Guardsquare Announces Record Revenue, Customer and Employee Growth for 2019

Product innovation, global expansion and funding fueled momentum for mobile application security leader


BOSTON, USA – January 22, 2020 – Guardsquare, the mobile application security platform, today announced that it achieved record revenue, employee and customer growth in 2019, adding more than 200 paying customers. This momentum, along with a $29 million investment from Battery Ventures in early 2019, demonstrates increasing industry-wide demand for Guardsquare’s mobile application protection solutions, which secure applications through static and dynamic protection against reverse engineering and hacking.

“We are extremely proud of the success we have had over the past year and I want to personally thank our open source ProGuard users, as well as our DexGuard and iXGuard customers and partners,” said Roel Caers, CEO of Guardsquare. “We address a critical need for app developers, which is evident by our success and fervent market adoption. The application security market is one of the fastest growing in the industry and Guardsquare is at the forefront, already protecting billions of applications and poised for further adoption in the coming year.”

Increased Need for Mobile Application Security in a Connected World

Recent research shows that the application security market was valued at $4 billion in 2019 and is expected to reach $15.25 billion by 2025 as application security becomes a necessity for organizations across all industries and the developers creating and updating existing applications.

Product Enhancements

Guardsquare delivers a multi-layered security solution to ensure applications are self-defending through code-hardening (encryption and obfuscation) and runtime application self-protection (RASP). These layers of protection are integrated into an application’s code to shield it against threats both on- and off-device.

In addition to ProGuard, its open source optimizer for Java bytecode that makes Java and Android applications up to 90 percent smaller and 20 percent faster, Guardsquare’s two commercial offerings, DexGuard (for Android) and iXGuard (for iOS), deliver maximum application security. Guardsquare made significant enhancements to both products in 2019: code virtualization and App Bundle support were added to DexGuard, and application integrity protection for enhanced security and an in-app assistant for maximum usability were introduced in iXGuard. JavaScript obfuscation was added to both DexGuard and iXGuard.

Company Growth

Guardsquare recently announced the expansion of its global footprint by adding a North America office in Boston to the headquarters in Leuven, Belgium. Guardsquare also expanded its leadership team with the addition of John Vigeant, chief revenue officer, and Erica Sheehan, vice president of marketing.

Industry Recognition

Guardsquare was awarded the prestigious Ernst & Young “Scale-Up of the Year” 2019 Award, which is given by the Flemish government to Belgian-based companies with top performance, growth, innovation, strategy and entrepreneurship. Guardsquare was also a winner in the BVA Awards for “Growth Company of the Year” and was a top 10 finalist in the Deloitte 2019 Technology Fast 50 Belgium list.

Supporting Quotes

“Mobile applications are the key to success for modern organizations due to their extreme flexibility and portability,” said Dharmesh Thakker, general partner of Battery Ventures. “Guardsquare’s ability to secure mobile applications against reverse engineering and hacking has made it the leading-edge provider of mobile application protection. Its solutions are already in use by six of the top 10 global credit card companies, and Guardsquare is planning additional product innovation and market expansion.”


About Guardsquare

Guardsquare is the global leader in mobile application protection. More than 600 customers worldwide across all major industries rely on Guardsquare to secure their mobile applications against reverse engineering and hacking. Built on the open source ProGuard technology, Guardsquare software integrates transparently in the development process and adds multiple layers of protection to Android (DexGuard) and iOS (iXGuard) applications, hardening them against both on-device and off-device attacks. Guardsquare is based in Leuven (Belgium) with a US office in Boston, MA.

Contact
Erica Sheehan
VP of Marketing, Guardsquare
erica.sheehan@guardsquare.com

Heather Fitzsimmons
Mindshare PR for Guardsquare
heather@mindsharepr.com


The Role of the CISO in Securing Mobile Applications

Things have changed significantly for chief information security officers (CISOs) in the last 10 years. Security is now a CEO- and board-level concern, with breaches costing companies consumer trust, buyer loyalty, and, in some cases, millions of dollars. As security has become a central issue for organizations, one that impacts everything from finance to legal to HR, CISOs’ roles have evolved, too.

In fact, the Wall Street Journal recently recognized this shift, citing a Forrester survey that found a decrease in CISOs who report to the CIO (from 38% in 2018 to 35% in 2019) and an increase in CISOs who report to the CEO or president (from 16% in 2018 to 18% in 2019). While this is not a huge shift in terms of numbers, we do believe it is part of a larger trend of security being recognized as an important concern as well as a business driver. 

As the CISO role has evolved, security threats have also changed in many ways. Originally introduced in 2008, mobile apps today represent a significant—and perhaps overlooked—center for risk. 

Hackers realize that mobile apps are often overlooked within a company’s security portfolio and often focus their efforts on them as a result. Common threats targeting mobile apps include:

  • Advertisement hijacking

  • API key extraction

  • Credential harvesting

  • Financial fraud

  • IP theft and cloning

  • Man-in-the-middle attacks

  • Piracy

  • Security circumvention

  • Tampering

The question becomes, how can CISOs guard against mobile app threats? Below are three key areas where CISOs today should ensure their teams have an appropriate strategy in place.

The Myth of “Safe” Apps 

Many people mistakenly believe that iOS applications cannot be reverse-engineered, thanks to Apple’s App Store encryption, code-signing processes, and other built-in precautions. 

In reality, CISOs and security departments know that this is not true. While the App Store’s goal is to protect consumers from apps with malware and other security issues, their protections do not fully cover the interests of the companies who make these apps. For example, iOS does not have full protections built in to hedge against tampering, cloning, or reverse engineering. 

Additionally, while there is wider acknowledgment of the vulnerabilities affecting Android applications, it does not make sense to develop or implement protections only for Android, as this leaves the door wide open on the iOS side.

Tip: It is important to be clear-eyed about the reality that iOS apps are indeed vulnerable to hacking and fraud. Many of the attack methods listed above can be detected and prevented with a multi-layered security approach: Code hardening protects the code at rest, while RASP provides protection when the mobile application is running. 

Fake Mobile Apps Are on the Rise

When the Apple App Store opened and Google Play launched in 2008, businesses and individuals alike recognized a major opportunity. Today, the Apple App Store has about 2 million apps, and Google Play nearly 3 million.

Eager scammers are taking advantage of the proliferation of apps by creating “fake apps” and duping consumers into downloading them with the goal of diverting payment, racking up views for unauthorized ads, spreading malware, and carrying out other fraudulent activities. Companies without strong encryption and other security protections may find their apps reverse-engineered and marketed online by criminals, virtually indistinguishable from the real thing. This problem is so pervasive that the US Federal Trade Commission issued an alert for fake apps just a few years ago.

Tip: Hackers can’t duplicate what they can’t access. Make your app’s code unreadable with obfuscation and encryption, two important code hardening techniques. With these tools in place, hackers will not be able to decompile source code, stopping them from wholesale replicating and falsely marketing a fake app.

Protecting Valuable Intellectual Property

Companies, especially those in high-value, disruptive spaces, invest a lot of time and money developing their unique services. As a natural consequence, many mobile apps include proprietary algorithms used by a company’s core products. If bad actors are able to access the source code of these apps, they can intercept user data or copy a legitimate app’s functionality and go to market without the up-front investment.  

Tip: Code hardening is the best way to protect major investments in developing unique intellectual property from theft and misuse by hackers with bad motives.

New Regulatory Landscape

As mobile apps have grown in popularity, regulations have raced to keep up with them. Today, CISOs must ensure that their companies’ applications comply with all major regulations, many of which vary from country to country. This is especially true in highly regulated landscapes, such as banking, where penalties for non-compliance can be costly. 

Additionally, many countries are passing new local, regional, or global regulations aimed at protecting users. Turkey and Singapore, for example, recently passed new regulations around mobile banking. 

Also in 2019, the Payment Card Industry Security Standards Council enacted new guidelines: the PCI Mobile Payment Acceptance Security Guidelines, industry standards for processing credit card information, and PCI SPoC, which regulates the security of electronic mobile transactions on commercial off-the-shelf (COTS) devices.

These are only a handful of the regulations at play for mobile apps: GDPR, PSD2, and many other regional rules apply, depending on your business, location, customer base, industry, and other factors.

Tip: As security is increasingly linked to regulatory compliance, CISOs must work closely with other business units to monitor for new regulations and apply appropriate security and privacy measures to mobile apps to meet these standards.

Securing Mobile Applications in 2020

As companies develop ever more mobile apps, CISOs’ jobs will only become more complicated. Companies who proactively safeguard their mobile apps using both static and dynamic protections will be well-positioned to gain and maintain user trust in 2020 and beyond. 


Learn more about how code hardening and RASP can protect your company’s mobile apps by requesting a demo.


What PCI SPoC Compliance Means for Mobile Apps

Guardsquare provides security solutions that safeguard mobile apps against reverse engineering and hacking. We develop software that complies with a number of regulatory and industry standards, such as PSD2, the OWASP Mobile Security Project and the PCI guidelines.

In light of the recent compliance discussions and numerous regulatory updates (for instance, in Turkey and Singapore), we are presenting a short blog series discussing how PCI regulations apply to mobile applications. In Part I of this series, we discussed the PCI Mobile Payment Acceptance Security Guidelines. Today, we discuss how our solutions, DexGuard and iXGuard, meet the PCI Software-based PIN entry on Commercial off-the-shelf devices (SPoC) requirements for Android and iOS.

What is PCI SPoC?

PCI SPoC is a new security standard announced by the Payment Card Industry Security Standards Council (PCI SSC) to regulate the security of electronic mobile transactions on commercial off-the-shelf devices (COTS). The new guidelines secure the authentication of transactions using software-based PIN verification on smartphones and tablets.

Vendors are typically required to use PCI-approved, PCI PIN Transaction Security (PCI PTS)-compliant hardware for PIN authentication (PCI PTS POI). However, the introduction of PCI SPoC allows merchants to leverage the NFC capabilities of off-the-shelf smartphones and tablets in order to secure the authentication of transactions instead. This eliminates the need for vendors to use traditional (often more expensive) electronic PIN pads.

How Does PCI SPoC Work?

PCI SPoC defines a number of components and processes for authenticating transactions using a PIN on COTS. At a minimum, the system consists of an EMV card reader (referred to by SPoC as the Secure Card Reader for PIN, or SCRP), a back-end monitoring and payment processing system, and a PIN CVM (PIN Cardholder Verification Method) application that accepts the cardholder PIN.

With PCI SPoC, a consumer would enter their card into a secure card reader for PIN (SCRP) that reads the account information, then enter their PIN into the merchant’s smartphone or tablet to authenticate the transaction. PIN information on the mobile device is captured by a PCI-compliant PIN CVM mobile application that then securely exchanges this information with the SCRP. Subsequently, the SCRP securely communicates with both the mobile device and a back-end monitoring system to attest and process the transaction. Transactions in this setting are restricted to EMV contact and contactless.

The key advantage of PCI SPoC is that it allows the PIN information to be effectively isolated from other account data so that it is no longer possible to instigate correlation attacks, which can crack encrypted information. Thus SPoC ensures the integrity of the PIN entry application that captures this data. Additionally, SPoC requires an active monitoring service to enforce additional external security controls for:

  • attestation (ensuring the security mechanisms are intact and operational),
  • detection (notifying when anomalies are present), and
  • response (triggering controls to alert and take action).

How Guardsquare Can Help Mobile Apps Meet SPoC Compliance

Any underlying hardware of COTS devices is assumed to be unknown or untrusted, and an attacker may therefore have full access to its software. PCI SPoC therefore enforces security requirements that developers must meet to ensure software-centric PIN protection. Furthermore, testing requirements are also defined for the validation and evaluation of the solution by payment security laboratories.

As defined by SPoC, “...it is considered important for the software to provide inherent protections that complicate reverse engineering and tampering of the code execution flow. This may include, but is not limited to, protections using “obfuscation” of the code, internal integrity checks for code and processing flows and encryption of code segments, etc.”

Guardsquare hardens the PIN CVM mobile app against reverse engineering and tampering attacks and provides integrity controls to ensure a trusted execution environment on COTS devices.

Our products, DexGuard and iXGuard, obfuscate mobile apps using multiple advanced techniques and secure COTS devices against rooting and other dynamic attacks designed to compromise the Android and iOS runtimes. Guardsquare’s tamper detection checks and fingerprinting capabilities further harden these controls, and the overall payment system, by signalling modifications and anomalies of the CVM application to the back-end monitoring system.

Stronger Security for Mobile App Transactions

Mobile applications, app security, and compliance are arguably becoming a central pillar of business models across many sectors. Guardsquare’s mobile protection suite, including DexGuard and iXGuard, ensures the overall effectiveness of your IT security architecture by hardening it against dynamic and static attacks.

As the mobile app security solution, Guardsquare helps ensure software-centric PIN protection for Android and iOS devices by providing solutions that directly comply with several PCI security requirements. We use industry-standard cryptography, code obfuscation, tampering prevention and runtime integrity verification to protect hundreds of customers. These technologies are crucial to preventing unintended modification or behavior of the PIN CVM mobile app and COTS devices.

Contact us to learn more about how we can help your business meet the new PCI compliance mandates and ensure the security of your customer data and transactions.

Why Mobile Financial Apps Should Practice Obfuscation

There are 57 million mobile banking users in the U.S. alone. Globally, about 59% of consumers use mobile banking applications. However, many report that they are wary of mobile banking, mobile payments, and other financial mobile applications due to security concerns.

Financial mobile app growth is on an impressive trajectory. Yet with the amount and nature of sensitive data being stored and processed in mobile financial apps, consumers need reassurance that security and privacy concerns are being taken seriously by app developers.

Less Than Half of Mobile Financial Apps Practice Obfuscation

As you may know, we recently conducted research into the nature and level of application shielding in use by more than 3,000 of the world’s leading financial services apps on the Android marketplace.

We discovered that less than half of these apps are using proper mobile application security—including obfuscation—to prevent reverse engineering, malicious app clones, sensitive data loss, and other potential negative outcomes.

What is Code Obfuscation?

One valuable form of application shielding that all mobile financial apps should be using is code obfuscation.

Code obfuscation is the process of making applications more difficult to decompile or disassemble, and the retrieved application code more difficult for humans to parse. Obfuscation is part of a broader application shielding strategy.

The goal of code obfuscation is to prevent any unauthorized party from accessing and gaining insight into the logic of an application, which prevents them from extracting data, tampering with code, exploiting vulnerabilities, and more.

Code obfuscation strategies include:

  • Renaming classes, fields, methods, libraries, etc.
  • Altering the structure of the code
  • Transforming arithmetic and logical expressions
  • Encryption of strings, classes, etc.
  • Removing certain metadata
  • Hiding calls to sensitive APIs, and more

All of this is undertaken without altering the function of the code or the end user experience.
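As an added illustration (not Guardsquare code, and not the output of ProGuard or DexGuard), the Java below applies three of the strategies from the list by hand to a small, constructed helper: a readable `BalanceRequest` class sits beside a renamed `a` class whose string literals are stored XOR-masked (key 0x5A, a constructed value) and decoded only when used, and whose subtraction is rewritten as the equivalent two's-complement expression `~(-x)`. Every name, string and key here is an assumption made for the example; `main` checks that both versions return identical output, which is exactly the property the sentence above requires of any obfuscation.

```java
import java.nio.charset.StandardCharsets;

public class ObfuscationDemo {

    // ----- Before: the helper as a developer writes it (constructed example) -----
    static final class BalanceRequest {
        static final String ENDPOINT_PATH = "/v1/balance";
        static final String AUTH_HEADER = "X-Api-Key";

        // Account ids are 1-based in the UI; the backend expects 0-based.
        static String build(String apiKey, int accountId) {
            int backendId = accountId - 1;
            return ENDPOINT_PATH + "?acct=" + backendId + "\n" + AUTH_HEADER + ": " + apiKey;
        }
    }

    // ----- After: the same helper with three strategies applied by hand -----
    // 1. Renaming: class, fields, methods and locals become meaningless letters.
    // 2. String encryption: neither path nor header name survives as a plaintext
    //    literal; each is stored XOR-masked with 0x5A (a constructed key) and
    //    decoded on demand. The short "?acct=" and ": " literals are left
    //    readable here only to keep the example small; a real tool masks them too.
    // 3. Arithmetic transformation: "accountId - 1" becomes "~(-accountId)",
    //    which yields the same int in two's-complement arithmetic.
    static final class a {
        // "/v1/balance" XOR 0x5A, byte by byte
        static final byte[] b = {0x75, 0x2C, 0x6B, 0x75, 0x38, 0x3B, 0x36, 0x3B, 0x34, 0x39, 0x3F};
        // "X-Api-Key" XOR 0x5A, byte by byte
        static final byte[] c = {0x02, 0x77, 0x1B, 0x2A, 0x33, 0x77, 0x11, 0x3F, 0x23};

        // Runtime string decoder: unmask each byte and rebuild the ASCII string.
        static String d(byte[] e) {
            byte[] f = new byte[e.length];
            for (int g = 0; g < e.length; g++) {
                f[g] = (byte) (e[g] ^ 0x5A);
            }
            return new String(f, StandardCharsets.US_ASCII);
        }

        static String h(String i, int j) {
            int k = ~(-j); // == j - 1
            return d(b) + "?acct=" + k + "\n" + d(c) + ": " + i;
        }
    }

    public static void main(String[] args) {
        String plain = BalanceRequest.build("demo-key", 7);
        String obfuscated = a.h("demo-key", 7);
        System.out.println(plain);
        System.out.println(obfuscated);
        // The transformed code must behave identically; a mismatch here would
        // mean the obfuscation changed semantics, which is never acceptable.
        if (!plain.equals(obfuscated)) {
            throw new AssertionError("obfuscated helper diverged from original");
        }
        System.out.println("equivalent: true");
    }
}
```

Compile and run with `javac ObfuscationDemo.java && java ObfuscationDemo`. Decompiling the `a` class would still reveal the decoder `d`, which is why the strategies are layered: renaming hides intent, string encryption removes the searchable literals an attacker greps for first, and the arithmetic rewrite removes the obvious "minus one" that hints at the id convention. None of these changes alters what the method returns.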

Cover Your Top 10 Bases

Developers of mobile banking and financial applications should be sure to fully understand the top ten most common security risks for mobile applications, as defined by OWASP. Reverse engineering and tampering rank as the eighth and ninth most prevalent security risks according to this list, and both of these can be dramatically curtailed by using sophisticated obfuscation techniques. Application shielding techniques, including obfuscation, can help protect apps against many of the risks on this list.

Adhere to Compliance Mandates

While compliance mandates are often less strict than security best practices, as a financial institution, you obviously have a good degree of obligation when it comes to regulations. Meeting compliance mandates, such as PCI-DSS for payment processors, SOC 2 for any SaaS-related business, and new international regulations, among others, is a good place to start when it comes to up-leveling your security and privacy practices.

Achieve Consumer Trust

The reality today is that consumers have many options to choose from. It has never been easier to research everything from credit card choices to bank reputations to payment providers’ compliance practices. Savvy consumers can easily walk away from one mobile financial app and choose another one (or stay away from apps altogether). So, if you operate in the mobile financial application space, it’s key to use security best practices to both protect your apps and to provide consumers with the peace of mind they need to do business with you.

Ready to learn more about what our data uncovered when it comes to mobile financial apps?


5 Mobile App Security Predictions for 2020

As the year and decade come to a close, it’s a good time to start thinking about what the upcoming months and years are likely to hold when it comes to appsec. Mobile applications continue to be at the heart of many businesses’ strategies, and security vulnerabilities continue to escalate. Below, we’ll share five predictions for mobile app security in 2020, along with recommendations from our appsec experts on how to best prepare your organization.

1. Increased Adoption of Mobile Payments

Research has shown many consumers are wary of using mobile banking applications due to security and privacy concerns. They are interested in the convenience and timeliness these apps can offer, but they want to know that their data will be protected, especially given the near-constant headlines about security breaches. Interestingly enough, more consumers are open to mobile payments apps. Currently, it is predicted that 2020 will be the first year that more than 1 billion people worldwide will use a mobile payment app to pay in-store at least every six months.

Yet as a recent Guardsquare report found, less than half of global mobile financial apps are using any type of code obfuscation currently—leaving them wide open to hacking. Without sufficient security upgrades, the continued growth of mobile payments and financial apps will lead to more hacks and breaches in 2020.

That said, it’s not too late for banks, mobile payment providers, and other developers of mobile financial applications to embrace better appsec practices for the coming year. Proper mobile application security, including both code hardening and runtime application self-protection (RASP) can prevent reverse engineering, fraudulent app clones, sensitive data loss, IP theft, and other potential negative outcomes.

2. Major Kotlin Growth Ahead

Kotlin is currently the fourth-fastest-growing language, and now that Google has declared it their preferred Android programming language, we anticipate it will only continue to spike, likely overtaking JavaScript in the near future.

However, many developers using the language do not fully understand security best practices, including how to protect Kotlin code against OWASP's well-known Mobile Top 10 risks, as explained in-depth here.

In 2020, developers must take steps to educate themselves about Kotlin security and to better protect their apps written using Kotlin. As with any other Java-based language, apps written using Kotlin must be protected against both static and dynamic attacks using a combination of code hardening and RASP.

3. Crackdown on Fake Apps

Nearly 65,000 new fake apps were detected in December of last year alone—over 6 times the amount reported in June 2018. We expect fake apps to be increasingly common and problematic in 2020.

Fake mobile apps are Android or iOS applications that mimic the look and/or functionality of legitimate applications to trick unsuspecting users into installing them. Once downloaded and installed, the applications can perform a variety of malicious actions. Developers need to understand how fake apps threaten their brand reputation and consumer trust and take steps to prevent them, including:

  • Provide legitimate mobile applications.
  • Regularly check the Google Play Store and the App Store for fakes.
  • Protect Android and iOS applications.

You can learn more about this pernicious challenge here. On the positive side, we anticipate that more and more organizations will see mobile as an opportunity to manage and protect their reputation by embracing mobile app security.

4. Increased Awareness of iOS Security Shortfalls

Did you know that every iOS version has eventually been jailbroken? In fact, a recent permanent jailbreak was discovered that highlights the reality that iOS apps are not perfectly secure. Many app developers still believe iOS apps are virtually immune to reverse engineering and don’t need any protection, but this just isn’t true.

We believe that 2020 will be the year more developers open their eyes to the reality that iOS is not immune to hacking and begin to better protect their applications. To learn more about this reality, check out our blog post: 3 Misconceptions About iOS Security.

5. Widespread Regulatory Changes

Recent international mobile banking and financial services app regulations in Turkey and Singapore are paving the way for tighter app security policies. While these regulations are primarily intended to safeguard consumers and their sensitive financial data, in the process, they will protect app publishers from the unintended consequences of mobile application hacking and misuse.
Whether a business is beholden to these specific regulations or not, we expect them to spread globally over the coming year and decade. How to respond? Luckily, application shielding is a measure organizations can easily implement to remain compliant, as well as more generally keep sensitive logic and data protected from misuse. Application shielding makes an app more resistant to common intrusion techniques, including reverse-engineering and tampering.

What are your predictions for mobile apps and appsec in 2020?

5 Guardsquare Accomplishments We’re Proud of from 2019

It’s fair to say that 2019 was a big year for us at Guardsquare, and with the year coming to a close, we wanted to take a moment to look back at what we’ve accomplished in the spirit of continuous improvement and looking ahead to the future.

Battery Ventures funding

In late January 2019, Guardsquare announced a $29 million investment from Battery Ventures. This represented the company’s first round of institutional financing. As part of the transaction, Battery General Partner Dharmesh Thakker and Battery Principal Paul Morrissey joined Guardsquare’s board.
Guardsquare is leveraging the partnership with Battery to more aggressively invest in R&D, customer-success initiatives, and sales and marketing efforts.

“We are extremely happy to welcome Battery as a shareholder,” Jürgen Ingels, a Guardsquare board member and early investor in the company stated. “This enables us to put a turbo on further growth. It is also a great endorsement of the Belgian tech scene.”

Ernst & Young, BVA, and Deloitte Awards

We were excited (and humbled!) to have been recently named Ernst & Young Belgium’s ‘Scale-up van het Jaar’ 2019 (Scale-Up of the Year) and Belgian Venture Association (BVA)’s ‘Growth Company of the Year’ 2019 for our mobile app security solutions for Android and iOS.
This year, Guardsquare was nominated once more to Deloitte’s Technology Fast 50, a competition for tech companies founded and headquartered in Belgium. Winner of Deloitte's 2018 Technology Fast 50, Guardsquare also took home Deloitte’s Rising Star award in 2016, and was a top 10 finisher for the 2019 Technology Fast 50.

We’ve always been incredibly proud that our innovative solutions including ProGuard, DexGuard and iXGuard are protecting billions of mobile apps and hundreds of customers, and we’re grateful to add recognition from organizations like EY, BVA, and Deloitte to our list of accolades.

The Boston Office Opening

In August, we opened a new office in the U.S., specifically in Boston, MA. Helmed by our then-recently hired CRO John Vigeant, the Boston office is also home to new VP of Marketing Erica Sheehan and members of our global sales and marketing teams. Nestled near the busy South Station bus and train terminal in the heart of Boston, this office has served as a landing pad for these key team members.

Product Upgrades & New Releases

Throughout 2019, we have continued to upgrade ProGuard, DexGuard, and iXGuard to bring even more security features and improvements to our customers. Most recently, we have released the following: DexGuard update, iXGuard update, and ProGuard update. In 2020, we look forward to continuing to improve these offerings, as well as adding some exciting new enhancements to our suite.

Partnerships

To help our customers ensure they have a full range of mobile app security solutions at their fingertips, Guardsquare has expanded our ecosystem to include additional partnerships with organizations such as Zimperium, whom we are partnering with to offer the most complete mobile application hardening and threat defense on the market. The partnership will bring even stronger levels of mobile app protection to both current users and new customers. We are excited to continue to expand our partnership program in 2020.

Looking Forward to 2020

We have big plans for Guardsquare in 2020, and look forward to serving our customers and bringing mobile application performance and security to even more apps in the new year. Thanks for reading, and for following along on our journey!

Better Together: Guardsquare Partners with Zimperium to Provide Customers with Comprehensive Mobile App Protection

Wood is a strong material, but imagine trying to construct a sturdy building without any metal… From steel beams to nails, it’s nearly impossible to go without this key ingredient. Any good architect or builder understands it’s key to use both materials, respecting the integrity and unique properties of each, to build a truly robust structure.

Similarly, mobile app developers need to protect their apps and their customers’ data using both proactive and reactive measures.

Specifically, developers must work to reduce the chances of reverse engineering, while also actively monitoring for real-time threats. Protection and detection, layered on top of the underlying operating system security, are paramount, especially since both the iOS and Android platforms continue to evolve at a rapid clip.

To help our customers ensure they have a full range of mobile app security solutions at their fingertips, Guardsquare and Zimperium are partnering to offer the most complete mobile application hardening and threat defense on the market. The partnership will bring even stronger levels of mobile app protection to both current users and new customers. Customers can also take advantage of Zimperium’s centrally managed solution to access the features of both platforms.

Enhancing the Value for Guardsquare Customers

As part of the partnership, Guardsquare customers can take advantage of Zimperium’s zIAP mobile threat defense SDK to detect real-time network, malware, phishing, and device attacks. Adding zIAP complements Guardsquare’s app tampering and obfuscation technology and will be centrally managed in Zimperium’s cloud-based administration console.

In addition to providing centralized administration, Zimperium will use Guardsquare technology in its own mobile apps and distribute Guardsquare to current and prospective customers.

As a global leader in mean time to detection (MTTD), Zimperium is a powerful partner for Guardsquare when it comes to solving real customer problems. Shridhar Mittal, Zimperium’s Chief Executive Officer shared, “We believe our combined technologies provide the best possible mobile application security solution for our customers, and look forward to working together to build a more secure mobile ecosystem."

Any time two companies with deep expertise and complementary offers join forces to provide a more robust solution, businesses all around the world can benefit. We look forward to working closely with Zimperium to secure applications and organizations against hacking and its consequences.

To learn more about how you can take advantage of Guardsquare and Zimperium’s joint offerings, email us at sales@guardsquare.com.


International Banking App Security Regulations Signal Need for Application Shielding

Recent international mobile banking and financial services app regulations in Turkey and Singapore are paving the way for tighter app security policies. While these regulations are primarily intended to safeguard consumers and their sensitive financial data, in the process, they will protect app publishers from the unintended consequences of mobile application hacking and misuse.

Application shielding is a measure organizations can implement to remain compliant with these upcoming regulations, as well as to keep sensitive logic and data protected from misuse. Application shielding makes an app more resistant to common intrusion techniques, including reverse engineering and tampering. In the OWASP Mobile Top 10, code tampering and reverse engineering are listed as M8 and M9 respectively.

Here’s a quick look at some of the highlights mobile app developers should be aware of when it comes to these upcoming regulations. They’re likely to become industry standards that other countries will embrace in 2020 and beyond, so it’s best to be prepared!

Turkey’s Regulations Put Security Onus on Banks

The Turkish banking regulatory agency, BDDK, recently issued a draft regulation to ensure that banks are held responsible for the secure development and ongoing protection of their mobile applications. Among the provisions in the draft:

  • Regular integrity checks to ensure that applications are running without unauthorized or malicious code in development, testing or production environments.
  • Systemic application controls that ensure the accuracy, completeness and reliability of the data entered, modified, processed or produced by mobile applications. This measure includes ensuring authorized access to data.
  • Verification that all code within the application originates from the bank itself. The bank is responsible for ensuring that apps remain free of malicious code that could affect a consumer's mobile device, data, or operating system.
  • During the customer verification/authentication process, the bank must ensure that data is being transmitted securely between the customer and bank alone, without third-party interference.

These regulations are intended to ensure that financial institutions are proactive about their banking app security, rather than waiting to be affected by a breach. Taking the right preventative measures can protect banks from financial loss, customer loss, reputational damage, and more.

Singapore Cracking Down on Data Privacy and Security

Like Turkey, Singapore has taken data privacy seriously, introducing legislation such as the Personal Data Protection Act (PDPA) and the Cybersecurity Act to set digital regulatory obligations. However, many organizations have overlooked these obligations when it comes to their mobile applications, which has led to more specific guidance on protecting mobile apps.

New mobile regulations in Singapore include specific application security measures for developers and app publishers, including:

  • Avoid storing or caching sensitive data in the mobile application, to limit what can be compromised on the device
  • Implement the following:
    • Anti-tampering mechanisms that detect and block the injection of malicious code that could alter or monitor the behavior of the app at runtime
    • Application integrity checks (dynamic app protection such as runtime application self-protection, or RASP), together with code obfuscation to make reverse engineering of the application substantially harder
    • Certificate or public key pinning to protect against man-in-the-middle attacks on the app's network traffic
    • A secure in-app keypad to prevent keylogging and credential theft
    • Device binding, so that session tokens and credentials cannot be cloned and reused on another device

Many cybersecurity experts believe that once Singapore passes these regulations, other countries including Malaysia and Thailand with similar PDPA requirements will quickly follow suit.

The Best Defense: Static and Dynamic App Protection

In the banking industry and beyond, application shielding can protect your mobile apps against tampering and misuse that could result in unauthorized access, malicious code injections, credential theft, app cloning, and more. In addition, as more and more countries introduce regulations similar to Turkey’s and Singapore’s, global organizations will need to be prepared for compliance reasons.

To be defended against a full spectrum of attacks, organizations should look for a solution that combines both static and dynamic app protection. Static protection makes it significantly harder for attackers to recover sensitive parts of the application (such as embedded API keys or credentials) and protects code and data at rest. Dynamic protection defends apps against analysis at runtime and against live attacks. Code hardening techniques such as code obfuscation and encryption, together with RASP, can help organizations remain both protected and compliant with the latest regulations.
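The "application integrity check" that both the Turkish draft and the Singapore list call for is, at its simplest, the app verifying at runtime that it is still the build its publisher signed. The following Android class is an added illustration written for this page; it is not code from Guardsquare, Zimperium or either regulator. The class name, the method names and the pinned hash are assumptions: the `EXPECTED_CERT_SHA256_B64` value is a placeholder that a real build would replace with the SHA-256 of its release signing certificate (for example as printed by `apksigner verify --print-certs`).

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Build;
import android.util.Base64;

import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/**
 * Runtime self-integrity check for an Android app (example code, not a vendor SDK):
 * verifies that the APK this process was loaded from is signed by the expected
 * release certificate. A repackaged or re-signed clone carries a different signer
 * and therefore fails the check.
 */
public final class SigningCertCheck {

    // Placeholder (assumption for this example): base64 of the SHA-256 digest of the
    // DER-encoded release signing certificate. 32 zero bytes here; replace with the
    // real value at build time. With Play App Signing, pin the certificate Google
    // distributes the app with, not the upload key.
    private static final String EXPECTED_CERT_SHA256_B64 =
            "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";

    private SigningCertCheck() {}

    /** Returns true only if every signer of the running APK matches the pinned certificate. */
    public static boolean isSignedByExpectedCert(Context ctx) {
        Signature[] signers = currentSigners(ctx);
        if (signers == null || signers.length == 0) {
            return false; // cannot read the signers: treat the build as untrusted
        }
        byte[] expected = Base64.decode(EXPECTED_CERT_SHA256_B64, Base64.DEFAULT);
        for (Signature s : signers) {
            byte[] actual = sha256(s.toByteArray()); // Signature bytes are the DER certificate
            // MessageDigest.isEqual is a constant-time comparison
            if (actual == null || !MessageDigest.isEqual(expected, actual)) {
                return false; // unknown signer: tampered or re-signed build
            }
        }
        return true;
    }

    /** Reads the current APK signers, using the API 28+ SigningInfo where available. */
    @SuppressWarnings("deprecation")
    private static Signature[] currentSigners(Context ctx) {
        PackageManager pm = ctx.getPackageManager();
        String pkg = ctx.getPackageName();
        try {
            if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
                PackageInfo info = pm.getPackageInfo(pkg, PackageManager.GET_SIGNING_CERTIFICATES);
                return info.signingInfo == null ? null : info.signingInfo.getApkContentsSigners();
            }
            PackageInfo info = pm.getPackageInfo(pkg, PackageManager.GET_SIGNATURES);
            return info.signatures;
        } catch (PackageManager.NameNotFoundException e) {
            return null;
        }
    }

    private static byte[] sha256(byte[] data) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(data);
        } catch (NoSuchAlgorithmException e) {
            return null; // SHA-256 is mandatory on Android; not reachable in practice
        }
    }
}
```

Call `SigningCertCheck.isSignedByExpectedCert(getApplicationContext())` early, for instance from `Application.onCreate()`, and treat a `false` result as a tamper event (refuse to proceed, or report it to the backend). Two caveats a practitioner should keep in mind: a single check like this, left in readable bytecode, is easy for an attacker to locate and patch out or to hook with an instrumentation framework, which is exactly why the static and dynamic layers described above matter (obfuscating the check, duplicating it, and pairing it with hooking and debugger detection); and on devices running Android 9 and later, `getApkContentsSigners()` reports the certificate the installed APK is actually signed with, so the pinned value must be the distribution certificate, not a debug or upload key.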

Even with these emerging international regulations, surprising new research from Guardsquare recently confirmed that just under half of the top global banking apps obfuscate their code. Ideally, new compliance requirements will drive an industry-wide change, or at least raise awareness so that more organizations embrace proactive application shielding.

Want to learn more about how mobile financial apps fall short of security practices? Download the Guardsquare banking app security report below:

The App Security Gap: How Mobile Financial Applications Are Failing to Secure Code [Free Report]

CEOs from several major American banks testified before the U.S. House Financial Services Committee in April of 2019, noting that they view cybersecurity as the largest risk to the financial system currently. It may be this reality that leads a relatively low percentage of U.S. consumers (about 30%) to actually use mobile banking applications. 

In fact, 40% of US consumers who don’t use mobile payments cite security concerns as a major reason for this choice. Older consumers in particular are less likely to adopt mobile banking solutions due to security and privacy concerns arising in part out of an epidemic of dire headlines related to banking, credit card, and other financial organizations’ data breaches.

It’s also the case that, while consumers may feel some trepidation regarding mobile banking, many are still open to the usage of smartphones and other mobile devices for payment purposes. 

A full 89% of U.S. customers say they steer clear of mobile payments. In comparison, 92% of European millennials plan to be using mobile payments by 2020, and mobile payments in the UK in particular are growing rapidly. That said, security and privacy concerns are still a major factor, with about half of European customers citing them as a barrier to entry for mobile payments.

Financial mobile app growth is on an impressive trajectory. That said, consumers around the world need reassurance that security and privacy concerns are being taken seriously by app developers. 

Despite Consumer Wariness, Most Financial Apps Fall Behind with Security

Both financial institutions and consumers appear to be aware of potential risks, and their concerns clearly have merit. However, most financial institutions who offer mobile financial applications are not taking adequate security precautions. 

It's worth taking a look at the OWASP Mobile Top 10, the ten most significant security risks for mobile applications as defined by OWASP. Code tampering and reverse engineering appear on this list as M8 and M9 respectively.

Yet the majority of applications on the market today do not currently use any form of application shielding, which is a critical form of security that protects against these two common security risks. Eschewing application shielding is especially risky in heavily regulated and high-scrutiny markets like financial services, where reverse engineering opens apps up to data theft, fraudulent app versions, and more. 

Consumers indicate they are willing to share sensitive personal data with banks and other financial institutions in exchange for valuable products and services, but 75% of consumers state that they are very cautious about doing so. In other words, financial institutions are already on thin ice with consumer trust and cannot afford to jeopardize it with insufficient security and privacy measures.

According to research conducted by Gartner, by 2020 an estimated 30% of enterprises plan to use application shielding to protect at least one of their mobile, IoT, or JavaScript applications. That number is just 5% today. The rate of change is expected to be high, with a prediction of more than 50% of enterprises using application shielding by 2021. Even so, this will still leave a large share of mobile apps open to reverse engineering and other common attacks that can lead to data leakage and theft. Particularly when it comes to sensitive financial data, this is a concerning trend.

The Research

Recently, at Guardsquare, we conducted research into the nature and level of application shielding in use by more than 3,000 of the world’s leading financial services apps on the Android marketplace. We discovered that a paltry number of these apps are using proper mobile application security to prevent reverse engineering, fraudulent app clones, sensitive data loss, IP theft, and other potential negative outcomes.

Let’s take a look at what our data uncovered and what players in the financial services industry—and beyond—can learn from it about how to better protect their mobile applications.

Guardsquare Announces Departure of Co-founder Heidi Rakels

LEUVEN, Belgium — December 10, 2019 — Guardsquare, the leading mobile application security platform, today announced the departure of co-founder Heidi Rakels. Rakels has been instrumental in guiding the company's strategy and growth since its launch in 2014.

Roel Caers, CEO of Guardsquare, stated: "On behalf of Guardsquare and the Board of Directors, I would like to thank Heidi for her leadership and numerous contributions to the company over the past five years. It has been a pleasure to work with Heidi and gain from her industry knowledge and software expertise and I wish her the best for the future."

“These have been some of the best and most rewarding years of my career. I am very proud of what we accomplished together and I have complete confidence that Guardsquare is tremendously well positioned for the future.” said Rakels.

Heidi Rakels has earned numerous accolades for her accomplishments at Guardsquare, both personal and professional, including winning the ICT Women of the Year award in 2019, the EY Scale-up of the year 2019 and the Deloitte Technology Fast50 Belgium in 2018.

About Guardsquare

Guardsquare is the global leader in mobile application protection. More than 600 customers worldwide across all major industries rely on Guardsquare to secure their mobile applications against reverse engineering and hacking. Built on the open source ProGuard technology, Guardsquare software integrates transparently in the development process and adds multiple layers of protection to Android (DexGuard) and iOS (iXGuard) applications, hardening them against both on-device and off-device attacks. Guardsquare is based in Leuven (Belgium) with offices in Boston, MA and San Francisco, CA. 

Contact
Erica Sheehan
VP of Marketing, Guardsquare
erica.sheehan@guardsquare.com

Heather Fitzsimmons
Mindshare PR for Guardsquare
heather@mindsharepr.com
