Mobile App Security Core

Cryptomathic Mobile App Security Core (MASC) is a proven mobile banking app security solution for Android and iOS. It is deployed across millions of banking app instances to provide the strongest defense mechanisms and platform independent protection against attacks on highly targeted financial apps.

Banking app security threats

Mobile banking apps are rapidly becoming the default tool for personal finance and consumers expect their mobile apps to offer full-service facilities. The convenience of banking apps is their greatest advantage, but this also opens possibilities for exploitation as they escape your control once downloaded.

As mobile apps get richer and offer access to more resources, they become more attractive to attackers. Without a robust security foundation, a mobile banking platform offers a huge attack surface and the opportunity to compromise individual accounts or the complete infrastructure.

Some attacks attempt to reverse-engineer your mobile app, while others focus on trying to intercept the communication between the server and the app. If successful, such attacks can result in severe financial and/or reputational damage.  



Protecting against this broad range of security threats requires multiple, mutually reinforcing security layers integrated throughout the code of your mobile application. Only such pervasive security can effectively shield apps against these attacks and exploits. Cryptomathic MASC is uniquely positioned to facilitate this role on the app side.


Cryptomathic MASC

Multi-layered defense for mobile app security

As a security software development kit (SDK) for banking apps (Android and iOS), Cryptomathic MASC consists of multiple layers of complementary defense mechanisms and smartphone app security components - provided with a simple, easy-to-integrate API. MASC enables app providers to focus on developing user-friendly business applications while leaving the critical and specialist security-related parts to MASC.

Cryptomathic MASC is built upon an evolutionary security framework that is designed to protect against the ever-changing threat landscape. MASC protection measures are constantly being refined and updated (along with the standard mobile app updates) to remain resistant and resilient to both known and unknown attacks.

The MASC app defense mechanisms are built upon five main security concepts:


Sentinel Framework for RASP

The building blocks for Runtime Application Self-Protection (RASP) are supplied by ‘sentinels’ scattered throughout the MASC library. The main responsibility of the sentinel framework is to monitor the activity of the app as well as the phone. The sentinels detect irregular or unwanted activity and react accordingly. The Sentinel Framework is tightly integrated throughout the MASC code to protect both the app itself and the defense mechanisms provided by MASC.
The sentinels appear and operate in many different ways:

  • Detectors and reactors. It is the responsibility of some sentinels to detect an attack and of others to react to it. The detectors have been fine-tuned over several code generations and are known to work very well in deployed customer scenarios.
  • The detectors differ in how aggressively they search and in what they try to detect.
  • The response can be as soft as a warning message to the backend system or as aggressive as crashing the application.

Application Hardening

Application hardening refers to making an app more difficult to reverse-engineer and protecting it against tampering. MASC follows best practice by combining secure coding with application hardening to protect banking app IP and to prevent exploits.

Cryptomathic MASC employs several layers of application hardening mechanisms:

  • Code hardening
  • White box encryption
  • Data obfuscation
  • Native code obfuscation
  • Protected configuration
  • Anti-debug
  • Anti-tampering
  • Emulator detection
  • Root and Jailbreak detection

Device and API Assurance

Device and API assurance gives the backend system confidence that it is communicating with a genuine app. In the same manner the app knows that it is communicating with the genuine backend.

API Protection

API assurance and protection build on dynamically provisioned cryptographic keys and secrets. The MASC sentinel framework protects the software component against reverse engineering and tampering.
A challenge-response protocol based on the above building blocks assures the server that it communicates with a genuine app. This also serves to protect the server API from unauthorized access, by preventing non-approved 3rd party apps or aggregators from accessing the APIs.

Device Assurance

It is possible to improve the assurance level to include device-specific secrets. This is known as device binding and can be done after the first contact between a newly installed app and the server backend.
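An added sketch of the API Protection and Device Assurance ideas above, not Cryptomathic's code or the MASC protocol: a generic HMAC challenge-response over a per-install key that is provisioned at first contact and bound to a device value. The class, function and parameter names, the 30-second challenge lifetime and the key derivation are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

CHALLENGE_TTL = 30  # seconds a challenge stays valid (assumed value)


class AttestationServer:
    """Server side of an HMAC challenge-response (illustrative only)."""

    def __init__(self):
        self.install_keys = {}  # install_id -> key provisioned at first contact
        self.pending = {}       # install_id -> (nonce, expiry time)

    def provision(self, install_id, device_binding):
        # First contact: create a per-install key. Mixing in a value the app
        # derives from device-specific secrets (hypothetical `device_binding`)
        # means a copy of the app data on another device derives a different key.
        seed = secrets.token_bytes(32)
        key = hmac.new(seed, b"bind|" + device_binding, hashlib.sha256).digest()
        self.install_keys[install_id] = key
        return seed  # sent to the app over the enrollment channel (assumed secure)

    def challenge(self, install_id, now=None):
        # A fresh random nonce per request defeats replay of old responses.
        nonce = secrets.token_bytes(16)
        now = time.time() if now is None else now
        self.pending[install_id] = (nonce, now + CHALLENGE_TTL)
        return nonce

    def verify(self, install_id, request_body, tag, now=None):
        now = time.time() if now is None else now
        nonce, expiry = self.pending.pop(install_id, (None, 0))  # single use
        key = self.install_keys.get(install_id)
        if nonce is None or key is None or now > expiry:
            return False
        expected = hmac.new(key, nonce + request_body, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)  # constant-time comparison


def app_response(seed, device_binding, nonce, request_body):
    """App side: re-derive the device-bound key and answer the challenge."""
    key = hmac.new(seed, b"bind|" + device_binding, hashlib.sha256).digest()
    return hmac.new(key, nonce + request_body, hashlib.sha256).digest()
```

The tag covers the request body as well as the nonce, so a valid response cannot be reattached to a different API call.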

Secure Storage

An important component of MASC is Secure Storage which implements protection measures designed with two main objectives:

  • Prevent separation of data and application
  • Prevent migration or copying data to other devices.

Cryptographic keys generated and managed by MASC are protected by device hardware where possible. The keys are always encrypted and never escape the core in clear text.


Secure Connectivity

MASC is designed to be responsible for secure communication between the business app and the backend systems.

In order to ensure that the app only communicates with the intended system, it maintains its own certificate store, which implements pinned server certificate verification.

Measures for securing connectivity include:

  • Access token protection
  • Encrypted transport
  • Cookie protection
  • Strong Authentication
  • HTTPS tunnelling
  • Device health and audit logging

MASC Security specific roles

Each security concept described above contains mutually reinforcing layers to address the security-specific roles that MASC underpins.





MASC - Mobile App Security Core

Take control of your banking app security with MASC


MASC Benefits

  • Secure your application without sacrificing development speed
  • Minimize the risks of threats with 360 degree defense mechanisms built into your application
  • Compatible with common build tools and development environments
  • Extensive customization options to enable you to adapt the applied protection to your security and performance requirements
  • Defense mechanisms are regularly refined and updated so your application protections are always ahead of the attackers
  • Support for add-ons such as malware detection and device fingerprinting


Securing Mobile Banking Apps with MASC

MASC is a security toolkit which was developed to close security loopholes related to mobile banking apps. 


Proven App Security

MASC is a proven security solution for banking apps, used for several years by large retail banks to protect their data. MASC has successfully protected millions of app downloads with a 100% success record to date.