How to Protect Financial Android Apps From Reverse Engineering
In the past few years, mobile finance apps reached 573.1 million downloads in the US and, in 2022, the financial app market’s value reached $1.18 billion worldwide. With financial apps, it’s easy for users to transfer money, invest, and perform basic banking functions on the go. The growing popularity of these apps makes them attractive to businesses looking to grow and retain their customer base, and also a target for threat actors.
One of the most common ways threat actors attack a mobile financial app is reverse engineering. An attacker will typically download the targeted app from an app store and analyze the app within their local environment using a variety of tools. If the reverse engineering attempt is successful, threat actors can access financial data and personally identifiable information (PII) in the app, putting the mobile app’s publisher and financial institution at risk for revenue loss, fines, and brand reputation damage as a result of fraud.
In this blog, we’ll examine what information threat actors target with reverse engineering, common financial app security vulnerabilities, and how to protect your iOS and Android apps from reverse engineering attacks.
What are threat actors targeting in reverse engineering?
According to the Open Web Application Security Project (OWASP), when threat actors target a mobile app for reverse engineering they’re usually trying to accomplish the following:
- Reveal information about back-end servers.
- Expose cryptographic constants and ciphers.
- Steal intellectual property.
- Perform attacks against back-end systems.
- Gain intelligence needed to perform subsequent code modification.
What are common financial app security vulnerabilities?
The process of mobile app reverse engineering often leads to threat actors discovering exploitable security weaknesses in financial apps. Some of the most common vulnerabilities include:
- Exposed API keys that enable threat actors to attack servers dedicated to payments or managing sensitive data.
- Unprotected password input fields that allow clear text communication, which could lead to the theft of sensitive financial data.
- UI elements susceptible to clickjacking, an attack that encourages users to click on a button or element which triggers a malicious response. This could include downloading malware or gathering confidential data.
- Out-of-date secure layer communications ripe for man-in-the-middle (MiTM) attacks that intercept communication of sensitive financial data between the app and the banking server.
- Easily decrypted app code which can lead to code modification or cloning and repackaging apps with malicious payloads. These repackaged apps can be distributed through illegitimate app stores and via email/sms phishing campaigns.
Guardsquare helped one of the largest digital wallet providers in South Asia stop threat actors from reverse engineering its app. The client used DexGuard and iXGuard’s API call hiding and app integrity checks to prevent cloning and repackaging.
What is the cost of mobile app reverse engineering?
Last year, threat actors exploited an API key tied to Slope, a mobile software wallet provider. Slope’s software wallet was used by Solana, a blockchain designed to support massively scaling decentralized applications (dapps). As a result of the attack, thousands of Solana users’ SOL, a USDC stablecoin, and other Solana-provided tokens were stolen. In total, the threat actors stole a total of $4.46 million in coins and tokens.
Solana is an example of reverse engineering where attackers discovered the API key by breaking down and analyzing the app for vulnerabilities. Unfortunately, these attacks affect everyone — from the end-users’ tokens, to the irreparable reputational damage Solana suffered.
When it comes to reverse engineering, many app publishers and security specialists underestimate the true costs of revenue loss from customer churn and fines from regulatory bodies.
How to protect your financial app against reverse engineering
Apply OWASP’s Mobile Application Security Verification Standard (MASVS)
OWASP MASVS provides an industry standard on mobile app security with particular recommendations for financial apps. MASVS recommends that mobile apps handling money and PII adopt four additional security controls for resilience to guard against reverse engineering and tampering:
- MASVS-RESILIENCE-1: The app validates the integrity of the platform to ensure that it has not been compromised in a way that gives an advantage when performing reverse engineering. This requirement includes a focus on root/jailbreak detection, virtual environment detection, as well as utilizing device attestation to guarantee the authenticity of the user device.
- MASVS-RESILIENCE-2: The app implements anti-tampering mechanisms, which focuses on checks that verify the integrity of the application, ensuring it has not been modified or repackaged. It can also guarantee the runtime integrity of the application and the resources it depends on.
