Cryptomathic Blog

An investigation conducted by "Which?", a consumer watchdog group based in the UK, found serious vulnerabilities in the security of banking security systems, including mobile banking apps.

In the mobile environment, source code is often distributed without enough security. Programs compiled as bytecode, such as the ones developed for Java or .NET, contain almost all the original information from the source code. Programs developed with native code, usually developed in C, Objective-C, or C++, are much more difficult to reverse. In what follows, we will look at the difference between interpreted code and native code in mobile operating systems and why we still need native code obfuscation.

When developing an application for mobile banking, application hardening using code obfuscation is one possible way of protecting sensitive data. However, this may not be an acceptable solution in many different scenarios: when the data to protect must be (partially) displayed, linked to other accounts or other data, or sent to a remote network, etc. The general solution to this problem is data obfuscation.

In the mobile environment, while debuggers are legal and legitimate development tools, they can also be used to reverse mobile banking and payment applications. This article describes some of the possible anti-debug techniques.

Here we describe some of the HTTPS vulnerabilities in the context of mobile banking and their countermeasures.

In this article, we will describe what HTTPS tunneling is and how it has been used in mobile banking and payment applications. We also look at some of its vulnerabilities and remedies to the described attacks.

In this article, we introduce the role that access tokens play in mobile banking applications and provide recommendations on how to secure these access tokens. We will also explain why such security measures are important.

Application hardening usually consists in processing an already developed application, and transforming it so to make it difficult / impossible to reverse engineer and tamper.

In this article, we shall focus on the techniques used for protecting keys and in general, cryptographic secrets in the context of mobile banking & payment applications.