Weaknesses in Today’s Financial Mobile Apps
The success of the smartphone and the ease of use it brings have led consumers to perform a variety of financial transactions on mobile devices, such as mobile banking, remote deposits, and mobile commerce. In fact, the mobile payment market worldwide is expected to grow at a compound annual growth rate of 20.5% between 2016 and 2024. North America and Asia Pacific are the leading regional markets due to early adoption of newer technology. The North America market will be worth an estimated $321 billion by 2024 and the Asia Pacific market $753 billion by 2024 [1]. Another report predicts that, in the United States, mobile wallets will surpass the use of both credit and debit cards by 2020 [2].
Although the popularity of mobile technologies has greatly simplified day-to-day financial operations for the end user, it has created real headaches for the companies developing the apps and running the back ends behind them. The cost of dealing with cybercrime incidents has reached the point where it is now a major threat to the corporate bottom line. For instance, a study released in 2017 found that the average annual cost of cybercrime for companies and institutions providing financial services was over $18 million [3]. Financial services has the highest annualized cost of cybercrime of any industry in the study, compared with $14 million for aerospace and defense, $13 million for technology and software, and $12 million for health care. This is only logical: as with any crime, cybercriminals attack the most lucrative targets, the ones with the highest payoff. Given the potential financial losses from software-based attacks on financial institutions, it is imperative that companies take concrete steps to secure their mobile apps, whether outward or inward facing.
In addition to the demand for these services, there is an overwhelming awareness and concern around security and fraud. Among non-mobile banking users, more than 57 percent say mobile banking is unsafe, and an additional 18 percent state they don’t know if mobile banking is safe or not. In another study by Deloitte, of the respondents who do not use a mobile device for financial services, 61 percent cited security issues as the prime reason.
Security researchers from the University of Birmingham, UK, developed a tool called "Spinner" to perform semi-automated testing of mobile apps [3]. The tool revealed a serious flaw in several high-profile banking apps. The apps used certificate pinning, a technique intended to improve security, but pinned to the issuing certificate authority rather than to the bank's own certificate, and then failed to verify that the hostname in the presented certificate matched the server the app was connecting to. Standard penetration-testing tools could not detect this, because their interception proxies present certificates from a different CA, which the pin correctly rejects; the missing hostname check therefore went unnoticed. An attacker holding any valid certificate issued by the same CA, for any domain, could mount a man-in-the-middle attack and potentially retrieve usernames, passwords, and PINs.
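To make the missing check concrete, the following C program is an added example, not code from the original post or from the Spinner tool. It models a leaf certificate as a constructed struct (issuer name plus dNSName subjectAltName entries) instead of real X.509 data, and the pinned CA is a constructed name. `accept_pin_only` reproduces the flawed logic (pin to the CA, ignore the hostname); `accept_pin_and_host` adds an RFC 6125-style hostname match, including the wildcard rules that a hand-rolled check usually gets wrong. In a real app the pin compares a certificate or public-key hash and the hostname match is done by the TLS library; the point is that both checks must be present.

```c
/* Added example: why certificate pinning without hostname verification
 * still allows a man-in-the-middle. Certificates and CA names below are
 * constructed stand-ins, not real X.509 data. */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_SANS 4

/* Constructed stand-in for a parsed leaf certificate. */
struct cert {
    const char *issuer;          /* issuing CA's distinguished name */
    const char *san[MAX_SANS];   /* dNSName subjectAltName entries, NULL-terminated */
};

/* Case-insensitive string equality (DNS names are case-insensitive). */
static bool ieq(const char *a, const char *b) {
    while (*a && *b) {
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return false;
        a++; b++;
    }
    return *a == *b;   /* both strings ended together */
}

/* RFC 6125-style match of a presented name against the intended host.
 * A '*' is accepted only as the entire left-most label ("*.bank.example"),
 * it matches exactly one label, and it may not stand for a public suffix
 * such as "*.com". Partial wildcards ("ba*.example") are rejected. */
bool match_hostname(const char *pattern, const char *host) {
    if (strchr(pattern, '*') == NULL)
        return ieq(pattern, host);                       /* no wildcard: exact match */
    if (pattern[0] != '*' || pattern[1] != '.' || strchr(pattern + 1, '*') != NULL)
        return false;                                    /* wildcard not a whole left-most label */
    const char *suffix = pattern + 1;                    /* ".bank.example" */
    if (strchr(suffix + 1, '.') == NULL)
        return false;                                    /* "*.com" is too broad */
    const char *hdot = strchr(host, '.');
    if (hdot == NULL || hdot == host)
        return false;                                    /* host needs a non-empty first label */
    return ieq(suffix, hdot);                            /* '*' consumed exactly one label */
}

/* The flawed check: the chain is pinned to the CA, but the leaf's name is
 * never compared with the host the app meant to reach, so ANY certificate
 * issued by that CA (for any domain) is accepted. */
bool accept_pin_only(const struct cert *leaf, const char *pinned_ca, const char *host) {
    (void)host;   /* hostname deliberately ignored: this is the vulnerability */
    return strcmp(leaf->issuer, pinned_ca) == 0;
}

/* Hardened check: the pin AND a hostname match against every dNSName SAN. */
bool accept_pin_and_host(const struct cert *leaf, const char *pinned_ca, const char *host) {
    if (strcmp(leaf->issuer, pinned_ca) != 0) return false;
    for (int i = 0; i < MAX_SANS && leaf->san[i] != NULL; i++)
        if (match_hostname(leaf->san[i], host)) return true;
    return false;
}

/* Constructed sample data (hypothetical names, not real certificates). */
static const char *PINNED_CA = "CN=Example Bank Issuing CA";
static const struct cert BANK_LEAF =
    { "CN=Example Bank Issuing CA", { "api.examplebank.test", "*.examplebank.test", NULL } };
/* Legitimately issued by the same CA, but to an attacker for a different name. */
static const struct cert ATTACKER_LEAF =
    { "CN=Example Bank Issuing CA", { "attacker.test", NULL } };
/* Right name, but from a CA the app does not pin. */
static const struct cert OTHER_CA_LEAF =
    { "CN=Some Public CA", { "api.examplebank.test", NULL } };

int main(void) {
    const char *host = "api.examplebank.test";
    printf("pin only, attacker cert: %s\n",
           accept_pin_only(&ATTACKER_LEAF, PINNED_CA, host) ? "ACCEPTED (MITM possible)" : "rejected");
    printf("pin+host, attacker cert: %s\n",
           accept_pin_and_host(&ATTACKER_LEAF, PINNED_CA, host) ? "accepted" : "rejected");
    printf("pin+host, bank cert:     %s\n",
           accept_pin_and_host(&BANK_LEAF, PINNED_CA, host) ? "accepted" : "rejected");
    return 0;
}
```

Run against an interception proxy that uses its own CA, both checks reject the proxy's certificate, which is exactly why a conventional test does not distinguish them; the attacker certificate from the pinned CA is what separates the two.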
In another research study involving 30,000 mobile devices with one or more banking apps installed, malicious mobile-banking software threatened up to 10 percent of mobile banking customers [4]. Some of the malware consists of bots that aim to take over customer bank accounts, and this type of malware has grown more than 50 percent since 2017. The bogus logins are convincing enough that 36 percent of worldwide respondents were fooled by the fake log-in screens.
Defending Against Mobile Banking Malware
- Fake apps or hacked apps are an ever-present security threat. Consumers who download apps with false branding may expose sensitive financial information. Therefore, app developers must impede reverse engineering through code-level obfuscation and tamper-resistant software protection. By making code difficult to reverse engineer, hackers will have a harder time finding vulnerabilities.
- Obfuscation is one of the key anti-reverse-engineering techniques. Its goal is to remove as much as possible of the structure that would be familiar to a reverse engineer and to make the code as confusing as possible, while keeping its functionality the same.
- Control flow obfuscation modifies the basic structure of how subroutines are called. For example, calls to subroutines could be replaced with computed jumps and functions can be inlined.
- Control flow flattening is another important technique: routines are not called directly from other routines; instead, a central dispatcher selects which routine or block runs next based on a state variable, as illustrated below:
- While data can be protected with cryptography, this only shifts the problem from protecting the data directly to protecting the cryptographic keys. Cryptographic keys are not only used to protect data; they can also be used to create a secure identity for the device. A device may need such a key to authenticate to a cloud service, and if a hacker were able to obtain this secret, they might be able to masquerade as that device or as its owner. Cryptographic keys are also used to establish secure communications. For example, HTTPS is a familiar protocol that uses TLS (historically SSL) to secure communication to a website; if a hacker were able to obtain these keys, they could snoop on or alter supposedly secure communications. Many mobile banking apps lack an adequate TLS implementation or proper certificate validation. Use TLS (Transport Layer Security), the successor to the now-deprecated SSL (Secure Sockets Layer), with full certificate validation, including hostname verification, to ensure server authenticity and to establish an encrypted link.
- When an app is distributed to millions of devices and mobile banking users, there is no guarantee that those devices are safe environments, even when running security software. This is especially true with the trend toward jailbroken devices. Jailbreaking permits a hacker to alter or replace system applications and settings, run specialized applications that require administrator permissions, and perform other operations that are otherwise inaccessible to a normal user. Rooting is the process that lets users of Android devices attain privileged control of the operating system, with the goal of overcoming the limitations that carriers and hardware manufacturers put on the devices. Since users of rooted Android devices have almost complete control over the device and the data it stores, a successful rooting of Android is a security risk to applications that deal with sensitive data or enforce usage restrictions, which is why such protections must be built into the app itself rather than relying on the platform alone.
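The control flow flattening described in the list above, shown here as an added example in C rather than code from the original post or from any commercial obfuscator. `luhn_valid` is a card-number check digit (Luhn) validation in its natural form; `luhn_valid_flat` computes the same result, but every basic block has been turned into a case of a `switch` inside a dispatcher loop, so the only visible control structure is "set state, go back to the dispatcher". The flattening here is applied at the basic-block level, which is what production obfuscators do; the state identifiers are hand-picked constants for readability, whereas a real tool generates them per build and typically hides the transitions behind opaque predicates.

```c
/* Added example: a routine in its natural form and the same routine with
 * its control flow flattened through a dispatcher. Hand-written to make
 * the transformation visible; a real obfuscator generates this automatically. */
#include <stdio.h>
#include <string.h>

/* Natural form: Luhn check-digit validation of a digit string. Returns 1 if
 * valid, 0 if invalid, empty, or containing a non-digit. */
int luhn_valid(const char *num) {
    size_t len = strlen(num);
    if (len == 0) return 0;
    int sum = 0, alt = 0;
    for (size_t i = len; i > 0; i--) {          /* walk right to left */
        int d = num[i - 1] - '0';
        if (d < 0 || d > 9) return 0;
        if (alt) { d *= 2; if (d > 9) d -= 9; } /* double every second digit */
        sum += d;
        alt = !alt;
    }
    return sum % 10 == 0;
}

/* Flattened form: identical behaviour, but the loop, the branches and the
 * early returns are gone. Each basic block is a case; the block ends by
 * choosing the next state and falling back into the dispatcher. The state
 * values are arbitrary (non-sequential on purpose) so that the original
 * order of blocks cannot be read off the constants. */
int luhn_valid_flat(const char *num) {
    enum { S_INIT = 7, S_NEXT = 3, S_DIGIT = 11, S_DOUBLE = 5,
           S_ACC = 2, S_DONE = 9, S_BAD = 4 };
    int state = S_INIT, sum = 0, alt = 0, d = 0;
    size_t i = 0;
    for (;;) {                                   /* the dispatcher */
        switch (state) {
        case S_INIT:                             /* prologue */
            i = strlen(num); sum = 0; alt = 0;
            state = (i == 0) ? S_BAD : S_NEXT;
            break;
        case S_NEXT:                             /* loop condition */
            state = (i == 0) ? S_DONE : S_DIGIT;
            break;
        case S_DIGIT:                            /* fetch and validate a digit */
            d = num[--i] - '0';
            state = (d < 0 || d > 9) ? S_BAD : (alt ? S_DOUBLE : S_ACC);
            break;
        case S_DOUBLE:                           /* every second digit doubled */
            d *= 2; if (d > 9) d -= 9;
            state = S_ACC;
            break;
        case S_ACC:                              /* accumulate, flip parity */
            sum += d; alt = !alt;
            state = S_NEXT;
            break;
        case S_DONE:                             /* epilogue: valid check digit */
            return sum % 10 == 0;
        case S_BAD:                              /* epilogue: reject */
            return 0;
        }
    }
}

/* Returns 1 when both forms agree on the given input. */
int forms_agree(const char *num) {
    return luhn_valid(num) == luhn_valid_flat(num);
}

int main(void) {
    /* Constructed inputs: a textbook Luhn-valid number, a corrupted copy,
     * a common payment test number, a non-digit string, and an empty string. */
    const char *samples[] = { "79927398713", "79927398710", "4111111111111111", "12a4", "" };
    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++)
        printf("%-18s natural=%d flat=%d agree=%d\n", samples[k],
               luhn_valid(samples[k]), luhn_valid_flat(samples[k]), forms_agree(samples[k]));
    return 0;
}
```

Compile both functions with optimisation and compare the disassembly: the natural form shows a recognisable loop with a conditional inside it, while the flattened form shows one jump table and a cluster of blocks that all return to the same point, which is what a reverse engineer sees before they can begin recovering the algorithm.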
While mobile payments will continue to evolve and become competitive advantages for financial institutions, the methods that hackers use are evolving even faster. Consumers want to trust mobile transactions, therefore, it is imperative that financial institutions take the necessary steps to protect their apps by making them harder to attack.
Originally published at www.intertrust.com on June 5, 2018.