Here we explain why additional security mechanisms, beyond the mobile OS security features, are needed to protect mobile banking applications from malware and related threats.
Here we explain why additional security mechanisms, beyond the mobile OS security features, are needed to protect mobile banking applications from malware and related threats.
As the use of mobile phones for mobile banking and payment applications increases, corresponding security threats are increasing as well. The majority of smart phones use only two operating systems (Android and iOS) and, therefore, they represent prey of choice for criminal groups and malevolent hackers.
In this article, we will explain some of the defense mechanisms and security techniques involved with protecting mobile banking applications.
With the introduction of PSD2, banks are forced to provide third party payment service providers (PSPs) with access to the bank’s customers’ account information for account servicing and payment initiation services, but only in the case where the user has granted access to these third-party players. This article explores a technical solution that leverages eIDAS to address the PSD2 requirements.
When developing an application for mobile banking, application hardening using code obfuscation is one possible way of protecting sensitive data. However, this may not be an acceptable solution in many different scenarios: when the data to protect must be (partially) displayed, linked to other accounts or other data, or sent to a remote network, etc. The general solution to this problem is data obfuscation.
Attacks on mobile banking and payment applications frequently begin with the use of an emulator for the mobile operating system, where the targeted application is run and analysed.
An investigation conducted by "Which?", a consumer watchdog group based in the UK, found serious vulnerabilities in the security of banking security systems, including mobile banking apps.
Unlike other operating systems like Windows, Linux, or OSX, both Android and iOS operating systems are usually shipped with built-in user rights restrictions. The process of removing such restrictions, which is not supported by either Google or Apple, is called rooting and jailbreaking, respectively, for Android and iOS.
In the mobile environment, source code is often distributed without enough security. Programs compiled as bytecode, such as the ones developed for Java or .NET, contain almost all the original information from the source code. Programs developed with native code, usually developed in C, Objective-C, or C++, are much more difficult to reverse. In what follows, we will look at the difference between interpreted code and native code in mobile operating systems and why we still need native code obfuscation.
In the mobile environment, while debuggers are legal and legitimate development tools, they can also be used to reverse mobile banking and payment applications. This article describes some of the possible anti-debug techniques.