- MASVS-RESILIENCE-3: The app implements anti-static analysis mechanisms. While it is impossible to prevent someone from analyzing your application using static analysis tools, obfuscation techniques can play a vital role in increasing the difficulty of performing static analysis. Layering obfuscation techniques and taking steps to prevent your app from leaking metadata can significantly improve the resilience of your application to static analysis.
- MASVS-RESILIENCE-4: The app implements anti-dynamic analysis techniques. Dynamic analysis is a technique used to observe or manipulate an application and its behavior at runtime. To prevent dynamic analysis as a tool for reverse engineering, build in debugger detections, or dynamic analysis tools and techniques. These detections should be carefully implemented and hardened to ensure attackers can’t easily bypass or observe them.
Build an anti-reverse engineering toolkit (automation is key)
OWASP MASVS is a good foundation for security, but implementation of the recommended security standards requires additional tools. After all, MASVS recommends adding runtime application self-protection (RASP) to your financial app to protect against dynamic analysis attacks. RASP functions by injecting checks throughout your application’s code to detect where and when a threat actor is attempting to reverse engineer your app. Manually injecting checks is tedious and lacks the agility and effectiveness of automated check injection. You’ll want to find a security solution that automates the RASP process.
Additionally, MASVS-RESILIENCE-3, recommends adding layers of obfuscation to your mobile application. Obfuscation strategies include renaming classes, fields, methods, and libraries in your app’s structure and altering the structure of the code, among other methods like control flow obfuscation. Often, developers and security specialists lack the specialized knowledge to apply multiple obfuscation techniques, which can leave the app vulnerable. To avoid security gaps, it’s best to find a tool that automatically applies multiple layers of obfuscation to your application.
Consider Guardsquare for comprehensive reverse engineering protection
Guardsquare offers a comprehensive mobile app security approach, including protecting, testing, and real-time monitoring of financial services apps.
- DexGuard and iXGuard help Android and iOS developers safeguard their financial services apps against reverse engineering and tampering with multiple layers of obfuscation and automated RASP.
- AppSweep scans apps throughout the development process to find vulnerabilities before threat actors can exploit via reverse engineering. The security insights provided from AppSweep are mapped to the OWASP MASVS framework to provide additional context to developers and security specialists.
- ThreatCast monitors apps in real time, collecting information from DexGuard and iXGuard’s injected RASP checks. When threat actors attempt to reverse engineer an app, data and insights are provided to the developers and security specialists to improve security in future builds.
An Australian bank, one of the largest commercial banks in the Asia-Pacific region, used Guardsquare’s DexGuard and iXGuard to launch protected apps capable of safeguarding the 3.5 million in-app banking sessions conducted each day.
Don’t underestimate the threat
When it comes to protecting Android and iOS financial apps from reverse engineering, it’s important to consider what is at risk and plan ahead to prioritize security and protect the sensitive information and assets in your app with a comprehensive security plan. Not only is the end-users’ data at risk, but also your organization’s revenue and reputation.
As mobile app usage continues to grow, so will the number of financial apps and, unfortunately, the threat actors targeting them. Reverse engineering is a sophisticated attack technique that requires multiple layers of mobile application protection. As always, Guardsquare recommends approaching the security of your app with a “protect, test, and monitor” mindset.
Ready to protect your financial app against reverse engineering? Connect with an expert to get started.
Executive summary (TL;DR)
- Due to the large amount of sensitive data and assets handled by financial apps, mobile app reverse engineering is a major threat.
- Threat actors targeting financial apps for reverse engineering are looking to exploit vulnerabilities in the app for fraud and sensitive data theft. App publishers and financial institutions are at risk of revenue loss, customer churn, and regulatory fines.
- The OWASP MASVS resilience recommendations in addition to a mobile app security approach that focuses on protection, testing, and monitoring can successfully bring visibility to and block reverse engineering attempts.