Mobile App Security Core

Built-in app security

Cryptomathic Mobile App Security Core (MASC) is a mobile app security solution for protecting valuable digital assets on Android and iOS devices. Through cutting-edge responsive security and runtime application self-protection (RASP) technology, mobile app developers can leverage our comprehensive security framework and advanced defense mechanisms to bring security-sensitive features to native mobile apps.

The solution is designed to secure apps deployed in security-sensitive industries including:

  • Trust services and digital identities apps for: Strong Authentication, Digital identity wallets or EUDI Wallet, secure digital signatures

  • Finance apps for: Banking, Mobile Point of Sale (MPoC), PCI compliance

  • eHealth: Apps processing confidential health data, collecting health records and more...

Risk and Compliance

In many sectors, mobile apps have become the default tool for client engagement and consumers expect their mobile apps to offer full-service facilities. The superior user experience of native apps is their greatest advantage, but this also opens possibilities for exploitation as they escape your control once downloaded.

Without a robust security foundation, mobile platforms offer a huge attack surface. App developers need to develop a threat model for their use case and carefully consider their risk mitigation strategy, including a defense model encompassing both proactive and reactive measures. To facilitate the process, the industry has developed compliance frameworks for developing, testing, operating and maintaining an environment with a large estate of mobile apps. These include:

  • ENISA Smartphone Guidelines Tool

  • OWASP Mobile Application Security

  • PCI MPoC Compliance Standard

MASC delivers proven protection against mobile app threats

Cryptomathic has over a decade of experience in supporting large-scale deployments and we developed a mobile security solution used to protect millions of mobile devices in security-sensitive sectors.

Some attacks attempt to reverse-engineer your mobile app, while others focus on trying to intercept the communication between the server and the app. If successful, such attacks can result in severe financial and/or reputational damage. 



Protecting against the broad range of security threats requires multiple, mutually reinforcing security layers integrated throughout the code of your mobile application. Only such pervasive security can effectively shield and defend the app against these attacks and exploits. Cryptomathic MASC is uniquely positioned to facilitate this role on the app side.

Download the white paper on protecting the European Identity Wallet and recommendations on securing sensitive mobile apps or contact us for more information.

Read White Paper
Securing the EUDI Wallet

Cryptomathic MASC

Multi-layered defense for mobile app security

As a security software development kit (SDK) for mobile apps (Android and iOS), Cryptomathic MASC consists of multiple layers of complementary defense mechanisms and smartphone app security components - provided with a simple, easy-to-integrate API. MASC enables app providers to focus on developing user-friendly business applications while leaving the critical and specialist security-related parts to MASC.

Cryptomathic MASC is built upon an evolutionary security framework that is designed to protect against the ever-changing threat landscape. MASC protection measures are constantly being refined and updated (along with the standard mobile app updates) to remain resistant and resilient to both known and unknown attacks.

The MASC app defense mechanisms are built upon five main security concepts:


Sentinel Framework for RASP

The building blocks for Runtime Application Self-Protection (RASP) are supplied by ‘sentinels’ scattered around in the MASC library. The main responsibility of the sentinel framework is to monitor the activity of the app as well as the phone. The sentinels will detect irregular or unwanted activity and react accordingly. The Sentinel Framework is tightly integrated throughout the MASC code to protect both the app itself and the defense mechanisms provided by MASC.
The sentinels appear and operate in many different ways:

  • Detectors and reactors. It is the responsibility of some sentinels to detect an attack and others to react to it. The detectors have been fine-tuned over several code generations and are known to work very well in deployed customer scenarios.
  • The detectors differ on how aggressively they search and what they try to detect.
  • The response can be as soft as a warning message to the backend system or as aggressive as crashing the application.

Application Hardening

Application hardening refers to making an app more difficult to reverse-engineer and protecting it against tampering. MASC follows best practice by combining secure coding with application hardening to protect banking app IP and to prevent exploits.

Cryptomathic MASC employs several layers of application hardening mechanisms:

  • Code hardening
  • White box encryption
  • Data obfuscation
  • Native code obfuscation
  • Protected configuration
  • Anti-debug
  • Anti-tampering
  • Emulator detection
  • Root and Jailbreak detection

Device and API Assurance

Device and API assurance gives the backend system confidence that it is communicating with a genuine app. In the same manner, the app knows that it is communicating with the genuine backend.

API Protection

API assurance and protection build on dynamically provisioned cryptographic keys and secrets. The MASC sentinel framework protects the software component against reverse engineering and tampering.
A challenge-response protocol based on the above building blocks assures the server that it communicates with a genuine app. This also serves to protect the server API from unauthorized access, by preventing non-approved 3rd party apps or aggregators from accessing the APIs.

Device Assurance

It is possible to improve the assurance level to include device-specific secrets. This is known as device binding and can be done after the first contact between a newly installed app and the server backend.
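The challenge-response and device binding ideas described under API Protection and Device Assurance can be sketched as follows. This is an added example, not Cryptomathic's protocol or MASC code: the class and function names, the HMAC-SHA256 construction, and the 30-second challenge lifetime are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

CHALLENGE_TTL = 30  # seconds a challenge stays valid (assumed value)

def _mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

class AssuranceServer:
    """Backend side (hypothetical): provisions keys, issues and checks challenges."""

    def __init__(self):
        self.keys = {}      # install_id -> dynamically provisioned key
        self.bindings = {}  # install_id -> keyed digest of the device secret
        self.pending = {}   # nonce -> (install_id, expiry time)

    def provision(self, install_id):
        self.keys[install_id] = secrets.token_bytes(32)
        return self.keys[install_id]

    def bind_device(self, install_id, device_secret):
        # Done after first contact; only a keyed digest is stored server-side.
        self.bindings[install_id] = _mac(self.keys[install_id], device_secret)

    def challenge(self, install_id, now=None):
        now = time.time() if now is None else now
        nonce = secrets.token_bytes(16)
        self.pending[nonce] = (install_id, now + CHALLENGE_TTL)
        return nonce

    def verify(self, install_id, nonce, response, now=None):
        now = time.time() if now is None else now
        issued = self.pending.pop(nonce, None)  # single use: replays fail
        if issued is None or issued[0] != install_id or now > issued[1]:
            return False
        key = self.keys.get(install_id)
        if key is None:
            return False
        binding = self.bindings.get(install_id, b"")
        return hmac.compare_digest(_mac(key, binding + nonce), response)

def app_response(key, nonce, device_secret=None):
    """App side: answer a challenge, mixing in the device secret once bound."""
    binding = _mac(key, device_secret) if device_secret is not None else b""
    return _mac(key, binding + nonce)
```

Once an install is bound, a copy of the provisioned key moved to another device no longer produces a valid response, because the response also depends on the device secret.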

Secure Storage

An important component of MASC is Secure Storage which implements protection measures designed with two main objectives:

  • Prevent separation of data and application
  • Prevent migration or copying data to other devices.

Cryptographic keys generated and managed by MASC are protected by device hardware where possible. The keys are always encrypted and never escape the core in clear text.


Secure Connectivity

MASC is designed to be responsible for secure communication between the business app and the backend systems.

In order to ensure that the app only communicates with the intended system, it maintains its own certificate store, which implements pinned server certificate verification.

Measures for securing connectivity include:

  • Access token protection
  • Encrypted transport
  • Cookie protection
  • Strong Authentication
  • HTTPS tunnelling
  • Device health and audit logging

MASC Security specific roles

Each security concept described above contains mutually reinforcing layers to address the security-specific roles that MASC underpins.





MASC - Mobile App Security Core

Take control of your banking app security with MASC


MASC Benefits

  • Secure your application without sacrificing development speed
  • Minimize the risks of threats with 360 degree defense mechanisms built into your application
  • Compatible with common build tools and development environments
  • Extensive customization options to enable you to adapt the applied protection to your security and performance requirements
  • Defense mechanisms are regularly refined and updated so your application protections are always ahead of the attackers
  • Support for add-ons such as malware detection and device fingerprinting


Securing Mobile Banking Apps with MASC

MASC is a security toolkit which was developed to close security loopholes related to mobile banking apps. 


Proven App Security

MASC is a proven security solution for banking apps, used for several years by large retail banks to protect their data. MASC has successfully protected millions of app downloads with a 100% success record to date.