It's no secret that consumers are moving towards online transactions, and now even more so with the impact of the pandemic. In fact, 67% of U.S. customers use digital-first and traditional banks’ online or mobile apps.
Unfortunately, finance apps are also more susceptible than ever to mobile app security threats. That’s because these mobile apps store and process personal information like bank credentials, credit card numbers, and other valuable data. Moreover, the rapid shift to digital has created an opportunity for hackers to target apps that were quickly launched in the wake of the pandemic.
In this post, we’ll cover three growing areas of concern for mobile apps that deal with financial information.
Spreading banking trojans and other malware is a profitable tactic that attackers use against financial institutions. The Nokia 2021 Threat Intelligence Report, based on data from network traffic monitored on more than 200 million devices globally, showed an 80% year-on-year increase in new banking trojans. Banking trojans are malicious code disguised within other mobile applications, such as games, that, once installed, attempts to steal information when users interact with their finance apps. These trojans are known to try to steal SMS messages containing one-time passwords.
Using dynamic analysis tools, attackers can also manipulate finance apps directly at runtime to execute malicious code, redirect API calls, or install malware that steals user information or gains unauthorized access to accounts. In addition, open banking has propelled the widespread use of APIs across mobile banking apps, enabling third-party developers to create their own apps that interact with the financial institution, which widens the attack surface those institutions have to defend.
Alissa Knight, a former hacker, recently researched the vulnerabilities of financial services companies’ mobile apps. Knight was able to access 55 banks through their APIs. With this access, Knight could change customers’ PIN codes and move money in and out of customer accounts. The targeted companies’ customer volume ranged from 25,000 to 68 million, with $2.3 million to $7.7 trillion in assets. If a finance app suffers an attack with malicious intent similar to Knight’s research, where third parties abuse APIs, the bank’s reputation could be severely damaged and result in the loss of customers. Many consumers could even switch to a competitor’s services because of a lack of trust.
That’s why mobile banking app protection using app shielding techniques should be a requirement for every financial institution. Runtime application self-protection (RASP) can help finance companies detect and react to compromised environments (e.g. rooting/jailbreaking, debuggers, emulators, virtual environments).
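To make the RASP idea concrete, here is an added example (written for this post, not Guardsquare's code or any product's detection logic) of two of the environment checks named above, debugger and root detection, as a native-layer routine for a Linux/Android process. It assumes a Linux-style `/proc` filesystem and uses a short, illustrative list of root-artifact paths (`ROOT_ARTIFACTS`); the function names and the risk-scoring policy are this example's own, and a shipping product combines many more signals.

```c
/* Added example: minimal RASP-style environment checks (not Guardsquare's code).
 * Assumes a Linux-style /proc filesystem; the root-artifact list is illustrative. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Parse the "TracerPid:" line of a /proc/<pid>/status text.
 * Returns the tracer pid (0 when nothing is tracing the process), or -1 if the
 * line is absent. */
int parse_tracer_pid(const char *status_text) {
    const char *line = strstr(status_text, "TracerPid:");
    if (line == NULL) return -1;
    return atoi(line + strlen("TracerPid:"));  /* atoi skips the tab/spaces */
}

/* Debugger detection: a non-zero TracerPid means another process has attached
 * to us with ptrace(), which is how debuggers and instrumentation tools work. */
int debugger_attached(void) {
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (f == NULL) return 0;  /* cannot tell; the policy layer decides what to do */
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_tracer_pid(buf) > 0;
}

/* Root detection: presence of well-known 'su' binaries or root-manager directories.
 * Constructed, illustrative list; real products check many more artifacts. */
static const char *ROOT_ARTIFACTS[] = {
    "/system/bin/su", "/system/xbin/su", "/sbin/su", "/su/bin/su",
    "/data/adb/magisk", NULL
};

/* Count how many of the given paths exist; NULL terminates the list. */
int count_root_artifacts(const char **paths) {
    int hits = 0;
    for (; *paths != NULL; paths++)
        if (access(*paths, F_OK) == 0) hits++;
    return hits;
}

int device_looks_rooted(void) { return count_root_artifacts(ROOT_ARTIFACTS) > 0; }

/* Policy: combine the signals into a score so the app can react proportionately
 * (disable sensitive features, report telemetry, or refuse to run).
 * Returns the number of failed checks. */
int environment_risk_score(int debugger, int rooted) {
    return (debugger ? 1 : 0) + (rooted ? 1 : 0);
}

int main(void) {
    int score = environment_risk_score(debugger_attached(), device_looks_rooted());
    if (score > 0) {
        /* Fail closed: a banking app would also report the event to its backend. */
        fprintf(stderr, "compromised environment (score %d): refusing to start\n", score);
        return EXIT_FAILURE;
    }
    puts("environment checks passed");
    return EXIT_SUCCESS;
}
```

Two design points matter in practice: the checks return a score rather than a single boolean, so the app can degrade gracefully (for example, block transfers but still show balances) instead of crashing on every false positive, and a missing `/proc/self/status` is treated as "unknown" so the policy, not the probe, decides whether unknown means fail-closed.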
Another area of growing concern in mobile finance is the large number of fake banking apps posing as financial institutions. An analysis by the Washington Post found that almost 2% of the 1,000 highest-grossing apps on the app store are scams. These fake apps have generated over $48 million in revenue.
Mobile app developers can counter fake apps using a combination of hardening and tamper detection, and in particular code obfuscation. By renaming, restructuring, and hiding certain elements of the app’s code, companies can prevent unauthorized parties from reverse engineering their code and redistributing it as a fraudulent app.
That said, it’s also critical that app developers go beyond name obfuscation by adding control-flow, arithmetic, and other forms of obfuscation as well. These techniques ensure that even code recovered with static analysis tools and decompilers is not easily understood.
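The following is an added example (not Guardsquare's code and not DexGuard's or iXGuard's transformations) that shows what arithmetic and control-flow obfuscation do to a small routine. A plain checksum over a digit string is paired with a version whose `+` and `*31` are replaced by mixed boolean-arithmetic identities, whose loop is flattened into a state-machine dispatcher, and whose dispatcher contains an opaque predicate guarding a dead branch. Both versions return the same value for every input; only the shape of the code differs. The function names and the toy identities are this example's own.

```c
/* Added example: arithmetic and control-flow obfuscation applied to one routine.
 * Illustrative transforms written for this post; not a product's algorithm. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Plain version: polynomial checksum over a PIN/account digit string. */
uint32_t checksum_plain(const uint8_t *data, size_t len) {
    uint32_t acc = 0;
    for (size_t i = 0; i < len; i++)
        acc = (acc * 31) + data[i];
    return acc;
}

/* Arithmetic obfuscation (mixed boolean-arithmetic identities):
 *   a + b  ==  (a ^ b) + 2 * (a & b)
 *   a * 31 ==  (a << 5) - a
 * Both hold for all 32-bit unsigned a, b under wrapping arithmetic. */
static uint32_t mba_add(uint32_t a, uint32_t b) { return (a ^ b) + ((a & b) << 1); }
static uint32_t mba_mul31(uint32_t a) { return (a << 5) - a; }

/* Opaque predicate: x*(x+1) is always even, so this is always true,
 * but a decompiler sees a data-dependent branch. */
static int opaque_true(uint32_t x) { return ((x * (x + 1)) & 1) == 0; }

/* Control-flow flattening: the loop becomes a dispatcher over numbered states,
 * so the original loop no longer appears as such in the control-flow graph. */
uint32_t checksum_obfuscated(const uint8_t *data, size_t len) {
    uint32_t acc = 0;
    size_t i = 0;
    int state = 0;
    for (;;) {
        switch (state) {
        case 0: state = (i < len) ? 1 : 3; break;            /* loop condition */
        case 1: acc = mba_add(mba_mul31(acc), data[i]); state = 2; break;
        case 2: i++; state = opaque_true(acc) ? 0 : 4; break; /* always -> 0 */
        case 3: return acc;                                   /* exit */
        case 4: acc = 0; state = 3; break;                    /* dead branch */
        }
    }
}

int main(void) {
    const uint8_t digits[] = {1, 2, 3, 4};  /* constructed sample input */
    printf("plain=%u obfuscated=%u\n",
           checksum_plain(digits, sizeof digits),
           checksum_obfuscated(digits, sizeof digits));
    return 0;
}
```

The point for a defender is that none of these transforms change behaviour, so they can be applied by a build-time tool and verified by running the existing test suite, while an analyst reading the decompiled output now has to recover the loop from a dispatcher and prove the dead branch dead before understanding what the routine computes.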
Another major concern that’s widespread among financial mobile apps is data leakage, which would allow hackers to obtain credentials, account balances, and credit limits.
To illustrate just how concerned developers should be, cyberattacks against financial institutions increased by 118% in the first half of 2021, and 77% of financial apps have at least one vulnerability that could result in a data breach. An attack that leads to leaking personal or financial information can significantly damage a financial company’s consumer trust and credibility.
That’s why, for even greater security, mobile app developers for financial institutions should ensure their application hardening efforts include the encryption of sensitive information in compliance with data regulations like PCI-DSS, SOC 2, and PSD2.
Any important data, including API keys, passwords, personally identifiable information (PII), and more, should be encrypted by default. Security-sensitive classes themselves should also be encrypted, and access to those classes can be obfuscated with additional techniques.
In addition, RASP mechanisms can prevent tampering during electronic transactions and protect the integrity of the app’s financial features. For example, if there is suspicious activity detected, the app can quickly shut down and notify an administrator about the incident. These defensive measures can give finance companies additional peace of mind that their apps can adapt to an evolving threat landscape.
As you can see, mobile application security should be a priority for fintech companies and financial institutions, yet the majority of finance-related mobile apps are vulnerable to attacks.
With mobile banking predicted to be a $1.82 billion market by 2025, at a growth rate of 12.2% a year, mobile app developers for financial institutions must ensure they’re meeting industry standards. Bank mobile app protection not only builds trust and credibility with consumers, but can lead to revenue growth in the future as well.
Using application hardening best practices, app developers can prevent many of the most common security risks without much additional effort. Guardsquare has solutions to help mobile developers harden their applications with obfuscation, encryption, and RASP, as well as monitor app security threats in real time. By layering these techniques, mobile app developers make it challenging for attackers to execute both static and dynamic attacks.
In line with the trend of shifting left in the SDLC, integrating security testing tools, like Guardsquare's AppSweep, into your CI/CD pipeline is an important step toward ensuring security risks are identified early in the process as apps evolve. Additionally, Guardsquare’s flagship products DexGuard (for Android) and iXGuard (for iOS) generate a comprehensive Protection Report to assess the level of security of every app build at a glance. This allows AppSec and development teams to make sure only adequately protected apps are released into the wild.
To further emphasize Guardsquare’s commitment to providing industry-leading mobile application security, we have recently earned EMVCo certification in obfuscation, root detection, anti-instrumentation, tamper detection, and anti-emulation.