In the past few years, mobile finance apps reached 573.1 million downloads in the US and, in 2022, the financial app market’s value reached $1.18 billion worldwide. With financial apps, it’s easy for users to transfer money, invest, and perform basic banking functions on the go. The growing popularity of these apps makes them attractive to businesses looking to grow and retain their customer base, and also a target for threat actors.
One of the most common ways threat actors attack a mobile financial app is reverse engineering. An attacker will typically download the targeted app from an app store and analyze the app within their local environment using a variety of tools. If the reverse engineering attempt is successful, threat actors can access financial data and personally identifiable information (PII) in the app, putting the mobile app’s publisher and financial institution at risk for revenue loss, fines, and brand reputation damage as a result of fraud.
In this blog, we’ll examine what information threat actors target with reverse engineering, common financial app security vulnerabilities, and how to protect your app from these attacks.
According to the Open Web Application Security Project (OWASP), when threat actors target a mobile app for reverse engineering they’re usually trying to accomplish the following:
The process of reverse engineering often leads to threat actors discovering exploitable security weaknesses in financial apps. Some of the most common vulnerabilities include:
Last year, threat actors exploited an API key tied to Slope, a mobile software wallet provider. Slope’s software wallet was used by Solana, a blockchain designed to support massively scaling decentralized applications (dapps). As a result of the attack, thousands of Solana users’ SOL, USDC stablecoin, and other Solana-provided tokens were stolen. In total, the threat actors stole $4.46 million in coins and tokens.
The Solana incident is an example of reverse engineering: attackers discovered the API key by breaking down and analyzing the app for vulnerabilities. Unfortunately, these attacks affect everyone, from the end users who lost their tokens to Solana itself, which suffered irreparable reputational damage.
When it comes to reverse engineering, many app publishers and security specialists underestimate the true costs of revenue loss from customer churn and fines from regulatory bodies.
OWASP MASVS provides an industry standard on mobile app security with particular recommendations for financial apps. MASVS recommends that mobile apps handling money and PII adopt four additional security controls for resilience to guard against reverse engineering and tampering:
OWASP MASVS is a good foundation for security, but implementing the recommended controls requires additional tools. For example, MASVS recommends adding runtime application self-protection (RASP) to your financial app to protect against dynamic analysis attacks. RASP works by injecting checks throughout your application’s code to detect where and when a threat actor is attempting to reverse engineer your app. Manually injecting these checks is tedious, and a handful of hand-placed checks lack the agility and effectiveness of automated check injection. You’ll want to find a security solution that automates the RASP process.
Additionally, MASVS-RESILIENCE-3 recommends adding layers of obfuscation to your mobile application. Obfuscation strategies include renaming classes, fields, methods, and libraries in your app’s structure and altering the structure of the code itself, for example through control flow obfuscation. Often, developers and security specialists lack the specialized knowledge to apply multiple obfuscation techniques, which can leave the app vulnerable. To avoid security gaps, it’s best to find a tool that automatically applies multiple layers of obfuscation to your application.
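To make the RASP description concrete, here is an added example of the kind of check a RASP layer injects into native Android code; it is not Guardsquare’s code or part of the original post. It reads the TracerPid field of /proc/self/status, the standard way a Linux (and therefore Android) process learns whether a debugger or other ptrace tracer is attached. The parser is separated from the file read so it can be exercised on the constructed sample excerpts embedded below; the function names and sample values are assumptions for illustration.

```c
/* Added example (not Guardsquare's code): one of the runtime checks a RASP
 * layer injects, a native Android/Linux "is a debugger attached?" check that
 * reads TracerPid from /proc/self/status. Parsing is separated from I/O so
 * the parser can be exercised offline on constructed input. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse the text of a /proc/<pid>/status file and return the TracerPid value,
 * or -1 if the field is missing (treat "unknown" as suspicious, not as safe). */
long tracer_pid_from_status(const char *status_text) {
    const char *key = "TracerPid:";
    size_t keylen = strlen(key);
    const char *line = status_text;
    while (line && *line) {
        if (strncmp(line, key, keylen) == 0) {
            return strtol(line + keylen, NULL, 10);
        }
        line = strchr(line, '\n');
        if (line) line++;
    }
    return -1;
}

/* Read the live /proc/self/status into buf; returns bytes read or -1. */
static long read_self_status(char *buf, size_t len) {
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, len - 1, f);
    fclose(f);
    buf[n] = '\0';
    return (long)n;
}

/* The check itself: 1 = a tracer (debugger) is attached, 0 = none, -1 = unknown.
 * A RASP tool injects many copies of checks like this at different call sites
 * and varies how the result is acted on, so removing one copy does not disable
 * the protection as a whole. */
int debugger_attached(void) {
    char buf[4096];
    if (read_self_status(buf, sizeof buf) < 0) return -1;
    long tracer = tracer_pid_from_status(buf);
    if (tracer < 0) return -1;
    return tracer > 0 ? 1 : 0;
}

/* Constructed sample status excerpts (hypothetical PIDs) for offline use. */
const char *SAMPLE_CLEAN  =
    "Name:\tapp\nState:\tS (sleeping)\nTgid:\t1234\nPid:\t1234\nPPid:\t1\n"
    "TracerPid:\t0\nUid:\t10123\n";
const char *SAMPLE_TRACED =
    "Name:\tapp\nState:\tt (tracing stop)\nTgid:\t1234\nPid:\t1234\nPPid:\t1\n"
    "TracerPid:\t4567\nUid:\t10123\n";

int main(void) {
    printf("sample clean : TracerPid=%ld\n", tracer_pid_from_status(SAMPLE_CLEAN));
    printf("sample traced: TracerPid=%ld\n", tracer_pid_from_status(SAMPLE_TRACED));
    printf("this process : debugger_attached()=%d\n", debugger_attached());
    return 0;
}
```

The point of the example is the last comment: a single check like this is easy for an analyst to find and patch out, which is why the post recommends automated injection of many varied checks rather than a hand-placed one.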
Guardsquare offers a comprehensive mobile app security approach, including protecting, testing, and real-time monitoring of financial services apps.
When it comes to reverse engineering and protecting financial apps, it’s important to consider what is at risk and plan ahead. Prioritize security, and protect the sensitive information and assets in your app with a comprehensive security plan. Not only is the end users’ data at risk, but also your organization’s revenue and reputation.
As mobile app usage continues to grow, so will the number of financial apps and, unfortunately, the threat actors targeting them. Reverse engineering is a sophisticated attack technique that requires multiple layers of mobile application protection. As always, Guardsquare recommends approaching the security of your app with a “protect, test, and monitor” mindset.
Ready to protect your financial app against reverse engineering? Connect with an expert to get started.