Securing Open Banking Mobile Apps

Key takeaways

• Open banking has unlocked a world of possibilities for Fintech companies to offer new tailored financial services to customers via mobile apps and facilitate financial inclusion, but security remains paramount.
• Open banking apps need to comply with financial regulations which mandates mobile application security such as code obfuscation, data encryption and application integrity protection.
• Security communities, like OWASP, recommend continuously monitoring mobile apps during their development to identify vulnerabilities and fix them to simplify pentesting mandated by financial regulations before an app is released into the market.
• By prioritizing robust security measures, fintech companies can safeguard sensitive data and avoid potential fraud or open banking API misuse, avoiding financial losses due to hefty fines, bad press or customer churn.

What is open banking?

Open banking is a practice that enables third-party financial service providers to gain direct and secure access to customer banking, transaction, and other financial data held by banks and financial institutions through the use of application programming interfaces (APIs).

Open banking allows customers to have control of their transaction data and benefit from easy to use, highly secure financial transactions with their mobile device.

The Open banking Standard was first introduced in the UK and has ignited a Fintech revolution inspiring similar initiatives all over the world. In the UK, the nine largest banks and building societies are now required to make customers’ data available through open banking. Other smaller banks and financial institutions can choose to take part in open banking by becoming regulated providers.

Europe adopted Open Banking with the PSD2 directives which are focused on enabling the exchange of customers’ account data between banks, credit card networks and Fintech companies to facilitate mobile payments.

In the US, a new rule, proposed by the Consumer Financial Protection Bureau, will require banks to provide APIs that allow third-party companies to access consumer-authorized financial data. This enables consumers to share their data with a wider range of financial service providers and aggregate their financial information across multiple accounts.

Open banking presents a significant opportunity also in APAC, with regional governments and monetary authorities actively pursuing regulations to safeguard consumer financial data. Notable examples include Australia's Consumer data right and Singapore’s framework for digital assets.

Why open banking is relevant to mobile apps

By sharing financial data via open banking, customers can access better-suited financial services products and switch products or banks more easily. The combination of these benefits in conjunction with the convenience of mobile app technology has resulted in a plethora of new and enhanced mobile financial apps for consumers.

Some examples already in the market include mobile apps that aggregate data from different accounts, apps for instant payments, apps that provide proof of income, or credit status verification, money-saving advice, and more.

From a mobile app publisher’s perspective, open banking allows developers to leverage API keys issued by banks and building institutions to create new and innovative mobile apps that seamlessly integrate with the bank’s financial services. To speed up the development, several banks and building institutions provide open banking SDKs, streamlining the process of integrating their APIs into mobile applications.

The implications of open banking for mobile app security

The ease of aggregating customer financial data and sharing them through open APIs brings with it the need for more stringent security best practices and requirements to safeguard sensitive personal information, prevent fraud, and detect unauthorized API usage.

By implementing rigorous security measures, mobile app publishers can safeguard their brands from potential security breaches that could lead to damaging media coverage, customer attrition, and substantial financial losses.

Ensuring open banking mobile apps comply with financial regulations

In the European Community, open banking is regulated by the 2nd Payment Service Directive (PSD2). PSD2 is responsible for two key requirements to allow secure customer account data exchange:

• For mobile and remote payments, Strong Customer Authentication (SCA) must additionally be ensured by using a unique authentication code to dynamically link the transaction to a specific amount and specific payee.
• Common and secure open standards of communication (CSC) ensures the safe sharing of payment account data or initiation payment transactions, by (1) providing an API for secure information exchange and (2) adapting the customer online banking interface to provide access to TPPs.

To fulfill PSD2 and Regulatory Technical Standards (RTS) implementation requirements. It’s critical that the app publisher correctly applies hardening techniques at critical code locations and threat detection through:

• Application and code integrity, to ensure the overall integrity of banking apps and SDKs.
• Environment integrity of the device(s) on which apps are run, via root/jailbreak, hook, debugging, emulator, and virtual environment detection.
• Code obfuscation techniques, to protect against reverse engineering and tampering when online payments are made..
• Asset/resource encryption, to protect app assets/resources including certificates, configuration files, etc.
• Data encryption, to protect API - & encryption keys from leaking during static analysis.
• Threat monitoring, to help identify users and devices generating threats that could lead to fraudulent transactions.
• SSL pinning hardening, to avoid bypassing the secure communication with the backend.

Even if your app does not directly process mobile payments, if it interacts with open banking APIs, it still handles sensitive customer financial information making it a prime target for cyberattacks. Therefore, implementing robust mobile app security and code hardening techniques remains crucial to protect against potential threat actors.

Proactively identify security vulnerabilities before they are exploited in the wild

Financial regulations mandate penetration testing prior to releasing an app to market or deploying a significant update. This process aims to detect vulnerabilities before threat actors exploit them, allowing app publishers to implement corrective measures.

While pentesting is important, unfortunately, identifying flaws at the final stage of development during a pen test just before pushing the app to production can be financially expensive due to higher remediation costs.

To mitigate the need for extensive pentesting, mobile app security experts like the OWASP community advocate for conducting security testing throughout the entire software development lifecycle. Security testing helps app developers find and fix vulnerabilities in their apps earlier in the development process than pentesting making it easier and less costly to address the identified risks. Incorporating security testing throughout development simplifies pentesting operations, reduces costs, and allows developers to release their apps on time and without compromising on security measures.

Here are a few ways to make mobile app security testing easier:

• Automate security checks by adhering to security standards like OWASP MASTG
• Use tools that not only find vulnerabilities, but also provide recommendations to fix them
• Integrate with existing CI/CD pipelines used by mobile app teams to develop and release their open banking app continuously into the market

Prevent fraud by monitoring open banking mobile apps in the field

Once a mobile app is in the market, the app publisher no longer has control over it and can be a target for Man-at-the-end attacks, where an attacker not only gains access to the software of a targeted system but also to the hardware and environment in which it is running.The potential scenarios for attackers to steal user data via mobile apps are numerous. These include, for example, malware or tricking users into downloading fake apps or clones with malicious payload. Ultimately the goal of an attacker is to intercept, inspect, modify the app's communication with the back-end server. This could enable the attacker to bypass authentication, steal sensitive data, or even impersonate legitimate users.

In the context of open banking mobile apps, the sensitive personal financial data of customers is at risk of being misused for fraudulent activities or unauthorized system access.

Given this risk, a beneficial best practice is to continuously monitor these apps in real-time to detect signs of suspicious activity and malicious user behavior, and use that information to feed fraud detection systems. For example, detecting an attempt to repackage the app could indicate an attacker's efforts to inject malicious code into a legitimate app to steal sensitive financial data. This mobile threat intelligence can be channeled into a fraud detection system for in-depth analysis and prompt intervention by the security team to prevent further illicit activities.

We partner with our customers to help them with protecting, testing and monitoring the security of their open banking mobile applications.