Secure Mobile Payments: Protect Wallets and SoftPOS from Cyber Threats

As mobile payments become a pillar of modern commerce, securing mobile wallets and SoftPOS applications has never been more critical. Our recent webinar explored the evolving threat landscape, industry best practices for protecting mobile payment solutions, and actionable defense strategies against attacks.
Below is a summary of the key points discussed:
Understanding threats targeting mobile payment apps
Mobile payment apps are a lucrative target for attackers. The attacker's ultimate goal is to steal sensitive data, such as:
- card data, card tokens, and profiles.
- track 2-equivalent data.
- personally identifiable information (PII) of customers.
- cryptographic keys.
- application source code.
- app attestation data.
The real risk isn't the theft of individual data points; it's the potential for scalable attacks. A technique that works once (extracting a key, forging attestation data, automating token theft) can be replayed against the whole user population, creating widespread operational and reputational damage.
Key security issues in wallet and SoftPOS apps
While mobile wallet and SoftPOS apps serve similar functions, they have different architectures and threat models:
- Wallet apps are vulnerable to attacks such as breaches of their secure storage, manipulation of the app attestation data they send to the backend, and extraction of the keys that protect communication with the issuer or token service provider.
- SoftPOS apps face risks such as misconfigured intents (e.g., exported components that accept transaction requests from any app), weak inter-process communication (IPC), insufficient cryptographic protection of PIN and card data, and improper network security (e.g., lack of TLS certificate pinning).
Understanding these differences is the key to designing effective defense strategies.
How threat actors attack mobile wallets and SoftPOS
Threat actors mainly use two types of attacks:
- Repackaging: Modifying an app’s code and then redistributing it to intercept or tamper with data.
- Runtime instrumentation: Injecting code into the running process (for example, hooking functions with a tool such as Frida on a rooted device) to alter the app's behavior without modifying the app package itself.
Both methods exploit common weaknesses, such as a lack of obfuscation, poor runtime protection, insecure asset storage, and embedded secrets in cleartext.
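The two checks below show how an Android SoftPOS or wallet app can detect the conditions described above and in the earlier section on weak IPC: a signing-certificate check that catches a repackaged APK and verifies the signer of any app calling into an exported service, and a set of process-level signals that indicate a debugger or runtime instrumentation. This is an added illustration, not code from the webinar or from any particular vendor. It assumes Android API 28 or later, and the digest constants are placeholders that you would replace with the SHA-256 of your real release certificate. On API 30+, a caller that binds to your service is automatically visible to `PackageManager`; other packages need a `<queries>` declaration.

```kotlin
import android.content.Context
import android.content.pm.PackageManager
import android.os.Binder
import android.os.Debug
import android.os.Process
import java.io.File
import java.security.MessageDigest

// Assumed values: hex SHA-256 digests of the DER-encoded signing certificates that are
// allowed to talk to this app. Capture them from your release keystore at build time.
private const val OWN_RELEASE_CERT_SHA256 = "replace-with-own-release-cert-sha256-hex"
private val TRUSTED_CALLER_CERTS = setOf(OWN_RELEASE_CERT_SHA256 /* plus partner app certs */)

private fun sha256Hex(bytes: ByteArray): String =
    MessageDigest.getInstance("SHA-256").digest(bytes).joinToString("") { "%02x".format(it) }

/** Digests of the certificates that currently sign [packageName] (API 28+). */
fun signerDigests(context: Context, packageName: String): Set<String> = try {
    val info = context.packageManager.getPackageInfo(packageName, PackageManager.GET_SIGNING_CERTIFICATES)
    // apkContentsSigners = the certs that sign the APK now, ignoring rotation history
    info.signingInfo?.apkContentsSigners?.map { sha256Hex(it.toByteArray()) }?.toSet() ?: emptySet()
} catch (e: PackageManager.NameNotFoundException) {
    emptySet()
}

/** Repackaging check: a re-signed APK carries a different certificate than the release build. */
fun isOwnSignatureIntact(context: Context): Boolean =
    signerDigests(context, context.packageName) == setOf(OWN_RELEASE_CERT_SHA256)

/**
 * IPC check for a bound service or content provider. Call it inside the Binder transaction,
 * before acting on a transaction request, so that only apps signed by a trusted key can drive a sale.
 */
fun isTrustedCaller(context: Context): Boolean {
    val uid = Binder.getCallingUid()
    if (uid == Process.myUid()) return true
    val packages = context.packageManager.getPackagesForUid(uid) ?: return false
    // Every package sharing the caller's UID must be signed only by trusted certificates.
    return packages.isNotEmpty() && packages.all { pkg ->
        val digests = signerDigests(context, pkg)
        digests.isNotEmpty() && digests.all { it in TRUSTED_CALLER_CERTS }
    }
}

/**
 * Debugger / instrumentation signals. These are heuristics that a determined attacker can
 * rename or patch, so report them to the backend as risk signals rather than relying on them alone.
 */
fun instrumentationSignals(): List<String> {
    val signals = mutableListOf<String>()
    if (Debug.isDebuggerConnected()) signals += "java-debugger"

    // A non-zero TracerPid means another process is ptrace-attached (native debugger or injector).
    val status = runCatching { File("/proc/self/status").readText() }.getOrDefault("")
    val tracer = Regex("TracerPid:\\s*(\\d+)").find(status)?.groupValues?.get(1)?.toIntOrNull() ?: 0
    if (tracer != 0) signals += "ptrace:$tracer"

    // Default Frida agent libraries show up in the process memory map.
    val maps = runCatching { File("/proc/self/maps").readText() }.getOrDefault("")
    if (maps.contains("frida") || maps.contains("linjector")) signals += "frida-agent-mapped"

    // Default thread names created by the Frida runtime inside the target process.
    val taskDirs = File("/proc/self/task").listFiles() ?: emptyArray()
    val threadNames = taskDirs.mapNotNull { runCatching { File(it, "comm").readText().trim() }.getOrNull() }
    if (threadNames.any { it in setOf("gmain", "gum-js-loop", "gdbus", "pool-frida") }) signals += "frida-threads"

    return signals
}
```

The caveat practitioners care about: anything that runs on the device can be hooked or patched out, including these checks, which is why the page later recommends obfuscation and RASP around them, and why the verdict should be corroborated by server-side attestation rather than trusted on its own.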
What it takes to build to industry standards
To be launched and accepted by the major card networks, payment processing apps must undergo rigorous security assessments guided by standards set by organizations such as EMVCo and PCI SSC.
The typical process includes:
- understanding security requirements from the payment scheme.
- implementing initial security measures based on those requirements.
- conducting penetration tests through certified labs.
- addressing vulnerabilities and improving protections.
- obtaining final approval to go to market.
Meeting the minimum compliance requirements is essential, but it should not be mistaken for comprehensive mobile app security. Every payment processing app has a unique risk profile. Factors such as the handling of PIN data, reliance on native device security features (e.g., biometrics), or integration with external hardware such as card readers all shape the app's specific attack surface.
To address these nuances, developing a bespoke threat model is essential. A custom threat model guides mobile app security testing and hardening efforts by identifying which assets and attack vectors matter most. This approach ensures that penetration testing goes beyond generic checks, delivering more meaningful and effective results.
In addition, frameworks like the OWASP Mobile Application Security Verification Standard (MASVS) provide platform-independent, general recommendations. While not payment-specific, MASVS complements industry regulations by helping teams assess and strengthen mobile app security holistically, from secure coding to runtime protections.
Preventing attacks in mobile applications
Mobile payment security isn’t just about passing a one-time certification from payment industry organizations; it’s an ongoing process. Certifications must be refreshed over time. More importantly, the threat landscape is constantly evolving with new attack techniques continuously emerging. To stay ahead of threats, developers must adopt a proactive, multi-layered protection strategy that’s grounded in industry best practices. These recommendations include:
- Carry out regular security testing: Incorporate both automated security scans during development (for mobile wallets, SoftPOS, etc.) and thorough manual penetration tests before each release. This dual approach catches vulnerabilities early and gets them remediated before they ship.
- Use strong runtime application self-protection (RASP): Employ RASP mechanisms to detect and block runtime attacks, such as memory manipulation, tampering, hooking, and debugging, in real time, directly on the user's device.
- Implement robust obfuscation: Obfuscate application code to make reverse engineering more difficult. While not foolproof, strong obfuscation raises the bar for attackers trying to uncover app logic or exploit weaknesses.
- Enforce timely updates: Have the backend reject transactions from app versions below a minimum supported version, so that critical patches reach users promptly. Outdated app versions expose users to known vulnerabilities that have already been fixed.
- Secure critical assets at rest and during transit: Protect sensitive assets, such as cryptographic keys and credentials, by using strong encryption schemes and (where possible) by binding keys to secure hardware components like Trusted Execution Environments (TEEs) or Secure Elements.
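As an added example of the last recommendation (not code from the webinar), the following Android code generates an AES-256-GCM key inside the Android Keystore, preferring the Secure Element (StrongBox) and falling back to the TEE when the device has no StrongBox, verifies that the key really is hardware-backed, and uses it to seal a card token at rest. The key alias and the AAD are assumptions; the key material itself never leaves the secure hardware, so an attacker who dumps the app's storage gets only ciphertext.

```kotlin
import android.os.Build
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyInfo
import android.security.keystore.KeyProperties
import android.security.keystore.StrongBoxUnavailableException
import java.security.KeyStore
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey
import javax.crypto.SecretKeyFactory
import javax.crypto.spec.GCMParameterSpec

private const val KEYSTORE_PROVIDER = "AndroidKeyStore"
private const val KEY_ALIAS = "wallet_token_wrap_key" // assumed alias, choose your own
private const val GCM_TAG_BITS = 128
private const val GCM_IV_BYTES = 12

/** Returns the wrap key, generating it in StrongBox when available, otherwise in the TEE. */
fun getOrCreateWrapKey(): SecretKey {
    val ks = KeyStore.getInstance(KEYSTORE_PROVIDER).apply { load(null) }
    (ks.getKey(KEY_ALIAS, null) as? SecretKey)?.let { return it }

    fun spec(strongBox: Boolean) = KeyGenParameterSpec.Builder(
        KEY_ALIAS, KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT
    )
        .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
        .setKeySize(256)
        .setRandomizedEncryptionRequired(true) // Keystore picks each IV; no IV reuse under GCM
        .setIsStrongBoxBacked(strongBox)       // Secure Element when true (API 28+)
        .build()

    val generator = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, KEYSTORE_PROVIDER)
    return try {
        generator.init(spec(strongBox = true))
        generator.generateKey()
    } catch (e: StrongBoxUnavailableException) {
        generator.init(spec(strongBox = false)) // TEE-backed Keystore key
        generator.generateKey()
    }
}

/** True only if the key material lives in a TEE or StrongBox, not in the software Keystore. */
fun isHardwareBacked(key: SecretKey): Boolean {
    val factory = SecretKeyFactory.getInstance(key.algorithm, KEYSTORE_PROVIDER)
    val info = factory.getKeySpec(key, KeyInfo::class.java) as KeyInfo
    return if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.S) {
        info.securityLevel == KeyProperties.SECURITY_LEVEL_TRUSTED_ENVIRONMENT ||
            info.securityLevel == KeyProperties.SECURITY_LEVEL_STRONGBOX
    } else {
        @Suppress("DEPRECATION")
        info.isInsideSecureHardware
    }
}

/** Encrypts [plaintext] under the hardware key. Output layout: IV || ciphertext || GCM tag. */
fun seal(key: SecretKey, plaintext: ByteArray, aad: ByteArray): ByteArray {
    val cipher = Cipher.getInstance("AES/GCM/NoPadding")
    cipher.init(Cipher.ENCRYPT_MODE, key) // IV is generated inside the Keystore
    cipher.updateAAD(aad)                 // e.g. the token id, so blobs cannot be swapped between records
    return cipher.iv + cipher.doFinal(plaintext)
}

/** Reverses [seal]; throws javax.crypto.AEADBadTagException if the blob or AAD was tampered with. */
fun open(key: SecretKey, blob: ByteArray, aad: ByteArray): ByteArray {
    require(blob.size >= GCM_IV_BYTES + GCM_TAG_BITS / 8) { "blob too short" }
    val cipher = Cipher.getInstance("AES/GCM/NoPadding")
    cipher.init(Cipher.DECRYPT_MODE, key, GCMParameterSpec(GCM_TAG_BITS, blob.copyOfRange(0, GCM_IV_BYTES)))
    cipher.updateAAD(aad)
    return cipher.doFinal(blob, GCM_IV_BYTES, blob.size - GCM_IV_BYTES)
}
```

Two design points worth noting: the app should refuse to provision payment credentials when `isHardwareBacked` returns false, because a software-only Keystore key can be extracted by an attacker with root; and for keys that guard PIN entry or transaction signing, add `setUserAuthenticationRequired(true)` to the spec so the TEE or Secure Element only releases the key after a biometric or device-credential check.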
Conclusion: A layered approach to payment processing app security is key
The key takeaway from our webinar is clear: security should be app-specific. Each app has its own architecture, data flow, and threat exposure. So security must be tailored accordingly. Understanding your app’s unique threat model and applying a multi-layered security approach doesn’t just ensure a smoother certification process. It also helps you build stronger apps with real-world resilience against attacks. Modern attackers aren’t just targeting transaction data; they’re after anything that scales: encryption keys, credentials, internal logic, and more. Strong obfuscation, RASP, secure key management, and regular pentesting are your best defense.
Be sure to watch the webinar recording to learn more.