As new digital banking and payment technologies continue to emerge, many mobile app developers face unclear or non-existent security regulations. For example, one financial technology that has been gaining popularity in Brazil is PIX-enabled mobile apps. Based on our analysis, it appears that many of these apps were likely developed quickly to meet the technology’s official launch in February 2020 and failed to follow security best practices.
We’ve performed security research into the emerging technology by analyzing six PIX-enabled apps to determine how secure they are for mobile users. From this analysis, we found that only one of these PIX apps had any code hardening or runtime protection at all and the others appear vulnerable to cyberattacks related to reverse-engineering and application repackaging.
In this post, we’ll take a closer look at the PIX technology, PIX-enabled app vulnerabilities, and how Guardsquare fits into the mix.
The Central Bank of Brazil recently launched its official instant payments system called PIX that most large financial institutions are required to adopt in the country. This new system enables payments by scanning QR codes, which contain critical information about the transaction and its recipient.
While MasterCard and Visa have certain security regulations for near-field communication (NFC) payments, it’s unclear whether PIX-enabled apps have regulatory security requirements. We discovered that many PIX apps are vulnerable to repackaging because they are not protected against reverse engineering through application hardening. Here’s how attackers could modify transactions or steal user credentials using repackaged PIX apps.
Our pentesting revealed the potential for malicious actors to use app clones to inspect and modify the data at the application level – to change the recipient of a payment or extract financial information.
Most of the apps we analyzed rely on the Android barcode scanning library ZXing for decoding the QR codes. These Android apps pass the decoded QR code result between components via intents, so malicious actors could use a hooking framework like Frida to monitor all intents handling QR code data and modify them at runtime. That means that, using a repackaged app, an adversary could manipulate payment transactions undetected.
In addition, many PIX-enabled apps are storing data in the application sandbox without any protection. Using a repackaged app, malicious actors can extract this account information and authenticate on behalf of the user. That means they’d have full control over the user’s account and could initiate fraudulent financial transactions to steal their money.
Here’s how an attack could work. During the login phase, the user is authenticated by providing credentials like an email, user ID, and password. Each payload is sent to the backend using a well-known open-source library called OkHttp. The backend returns a token that is injected into the header of each authentication response payload. By repackaging the application and injecting an HTTP logging interceptor to dump these payloads, it’s straightforward for malicious actors to extract user credentials at runtime.
While there may not be clear security regulations for PIX apps, they face the same security risks as other banking apps. That means mobile developers should use application hardening techniques like code obfuscation, encryption, and runtime application self-protection (RASP) to protect their PIX apps. This multi-layered approach is the best way to ensure the security and integrity of digital financial transactions and protect consumers from fraudulent charges.
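As an illustration of the kind of tamper check a RASP layer performs against repackaging, here is an added example (not code from any of the analyzed apps or from Guardsquare): the app compares the SHA-256 fingerprint of its own signing certificate with a value pinned at build time. A repackaged APK has to be re-signed with the attacker’s key, so the fingerprint no longer matches. It assumes minSdk 28 (the `GET_SIGNING_CERTIFICATES` API) and uses a placeholder fingerprint.

```kotlin
import android.content.Context
import android.content.pm.PackageManager
import java.security.MessageDigest

// Placeholder, not a real fingerprint: pin the SHA-256 of your own release
// certificate here (e.g. from `keytool -list -v -keystore release.jks`).
private const val EXPECTED_CERT_SHA256 =
    "00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:" +
    "00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff"

private fun ByteArray.toColonHex(): String = joinToString(":") { "%02x".format(it) }

/**
 * Returns true only if every certificate that signed the running APK matches the
 * pinned fingerprint. Returns false (treat as tampered) if signing info is missing.
 * Requires API 28+; for rotated keys, apkContentsSigners holds the current certs.
 */
fun isSignedByExpectedKey(context: Context): Boolean {
    val info = context.packageManager.getPackageInfo(
        context.packageName, PackageManager.GET_SIGNING_CERTIFICATES
    )
    val signers = info.signingInfo?.apkContentsSigners
    if (signers.isNullOrEmpty()) return false

    val digest = MessageDigest.getInstance("SHA-256")
    val expected = EXPECTED_CERT_SHA256.lowercase()
    // digest() resets the instance, so it can be reused across signers.
    return signers.all { sig -> digest.digest(sig.toByteArray()).toColonHex() == expected }
}

/** Called early (e.g. from Application.onCreate) before any PIX payment flow runs. */
fun enforceIntegrity(context: Context) {
    if (!isSignedByExpectedKey(context)) {
        // Refuse to operate rather than silently continue; a real RASP layer would
        // also report the event to the backend so the session can be blocked.
        throw SecurityException("APK signature does not match the expected release key")
    }
}
```

A check like this is itself a target when it ships in plain code, which is why the page pairs RASP with obfuscation: the comparison and the pinned value should be obfuscated and repeated in several places rather than left as one easily patched function.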
Using Guardsquare’s DexGuard and iXGuard solutions, app developers can obfuscate their code, making it much harder to understand the app’s architecture and control flow with static analysis tools. In addition, these solutions have RASP features that detect root, hook, and tamper attempts to prevent dynamic attacks. By protecting PIX apps with application hardening, developers can mitigate the loss of reputation or revenue that follows from cyberattacks.