It's no secret that consumers are moving towards online transactions, and now more so with the impact of COVID-19. For example, there were over $1.6 billion in money transfers using fintech apps in Q3 2020 alone, which is a quarter-over-quarter growth of 30%. These finance apps range from mobile banking and payments to crypto and stock trading.
Unfortunately, these finance apps are also more susceptible than ever to mobile app security threats. That’s because these mobile apps store and process personal information like bank credentials, credit card numbers, and other valuable data. Moreover, the sudden shift to digital has created an opportunity for hackers to target apps that were quickly launched in the wake of the pandemic.
In this post, we’ll cover three growing areas of concern for mobile apps that deal with financial information.
Spreading banking trojans and malware is a profitable tactic that hackers use against financial institutions. In fact, a report from Check Point showed banking trojans on the rise, with some of them more than doubling their impact in mid-2020. Banking trojans are malicious code disguised within other apps, such as games, that once installed attempts to steal information when users interact with their finance apps.
Using dynamic analysis tools, hackers can also manipulate finance apps directly at runtime to execute malicious code, redirect API calls, or install malware in an effort to steal user information or gain unauthorized access to their accounts. If a finance app suffers from widespread trojans or malware, consumers may file complaints and lawsuits that damage the company’s reputation.
That’s why bank mobile app protection using application shielding techniques should be a requirement for every financial institution. Runtime application self-protection (RASP) can help finance companies detect and react to compromised environments (e.g. rooting/jailbreaking, debuggers, emulators, virtual environments).
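As an added illustration (not code from this post or from Guardsquare's products), here is a minimal hand-written Android environment check of the kind a RASP layer runs at startup, covering the rooting, debugger and emulator cases named above; the `IncidentReporter` interface and the list of su paths are assumptions.

```java
import android.os.Build;
import android.os.Debug;
import java.io.File;
import java.util.ArrayList;
import java.util.List;

// Added example, not a product's RASP implementation. The checks are heuristic:
// each indicator can be hidden by a determined attacker, which is why the post
// pairs RASP with obfuscation so the check itself is hard to locate and patch out.
public final class EnvironmentCheck {

    // Assumed list of common su binary locations on rooted devices.
    private static final String[] SU_PATHS = {
        "/system/bin/su", "/system/xbin/su", "/sbin/su", "/su/bin/su"
    };

    // Returns the indicators that fired; an empty list means nothing suspicious.
    public static List<String> findings() {
        List<String> hits = new ArrayList<>();
        // Rooting: an su binary on disk, or a build signed with test keys.
        for (String p : SU_PATHS) {
            if (new File(p).exists()) { hits.add("root:" + p); break; }
        }
        if (Build.TAGS != null && Build.TAGS.contains("test-keys")) hits.add("root:test-keys");
        // Debugger: a Java debugger attached over JDWP.
        if (Debug.isDebuggerConnected()) hits.add("debugger");
        // Emulator: generic or SDK build identifiers.
        if (Build.FINGERPRINT.startsWith("generic")
                || Build.MODEL.contains("Emulator")
                || Build.HARDWARE.contains("goldfish") || Build.HARDWARE.contains("ranchu")
                || Build.PRODUCT.contains("sdk")) {
            hits.add("emulator");
        }
        return hits;
    }

    // Reaction policy described in the post: report the incident, then refuse to run.
    // IncidentReporter is an assumed hook for the app's own telemetry client.
    public static void enforce(IncidentReporter reporter) {
        List<String> hits = findings();
        if (hits.isEmpty()) return;
        reporter.report("compromised environment: " + hits);
        System.exit(0);  // shut down before any financial feature is reachable
    }

    public interface IncidentReporter { void report(String message); }
}
```

Call `EnvironmentCheck.enforce(...)` as early as possible in `Application.onCreate()` so the check precedes any screen that handles credentials or transactions.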
Another area of growing concern in mobile finance is the large number of fake banking apps posing as financial institutions. In fact, the FBI has warned that there has been an uptick in fraudulent mobile apps since 2018, when they discovered nearly 65,000 fake apps on major app stores. These apps attempt to trick users into giving away their login credentials so that malicious actors can steal consumers’ money or identity.
Mobile app developers can prevent fake apps using a combination of hardening and tampering detection, and more specifically, code obfuscation. By renaming, restructuring, and hiding certain elements of the app’s source code, companies can prevent unauthorized parties from reverse engineering and redistributing their code as a fraudulent app. That said, it’s also critical that app developers go beyond name obfuscation by including control flow, arithmetic, and other forms of obfuscation as well. These techniques make it much harder for static analysis tools to decompile the code into something readable.
Another major concern that’s widespread among finance mobile apps is data leakage, which would allow hackers to obtain credentials, account balances, credit limits, and other personal financial information. A recent analysis of 14 mobile banking apps found that more than half of the apps had inadequate security, and 43% of the apps were storing important or sensitive information as plaintext.
Leaking personal or financial information can significantly damage a financial company’s consumer trust and credibility. That’s why, for even greater security, finance mobile app developers should ensure their application hardening efforts include the encryption of sensitive information in compliance with data regulations like PCI-DSS, SOC 2, and PSD2. Any important data, including API keys, passwords, personally identifiable information (PII), and more should be encrypted by default. Also, all security-sensitive classes should be encrypted themselves. Access to these classes can be obfuscated with additional techniques.
In addition, RASP mechanisms can prevent tampering during electronic transactions and protect the integrity of the app’s financial features. For example, if there is suspicious activity detected, the app can quickly shut down and notify an administrator about the incident. These defensive measures can give finance companies additional peace of mind that their apps can adapt to an evolving threat landscape.
As you can see, mobile security should be a priority for fintech companies and financial institutions, yet the majority of finance mobile apps are vulnerable to attacks. Since 40% of U.S. consumers choose not to use mobile payments because they are concerned with security, finance mobile app developers should ensure they’re meeting industry standards. Bank mobile app protection not only builds credibility with consumers, but can lead to revenue growth in the future as well.
Using application hardening best practices, app developers can prevent many of the most common security risks without much additional effort. Guardsquare has solutions to help mobile developers harden their applications with obfuscation, encryption, and RASP, as well as monitor app security threats in real time. By layering these techniques, financial institutions can make it challenging for hackers to execute both static and dynamic attacks.
In line with the general trend of shifting left in the SDLC, Guardsquare’s flagship products DexGuard (for Android) and iXGuard (for iOS) also generate a comprehensive Protection Report to assess the level of security of every app’s build at a glance. This will allow AppSec and development teams to make sure only adequately protected apps are getting released into the wild.