Financial services apps are increasingly popular all around the world and come in a wide variety of flavors. Their purposes and functions range from mobile payments to banking to bitcoin to stock trading and beyond. Many consumers in the developed world rely on them for convenience and speed. And many consumers in the developing world employ mobile apps to access and take advantage of financial services that might not otherwise be available to them.
A whopping 79% of smartphone owners have used their devices to make online purchases in the past six months, and more than 75% of Americans used a mobile device to check bank balances in 2019. Meanwhile, the total value of mobile payments is set to reach $503 billion in 2020. However, as positive as these statistics are, there’s a darker side: Mobile fraud losses totaled more than $40 million across 14,392 breaches in 2019.
It should come as no surprise that financial services apps process, contain, and transmit some of the most valuable and sensitive data that exists, from personally identifiable information to bank access credentials to credit card numbers and beyond. So while these apps can be very powerful and positive for consumers, hackers also see the potential. For this reason, the makers of these apps have a duty to ensure that the data they process and contain is well-secured.
Unfortunately, research conducted by Guardsquare and others has found that this is far from uniformly true today. In fact, the majority of Android financial services apps do not use any type of obfuscation—a key security best practice—at all, and those who do employ obfuscation largely do not take full advantage of it.
Guardsquare researched the nature and level of application shielding in use by more than 3,000 of the world’s leading financial services apps on the Android marketplace. Our data showed that less than 50% of these financial apps are using proper mobile application security. This leaves them open to:
It’s clear that mobile financial services apps are falling short when it comes to security. Let’s take a look at where and how they need to improve.
Code hardening is the best way to prevent attackers from accessing and tampering with an app’s source code. Hackers tamper with source code to steal IP, commit monetary fraud, extract sensitive data such as encryption keys for use in follow-up attacks, gather information about the interaction between the application and backend servers, and pursue many other goals that drive hacker behavior.
Code obfuscation is the gold standard technique to prevent hackers from decompiling or reverse engineering source code. That said, while code hardening is very effective when properly implemented, as our study showed, most mobile apps, including financial ones, do not use these techniques at all. Of those who do use some code hardening, a huge majority limit their obfuscation techniques to name obfuscation alone.
They primarily use open source optimizers, such as ProGuard (our own open source product) or R8. These of course have positive impacts on apps—namely, increasing performance by shrinking them. But it’s important to be realistic about the fact that they provide only limited security.
Our research shows that less than 10% of the top 3,000 financial services Android apps use additional code protection techniques beyond name obfuscation. While it is harder to find exact data on iOS, our experience leads us to believe that the majority of these apps are also not up to snuff when it comes to security. These are apps that contain extremely sensitive financial and personal information that, if accessed by someone with bad intentions, can lead to fraud and reputational damage, among other negative consequences. Ensuring maximum security protections should be a top priority.
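A practical first check for any team shipping an Android finserv app is to verify, from the build output itself, how much of the code base the name obfuscation step actually touched. ProGuard and R8 both emit a `mapping.txt` that lists every class and member alongside its obfuscated name; classes kept by `-keep` rules map to themselves. The script below is an added example (not Guardsquare's or any project's code) that parses a constructed sample of that file and reports renaming coverage. The sample mapping, class names, and the `obfuscation_report` helper are assumptions made for illustration. Note that this measures only name obfuscation: string constants and control flow are untouched by this step, which is exactly why it is a floor, not a ceiling.

```python
import re

# Constructed sample of a ProGuard/R8 mapping.txt (not taken from any real app).
# Class lines: "original.Class -> obfuscated.Class:"; member lines are indented
# and read "returnType name(args) -> newName" (methods) or "type name -> newName"
# (fields). Classes covered by -keep rules map to their own name.
SAMPLE_MAPPING = """\
# compiler: R8
com.example.bank.MainActivity -> com.example.bank.MainActivity:
    void onCreate(android.os.Bundle) -> onCreate
    java.lang.String getAccountNumber() -> a
com.example.bank.crypto.KeyStoreHelper -> a.a.a:
    java.lang.String MASTER_KEY_ALIAS -> a
    javax.crypto.SecretKey loadKey() -> a
com.example.bank.net.ApiClient -> a.a.b:
    java.lang.String BASE_URL -> a
    void sendTransfer(com.example.bank.model.Transfer) -> a
com.example.bank.model.Transfer -> com.example.bank.model.Transfer:
    java.lang.String fromIban -> fromIban
    java.lang.String toIban -> toIban
    double amount -> amount
"""

CLASS_LINE = re.compile(r"^(\S+) -> (\S+):$")
# Optional "start:end:" line-number prefix and ":line:line" suffix as R8 emits them.
MEMBER_LINE = re.compile(
    r"^\s+(?:\d+:\d+:)?(\S+) ([^\s(]+)(\([^)]*\))?(?::\d+:\d+)? -> (\S+)$"
)


def parse_mapping(text):
    """Return {original_class: {"new": obfuscated_name, "members": [(orig, new), ...]}}."""
    classes = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue  # blank lines and compiler header comments
        m = CLASS_LINE.match(line)
        if m:
            current = m.group(1)
            classes[current] = {"new": m.group(2), "members": []}
            continue
        m = MEMBER_LINE.match(line)
        if m and current is not None:
            classes[current]["members"].append((m.group(2), m.group(4)))
    return classes


def obfuscation_report(text):
    """Summarise how many classes and members were actually renamed."""
    classes = parse_mapping(text)
    renamed_classes = sum(1 for name, info in classes.items() if info["new"] != name)
    members = [pair for info in classes.values() for pair in info["members"]]
    renamed_members = sum(1 for orig, new in members if orig != new)
    return {
        "classes": len(classes),
        "renamed_classes": renamed_classes,
        "members": len(members),
        "renamed_members": renamed_members,
        # Kept classes are the ones a reverse engineer can still read by name.
        "kept_classes": sorted(name for name, info in classes.items() if info["new"] == name),
    }


if __name__ == "__main__":
    report = obfuscation_report(SAMPLE_MAPPING)
    print(f"classes renamed: {report['renamed_classes']}/{report['classes']}")
    print(f"members renamed: {report['renamed_members']}/{report['members']}")
    print("kept (readable) classes:", ", ".join(report["kept_classes"]))
```

Run it against the real `mapping.txt` from a release build to see which classes survive with their original names; model and Activity classes typically do because of `-keep` rules, which is acceptable, but a kept class in a crypto or networking package deserves a second look at the keep configuration.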
Of course, if you operate in the financial services arena or work with customers who do, you are likely well aware of the many regulations and rules that apply to this space. It is very much a “highly regulated industry.” Compliance mandates vary by country and region, but many must meet the requirements of:
While few of these specify the importance of code hardening for mobile financial services apps, the reality is that this best practice is the only way to truly ensure that financial services organizations are properly protecting their own IP and customers’ data.
Code hardening is an important first step for mobile app security, and it must go beyond name obfuscation to include control flow obfuscation and a range of other techniques.
It is the layering of multiple applied code hardening techniques that will make a mobile app too challenging and time-consuming to decompile. This will deter attackers.
In addition to code hardening techniques, it’s best to include multiple runtime application self-protection (RASP) techniques to secure mobile financial services apps against dynamic attacks. With these techniques fully deployed, mobile finserv app developers can have peace of mind that their applications will not be a tempting and easy target for hackers.
Mobile finserv apps have the power to decrease friction in banking and mobile payments, making for happier customers. They also have the power to improve access to these key resources for the underbanked and unbanked. In other words, they are both a tool of convenience and a means of democratizing access to vital financial resources and information, making them incredibly valuable to both their makers and their users.
This is precisely why it’s so important to properly protect these apps with a combination of effective, complete code hardening and RASP techniques to prevent static and dynamic attacks. Taking a layered approach to mobile app security will enable financial services app makers to rightly claim that they are protecting both their own organizations and their valued customers from fraud, hacking, and financial losses.