PCI have recently released the new standard and compliance program for Mobile Payments on Commercial off-the-shelf devices (MPoC). This blog is the first of a series discussing Mobile Payments and the security requirements that need to be met. This one describes the compliance environment and the history of how it has reached this point.
Mobile application hardening refers to the process of securing mobile applications against various threats and attacks. It involves implementing a range of security controls and techniques to protect the application code, data, and functionality from unauthorized access and manipulation.
The ubiquity of mobile applications has made them part of our day-to-day lives, but with the increased use comes the risk of potential security threats. It is essential to be aware of these threats and take appropriate measures to safeguard your data and identity. In this article, we will take a look at the top 10 mobile application security threats and how you (as an app developer or user) can protect yourself from them.
Cryptomathic Mobile App Security Core (MASC) is a comprehensive security software solution for the European Digital Identity (EUDI) wallet, eID apps, mobile banking apps, etc., comprised of multiple layers of mutually reinforcing mobile app security components that are provided with a simple, easy-to-use API. It enables app developers to focus on developing excellent business applications while leaving the specialist security-critical parts to MASC.
Organizations responsible for the development of an EUDI wallet (or other apps with highly sensitive data), will be acutely aware of the importance of security throughout the entire digital wallet ecosystem. In addition, they will likely already have a skilled security function and have implemented industry-standard security policies and procedures.
However, implementing adequate proactive and reactive security measures to counter the threats to large-scale deployments of such sensitive mobile apps is a highly specialized field, especially when the mobile app is being executed on devices that cannot be managed. For this reason, organizations should strongly consider contracting with a mobile app security vendor.
Following its introduction in January 2018, the Open Banking regulation mandates UK banks to provide their data in a standardized format, facilitating third-party developers to create financial service applications and allowing for fast bank payments and settlements without intermediaries. The number of Open Banking users reached 1 million by November 2019, but despite the slower-than-anticipated growth of this new technology, recent usage figures and government commitment indicate that Open Banking may soon become more widely adopted.
Itemizing the potential risks of the European Digital Identity (EUDl) Wallet scheme is a complex task that involves assessing the attack surface of the digital wallet app across various platforms, as well as the backend infrastructure, processes, and organizations involved. To provide support, the ENISA and OWASP mobile app guidelines offer useful resources for a secure development lifecycle of digital wallets, as outlined in this article.
We also introduce how Cryptomathic's Mobile App Security Core helps address the majority of the ENISA and OWASP security recommendations.
The European Digital Identity wallet (EUDI wallet) is proposed by the European Commission to provide a secure, safe and standardized digital identity for all EU citizens. It is based on the European Standard for Electronic Identification and Trust Services (eIDAS) and part of the proposed eIDAS 2.0 regulation. The EUDI wallet will be made available to its users as a mobile app that allows them to securely store and selectively share, locally or remotely, on request and under their sole control, identification data based on their national electronic IDs (eIDs), as well as other attestations of attributes such as digital travel credentials (ePassports), driver’s licenses, university diplomas, and also personal information including medical records or bank account details. The wallet should also allow them to access a variety of online services and sign documents with qualified electronic signatures and seals (QES).
With such valuable data stored on an app, the threats to the EUDI wallet will come from multiple diverse sources, all with varying motives. This article explores the threat landscape and considerations for protecting the digital wallet's sensitive data against threats.
Mobile apps and mobile software components are rarely stand-alone as they frequently perform their most important operations on various backend systems. Both parties in this communication need assurance that they are talking to an authentic partner at the other end. The server needs assurance that the software it talks to on the mobile device is authentic and not tampered with. The software on the mobile device needs assurance that it talks to the authentic server (not a man-in-the-middle) and that data can reliably be sent to the server.
