Cryptomathic Mobile App Security Core (MASC) is a proven mobile banking app security solution for Android and iOS. It is deployed across millions of banking app instances to provide the strongest defense mechanisms and platform-independent protection against attacks on highly targeted financial apps.
Mobile banking apps are rapidly becoming the default tool for personal finance and consumers expect their mobile apps to offer full-service facilities. The convenience of banking apps is their greatest advantage, but this also opens possibilities for exploitation as they escape your control once downloaded.
As mobile apps get richer and offer access to more resources, they become more attractive to attackers. Without a robust security foundation, a mobile banking platform offers a huge attack surface and the opportunity to compromise individual accounts or the complete infrastructure.
Some attacks attempt to reverse-engineer your mobile app, while others focus on trying to intercept the communication between the server and the app. If successful, such attacks can result in severe financial and/or reputational damage.
Protecting against the broad range of security threats requires multiple, mutually reinforcing security layers to be integrated throughout the code of your mobile application. Only such pervasive security can effectively shield and defend apps against these attacks and exploits. Cryptomathic MASC is uniquely positioned to fulfil this role on the app side.
As a security software development kit (SDK) for banking apps (Android and iOS), Cryptomathic MASC consists of multiple layers of complementary defense mechanisms and smartphone app security components - provided with a simple, easy-to-integrate API. MASC enables app providers to focus on developing user-friendly business applications while leaving the critical and specialist security-related parts to MASC.
Cryptomathic MASC is built upon an evolutionary security framework that is designed to protect against the ever-changing threat landscape. MASC protection measures are constantly being refined and updated (along with the standard mobile app updates) to remain resistant and resilient to both known and unknown attacks.
The MASC app defense mechanisms are built upon five main security concepts:
The building blocks for Runtime Application Self-Protection (RASP) are supplied by ‘sentinels’ scattered around in the MASC library. The main responsibilities of the sentinel framework are to monitor the activity of the app as well as the phone. The sentinels detect irregular or unwanted activity and react accordingly. The Sentinel Framework is tightly integrated throughout the MASC code to protect both the app itself and the defense mechanisms provided by MASC.
The sentinels appear and operate in many different ways:
Application hardening refers to making an app more difficult to reverse-engineer and protecting it against tampering. MASC follows best practice by combining secure coding with application hardening to protect banking app IP and to prevent exploits.
Cryptomathic MASC employs several layers of application hardening mechanisms.

Device and API assurance gives the backend system confidence that it is communicating with a genuine app. In the same manner, the app knows that it is communicating with the genuine backend.
An important component of MASC is Secure Storage which implements protection measures designed with two main objectives:
Cryptographic keys generated and managed by MASC are protected by device hardware where possible. The keys are always encrypted and never escape the core in clear text.
MASC is designed to be responsible for secure communication between the business app and the backend systems.
In order to ensure that the app only communicates with the intended system, it maintains its own certificate store, which implements pinned server certificate verification.
Measures for securing connectivity include multiple layers as well.

Each security concept described above contains mutually reinforcing layers to address the security-specific roles that MASC underpins.
MASC is a proven security solution for banking apps, used for several years by large retail banks to protect their data. MASC has successfully protected millions of app downloads with a 100% success record to date.