We are constantly reminded by news stories how complex it can be to secure mobile banking and payments apps. A recent study has found that 11% of Android banking apps are suspicious, which is enough to frighten many banking app service providers and their end-users.
Should suspicious apps turn malicious, they can attempt to collect customer credentials, initiate communication with a bank's back-end servers, modify the behaviour of the payment/banking app or reroute the legitimate app to a rogue web server. Yet, as an app provider, you cannot control which other apps a user downloads to their device or what permissions those apps have been granted.
So what can banks and app providers do to protect their apps?
The best defence is a layered approach, implementing different techniques within each layer. Here are some of the key steps you can take to strengthen app security using currently available technology.
Step 1: Bring your app out of the attacker's comfort zone.
Deter attacks by making it difficult for attackers to understand the app workflows. This can be achieved through:
- Implementing reverse engineering resistance using anti-debugging capabilities and data obfuscation, which is the process of hiding original data with random characters.
- Ensuring apps can't run on smartphone emulators by using strong device binding/fingerprinting which is resistant to spoofing.
- Creating your own security libraries, which avoids being exposed to standard OS vulnerabilities that are often easily available and promoted within the public domain.
Step 2: Protect your data and secure your communication channels.
To safeguard your app data, avoid relying only on standard Android or iOS mobile software development kits (SDK) and use alternative proprietary secure storage based on data obfuscation. When a Secure Element is not available, the security library should store the most sensitive data, e.g. encryption keys, in non-obvious locations and enable the location to be changed regularly.
To protect communications, use 'certificate pinning'. With pinning, the app checks the server's certificate against trusted validation data to confirm the source is safe. That validation data is a copy of the certificate 'bundled with the app', which provides stronger authentication on future connections. Additional protocols can also be used to improve resistance against man-in-the-middle attacks.
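The pin check described above, as an added example that is not from the original article. Python stands in for the app's networking layer, and the names `check_pin` and `connect_pinned`, the second (rotation) pin and the byte strings standing in for bundled certificates are assumptions made for illustration.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed stand-ins for DER-encoded certificates (not real certificates);
# in an app these would be the certificate copies shipped inside the package.
BUNDLED_CERT_CURRENT = b"constructed-der-bytes-current-server-cert"
BUNDLED_CERT_NEXT = b"constructed-der-bytes-next-server-cert"


def fingerprint(der_cert: bytes) -> bytes:
    """SHA-256 over the full DER encoding of a certificate."""
    return hashlib.sha256(der_cert).digest()


# Pin set built from the bundled copies. Carrying the next certificate as well
# (an assumption of this example) lets the server rotate certificates without
# locking out app versions that are already installed.
PINS = frozenset({fingerprint(BUNDLED_CERT_CURRENT), fingerprint(BUNDLED_CERT_NEXT)})


class PinMismatch(Exception):
    """Raised when the presented certificate matches no bundled pin."""


def check_pin(presented_der: bytes, pins=PINS) -> bool:
    """True only if the presented certificate matches a bundled pin."""
    if not presented_der or not pins:
        return False  # fail closed on a missing certificate or empty pin set
    got = fingerprint(presented_der)
    # Constant-time comparison against every pin in the set.
    return any([hmac.compare_digest(got, pin) for pin in pins])


def connect_pinned(host: str, port: int = 443, pins=PINS) -> ssl.SSLSocket:
    """Open a TLS connection that passes normal validation AND the pin check."""
    ctx = ssl.create_default_context()  # chain and hostname checks stay enabled
    sock = ctx.wrap_socket(socket.create_connection((host, port), timeout=10),
                           server_hostname=host)
    if not check_pin(sock.getpeercert(binary_form=True), pins):
        sock.close()  # no application data is sent on a mismatch
        raise PinMismatch(f"certificate for {host} matches no bundled pin")
    return sock
```

The pin check runs after the handshake and before any request is written, so a mismatch closes the connection without exposing credentials or session data.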
Step 3: Enable your app to fight back.
Use anti-malware and sentinels built into the app to enable attack detection and defensive reaction. This method can be used as a two-line defence, where the app can either react immediately or harvest data about the attack before enforcing its defences at a seemingly random point.
Combining a number of protection measures, as outlined above, places a significant up-front investment barrier to fraudsters. This leaves them with little chance of success and ultimately persuades them to search elsewhere.