Why App Protection Matters More than Ever for Mobile Banking
Half of American consumers prefer to manage their bank accounts through a mobile device, according to the American Bankers Association. The top three reasons consumers choose mobile banking are convenience; features such as personalized financial advice, savings tools, big-purchase calculators and virtual assistants, to name a few; and greater control over their finances. While mobile banking provides numerous benefits to end users and the organization, its increasing popularity comes with increasingly sophisticated cyber attacks targeting these mobile apps. Organizations report the average cost of a mobile application security incident to be just under $5 million (source: Vanson Bourne).
This blog provides insights on mobile banking app security and covers key trends in innovation and regulations, the primary risks, threat vectors, and recommendations to improve the app security posture to mitigate risk.
Key takeaways
- Mobile banking offers convenience, but it deals with sensitive financial and user data, making security incidents a high business risk.
- Though stricter regulations and innovative solutions are emerging, digital advancements like open banking, superapps and wallets create new challenges for developers.
- Common threat vectors include malware, fake apps, supply chain vulnerabilities and insecure apps.
- Robust mobile application protection solutions, alongside OWASP recommendations, provide an extra layer of security and generate more user trust.
What's at stake if mobile banking apps don’t have the right level of security?
Mobile banking apps offer convenience, but because they handle a lot of sensitive data, there are inherent risks. Security breaches can have serious consequences for both banks and their users.
Security incidents can expose financial data (for instance, account details, transaction history) which can be used to initiate unauthorized transfers resulting in financial losses. Personal information can also be compromised, leading to identity theft and more.
The consequences of such incidents can disrupt a bank's operations, causing significant downtime and hinder the bank’s ability to serve its customers. Security breaches can also erode customer trust and damage a bank's reputation resulting in the loss of hard-earned customers. Finally, failing to comply with regulations regarding data security can result in hefty fines for banks or the need to discontinue operations until the compliance issues are resolved.
The impact of new regulations and innovation on mobile banking
The evolving digital banking landscape is bringing forth innovative approaches. Coupled with proper security mechanisms, banks can leverage the ongoing digital transformation both to gain a competitive advantage and to offer better and additional services to their target customers.
Let's explore some of the key digital banking trends and how mobile banking app publishers can take advantage of them while ensuring maximum security for their users.
Cybersecurity regulations
Regulations like PSD2 and its upcoming successor PSD3 (Europe) and Safe Apps (Singapore) mandate strong security in banking apps dealing with payments. This includes, among other measures, strong user authentication, data encryption, app protection, and secure communication. Adhering to these regulations helps financial institutions improve trust in digital banking among their users and reduces the risk of revenue losses due to chargebacks in case of fraud.
Digital wallets and mobile payments
When we go out, we could very easily forget our wallet at home, but we almost never leave our smartphone behind. Big tech companies know that and offer convenient ways to pay with mobile devices, like Apple Pay, Google Pay and Samsung Pay. Banks want to stay competitive and are therefore investing in becoming the digital wallet of choice among their customers. These mobile contactless payment options are convenient for end users, but the risks associated with them, such as data interception by malware or cloned apps, can lead to stolen financial data and need to be taken seriously.
Open banking/Open finance
Open banking unlocks a world of financial innovation by letting authorized apps access user financial data. While this fuels new services, robust authentication and data protection are vital to ensure only authorized apps can access information made available via the Open Banking API.
Financial services superapps
Superapps offer a one-stop shop for finances, integrating budgeting, investments, and even shopping. However, because a superapp aggregates so many services, a single breach could expose far more data than a breach of a traditional banking app.
Top mobile banking attack vectors
Let's explore the top attack vectors targeting these increasingly complex mobile banking applications.
Android malware
Banking malware attacks on Android are surging, with a 32% increase reported in 2023. Using techniques such as accessibility service abuse, screen capture and recording, and UI injection, threat actors use malware to steal user and financial data.
Cloned and fake apps
Unprotected mobile apps are easy targets for cloning. Threat actors create fake copies laced with malware that steal sensitive data. These clones often mimic the legitimate app in appearance and function, making them difficult to detect. The consequences can be severe for mobile banking app publishers, ranging from poor user experience to data breaches.
Supply chain vulnerabilities
Software supply chain attacks target third-party components, like libraries, used by many applications. Mobile apps often depend on pre-built libraries, but these can introduce security risks. Poorly maintained or malicious libraries can leave apps vulnerable. Unlike with their own code, developers often have limited control over these third-party elements.
Unsecured apps
Many organizations (67%, source: Vanson Bourne) mistakenly rely solely on the OS for mobile app security, even though 93% acknowledge the risks of doing so. This leaves apps vulnerable to tampering and attacks, leading to potential revenue loss, user churn, and fines.
Mitigate security risk with robust mobile application protection
Mobile banking apps are prime targets for threat actors, and there are several concerning attack vectors such as malware, supply chain attacks, cloned apps or insecure apps as mentioned earlier. The Open Web Application Security Project (OWASP) has identified the top 10 mobile risks that those threat vectors can cause, but these guidelines are just the beginning.
Adopt a comprehensive application protection strategy
On top of OWASP’s recommendations, banks need additional security layers to make it harder for attackers to analyze and tamper with their apps. Tools like Guardsquare’s DexGuard (Android) and iXGuard (iOS) offer mobile app developers protection measures like:
- Code obfuscation: this scrambles the app's code, making it difficult for attackers to understand how it works and exploit vulnerabilities.
- Data encryption: this protects sensitive information stored in the app, like account details and API keys, rendering it useless even if intercepted.
- Runtime application self-protection (RASP): this technology continuously monitors the app's behavior at runtime and can detect attempts to tamper with the app code or inject malicious code.
Why obfuscation and encryption matter
Imagine that a bank implements strong malware detection. If the app isn’t protected by obfuscation, an attacker could reverse engineer the code, understand how the detection works and then bypass it. That is why DexGuard from Guardsquare provides Android developers with both malware detection and application protection capabilities.
The same principle applies to fingerprint and facial recognition, which are often used to protect digital wallets from unauthorized access. While these methods add a layer of security, they aren't foolproof. If the digital wallet is not protected, attackers could potentially reverse engineer the banking app, understand how the authentication works and bypass it. Deepfake video injection, for example, is a growing threat to biometric facial recognition.
The importance of obfuscation and encryption extends beyond the app itself. Third-party libraries or SDKs are often integrated into banking apps. It's crucial to choose reputable vendors for these SDKs and ensure they also employ proper code obfuscation and encryption practices. As mentioned earlier, a weakness in an SDK can be exploited to attack every app that uses the same library.
Complement obfuscation and encryption with anti-tampering solutions
Anti-tampering solutions are essential to a robust mobile application strategy and work together with obfuscation and encryption by providing a multi-layered defense against the main mobile banking threat vectors described earlier.
For instance, in the case of digital wallets, RASP can detect attempts to hook the application functions responsible for biometric authentication. Library hooking is a technique used by threat actors to inject deepfake videos. RASP also protects banks from their apps being cloned: anti-tampering techniques can detect attempts to repackage an app with malware and re-sign it with a new certificate for distribution.
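To make the repackaging check above concrete, here is an added example of the simplest form such an anti-tampering control can take on Android: at runtime the app reads the certificate that actually signed the installed APK and compares its SHA-256 fingerprint with the publisher's release certificate. This is illustration code written for this page, not DexGuard's implementation or any Guardsquare API. It assumes API level 28 or higher (`SigningInfo`), a hypothetical package name `com.example.bankapp.integrity`, and a placeholder fingerprint in `EXPECTED_SIGNER_SHA256` that a real app would replace with the value printed by `apksigner verify --print-certs`. It also shows why the obfuscation and encryption layers discussed in this section matter: without them, the string constant and the single boolean comparison in this class are exactly the kind of readable detection logic that a reverse engineer would look for first.

```java
// Added example (not Guardsquare's or the page's code): runtime check that the
// installed APK is still signed with the publisher's release certificate.
// Assumes API 28+ and a hypothetical package name.
package com.example.bankapp.integrity;

import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.content.pm.SigningInfo;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public final class SigningIntegrity {

    // Placeholder (constructed): replace with the SHA-256 fingerprint of the
    // release signing certificate. In a shipped app this constant should be
    // protected by string encryption, otherwise it is trivial to locate.
    private static final String EXPECTED_SIGNER_SHA256 =
            "0000000000000000000000000000000000000000000000000000000000000000";

    private SigningIntegrity() {}

    /**
     * Returns true only if every certificate that signed the APK contents
     * matches the expected release certificate. Any error fails closed.
     */
    public static boolean isSignedByPublisher(Context ctx) {
        try {
            PackageInfo info = ctx.getPackageManager().getPackageInfo(
                    ctx.getPackageName(), PackageManager.GET_SIGNING_CERTIFICATES);
            SigningInfo signingInfo = info.signingInfo;
            if (signingInfo == null) {
                return false;
            }
            Signature[] signers = signingInfo.getApkContentsSigners();
            if (signers == null || signers.length == 0) {
                return false;
            }
            byte[] expected = hexToBytes(EXPECTED_SIGNER_SHA256);
            MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
            for (Signature signer : signers) {
                // Signature.toByteArray() is the DER-encoded X.509 certificate.
                byte[] actual = sha256.digest(signer.toByteArray());
                // Constant-time comparison; a repackaged and re-signed clone
                // carries a different certificate and fails here.
                if (!MessageDigest.isEqual(expected, actual)) {
                    return false;
                }
            }
            return true;
        } catch (PackageManager.NameNotFoundException | NoSuchAlgorithmException e) {
            return false;
        }
    }

    /** Decodes a lowercase/uppercase hex string into raw bytes. */
    static byte[] hexToBytes(String hex) {
        int len = hex.length();
        byte[] out = new byte[len / 2];
        for (int i = 0; i < len; i += 2) {
            out[i / 2] = (byte) ((Character.digit(hex.charAt(i), 16) << 4)
                    + Character.digit(hex.charAt(i + 1), 16));
        }
        return out;
    }
}
```

A typical use is to call `SigningIntegrity.isSignedByPublisher(context)` before unlocking sensitive flows such as the wallet or biometric login, and to treat a `false` result as a reason to refuse the operation and report the event to the bank's fraud monitoring. On its own this check is easy to find and patch out in an unprotected build, which is the point the section makes: it only holds up when combined with obfuscation, string encryption and RASP hooks that detect the patching itself.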
Conclusion: Secure digital banking with multi-layered mobile application protection
By combining OWASP best practices with comprehensive mobile application protections that offer obfuscation, encryption and RASP capabilities, banks can significantly reduce the risks of security incidents. This layered approach protects sensitive data that might be stored in the app, prevents app tampering and allows banks to continue innovating in the era of digital transformation.
Connect with a Guardsquare expert to discuss the right level of security for your mobile banking application.