When developing an application for mobile banking, application hardening using code obfuscation is one possible way of protecting sensitive data. However, this may not be an acceptable solution in many different scenarios: when the data to protect must be (partially) displayed, linked to other accounts or other data, or sent to a remote network, etc. The general solution to this problem is data obfuscation.
Data obfuscation, or data masking, consists of hiding the original data behind modified content in order to protect the sensitive data while allowing it to remain usable by the application.
Sandboxing or testing mobile applications in less-protected environments is one use case for data masking. In this case, completely fake and useless data, disconnected from real financial systems but still functional, is used instead of the real data. In development management, it is also a good method to prevent contractors from directly accessing sensitive databases while still giving them fully functional access to the systems.
Data masking can also be used in production environments. The goal here is to secure the real data and shield confidential information like credit card numbers, social security numbers, names, addresses, etc. In a production environment, especially in a cloud production environment, the goal is to prevent attackers from accessing this information.
In a wide variety of contexts, one may want the ‘look & feel’ of the masked data to remain as close as possible to the original data.
Data Obfuscation Techniques
There is a wide range of data obfuscation techniques.
One could simply substitute the original data with equivalent fake data that has an identical format and business logic. For example, a database of personal records will be substituted with an equivalent database, but populated with imaginary records, while looking real and following the identical logic with realistic addresses located in substituted counties, etc.
If such a database were stolen and leaked, only fake, imaginary information would appear. The substitution technique therefore creates a lure, a ‘bait’ that makes an attacker think he has achieved his goals, so that he does not proceed any further.
The shuffling technique consists of simply shuffling the records used by a mobile banking application, using random permutations.
For instance, in the context of personal records, birth date, address, etc., can be shuffled, making the final database useless to an attacker. This provides a quick obfuscation solution but has a very low level of security.
Masking out makes sense when sensitive information must be printed on paper or displayed on a screen. The customer must be able to identify the corresponding data, but the data must appear in an incomplete form.
For example, a well-known technique is to mask out a credit card number like:
While the credit card number is largely masked out, the application user can still identify the masked data and map it to the full credit card number that it represents.
Of course, great care must be taken to ensure that there is enough entropy in the masking, so that an attacker cannot brute-force the masked digits to reconstruct the data.
An efficient way of securing data is to encrypt it. While this provides optimal security, it is not always convenient. Indeed, some encryption APIs are not available on all mobile operating system versions. For instance, AES is only available through Android API level 23 and higher. Additionally, encryption may slow down the application when large amounts of data must be encrypted or decrypted, or when this happens frequently.
Finally, the whole obfuscation of the data relies on an encryption key, which itself must be protected and obfuscated.
In general, tokenization may be the right solution for data obfuscation. The data is substituted with a token produced from random data and/or one-way cryptographic hash functions. A dictionary maps the data to its token and the token back to the data.
Tokens are widely used by mobile banking and mobile payment applications to protect customers’ credit card data by replacing it with a proprietary number.
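The dictionary-based tokenization described above, combined with masking for display, as an added Python example that is not code from the original article. The `TokenVault` class, the `mask_for_display` helper, the choice to keep the last four digits in the token, and the sample card number are assumptions made for illustration.

```python
import secrets

DIGITS = "0123456789"


class TokenVault:
    """Token dictionary (hypothetical, in-memory for illustration).

    A real dictionary would sit server-side in protected storage;
    the mobile application would only ever see tokens.
    """

    def __init__(self):
        self._by_token = {}  # token -> original card number
        self._by_pan = {}    # card number -> token (one token per card)

    def tokenize(self, pan: str) -> str:
        if not (pan.isascii() and pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("card number must be 13 to 19 digits")
        if pan in self._by_pan:
            return self._by_pan[pan]
        while True:
            # Random digits from the OS CSPRNG: the token is not derived
            # from the card number, so it cannot be reversed without the
            # dictionary. Same length and trailing digits keep the
            # 'look & feel' of the original value (an assumption here).
            body = "".join(secrets.choice(DIGITS) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token != pan and token not in self._by_token:
                break
        self._by_token[token] = pan
        self._by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        # Raises KeyError for unknown tokens rather than guessing.
        return self._by_token[token]


def mask_for_display(value: str, visible: int = 4) -> str:
    """Mask all but the last `visible` characters for on-screen display."""
    return "*" * (len(value) - visible) + value[-visible:]


if __name__ == "__main__":
    vault = TokenVault()
    sample = "4111111111111111"  # constructed sample number, not a real card
    tok = vault.tokenize(sample)
    print(tok, mask_for_display(tok))
```

Because the leading digits of the token are random, a leaked token table entry or a screenshot of the masked value reveals only the last four digits of the card.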
Data obfuscation in a mobile context creates efficient app protection against data loss/breach, data hijacking, displaying data through an unprotected interface, as well as unauthorized use of data by contractors (testers, developers, etc.) in an organization.