work? Let’s take a closer look at how Intertrust’s application shielding system helped a partner in fintech keep their product safe and get it successfully to market.
Felix Payments’ Need for Secure Application Shielding
As an international specialist in mobile point of sale, Felix Payments was seeking to launch a suite of products that could turn standard, off-the-shelf mobile devices into EMV-capable payment terminals. Their capabilities are delivered by two proprietary technology systems, Felix and the firm’s middleware, Hector.
- Felix: A solution that uses Near Field Communication (NFC) to enable Android phones to accept card payments, both for merchants as a POS and for e-commerce through a “tap to phone” SDK. Following a tap, Felix encrypts the card data, which is sent to Hector.
- Hector: The back-end architecture, compliant with Payment Card Industry (PCI) requirements, is where the transaction processing takes place. Running in a secure cloud environment, Hector links Felix with the payment networks used by financial institutions.
Making use of the NFC technology that most off-the-shelf Android phones already possess, Felix Payments’s innovative products create an affordable and easy payment processing solution for merchants. This decreases the costs and inconvenience associated with running and maintaining POS hardware. Felix Payments can make relevant devices capable of accepting payments with their app alone.
Due to the large amount of sensitive data being processed and transferred, this naturally created significant security and application shielding requirements for Felix Payments. These included:
- Securing data created and sent by the app, as well as data transferred between Felix and Hector
- Application shielding against reverse engineering and code tampering
- Protecting the encryption keys at all times
- Complying with PCI security guidelines
- Creating a mutually compatible solution that didn’t disrupt the connection between Felix and Hector
- Building a system capable of scaling to meet growth in transactions
Intertrust’s Application Shielding Solution
As a security partner, Intertrust was able to provide the solutions and expert guidance that Felix Payments needed. Our whiteCryption Code Protection protected Felix and Hector and empowered them with self-defense capabilities.
Felix Payments applied the following application shielding techniques, among others:
- Code obfuscation: Transforming the code (renaming symbols, encoding strings and constants, rewriting expressions) so that it is far harder to reverse engineer while its behaviour is unchanged
- Control flow flattening: The structure of each function is altered so that its branches are hidden behind a dispatcher, making the logic hard to follow while keeping the functionality the same
- Integrity checkers: Using a patented technique, thousands of checkers with overlapping checksum regions detect whether any part of the code has been modified at runtime and let the programmer choose a custom defensive response
- Android rooting detection: On a rooted device the attacker, or malware, holds privileges that allow the app’s process and storage to be inspected and modified in ways the platform would not otherwise permit. Code Protection can detect when the app is running on a rooted device
- Anti-debugging checker: Attaching a debugger is a common way for attackers to reverse engineer an app and understand its logic. By using multiple debug checkers, Code Protection lets the app identify a debugging attempt and execute a defensive action
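As an added illustration of the obfuscation and control flow flattening items above (example code written for this page, not whiteCryption’s output or Felix Payments’ code), here is a constructed approval routine beside a hand-flattened version of it. Production tools do this automatically and layer it with opaque predicates, string encryption and bogus blocks; the point here is the shape of the transformation and that behaviour is unchanged. The approval rules, state constants and limit are choices made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Plain version of a small piece of payment business logic (constructed for
 * this example): reject zero amounts, allow contactless under the limit, and
 * require a verified PIN above it. Return codes: 0 = declined,
 * 1 = approved contactless, 2 = approved with PIN. */
int approve_plain(uint32_t amount_cents, int pin_verified, uint32_t limit_cents)
{
    if (amount_cents == 0)
        return 0;
    if (amount_cents > limit_cents) {
        if (!pin_verified)
            return 0;
        return 2;
    }
    return 1;
}

/* Control-flow-flattened version of the same function. Every basic block is a
 * case of one switch, and a state variable decides which block runs next, so a
 * decompiler sees one loop around a dispatcher instead of the nested branches
 * above. The state values are arbitrary constants chosen for the example. */
int approve_flat(uint32_t amount_cents, int pin_verified, uint32_t limit_cents)
{
    uint32_t state = 0x3A1;
    int result = 0;
    for (;;) {
        switch (state) {
        case 0x3A1: /* entry: zero-amount test */
            state = (amount_cents == 0) ? 0x7F0 : 0x2C4;
            break;
        case 0x2C4: /* limit test */
            state = (amount_cents > limit_cents) ? 0x9B3 : 0x5E2;
            break;
        case 0x9B3: /* over the limit: PIN required */
            state = pin_verified ? 0x6D7 : 0x7F0;
            break;
        case 0x5E2: result = 1; state = 0x1FF; break; /* approved contactless */
        case 0x6D7: result = 2; state = 0x1FF; break; /* approved with PIN */
        case 0x7F0: result = 0; state = 0x1FF; break; /* declined */
        case 0x1FF: return result;                    /* exit block */
        default:    return -1; /* unreachable unless the dispatcher was patched */
        }
    }
}

/* Differential check that flattening did not change behaviour: compare both
 * versions over a grid of amounts and PIN states. Returns 1 if they agree. */
int flattening_preserves_behaviour(void)
{
    static const uint32_t amounts[] = { 0, 1, 2500, 5000, 5001, 100000 };
    const uint32_t limit = 5000;
    for (size_t i = 0; i < sizeof amounts / sizeof amounts[0]; i++)
        for (int pin = 0; pin <= 1; pin++)
            if (approve_plain(amounts[i], pin, limit) != approve_flat(amounts[i], pin, limit))
                return 0;
    return 1;
}

int main(void)
{
    printf("flattened version agrees with plain version: %s\n",
           flattening_preserves_behaviour() ? "yes" : "no");
    return 0;
}
```

Compile at -O0 and disassemble both functions to see the difference: the plain version shows a small tree of conditional jumps, the flattened one a single indirect or chained dispatch. At higher optimisation levels a compiler may partly unflatten a hand-written example like this, which is one reason production obfuscators apply the transformation inside the compiler toolchain rather than to source text.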
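The last three list items describe runtime self-checks. The following is an added example, written for this page rather than taken from whiteCryption Code Protection, of the three mechanisms in miniature on Linux/Android: overlapping checksum regions over a constructed stand-in for the code bytes, a TracerPid-based debugger check, and an su-binary root check, with the defensive response left to the application. The FNV-1a hash, region sizes, su path list and the `payment_flow_allowed` policy are choices made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* --- Integrity checkers with overlapping regions ------------------------- */

#define IMAGE_LEN     96
#define REGION_LEN    32
#define REGION_STRIDE 16  /* regions overlap by half: every byte sits in two regions */
#define CHECKER_COUNT ((IMAGE_LEN - REGION_LEN) / REGION_STRIDE + 1)  /* 5 */

/* Constructed stand-in for the protected code bytes. A real checker hashes the
 * app's own text section; the stand-in lets the example run anywhere. */
static uint8_t image[IMAGE_LEN];

typedef struct { size_t off; uint32_t expect; } checker_t;
static checker_t checkers[CHECKER_COUNT];

/* FNV-1a: fast non-cryptographic hash, adequate for tamper detection when the
 * expected values are themselves covered by other checkers. */
static uint32_t fnv1a(const uint8_t *p, size_t n)
{
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

/* Fill the image deterministically and record each region's checksum. In a
 * shipped binary the expected values are computed and embedded at build time. */
void checkers_init(void)
{
    for (size_t i = 0; i < IMAGE_LEN; i++)
        image[i] = (uint8_t)(i * 31 + 7);
    for (size_t c = 0; c < CHECKER_COUNT; c++) {
        checkers[c].off = c * REGION_STRIDE;
        checkers[c].expect = fnv1a(image + checkers[c].off, REGION_LEN);
    }
}

/* Bitmask of checkers whose region no longer matches; 0 means intact. */
uint32_t checkers_run(void)
{
    uint32_t failed = 0;
    for (size_t c = 0; c < CHECKER_COUNT; c++)
        if (fnv1a(image + checkers[c].off, REGION_LEN) != checkers[c].expect)
            failed |= 1u << c;
    return failed;
}

/* Attacker's move: patch one byte (say, a conditional branch opcode). */
void simulate_patch(size_t off) { image[off] ^= 0x80; }

/* Scenario helpers: each resets the image so it can be called in any order. */
uint32_t mask_when_intact(void)       { checkers_init(); return checkers_run(); }
uint32_t mask_after_patch(size_t off) { checkers_init(); simulate_patch(off); return checkers_run(); }

/* --- Anti-debugging ------------------------------------------------------ */

/* /proc/self/status carries "TracerPid:\t<pid>"; a non-zero pid means a
 * ptrace-based debugger is attached. Parsing is separated from reading so it
 * can be exercised on constructed text. Returns -1 if the field is absent. */
int tracer_pid_from_status(const char *status)
{
    const char *p = strstr(status, "TracerPid:");
    return p ? atoi(p + strlen("TracerPid:")) : -1;
}

int debugger_attached(void)
{
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return 0;              /* no procfs: signal unavailable, not "attached" */
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return tracer_pid_from_status(buf) > 0;
}

/* --- Root detection (one signal of several a real checker combines) ------ */

int su_binary_present(const char *const *paths, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (access(paths[i], F_OK) == 0) return 1;
    return 0;
}

static const char *const common_su_paths[] = {
    "/system/bin/su", "/system/xbin/su", "/sbin/su", "/su/bin/su",
};

/* --- Defensive response chosen by the application ------------------------ */

/* Returns 1 if the payment flow may proceed. Degrading quietly (no card reads,
 * no key use) tells an attacker less than an immediate crash would. */
int payment_flow_allowed(uint32_t tamper_mask, int debugged, int rooted)
{
    return (tamper_mask == 0 && !debugged && !rooted) ? 1 : 0;
}

int main(void)
{
    uint32_t before = mask_when_intact();
    uint32_t after  = mask_after_patch(40);   /* byte 40 lies in regions 1 and 2 */
    int dbg  = debugger_attached();
    int root = su_binary_present(common_su_paths, sizeof common_su_paths / sizeof common_su_paths[0]);
    printf("intact mask=0x%x, after patch mask=0x%x, debugger=%d, su=%d, allowed=%d\n",
           before, after, dbg, root, payment_flow_allowed(after, dbg, root));
    return 0;
}
```

Two points the code makes that the list does not: because the regions overlap, a single patched byte trips two independent checkers, so an attacker must find and neutralise both (and, in a real deployment, the thousands of others that cover those checkers in turn); and the response is a policy decision of the app, not the library. Run it under a debugger (`gdb ./a.out` then `run`) to see `debugger=1`.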
Felix Payments also employed whiteCryption Secure Key Box, a white-box cryptographic library that provides a hardened environment for cryptographic keys. It ensures that the critical keys used to encrypt and decrypt data and to securely identify devices never appear in plaintext in memory, even while they are in use.
The results of the partnership were not just improved security and application shielding for Felix Payments’s products. In the words of Felix Payments’s CEO, Owen Newport, “Intertrust’s whiteCryption is very well supported and highly regarded inside the major card brands. By going with whiteCryption, the credit card security assurance groups and PCI allowed us to utilize PIN validation when required.”
Going with a scalable, third-party solution also saved hundreds of development hours as well as staff costs. As Newport noted, “By partnering with a market leader like Intertrust, we have shortened our path to market considerably.”
For Felix Payments, finding a security partner who could guarantee the integrity of their payment processing systems and customer data was essential. Not only that, but choosing one which has decades of experience in the field and already has the trust of major financial institutions helped them bring their product to market quicker and up to the compliance standards expected.
To find out more about whiteCryption’s Code Protection and Secure Key Box solutions and how they can protect your apps, get in contact with our team.
About Paul Butterworth
Paul Butterworth is an experienced payment and security professional, having spent almost 30 years in the card, payments and IT security industries. Paul is responsible for global product marketing for Intertrust Secure Systems’ market-leading application shielding and device identity solutions.