December 10, 2019

    International Banking App Security Regulations Signal Need for Application Shielding

    Recent international mobile banking and financial services app regulations in Turkey and Singapore are paving the way for tighter app security policies. While these regulations are primarily intended to safeguard consumers and their sensitive financial data, in the process, they will protect app publishers from the unintended consequences of mobile application hacking and misuse.

    Luckily, application shielding is a measure organizations can easily implement to remain compliant with these upcoming regulations, as well as keep sensitive logic and data protected from misuse. Application shielding makes an app more resistant to common intrusion techniques, including reverse-engineering and tampering. According to OWASP, these techniques rank among the top ten most common security risks for mobile applications.

    Here’s a quick look at some of the highlights mobile app developers should be aware of when it comes to these upcoming regulations. They’re likely to become industry standards that other countries will embrace in 2020 and beyond, so it’s best to be prepared!

    Turkey’s Regulations Put Security Onus on Banks

    The Turkish banking regulatory agency, BDDK, recently issued draft legislation to ensure that banks are held responsible for the secure development and ongoing protection of their mobile applications. Among the provisions in the legislation:

    • Regular integrity checks to ensure that applications are running without unauthorized or malicious code in development, testing or production environments.
    • Systemic application controls that ensure the accuracy, completeness and reliability of the data entered, modified, processed or produced by mobile applications. This measure includes ensuring authorized access to data.
    • Verification that the source of all code within the application comes from the bank itself. The bank is responsible for ensuring that apps remain free of malicious code that could affect a consumer’s mobile device, data, or operating system.
    • During the customer verification/authentication process, the bank must ensure that data is being transmitted securely between the customer and bank alone, without third-party interference.

    These regulations are intended to ensure that financial institutions are proactive about their banking app security, rather than waiting to be affected by a breach. Taking the right preventative measures can protect banks from financial loss, customer loss, reputational damage, and more.

    Singapore Cracking Down on Data Privacy and Security

    Like Turkey, the Singaporean government has been serious about data privacy, introducing regulations such as the Personal Data Protection Act (PDPA) and the Cybersecurity Act to ensure digital regulatory compliance. However, many organizations have overlooked these business obligations when it comes to their mobile applications, which has led to more specific guidance around the protection of mobile apps.

    New mobile regulations in Singapore include specific application security measures for developers and app publishers, including:

    • Avoid storing or caching data in the mobile application to mitigate the compromise of data on the device
    • Implement the following:
      - Anti-tampering mechanisms that prevent the injection of malicious code that could alter or monitor the behavior of the app at runtime
      - Application integrity checks (such as dynamic app protection including runtime application self-protection, or RASP), as well as code obfuscation to prevent reverse-engineering of the application
      - Certificate or public key pinning to protect against man-in-the-middle attacks
      - A secure in-app keypad to prevent keylogging and credential theft
      - Device binding to prevent tokens from being cloned.

    Many cybersecurity experts believe that once Singapore passes these regulations, other countries including Malaysia and Thailand with similar PDPA requirements will quickly follow suit.

    The Best Defense: Static and Dynamic App Protection

    In the banking industry and beyond, application shielding can protect your mobile apps against tampering and misuse that could result in unauthorized access, malicious code injections, credential theft, app cloning, and more. In addition, as more and more countries introduce regulations similar to Turkey’s and Singapore’s, global organizations will need to be prepared for compliance reasons.

    To be defended against a full spectrum of attacks, it’s important that organizations search for a solution that combines both static and dynamic app protection. Static protection prevents hackers from decoding sensitive parts of the application (such as API keys or credentials), and protects code and data at rest. Dynamic protection defends apps against analysis at runtime and live attacks. Code hardening techniques such as code obfuscation and encryption, as well as RASP, can help organizations remain both protected and compliant with the latest regulations.

    Even with these emerging international regulations, surprising new research from Guardsquare recently confirmed that just under half of the top global banking apps are obfuscating their code. Ideally, new compliance requirements will empower an industry-wide change, or at least raise awareness for more organizations to embrace proactive application shielding.

    Learn more about Security for Mobile Financial Applications and how we can help protect your customer data with our state-of-the-art security.


    Discover how Guardsquare provides industry-leading protection for mobile apps.

    Request Pricing

    Other posts you might be interested in