March 26, 2025

    Mobile Banking Best Practices to Combat Fraud and Achieve Compliance

    Mobile banking has experienced unprecedented growth in the past decade. What once was a convenient perk has rapidly become the primary method for over 3.5 billion consumers to conduct financial transactions. As a result, financial institutions develop and maintain their own mobile applications to remain competitive. In fact, 91% of consumers stated that offering a mobile app is one of their top criteria when choosing a bank. Not only has overall adoption increased, but frequency of use has grown as well - 78% of those consumers with a mobile banking app use it to check their accounts weekly.

    The rising threat of fraud in mobile banking

    While the convenience of mobile banking is undeniable, its widespread adoption has also increased the need to protect mobile banking applications. A quarter of mobile users report experiencing fraud attempts multiple times per week. Although various regulatory measures have been established to protect consumers, the responsibility for implementing security measures largely falls on the financial institutions. The impact is twofold for banks: as the risk for fraud increases, additional protections are needed to safeguard consumers and comply with local regulations, or else face stiff financial penalties. Guardsquare’s most recent webinar, Fraud, Compliance, and Best Practices for Mobile Banking Apps, explores how to solve fraud and compliance challenges by improving mobile banking application security with a multi-layered mobile app protection strategy.

    Identifying security gaps and vulnerabilities is essential both to ensuring that identified risks are addressed and to discovering whether any compliance gaps exist in mobile banking applications. Not doing so potentially exposes banking apps to significant regulatory fines or penalties.

    Read on to learn how incorporating the best practices below assists in mitigating fraud and meeting compliance.

    Key security risks and considerations for mobile banking app protection

    Developers must address several unique risks specific to financial applications. Let’s take a closer look at some examples of specific threats.

    Cloning and intellectual property theft

    Although banking apps are not the most common target for cloning, the risk remains significant. Cybercriminals can reverse engineer and repackage legitimate banking apps with malicious code, resign the application and distribute it via phishing campaigns. Unsuspecting users who sideload these fraudulent apps expose their credentials and sensitive data. In 2023, Chinese scammers were able to sideload fake loan apps onto user devices to take advantage of India’s real-time payment system, UPI. These apps successfully deceived users, leading to financial loss and data breaches.

    Financial fraud and unauthorized transactions

    Financial fraud can manifest in a variety of ways within mobile banking apps. A common attack vector is the account opening and registration process. Malicious actors will create fake accounts to conduct illegal operations like money laundering. Strengthening registration controls and authentication measures can help mitigate this risk. Additionally, fraudsters may repackage applications or steal credentials to conduct unauthorized transactions, bypassing security mechanisms to access user funds.

    Malware and device compromise

    The presence of malware on end-user devices is a substantial risk to mobile banking application security. If a device is compromised, malicious software can capture user credentials, automate unauthorized transactions, and exploit security vulnerabilities. Banking apps must be designed to detect and mitigate the presence of malware, ensuring that financial transactions remain secure even when users' devices are compromised. Proper banking application security must be in place on your application to safeguard against this common threat.

    Regulatory concerns and regional standards

    Banking regulations have been extended to protect consumers using the mobile applications created by these financial institutions. Depending on the region, some regulations are more explicit than others with regard to what standards must be met. Others are broader in their definition of which mobile app protections must be in place. Below are some of the most influential regulatory frameworks impacting mobile banking app security:

    PSD2 compliance

    PSD2 regulations facilitate the optimization and democratization of e-payment services, enhance the customer experience, and improve retention. Specific to the EU, the advent of PSD2 has revolutionized online payments. It did so by giving banks and non-banking third-party players access to consumer bank account information while enforcing high security standards for consumer payments, advancing innovation, and spurring competition between service providers. Like the other regulations listed here, PSD2 requires security protections such as threat monitoring, SSL pinning, and code obfuscation, among others.

    GLBA and various US state laws

    The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to protect customer data and systems, which extends to protection for mobile banking applications. Non-compliance with the GLBA can incur fines of up to $100K per violation. What sets it apart from the regulations listed above is that the GLBA is less explicit in its requirements. Still, there are similar measures organizations can take to maintain compliance. These include identifying and assessing vulnerabilities through penetration testing and security testing, and analyzing the effectiveness of security controls through practices like threat monitoring.

    MAS technology risk management guidelines

    The Monetary Authority of Singapore (MAS) has specific regulations addressing technology risk management for banks operating in the country. Annex C contains mobile-specific security measures that should be considered by banks. Updated in 2021 to reflect the evolving threat landscape, these measures include runtime protections, data encryption, and SSL pinning.

    RBI mobile financial security compliance

    The Reserve Bank of India (RBI) has specific guidelines that outline comprehensive security requirements for digital payment applications (including banks). There are two primary sections that financial institutions need to pay attention to: General Controls and Mobile Payments Security Controls. Some of the requirements listed are code obfuscation, threat monitoring, security testing, and adherence to the OWASP MASVS standard.

    Common regulatory themes

    Despite regional differences, several security principles are consistently emphasized across regulatory frameworks:

    • App & Code Integrity: Protecting apps from cloning, reverse engineering, and unauthorized modifications.
    • Environment Integrity: Ensuring apps run in secure environments by detecting debugging, emulation, or rooted/jailbroken devices.
    • SSL Pinning: Preventing man-in-the-middle attacks by securing communications between the mobile app and the backend.
    • Anti-hooking & Runtime Protections: Preventing code manipulation and unauthorized access.
    • Data and Asset Encryption: Safeguarding sensitive assets such as API keys and payment information.

    While there are common themes between regional and international regulations, many of them lack robust security recommendations and techniques, especially for protecting mobile applications. Overall, they do provide a good starting point with guidelines to implement strong mobile banking application security controls. However, there are additional actions you can take to create a more comprehensive mobile application protection strategy.

    Limitations of existing fraud prevention measures

    While banks employ several fraud prevention tools, such as secure SDKs, multi-factor authentication (MFA), and Know-Your-Customer (KYC) protocols, these measures are not foolproof.

    • Know-Your-Customer (KYC) bypassing: Attackers leverage deepfake technology, device spoofing, and malware to circumvent KYC verifications.
    • MFA exploitation: Cybercriminals use Trojan malware to intercept authentication codes and compromise user accounts.
    • Secure SDK attacks: Hackers exploit man-in-the-middle techniques to manipulate communication between SDKs and applications, disabling features.

    Best practices for mobile banking app protection

    So, given that even secure development practices can be bypassed, which security controls should you adopt? The following additional measures can be taken to bolster your mobile banking app’s protection:

    Identifying and protecting sensitive code

    As a developer you have a deep understanding of your application. The first step towards enhanced security protections is knowing which assets and areas of your application are a target for bad actors. Think of assets or code sensitive to the flow of your application, especially during runtime. This could be API keys, personally identifiable information, and payment transaction details. Make sure these are well protected, encrypted, and obfuscated to mitigate reverse engineering attempts.

    Implementing code obfuscation

    Code obfuscation is a critical layer to protecting your mobile banking application with a defense in depth strategy. It should not be used alone, but rather as a component of your mobile app defense strategy to make it difficult for others to reverse engineer and understand the flows of your application. Without this understanding, it’s very difficult for malicious actors to inject malware into your application or know which flows to target.

    Strengthening data protection

    Throughout the lifecycle of your application, there will be data available statically and at runtime. Developers should protect this data both on the client side and on the back end. This includes secure communication between your client and the back end. You will also want to make sure any data in memory stays there for as short a time as possible and is well protected.

    Enforcing runtime application self-protection (RASP)

    RASP ensures applications cannot be modified or tampered with while the application is running. RASP protects against hooking or the manipulation of libraries or code functions the application depends upon. Malicious actors will incorporate techniques to attempt to bypass security mechanisms or change the behavior of your application. The ability to identify when the app is being tampered with and defend against it is vital to overall application security.

    Enhancing malware detection and mitigation

    As stated earlier, many users have malware present on their devices. Mobile applications, and mobile banking applications in particular, need to be able to protect against malware present on end-user devices. Security for mobile banking applications should include defenses against certain malware tactics like screen recording of user inputs or overlay attacks. Locking down important ecosystem features like accessibility can help prevent malware from using accessibility services to infiltrate an application.

    Implementing device and transaction binding

    Nowadays, attacks are often scaled to become widespread across many different users and devices. The UPI and PIX attacks mentioned earlier demonstrate how fast these attacks can scale and be carried out. App developers can add mechanisms to track and trace activity once a specific device has been bound to an account. The binding is securely recorded so that any attempt to interact with your back end from a different device or an unapproved app triggers established security mechanisms. An example security mechanism would be reauthenticating users when they sign in from a different device or location. Measures like these introduce friction that greatly slows down the ability to scale attacks on your application.
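    As an added example (not code from the original post or from Guardsquare), a minimal server-side implementation of the binding logic described above. It assumes a per-device secret is issued when a device is first bound, that the bound device tags each transaction with an HMAC over the request plus a fresh nonce, and that the account and device identifiers are constructed:

```python
"""Server-side device and transaction binding (added example; constructed data)."""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field


@dataclass
class DeviceBinding:
    device_id: str
    key: bytes                             # shared secret issued at binding time (assumed)
    last_geo: str                          # coarse location seen at the last sign-in
    used_nonces: set = field(default_factory=set)


class BindingStore:
    """In-memory account -> device_id -> binding map (a database in practice)."""

    def __init__(self):
        self.bindings: dict[str, dict[str, DeviceBinding]] = {}

    def bind(self, account: str, device_id: str, geo: str) -> bytes:
        """Bind a device after the user has fully authenticated; returns its key."""
        key = secrets.token_bytes(32)
        self.bindings.setdefault(account, {})[device_id] = DeviceBinding(device_id, key, geo)
        return key

    def lookup(self, account: str, device_id: str):
        return self.bindings.get(account, {}).get(device_id)


def evaluate_sign_in(store: BindingStore, account: str, device_id: str, geo: str) -> str:
    """Return 'bind' (first device), 'step_up' (reauthenticate first) or 'allow'."""
    if not store.bindings.get(account):
        return "bind"                      # first device: bind after full KYC/MFA
    binding = store.lookup(account, device_id)
    if binding is None:
        return "step_up"                   # unknown device: reauthenticate before binding
    if binding.last_geo != geo:
        return "step_up"                   # known device, new location
    return "allow"


def sign_transaction(key: bytes, payload: dict) -> str:
    """Tag a transaction with the device key (what the bound device would compute)."""
    msg = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_transaction(store: BindingStore, account: str, device_id: str,
                       payload: dict, tag: str) -> bool:
    """Accept only transactions tagged by a bound device, each nonce at most once."""
    binding = store.lookup(account, device_id)
    if binding is None:
        return False                       # unbound device or repackaged app
    nonce = payload.get("nonce")
    if not nonce or nonce in binding.used_nonces:
        return False                       # missing nonce or replayed request
    if not hmac.compare_digest(sign_transaction(binding.key, payload), tag):
        return False                       # payload altered or wrong device key
    binding.used_nonces.add(nonce)
    return True
```

    A real deployment would keep the device key in hardware-backed storage on the device and persist bindings and nonces server-side; the decision logic stays the same.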

    Utilizing attestation and continuous monitoring

    Attestation is a method to extend RASP protections from the client side to the server side of an application. This is because attestation gives security teams the ability to make certain security decisions and policies on the server side, deeply integrating them into the back-end flow of your application. For instance, when a user is opening an account and you want to verify the integrity of their device, attestation will verify using data collected by that device over time to ensure it meets the correct security threshold to open an account. An attestation service may also be leveraged to check device integrity based on server-side policies when high-value transactions take place.
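    An added example of the policy side of attestation, not code from the original post or from any attestation provider. The evidence format (a JSON verdict authenticated with an HMAC under a key shared with the back end), the integrity score and the per-operation thresholds are assumptions constructed for illustration; real services sign evidence with public keys, but the server-side decision logic is the same:

```python
"""Server-side attestation policy (added example; constructed evidence format)."""
import hashlib
import hmac
import json
import time

SERVICE_KEY = b"constructed-attestation-service-key"   # assumed shared secret

# Per-operation policy: minimum integrity score, maximum evidence age, and
# signals that disqualify the device outright (all values constructed).
POLICY = {
    "open_account":  {"min_score": 90, "max_age_s": 300,  "reject": {"rooted", "hooked", "emulator"}},
    "high_value_tx": {"min_score": 80, "max_age_s": 60,   "reject": {"rooted", "hooked", "debugger"}},
    "balance_query": {"min_score": 50, "max_age_s": 3600, "reject": {"hooked"}},
}


def _mac(key: bytes, body: dict) -> str:
    raw = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, raw, hashlib.sha256).hexdigest()


def issue_evidence(key: bytes, device_id: str, score: int, signals, issued_at: int) -> dict:
    """Stand-in for what the attestation service returns to the app (constructed)."""
    body = {"device_id": device_id, "score": score, "signals": sorted(signals), "iat": issued_at}
    return {"body": body, "mac": _mac(key, body)}


def check_attestation(evidence: dict, operation: str, now=None, key: bytes = SERVICE_KEY):
    """Return (decision, reason) for one back-end operation given attestation evidence."""
    now = time.time() if now is None else now
    rule = POLICY[operation]
    # 1. Authenticity: the verdict must come from the attestation service, untouched.
    if not hmac.compare_digest(_mac(key, evidence["body"]), evidence["mac"]):
        return "deny", "evidence signature invalid"
    body = evidence["body"]
    # 2. Freshness: high-value operations demand recent evidence; reject future-dated too.
    age = now - body["iat"]
    if age < 0 or age > rule["max_age_s"]:
        return "deny", "evidence stale"
    # 3. Hard disqualifiers for this operation (e.g. a hooked app opening an account).
    bad = rule["reject"] & set(body["signals"])
    if bad:
        return "deny", "rejected signal: " + ",".join(sorted(bad))
    # 4. Soft threshold: below the score, ask for step-up authentication instead of denying.
    if body["score"] < rule["min_score"]:
        return "step_up", "integrity score below threshold"
    return "allow", "ok"
```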

    Threat monitoring provides air cover for your application once it is in the hands of your users. Real-time threat monitoring enables your security team to identify and analyze threats to your application, including users and devices associated with fraudulent activity. By staying on top of these threats, your security team can communicate any new or evolving threats to developers so they can build protections against them.

    Conducting regular mobile banking application security testing

    An overall security best practice is regular security testing. Mobile application security testing (MAST) will identify security vulnerabilities and weaknesses in your code that should be addressed prior to release. Some of the known vulnerabilities that can be identified with MAST include hardcoded API keys and different data flows that may lead to exploitation. This proactive approach to security mitigates risks and can be incorporated directly into the software development lifecycle. OWASP, an industry standard in mobile security testing, provides a list of top security vulnerabilities and further MAST resources.

    Implementing a security-first approach

    Adopt a security-first mindset

    Security should be top of mind throughout development of your mobile application. The first step is conducting a threat modeling exercise. Unfortunately, many overlook this step and start diving into which features their app requires. But, without understanding the risks and threats you are trying to protect against, the features will have limited impact. Incorporating a diverse range of viewpoints from your engineering and security teams to collaborate on a threat modeling strategy will have long-lasting positive impacts. Once the greatest risks to your application and your users are identified, all your decisions will flow downstream from there to create a secure software development lifecycle.

    Identifying threats and vulnerabilities

    As mentioned, the first step to incorporating security best practices is identifying key threats and vulnerabilities. Leveraging resources such as OWASP and the experience of your engineering and security teams is an excellent method. Staying up to date on threats specific to the mobile banking industry is also highly encouraged, as the landscape evolves rapidly with new threats each day. A structured approach includes:

    • Understanding financial institution risks
    • Assessing regulatory compliance gaps
    • Identifying app vulnerabilities
    • Evaluating potential incident impact
    • Implementing effective security measures

    The key here is to align your threat modeling strategy with your mobile banking app security strategy. By doing so, you will reassure yourself that you are testing and measuring what matters to your banking application and its users.

    Enhancing KYC with advanced protections

    After conducting a threat modeling exercise, your team may identify the opening of fraudulent accounts as an apparent threat to your mobile banking application that should be prioritized. So, your application is built with a secure SDK to add KYC protections. This protection is often found as a requirement for anti-money laundering compliance as well, and is required to increase protection for mobile banking applications.

    However, as we illustrated above, KYC flows can still be bypassed - unless they are boosted with strong code hardening and RASP protections. Code hardening encrypts and places obfuscation around the KYC logic (and other flows) within your mobile banking application. It prevents bad actors who download your application from the app store from opening it in a static analysis tool and seeing where all the KYC logic is present in your application’s code. If this logic is undetectable, it will be extremely difficult for them to tamper with or manipulate the logic of your KYC flow.

    RASP prevents tampering from occurring dynamically within your application. Essentially, RASP is a collection of runtime checks injected randomly into your application. An example of a RASP check would be debugger or emulator checks to verify environment integrity. Another benefit of RASP checks is detecting rooted or jailbroken devices and preventing them from interacting with your application. They can also detect hooking frameworks and prevent them from interacting with the app, verifying code and app integrity by protecting them from modification. DexGuard and iXGuard, built for Android and iOS respectively, are examples of tools that provide complete mobile app protection against reverse engineering and tampering by using protection mechanisms like RASP and code hardening techniques.

    Continuously test your app for vulnerabilities

    It's essential to test your application regularly via MAST, as mentioned earlier. Regular mobile banking app security testing keeps security top of mind when developing your application and prevents vulnerable apps from being released. There are several requirements that can be used as a guide when conducting security testing:

    1. Establish objectives
    2. Define testing requirements
    3. Test early, often, and after every build
    4. Integrate testing into the CI workflow
    5. Test 3rd-party dependencies
    6. Use static and dynamic analysis
    7. Implement automated security testing and pentesting

    Tools like AppSweep scan your app’s code and dependencies early in development, uncovering vulnerabilities before they become costly problems. AppSweep provides actionable recommendations to help developers fix the discovered vulnerabilities quickly and efficiently.

    Stay vigilant with threat monitoring

    Enriching your fraud-detection and risk assessment strategy with runtime threat monitoring is another method to raise security awareness. With threat monitoring, security teams can identify users and devices generating threats associated with fraudulent transactions. After discovery, they can implement mechanisms to prevent these devices or users from gaining access to the application. For instance, they may initiate an automatic crash when a user attempts to log in to your banking app with a rooted device.

    Tools like ThreatCast also deliver metadata with each threat. The metadata includes information like which app version is being used, the OS, the device model, and the geolocation of the users. These insights can be incorporated into development as new threats emerge. Security and engineering teams can use the targeted app versions, the status of evolving threats, and the threat metadata to mitigate future risk by building protections into future app builds.
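    An added example (not ThreatCast code, nor from the original post) of triaging a feed of runtime detections that carry the metadata described above: which app version is being targeted, which devices should be cut off, and where the activity comes from. The event records, field names and thresholds are constructed for illustration:

```python
"""Triage of runtime threat-monitoring events (added example; constructed feed)."""
from collections import Counter, defaultdict

# Constructed sample feed: one record per detection the app reported at runtime.
EVENTS = [
    {"ts": 1000, "device": "d1", "threat": "root", "version": "4.2.0", "os": "Android 13", "model": "X1", "country": "IN"},
    {"ts": 1005, "device": "d1", "threat": "root", "version": "4.2.0", "os": "Android 13", "model": "X1", "country": "IN"},
    {"ts": 1010, "device": "d2", "threat": "emulator", "version": "4.2.0", "os": "Android 12", "model": "sdk_gphone", "country": "IN"},
    {"ts": 1020, "device": "d2", "threat": "hook", "version": "4.2.0", "os": "Android 12", "model": "sdk_gphone", "country": "IN"},
    {"ts": 1030, "device": "d3", "threat": "root", "version": "4.1.9", "os": "Android 11", "model": "Y2", "country": "IN"},
    {"ts": 9000, "device": "d3", "threat": "root", "version": "4.1.9", "os": "Android 11", "model": "Y2", "country": "IN"},
    {"ts": 1600, "device": "d4", "threat": "debugger", "version": "4.2.0", "os": "iOS 17", "model": "iPhone", "country": "BE"},
]

HIGH_RISK = {"hook", "emulator"}   # tampering signals treated as disqualifying on their own


def targeted_versions(events):
    """Rank (app version, threat type) pairs by detection count, most targeted first."""
    counts = Counter((e["version"], e["threat"]) for e in events)
    return sorted(counts.items(), key=lambda kv: -kv[1])


def devices_to_block(events, window_s=600, min_hits=2):
    """Flag a device on any high-risk signal, or on min_hits detections within window_s.

    A single root detection may be a power user; repeated detections in a short
    window, or a hooked/emulated app, look like tooling rather than a person.
    """
    by_device = defaultdict(list)
    for e in events:
        by_device[e["device"]].append(e)
    flagged = {}
    for dev, evs in by_device.items():
        evs.sort(key=lambda e: e["ts"])
        if any(e["threat"] in HIGH_RISK for e in evs):
            flagged[dev] = "high-risk signal"
            continue
        for i in range(len(evs) - min_hits + 1):
            if evs[i + min_hits - 1]["ts"] - evs[i]["ts"] <= window_s:
                flagged[dev] = "repeated detections"
                break
    return flagged


def campaign_profile(events):
    """Summarise origin metadata (country, OS, model) so the team can see how an attack clusters."""
    return {k: Counter(e[k] for e in events) for k in ("country", "os", "model")}
```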

    Start combatting fraud and simplify compliance requirements to protect mobile banking apps

    Mitigating fraud and achieving regulatory compliance is a necessity for mobile banking app protection. While there are secure development methods like building with secure SDKs and implementing KYC protections, these alone are not enough to protect against fraud. Implementing a multi-layered app protection strategy delivers comprehensive protection for mobile banking applications against fraud and helps you achieve compliance requirements.

    A security-first mindset throughout the SDLC is critical to staying vigilant against threats to your application. Implementing RASP protections and code hardening techniques with tools like DexGuard (Android) or iXGuard (iOS) strengthens the resilience of your existing fraud protections. MAST with AppSweep helps you identify any security risks or vulnerabilities prior to release, so you can identify any security or compliance gaps early. Once your app is published, continuous threat monitoring with ThreatCast keeps your team up to date on active and evolving threats to your users and app, with relevant insights you can implement into your next sprint.

    Learn more about Guardsquare’s comprehensive, polymorphic approach to mobile application security here.
