Weaknesses in Today’s Financial Mobile Apps

Defending Against Mobile Banking Malware

  • Fake or tampered apps are a serious security threat. Consumers who download apps with false branding may expose sensitive financial information. App developers must therefore hinder reverse engineering through code-level obfuscation and tamper-resistant software protection: the harder the code is to reverse engineer, the harder it is for attackers to find vulnerabilities in it.
  • Obfuscation is a key anti-reverse-engineering technique. Its goal is to remove as much of the structure a reverse engineer would recognize as possible, making the code as confusing as possible while leaving its functionality unchanged.
  • Control flow obfuscation modifies the basic structure of how subroutines are called. For example, calls to subroutines can be replaced with computed jumps, and functions can be inlined.
  • Control flow flattening is another important technique. Routines are not called directly from other routines; instead, a central dispatcher decides which block of code runs next, as illustrated below:
  • While data can be protected with cryptography, this only shifts the problem from protecting the data directly to protecting the cryptographic keys. Cryptographic keys are not only used to protect data; they can also be used to create a secure identity for the device. A device may need such a key to authenticate to a cloud service. If an attacker obtained this secret, they might be able to masquerade as that device or as its owner. Cryptographic keys are also used to establish secure communications. For example, HTTPS is a familiar protocol that uses SSL/TLS to secure communication with a website. If an attacker obtained these keys, they could snoop on or alter supposedly secure communications. Many mobile banking apps lack an adequate SSL/TLS implementation or proper certificate validation. Use the two digital security protocols, SSL (Secure Sockets Layer) and TLS (Transport Layer Security), to verify server authenticity and to establish encrypted links.
  • When an app is distributed to millions of devices and mobile banking users, there is no guarantee that those devices are safe environments, even when they run security software. This is especially true given the trend toward jailbroken devices. Jailbreaking lets an attacker alter or replace system applications and settings, run specialized applications that require administrator permissions, and perform other operations that are otherwise inaccessible to a normal user. Rooting is the process by which users of Android devices attain privileged control of the operating system, with the goal of overcoming limitations that carriers and hardware manufacturers put on the devices. Since users of rooted Android devices have almost complete control over the device and the data it stores, a successful rooting of Android is a security risk to applications that deal with sensitive data or enforce certain usage restrictions.
  • The Evolving Computing Landscape
  • What Are Hackers Trying to Achieve?
  • How Hackers Work
  • Why Can’t We Just Get Rid of Vulnerabilities?
  • Reverse/Anti-Reverse Engineering
  • Tampering/Anti-Tampering
  • whiteCryption Code Protection
  • Select Use Cases
  • And much more…
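To make the control flow obfuscation and flattening points above concrete, here is an added Python example (it is not code from the original article or from whiteCryption). A small, constructed PIN check is written once in plain form and once with flattened control flow: every basic block becomes a handler in a dispatcher loop driven by an integer state, and the "jump" to the next block is a table lookup rather than a direct call site. The function names, block IDs and checksum rule are all constructed for the demo; the point is that the two versions are observably identical in behaviour while the flattened one hides the original block graph.

```python
"""
Control flow flattening demo (added example, not from the original article).

check_pin_plain is a readable reference implementation of a toy PIN check:
the PIN must be 4 digits and a weighted checksum must equal 3 (mod 7).
check_pin_flattened computes the same result, but each basic block has
become a case of a dispatcher loop, and the next block is chosen through a
computed table rather than ordinary if/else and loop structure.
Everything here (names, block IDs, checksum rule) is constructed for the demo.
"""


def check_pin_plain(pin: str) -> bool:
    """Reference version: obvious structure, easy to read in a decompiler."""
    if len(pin) != 4 or not pin.isdigit():
        return False
    total = 0
    for i, ch in enumerate(pin):
        total += (i + 1) * int(ch)
    return total % 7 == 3


def check_pin_flattened(pin: str) -> bool:
    """Same logic with flattened control flow.

    The natural block graph (length check -> loop header -> loop body ->
    checksum test) is replaced by one while loop whose next block is
    selected by an integer state. Block IDs are deliberately non-sequential
    so the table order reveals nothing about execution order.
    """
    # Each block handler mutates the shared environment and returns the
    # ID of the next block; None means "finished".
    def blk_entry(env):
        ok = len(env["pin"]) == 4 and env["pin"].isdigit()
        return 0x2F if ok else 0x71

    def blk_loop_head(env):
        # Loop condition: keep iterating while index < 4
        return 0x13 if env["i"] < 4 else 0x58

    def blk_loop_body(env):
        env["total"] += (env["i"] + 1) * int(env["pin"][env["i"]])
        env["i"] += 1
        return 0x2F

    def blk_check(env):
        env["result"] = env["total"] % 7 == 3
        return None

    def blk_fail(env):
        env["result"] = False
        return None

    # Computed dispatch table: the transfer to the next block is a table
    # lookup, never a direct call that a disassembler could label.
    dispatch = {
        0x0A: blk_entry,
        0x2F: blk_loop_head,
        0x13: blk_loop_body,
        0x58: blk_check,
        0x71: blk_fail,
    }
    env = {"pin": pin, "i": 0, "total": 0, "result": False}
    state = 0x0A
    while state is not None:
        state = dispatch[state](env)
    return env["result"]


def flattening_preserves_semantics(samples=None) -> bool:
    """Cross-check both implementations on a spread of valid and invalid inputs."""
    if samples is None:
        samples = [f"{n:04d}" for n in range(0, 10000, 37)]
        samples += ["12a4", "123", "12345", ""]
    return all(check_pin_plain(s) == check_pin_flattened(s) for s in samples)


if __name__ == "__main__":
    print("semantics preserved:", flattening_preserves_semantics())
```

A real obfuscator applies this transform at the compiler's intermediate-representation level across whole functions and combines it with opaque predicates and junk blocks; the equivalence check at the end is the kind of regression test worth keeping in CI so that protection settings can be changed without silently breaking app logic.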
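The point about inadequate SSL/TLS implementation and certificate validation is easiest to see as configuration. The following is an added Python example using only the standard library (it is not from the original article or from any vendor SDK): a weak client context of the kind that "fixes" certificate errors, the hardened context beside it, a policy check that a unit test can run over every context the app builds, and, going one step beyond the article, leaf-certificate pinning on top of normal chain validation. The fingerprint, host name and byte string used as a sample "certificate" are constructed placeholders, not real values.

```python
"""
Weak vs. hardened TLS client configuration, plus certificate pinning.
Added example (not from the article); Python standard library only.
"""
import hashlib
import socket
import ssl


def weak_context() -> ssl.SSLContext:
    """The configuration behind many 'certificate error' workarounds:
    hostname checking off and no peer verification, so any certificate,
    including one minted by an interception proxy, is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Verified chain, hostname match against the certificate, TLS 1.2+."""
    ctx = ssl.create_default_context()  # loads the platform CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Both are already the defaults for create_default_context(); asserting
    # them guards against a later refactor quietly relaxing the policy.
    assert ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED
    return ctx


def context_is_safe(ctx: ssl.SSLContext) -> bool:
    """Policy check: hostname verified, chain required, no legacy TLS."""
    return bool(
        ctx.check_hostname
        and ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    )


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER-encoded leaf certificate, lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, pins: set) -> bool:
    """True if the presented leaf certificate is one the app ships a pin for."""
    return cert_fingerprint(der_cert) in pins


def connect_pinned(host: str, port: int, pins: set, timeout: float = 5.0) -> ssl.SSLSocket:
    """Open a fully verified TLS connection and additionally require the
    server's leaf certificate to match a shipped pin. Needs network access,
    so it is not exercised by the offline checks below."""
    ctx = hardened_context()
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    der = tls.getpeercert(binary_form=True)
    if der is None or not pin_matches(der, pins):
        tls.close()
        raise ssl.SSLError(f"certificate for {host} matches no pinned fingerprint")
    return tls


# Constructed sample: this is NOT a real certificate, just bytes that stand
# in for the DER blob getpeercert(binary_form=True) would return.
SAMPLE_DER = b"constructed-placeholder-not-a-real-certificate"
PINNED = {cert_fingerprint(SAMPLE_DER)}


if __name__ == "__main__":
    print("weak context safe?    ", context_is_safe(weak_context()))
    print("hardened context safe?", context_is_safe(hardened_context()))
    print("sample pin matches?   ", pin_matches(SAMPLE_DER, PINNED))
```

Pinning the whole leaf certificate, as here, means the pin set must be updated whenever the certificate is reissued; pinning the Subject Public Key Info hash instead survives reissuance with the same key but needs ASN.1 parsing, which is why it is left out of this standard-library example. Either way, pins are a second check layered on top of chain and hostname validation, never a replacement for it.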

Senior Product Evangelist in data and security. All things #startups #mobile, #data #security and #IoT. Snowboarder, book worm.

Beth Kindig