OWASP Mobile Top 10 Applied to Banking
Mobile banking apps are on the rise because they provide a convenient way to deal with our finances - from managing accounts to making payments. In fact, 78% of American adults prefer using digital banking with a mobile app or a website.
However, this widespread adoption has made mobile banking a prime target for threat actors seeking to commit fraud, steal customers’ money or confidential data.
As we discussed in a previous blog, common attack vectors include malware, cloned apps, and Man-in-the-Middle attacks. These threats underscore the urgent need for robust mobile banking security.
The OWASP Mobile Top 10 provides a comprehensive framework for achieving industry-standard mobile app security and mitigating the key risks posed by these attack vectors.
Key Takeaways:
- The OWASP Mobile Top 10 offers developers and security professionals clear guidelines for addressing the most critical security challenges in mobile banking applications.
- Real-world security incidents demonstrate the severe consequences of neglecting OWASP best practices.
- Mobile app protection is essential to mitigate the risks highlighted in the OWASP Mobile Top 10.
What is the OWASP Mobile Top 10?
OWASP is a global nonprofit organization dedicated to enhancing software application security. By leveraging OWASP guidelines and tools, developers can proactively identify and address security vulnerabilities, ensuring a safer and more reliable user experience.
One of the key tools provided by OWASP is the OWASP Mobile Top 10, a curated list of the most critical security risks that mobile apps face. Serving as a comprehensive guide for developers, the list empowers them to identify and mitigate potential vulnerabilities in their mobile apps. The OWASP Mobile Top 10 is regularly updated to reflect evolving threats and best practices in mobile security with the latest version being released in January 2024.
Why is the OWASP Mobile Top 10 important for mobile app developers?
By adhering to the guidelines of the OWASP Mobile Top 10, developers can create more secure, reliable, and trustworthy mobile applications. Specifically, these guidelines help developers with:
- Prioritization of vulnerabilities: It highlights the most pressing security concerns, enabling developers to allocate resources effectively.
- Risk mitigation: By addressing risks highlighted in the top 10, developers can significantly reduce the likelihood of their apps being compromised.
- Compliance: Adherence to the OWASP Mobile Top 10 can help developers meet industry standards and regulatory requirements.
- Reputation protection: Secure mobile apps contribute to a positive user experience and safeguard the reputation of both the developer and the organization behind the app.
- Cybersecurity education: The OWASP Mobile Top 10 serves as a tool to ensure mobile app developers are aware of the latest threats and mitigations.
Mitigate mobile app security risks
The OWASP Mobile Top 10 not only identifies the most critical risks for mobile apps, but also offers developers and security professionals actionable guidelines for addressing these challenges. It combines general best practices with targeted risk mitigations to bolster the security of mobile applications.
Building a secure foundation
- Secure coding: Integrate secure coding practices throughout development to minimize vulnerabilities from the start.
- Testing & reviews: Conduct rigorous code reviews and testing to identify and address security issues early in the development process.
Addressing specific threats
- Improper Credential Usage (M1): Avoid storing credentials directly within the app. If necessary, use strong encryption for data at rest and in transit.
- Inadequate Supply Chain Security (M2): Ensure secure app signing and distribution processes, use trusted libraries, and implement robust security controls for updates. Regularly test and scan for vulnerabilities. Vet suppliers by requesting protected SDKs.
- Insecure Authentication/Authorization (M3): Avoid weak authentication design patterns.
- Insufficient Input/Output Validation (M4): Reject suspicious data, enforce length limits, and encode before display/transmission. Tailor validation to data type (file uploads, database queries) and add integrity checks to prevent corruption.
- Insecure Communication (M5): Always secure sensitive data transfers with SSL/TLS encryption, verify server certificates, and avoid mixed sessions. Consider extra encryption for maximum protection. Never use unencrypted channels like SMS or notifications.
- Inadequate Privacy Controls (M6): Minimize the amount of personal identifiable information (PII) collected and processed to reduce the attack surface.
- Insufficient Binary Protections (M7): Assess for critical content and threats. If necessary, obfuscation and local/backend security checks can deter reverse engineering, manipulation, and redistribution. Integrity checks can also detect unauthorized modifications.
- Security Misconfiguration (M8): Prioritize secure defaults, minimize permissions, enforce least privilege, disable debugging in production, and limit app functionality exposed to other apps.
- Insecure Data Storage (M9): Use strong encryption, secure data transmission, secure storage mechanisms, access controls, input validation, secure session management, and keep dependencies updated.
- Insufficient Cryptography (M10): Use strong, standard encryption algorithms with strong keys. Manage keys securely and avoid custom cryptographic code. Encrypt data at rest and in transit. Validate all parties. Stay updated and follow best practices.
OWASP Mobile Top 10 risks in action
The OWASP Mobile Top 10 is not a theoretical concept. It represents real-world vulnerabilities that have led to significant security incidents in the mobile app market. Here are recent examples from the mobile banking industry.
M1: Improper Credential Usage
Five mobile banking apps compromised the digital fingerprints of 300,000 users due to poor credential management. The breach exposed how hard-coded AWS credentials within the apps led to sensitive data leaking and potentially granted threat actors access to additional and more sensitive data.
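As an added illustration (not code from the original post or from any Guardsquare product), the following static check flags hard-coded credentials such as the AWS keys in this incident when run over source or decompiled strings. The AWS access key ID format is public; the other two patterns and the sample source lines are constructed for this example, and the proper fix is for a backend to issue short-lived tokens rather than shipping any secret in the app.

```python
import re

# Secret patterns that must never ship inside an app binary. The AWS
# access key ID format (AKIA + 16 uppercase alphanumerics) is public;
# the other two rules are heuristics assumed for this example.
RULES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "aws_secret_key": re.compile(
        r"(?i)aws[_-]?secret[_-]?(?:access[_-]?)?key\W{0,5}['\"][A-Za-z0-9/+=]{40}['\"]"),
    "generic_secret": re.compile(
        r"(?i)\b(?:password|passwd|api[_-]?key|secret)\b\s*[:=]\s*['\"][^'\"]{8,}['\"]"),
}

def redact(token):
    """Keep only a short prefix so the report itself does not re-leak the secret."""
    return token[:8] + "..."

def scan_lines(lines):
    """Return (line_no, rule, redacted_match) for each suspected hard-coded credential."""
    findings = []
    for no, line in enumerate(lines, 1):
        for rule, pattern in RULES.items():
            match = pattern.search(line)
            if match:
                findings.append((no, rule, redact(match.group(0))))
    return findings

# Constructed sample: lines as they might appear in decompiled Kotlin source of
# a banking app (the secret value is the public example key from AWS documentation).
SAMPLE_SOURCE = """\
const val BASE_URL = "https://api.example-bank.test/v1"
val awsAccessKeyId = "AKIAEXAMPLE0000000AB"
val awsSecretAccessKey = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
val userAgent = "ExampleBank/3.2"
val password = "hunter2hunter2"
""".splitlines()

if __name__ == "__main__":
    for no, rule, snippet in scan_lines(SAMPLE_SOURCE):
        print(f"line {no}: {rule} -> {snippet}")
```

Run it as a pre-release gate over the decompiled release build, not only over the repository, so that secrets pulled in by SDKs and build steps are caught too.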
M2: Inadequate Supply Chain Security
In 2023, the first banking supply chain attack using malicious NPM packages compromised two banks. This attack demonstrates how vulnerabilities in common libraries or SDKs can be exploited to launch attacks across multiple apps.
M3: Insecure Authentication/Authorization
A recent study found that several top UK banks did not use MFA adequately in their mobile banking apps, making them susceptible to unauthorized access. Unauthorized access can lead to revenue losses due to fraud.
M4: Insufficient Input/Output Validation
A vulnerability in a crypto digital wallet let attackers perform remote code execution attacks. This attack demonstrates how failing to validate user input can lead to various attacks such as SQL injection, command execution and cross-site scripting (XSS).
M5: Insecure Communication
Malware in India intercepted data shared by mobile banking apps with their backend servers on unencrypted communication channels. In this example, the malware was capable of stealing Multi-Factor Authentication tokens and session cookies to use them for further unauthorized access to financial data.
M6: Inadequate Privacy Controls
The Money Lover finance app incident exposed user data due to inadequate privacy controls. This kind of risk often originates from other issues such as insecure data storage and communication (cf. M5, M9), data access with insecure authentication and authorization (cf. M3, M1), and insider attacks on the app’s sandbox (cf. M2, M4, M8).
M7: Insufficient Binary Protections
Police in India recently arrested a developer who cloned popular mobile banking apps and the criminals working with him to steal money using the cloned apps. Weak binary protection allowed criminals to reverse engineer the app, steal its functionality, and create malicious clones for further attacks.
M8: Security Misconfiguration
A study done by Cybernews found that Android financial apps are too greedy for permissions. Asking for unnecessary permissions, such as camera access or external file storage access, could lead to security and privacy issues.
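As an added example (not from the original post or any Guardsquare tool), a small audit of an AndroidManifest.xml that checks the M8 points above: debugging enabled, permissions a banking app rarely needs, and components exposed to other apps without a protecting permission. The sample manifest and the list of "greedy" permissions are constructed for this example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

def android_attr(name):
    """Fully qualified name of an android: attribute as ElementTree sees it."""
    return f"{{{ANDROID_NS}}}{name}"

# Permissions a banking app rarely needs (assumed illustrative list; tune per app).
GREEDY_PERMISSIONS = {
    "android.permission.CAMERA",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}

def audit_manifest(xml_text):
    """Return a list of M8-style findings for an AndroidManifest.xml string."""
    root = ET.fromstring(xml_text)
    issues = []
    app = root.find("application")
    if app is not None and app.get(android_attr("debuggable")) == "true":
        issues.append("debuggable=true: debugging must be disabled in production")
    for perm in root.findall("uses-permission"):
        name = perm.get(android_attr("name"))
        if name in GREEDY_PERMISSIONS:
            issues.append(f"unnecessary permission: {name}")
    # Activities are skipped: the launcher activity has to be exported, so
    # review them by hand. Only an explicit android:exported="true" is checked.
    for tag in ("service", "receiver", "provider"):
        for comp in (app.findall(tag) if app is not None else []):
            if comp.get(android_attr("exported")) == "true" and not comp.get(android_attr("permission")):
                issues.append(f"exported {tag} without permission: {comp.get(android_attr('name'))}")
    return issues

# Constructed sample manifest with several misconfigurations.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.bank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <application android:debuggable="true">
    <activity android:name=".MainActivity" android:exported="true"/>
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.bank.permission.SYNC"/>
    <provider android:name=".AccountProvider" android:exported="true"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for issue in audit_manifest(SAMPLE_MANIFEST):
        print("finding:", issue)
```

Run it against the manifest of the final merged release build, since library manifests are merged in at build time and can add permissions and exported components the app's own manifest never declared.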
M9: Insecure Data Storage
Customer data managed by a mobile banking app was found to be accessible by other apps on the same device, highlighting the risks of insecure data storage.
M10: Insufficient Cryptography
A recent analysis of UK banks discovered mobile banking apps using outdated versions of Transport Layer Security (TLS) or weak algorithms for encrypting and decrypting data.
Strengthening mobile app security with multi-layered protections
To address the OWASP Mobile Top 10 and achieve a robust security posture, a multi-layered approach is required. This is particularly critical in mobile banking, where sensitive financial data and transactions are constantly at risk. Combining OWASP best practices with layers of advanced mobile application protection strategies, such as obfuscation, tamper detection, and runtime integrity checks, can significantly enhance the resilience of mobile banking apps.
By integrating these additional security measures, mobile banking app publishers can better protect their apps, users’ data and transactions from increasingly sophisticated attacks, ensuring trust and security in the digital banking experience.
For organizations seeking to elevate their mobile security posture, adopting both the OWASP guidelines and advanced mobile app protection solutions is a key strategy for long-term success in an ever-changing threat landscape.
For further guidance on securing mobile banking applications, connect with a Guardsquare expert.