5 min read

Plugging the Security Gaps in Mobile Banking Apps

Dawn M. Turner (guest) : 25. February 2021

Mobile App Security MASC RASP
Plugging the Security Gaps in Mobile Banking Apps

An investigation conducted by "Which?", a consumer watchdog group based in the UK, found serious vulnerabilities in the security of banking security systems, including mobile banking apps. The investigation was a cooperative effort between Which? and independent security experts 6point6. It scrutinized the deficiencies in banking systems that could allow scammers and cybercriminals unauthorized or unwittingly access to customers’ funds and accounts. This article suggests solutions for a comprehensive and dynamic protection for banking apps.

Top security issues found in mobile banking apps

While most large banks have implemented secure mobile banking safety measures, some have not fully stepped up. Some of the top security issues found in mobile banking apps include:

  • Failing to block users from logging into banking websites from two different computer networks (e.g. two different wi-fi networks or a wi-fi network and cellular network at the same time).
  • Failing to log out users when they switch to other apps or use forward/back buttons to leave their banking session and return to it.
  • Not meeting the latest regulations for strong customer authentication (SCA) during login processes to prevent unauthorized access to users’ accounts.
  • Not implemented at a minimum, two-factor authentication for both mobile and internet banking users.
  • Failures in authentication checks that allow users to bypass these checks upon login if they designate their device as “trusted.”
  • Not implementing limited functionality protocols that prevent users from changing sensitive information via mobile apps.
  • Making it too easy for a user to recover their account number via their app by requiring only basic details to authenticate the user’s identity, such as basic pre-set security questions for forgotten passwords.
  • Failing to alert users when passwords are changed.
  • Failing to allow users to use special characters in their passwords.
  • Not providing sufficient code obfuscation that could allow hackers to steal sensitive information or identify weaknesses within the app.
  • Failing to perform root and emulator detection that can expose banking apps to security weaknesses.

Digital transformation, is it good or bad for banks security-wise?

Using cutting-edge technologies, the rise of mobile banking apps has helped fuel the trend of the banking industry’s digital transformation. A recent digital banking report from Business Insider concluded that 89% of users surveyed use mobile banking, while 70% use it as their primary means to access their banking accounts.

Both banks and their customers are benefitting from the digital transformation trend. Much of the distrust toward mobile banking has dissipated thanks to better user experiences and, of course, improved security strategies and tools. Unlike other industries, the development of mobile banking apps requires adhering to stringent security regulations and processes.

Securing data with mobile banking apps is often a complex issue because of three major factors:

  1. Internal business processes
  2. Software security measures
  3. User behavior

Often, when there is a failure in one factor, the other two cannot effectively compensate. This is where the likelihood of a security breach is further increased. However, with well-rounded and robust security controls that encompass all three factors, these breaches can be avoided.

Keeping cybercriminals at bay through banking-grade app security controls

Despite the fact that users should never share their usernames and passwords, we do not advocate client “education” as a significant security mechanism. This will never bring sufficiently secure protection. Apps will only remain secure if the procedures and technologies are highly failsafe and even protected against involuntary faulty operations by the client.  

Logging into public wi-fi hotspots when using their banking apps will always be a typical scenario, even though such networks are not secure. The always-on millennials will not wait until they go home to connect to their secured wi-fi. Accustomed to logging into local speedy WIFIs, they will not use the app exclusively while connected to their cellular network to protect their personal information. They will not compromise on user experience. The app should neither.

Secure distribution and secure enrollment

Channeling customer activities helps reduce some of the security risks related to mobile banking. Featuring the app’s link to the app stores on their website helps banks direct their customers to their official app instead of a counterfeit one. Secure enrollment is a second “must”, no matter from where the customer signs up. The App, Infrastructure and Backend shall allow for this. Continuous checks for APP Integrity from the Bank’s backend and a monitoring of device health will add an additional supervision layer. 

Secure communication

The communication between the app and the back-end server must be secure to protect the data being sent and to ensure the app only communicates with the intended system. Securing the communication can involve several mechanisms, including protection for access tokens and cookies, encrypted transport protection (HTTPS) and HTTPS tunneling and additional mechanisms to authenticate both the mobile device and the back-end system.

Secure authentication

Secure communication begins with the authentication. Using multi-factor authentication adds security over two-factor authentication adding features like biometric protection, secrets and certificate pinning. The latter will only be “banking-grade” and protected against tampering, if the banking back-end provides managed certificate whitelisting and an automated certificate life-cycle management with very short certificate life cycles. Such a solution relies on Hardware Security Modules in the backend to create, host and manage the certificates, avoiding access to certificates by third parties, even if they intrude the heart of the banking infrastructure. The environment should be crypto-agile by default. Meaning that when new standards or policies emerge (e.g., driven by recent breaches), should be able to evolve rapidly. The security features presented in the section on secure enrollment above, like automated continuous checks from the backend, tunneling  etc. will round up the secure communication.

Secure app design

Mobile apps often provide open flanks to cybercriminals.  

3 approaches help to keep them out:

Cryptomathic-mobile-app-security-for-Banking-MASC

Methods to detect tampering attempts of the app, especially by debuggers, simulators, and emulators should be considered. Malevolent physical access to the device & app should also be prevented. Finally, this security layer should be able to detect the rooting or jailbreaking of the device and respond accordingly. All monitoring and health checks should be integrated with the banking-backend and fraud systems.

Application hardening mechanisms should be employed to make the app difficult to attack or modify. This includes obfuscating the source code of the application and especially, the relevant data and constants that are used to connect to servers. 

Secure Storage and Key Protection is the third pillar in secure app design.

The app must be able to efficiently protect the various cryptographic keys by preventing their possible recovery by an attacker. Usage of secure storage, such as using a secure element or SIM card, should also be offered if possible. Otherwise, this can be achieved with dedicated obfuscation methods.

Cryptomathic helps in developing secure mobile banking apps

MASC Product sheet Often app development is conducted by banks in conjunction with app developing companies. The experience and focus is set on user experience and app performance. 

Designing the security infrastructure for banks is a demanding task. Errors committed during the App design phase cannot be eliminated at a later stage. 

To fill that void, Cryptomathic brings in their longtime experience in banking-grade security, providing a security software development kit (SDK) for banking apps (Android and iOS). 

Cryptomathic MASC consists of multiple layers of complementary defense mechanisms and smartphone app security components. This enables app developers to focus on developing user-friendly business applications while leaving the critical and specialist security-related parts to MASC.

Cryptomathic MASC is built upon an evolutionary security framework that is designed to protect against the ever-changing threat landscape. MASC protection measures are constantly being refined and updated (along with the standard mobile app updates) to remain resistant and resilient to both known and unknown attacks. 

Going beyond pure app protection, MASC forms the bridge between the App itself, the communication channel and the banking backbone, providing protection for the complete mobile banking process.

Getting the apps protected

Knowing where deficiencies lay in banking security systems, especially with mobile banking apps, and how they can be prevented can help banks and their customers avoid falling prey to cybercriminals. Adhering to security standards and implementing strong security policies, including cryptographic tools, could greatly reduce the risk of most security gaps banks and their customers may encounter with mobile banking apps. Cryptomathic MASC provides a comprehensive and dynamic protection environment helping app developers and banks alike. MASC is a proven solution and has protected banking apps since 2013

Read White Paper

References and Further Reading