Rise of Digital Banking Poses New Security Risks to Mobile Apps
Advancements in digital banking are critical for Southeast Asia development – particularly for unbanked and underbanked populations. Developers and app publishers need to be aware of the potential security risks of unprotected mobile apps. Grant Goodes, Chief Data Scientist, Guardsquare explains what’s happening now, why it’s concerning, and how developers can properly prioritize mobile app security.
In 2020, COVID-19 caused a significant surge in digital banking apps in Southeast Asia. With that boom came a greater need for mobile banking app security to protect both citizens and financial institutions.
For example, in Vietnam, transactions via smartphones increased 177% in 2020 compared with 2019. Some governments, like Singapore's, responded to demand by awarding new digital banking licenses.
Rushed App Development Opens Up Security Risks
One of the primary concerns among many mobile app developers is being first-to-market with their applications. During the pandemic, many banks in Southeast Asia rushed to create new applications for consumers as their in-person banking options dwindled. However, this urgency often makes security an afterthought – meaning that these applications become low-hanging fruit for potential malicious actors.
For example, malicious actors often look for unobfuscated applications, which they can decompile or otherwise reverse engineer with little effort. This frequently exposes sensitive material embedded in the app's code or resource directories, such as API keys or private certificates, which in turn can open the bank's backend servers to compromise.
In some cases, attackers can repackage legitimate apps as counterfeit versions that contain malware and redistribute them in third-party app stores, opening up users themselves to significant risks. In Southeast Asia and the Middle East, this is an urgent problem, as consumers frequent these third-party app stores.
Unfortunately, many developers do not address these concerns proactively until it’s too late.
Confusing Regulations and Misinformation Abound
In some Southeast Asian countries, confusing regulations stemming from central banks make financial mobile app security more complex than it needs to be. For example, in Malaysia and Singapore, white-box cryptography (WBC) is a common regulatory requirement for mobile banking apps.
All known WBC implementations are vulnerable either to automated key-extraction attacks (for example, differential computation analysis) or to manual attacks that defeat the protection WBC is meant to provide. In addition to being insecure, most WBC implementations of standard ciphers such as DES and AES introduce substantial performance and code-size overhead, which is hard to justify even as a mild obfuscation technique.
Another example of a technique that is commonly used in Southeast Asia, but actively discouraged by Apple and Google, is device fingerprinting. Device fingerprinting derives a persistent identifier from a user's device and thereby ties that device, and its owner, to a specific person. As user privacy regulations spread globally (and regulations such as GDPR apply to entities operating even outside the European Union), device fingerprinting will no longer be sustainable.
In addition, secure keyboards are a common regulatory requirement that is not necessarily useful in every mobile app deployment. A secure keyboard replaces the user's default keyboard for sensitive fields, so that a malicious third-party keyboard cannot log PINs or passwords. On iOS, Apple's own keyboard is always the default and an app can refuse third-party keyboard extensions outright, so a custom secure keyboard adds little. On Android, secure keyboards can be useful, but only as one layer in a broader layered security approach.
Layering Application Shielding Techniques
While WBC and device fingerprinting have their place in the mobile app security landscape, there are better ways to protect an application. Regulators should require that financial mobile apps apply layered application shielding techniques, both to protect banking institutions and their users and to meet PCI requirements. They should also encourage financial institutions to adopt a secure development lifecycle in which security is considered at every step.
Malicious actors reverse-engineer applications to steal intellectual property, tamper with code to commit monetary fraud, extract sensitive data such as encryption keys for use in follow-up attacks, and map the interaction between the application and its backend servers, among other goals.
Code hardening, which includes name obfuscation, control-flow obfuscation, arithmetic obfuscation, hiding calls to sensitive APIs, string and class encryption, and resource and asset encryption, is the most effective way to keep attackers from reading and tampering with an app's code. Obfuscation renders code illegible to a human analyst without changing its functionality. Encryption ensures that the application's code and the data it contains cannot be read while the application is at rest; they are decrypted only at runtime, at the moment they are needed.
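The following is an added example, not code from the article or from Guardsquare, that ties the two points above together: why a plain literal (the API-key case from the "Rushed App Development" section) is found by a `strings`-style scan of the unprotected build, and how build-time string encryption keeps it out of the artefact at rest. The artefacts, the key and the secret are constructed placeholders; a real app-shielding tool applies this transform to compiled code, not to Python source.

```python
"""Added example (not the article's or Guardsquare's code): a plain
literal leaks to a `strings`-style scan; build-time string encryption
keeps it out of the artefact at rest and decrypts it only at runtime.

The artefacts, key and secret below are constructed placeholders.
"""
import re

# Constructed placeholder; stands in for a backend API key or cert password.
API_KEY_LITERAL = "sk_live_EXAMPLE_1234567890"

# Constructed per-string key chosen at build time. Every byte is non-zero,
# so every ciphertext byte differs from the plaintext byte it replaces.
STRING_KEY = bytes([0x5A, 0x13, 0xC4, 0x7E, 0x91, 0x2B, 0xF0])


def xor_transform(data: bytes, key: bytes) -> bytes:
    """XOR stream: the same call encrypts (build time) and decrypts (runtime)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# --- Unprotected build: the literal is embedded verbatim in the binary. ---
def unprotected_artifact() -> bytes:
    return b"...code...API_KEY=\"" + API_KEY_LITERAL.encode() + b"\"...code..."


# --- Hardened build: only the encrypted blob is embedded. ---
ENCRYPTED_API_KEY = xor_transform(API_KEY_LITERAL.encode(), STRING_KEY)


def hardened_artifact() -> bytes:
    return b"...code..." + ENCRYPTED_API_KEY + b"...code..."


def get_api_key() -> str:
    """Runtime decryption, called only at the moment the key is needed."""
    return xor_transform(ENCRYPTED_API_KEY, STRING_KEY).decode()


def strings_scan(artifact: bytes, min_len: int = 8) -> list[str]:
    """Mimic the `strings` tool: every run of printable ASCII of at least min_len."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode() for m in re.findall(pattern, artifact)]


def leaks_secret(artifact: bytes) -> bool:
    """True if a reverse engineer would find the key with `strings` alone."""
    return any(API_KEY_LITERAL in s for s in strings_scan(artifact))


if __name__ == "__main__":
    print("unprotected leaks:", leaks_secret(unprotected_artifact()))  # True
    print("hardened leaks:   ", leaks_secret(hardened_artifact()))     # False
    print("runtime key OK:   ", get_api_key() == API_KEY_LITERAL)     # True
```

The caveat a practitioner should keep in mind: a static XOR key embedded next to the blob only defeats static analysis. An attacker who attaches a debugger or hooks `get_api_key()` at runtime still recovers the plaintext, which is exactly why string encryption is layered with control-flow obfuscation and runtime protection rather than used alone, and why long-lived secrets ideally never live in the client at all.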
Code hardening can be made even more effective by combining it with RASP (Runtime Application Self-Protection). RASP protects the running application against real-time analysis and tampering: it continuously checks the application's integrity and the environment it is running in (for example, whether a debugger is attached), and responds in a pre-programmed manner when a threat is detected. Because the RASP checks are themselves obfuscated and encrypted, they are difficult for an attacker to locate, disable or tamper with.
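As an added illustration, not code from the article or from Guardsquare, here is a minimal RASP-style self-check in Python. It also covers the repackaging scenario from the "Rushed App Development" section: a digest of the sensitive function's bytecode is taken at "build time" (here, module import) and embedded; at runtime the app recomputes it, checks for an attached debugger, and runs a pre-programmed response before any protected operation. The function names, amounts and the simulated attacker patch are constructed for illustration.

```python
"""Added example (not the article's or Guardsquare's code): a minimal
RASP-style runtime integrity and environment check.

A reference digest of the protected code is embedded at "build time";
at runtime the app recomputes it, checks for a debugger, and refuses
the operation if anything is off.  Names and amounts are constructed.
"""
import hashlib
import sys


class TamperDetected(RuntimeError):
    """Raised as the pre-programmed response to a failed check."""


def transfer_funds(balance: int, amount: int) -> int:
    """Protected business logic: the balance check is what an attacker removes."""
    if amount > balance:
        raise ValueError("insufficient funds")
    return balance - amount


PROTECTED_FUNCTIONS = (transfer_funds,)


def code_digest(funcs) -> str:
    """SHA-256 over the live bytecode and constants of each protected function."""
    h = hashlib.sha256()
    for f in funcs:
        h.update(f.__code__.co_code)
        h.update(repr(f.__code__.co_consts).encode())
    return h.hexdigest()


# "Build-time" reference digest; a real tool embeds this in the release binary.
EXPECTED_DIGEST = code_digest(PROTECTED_FUNCTIONS)


def debugger_attached() -> bool:
    """A Python-level debugger or tracer installs a trace function."""
    return sys.gettrace() is not None


def runtime_checks() -> list[str]:
    """Return the names of every failed check (empty list means all clear)."""
    findings = []
    if code_digest(PROTECTED_FUNCTIONS) != EXPECTED_DIGEST:
        findings.append("code-tampering")
    if debugger_attached():
        findings.append("debugger-attached")
    return findings


def guarded_transfer(balance: int, amount: int) -> int:
    """Run the checks first; refuse the operation if any of them fail."""
    findings = runtime_checks()
    if findings:
        # Pre-programmed response: abort. A production RASP layer might instead
        # wipe the session, report to the backend, or crash without explanation.
        raise TamperDetected(", ".join(findings))
    return transfer_funds(balance, amount)


def simulate_repackaging() -> None:
    """Attacker patches the balance check out, as in a repackaged counterfeit app."""
    def patched(balance: int, amount: int) -> int:
        return balance - amount                 # no insufficient-funds check
    transfer_funds.__code__ = patched.__code__


if __name__ == "__main__":
    print("clean findings:  ", runtime_checks())
    simulate_repackaging()
    print("patched findings:", runtime_checks())   # includes 'code-tampering'
    try:
        guarded_transfer(100, 500)
    except TamperDetected as e:
        print("refused:", e)
```

In a real deployment the reference digest and the check itself are what an attacker goes after first, which is why the article insists the RASP code be obfuscated and encrypted; a check that is easy to find is easy to patch out along with the logic it protects.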
As mobile banking matures in Southeast Asia and throughout the world, these security techniques will become critical to ensuring that both banks and their users are protected against nefarious actors looking for an easy target.