What are some of the mobile app security secrets behind the world’s top financial institutions? They incorporate security early in the app development lifecycle and continuously improve their app’s security posture with each new update. These organizations understand that as consumers rely on their mobile devices for banking and payments, security has never been more important.
However, security isn’t always second nature to all financial services app developers. An analysis conducted in 2020 by Guardsquare found that less than 50% of the top-ranked financial apps have code hardening and other security measures in place that prevent reverse engineering and tampering. Without these protections, attackers could potentially steal IP, repackage or clone apps, gain access to sensitive customer data, and more.
Guardsquare works with some of the top global financial institutions and mobile payment SDK providers to help protect against these types of attacks. By implementing code hardening and runtime application self-protection (RASP), organizations are able to meet compliance requirements including PCI SSC guidelines, PCI SPoC, PCI CPoC and more.
Here are three ways these financial services companies leverage Guardsquare to incorporate security into their development process.
One of the top mobile payment providers had always considered app security as a critical part of the development lifecycle. However, the company recognized that while parts of their code were well-secured, the control flow and code logic were not obfuscated, leaving them open to potential security issues and attacks.
The security team had tried to obfuscate code manually in the past, but ran into many challenges along the way. For example, some obfuscation made the code too difficult for their own developers to parse. Additionally, the company found the trade-offs between security and performance were untenable, leading to crashes and slowdowns.
By using DexGuard (Android) and iXGuard (iOS), the company was able to automatically add multiple layers of protection to its mobile applications. Instead of struggling to obfuscate code by hand, the team integrated Guardsquare transparently and seamlessly into its development process. Now its security and development teams can effectively add multiple layers of protection to their Android and iOS applications without slowing down their work.
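To make the trade-off described above concrete, here is an added example (not Guardsquare's code, and not how DexGuard or iXGuard transform code) that shows what "obfuscating control flow" means: a payment-style Luhn check written plainly, and the same logic hand-flattened into a state-machine dispatcher. The flattened version behaves identically but no longer exposes the loop and branch structure to a reader or to static analysis, which is exactly why hand-written obfuscation becomes hard for a team's own developers to maintain and why tooling is used to apply it at build time instead. The function names and the sample card numbers are constructed for the example.

```python
"""Control-flow flattening, illustrated on a Luhn card-number check.

Added example, not Guardsquare's code: the same logic written plainly and
as a hand-flattened state machine, to show what 'obfuscating control flow'
means and why doing it by hand hurts readability.
"""


def luhn_valid(number: str) -> bool:
    """Plain version: the Luhn checksum used for payment card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 2:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def luhn_valid_flattened(number: str) -> bool:
    """Same logic with its control flow flattened into a dispatcher loop.

    Every basic block becomes a numbered state and the 'next state' is
    computed in each block, so a reader (or a decompiler) sees one loop
    with a big switch instead of the original if/for shape.
    """
    state = 0
    digits = None
    total = i = d = 0
    result = False
    while state != 99:
        if state == 0:  # entry: extract digits, reject short input
            digits = [int(c) for c in number if c.isdigit()]
            state = 1 if len(digits) >= 2 else 90
        elif state == 1:  # loop initialisation
            total, i = 0, 0
            state = 2
        elif state == 2:  # loop condition
            state = 3 if i < len(digits) else 80
        elif state == 3:  # fetch next digit from the right
            d = digits[len(digits) - 1 - i]
            state = 4 if i % 2 == 1 else 6
        elif state == 4:  # double every second digit
            d *= 2
            state = 5 if d > 9 else 6
        elif state == 5:  # fold two-digit products
            d -= 9
            state = 6
        elif state == 6:  # accumulate and advance
            total += d
            i += 1
            state = 2
        elif state == 80:  # loop exit: final checksum test
            result = total % 10 == 0
            state = 99
        elif state == 90:  # early rejection path
            result = False
            state = 99
    return result


def same_behaviour(samples) -> bool:
    """True when the plain and flattened versions agree on every sample."""
    return all(luhn_valid(s) == luhn_valid_flattened(s) for s in samples)


# Constructed sample inputs: the classic Luhn test number, a corrupted
# copy of it, a well-known test card number, and a too-short input.
SAMPLES = ["79927398713", "79927398710", "4111 1111 1111 1111", "1"]
```

Running `same_behaviour(SAMPLES)` returns `True`: the two functions are equivalent, yet only one of them can be reviewed at a glance. A real hardening tool applies transformations like this (plus string encryption and other layers) automatically at build time, so the readable source stays in the repository and only the shipped binary is obfuscated.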
Mobile payment applications have a strict set of compliance requirements to follow. For example, a leading mobile payments SDK company’s customers need to comply with Payment Card Industry (PCI) SDK 3DS Security Standards. As a result, the company had to ensure that the SDK itself was compliant with these standards.
Working with a small security team servicing a wide variety of customers, the company turned to a solution that could help automate some of the steps toward PCI compliance. Specifically, the company needed runtime application self-protection (RASP), to ensure that:
After an evaluation, the security team selected DexGuard and iXGuard to harden their mobile payment SDK. The tools obfuscated and encrypted the SDK, making it more difficult for an attacker to break the SDK or read its code. These solutions also helped the company meet its PCI mobile payment acceptance compliance requirements. As a result of implementing DexGuard and iXGuard, the SDK is more secure and provides maximum protection for customers, who are mobile payment application developers themselves.
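The runtime self-protection mentioned above (RASP) is easiest to understand from one of its simplest checks: refusing to run code whose integrity no longer matches what was built. The following added example is not Guardsquare's code and is not how DexGuard or iXGuard implement their checks; it is a minimal, self-contained illustration of the idea. A stand-in "SDK" (a constructed source snippet with a fee constant) is fingerprinted at build time, and a loader verifies that fingerprint before executing it, so a repackaged copy with a patched constant is rejected rather than run. The names `SDK_SOURCE`, `load_sdk`, `charge_with_sdk` and the fee value are all constructed for the example.

```python
"""Runtime tamper check: added example, not Guardsquare's code.

Build-time step: fingerprint the protected code and ship the digest.
Run-time step: recompute the fingerprint and refuse to execute a copy
that no longer matches, which is how a repackaged or patched SDK is
caught before its logic runs.
"""
import hashlib
import hmac
from typing import Optional

# Constructed stand-in for an SDK module (not a real SDK): a tiny source
# snippet that applies a transaction fee expressed in basis points.
SDK_SOURCE = b"""
FEE_BASIS_POINTS = 150  # 1.50 % fee applied by the SDK

def charge(amount_cents: int) -> int:
    return amount_cents + amount_cents * FEE_BASIS_POINTS // 10000
"""


def fingerprint(code: bytes) -> str:
    """SHA-256 hex digest of the code bytes (the build-time value)."""
    return hashlib.sha256(code).hexdigest()


# Recorded when the release is built and shipped alongside the code.
EXPECTED_FINGERPRINT = fingerprint(SDK_SOURCE)


def load_sdk(code: bytes, expected: str) -> Optional[dict]:
    """Execute the SDK only if its fingerprint matches the build-time value.

    Returns the module namespace on success, or None when tampering is
    detected. A real RASP layer would also report the event and could
    choose to terminate the app instead of returning.
    """
    # Constant-time comparison so the check itself leaks nothing useful.
    if not hmac.compare_digest(fingerprint(code), expected):
        return None
    namespace: dict = {}
    exec(compile(code, "<sdk>", "exec"), namespace)
    return namespace


def charge_with_sdk(code: bytes, expected: str, amount_cents: int) -> int:
    """Entry point an app would call: guard first, business logic second."""
    ns = load_sdk(code, expected)
    if ns is None:
        raise RuntimeError("SDK integrity check failed: refusing to run")
    return ns["charge"](amount_cents)


# A constructed tampered copy, as a repackaged app might contain: the fee
# constant has been patched to zero. Its fingerprint no longer matches.
TAMPERED_SOURCE = SDK_SOURCE.replace(b"= 150", b"= 0")


if __name__ == "__main__":
    print("genuine SDK charge:", charge_with_sdk(SDK_SOURCE, EXPECTED_FINGERPRINT, 10_000))
    try:
        charge_with_sdk(TAMPERED_SOURCE, EXPECTED_FINGERPRINT, 10_000)
    except RuntimeError as err:
        print("tampered SDK blocked:", err)
```

With the genuine source, `charge_with_sdk(SDK_SOURCE, EXPECTED_FINGERPRINT, 10_000)` returns `10150`; with the patched copy the loader returns `None` and the entry point raises instead of applying the altered fee. Production RASP goes further (the expected value is itself protected, and the check is spread through the code rather than sitting in one obvious function), but the control is the same: the code verifies its own integrity before it runs, which is one of the conditions a PCI-oriented SDK is expected to enforce.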
Some banks, like this large financial institution, tap into the talents of many different developers to create their mobile applications. As a result, security techniques applied throughout the development process may vary dramatically. To ensure maximum app security, gain a level of consistency, and meet compliance requirements, the team chose Guardsquare’s mobile app protection solutions.
DexGuard and iXGuard helped the security team mitigate the risk of reverse engineering, whether attempted through static analysis of the client-side code or by taking advantage of a compromised operating environment on the client device. In addition, Guardsquare helped protect financial data and provided intelligence on the types of devices and the locations from which the app is accessed. The solution has been simple for all of the developers on the team to implement, regardless of experience level.
No matter your organization’s mobile app security maturity level, Guardsquare can help ensure your mobile applications are well-protected against reverse engineering and tampering.