Secure iOS Mobile Banking Digital Wallets Under the DMA
The European Union's recent decision to accept Apple's proposal for complying with the DMA, which lets third-party providers bypass Apple Pay for contactless payments, has created new business opportunities for digital wallet applications on iOS. But are app publishers truly prepared to seize this opportunity?
This blog post explores the critical aspects of mobile app security for mobile banking digital wallet solutions, and what compliance with industry standards such as PCI DSS and the EMVCo security requirements demands of them.
The rise of mobile digital wallets: Benefits & challenges
A digital wallet, as defined by the Mobey Forum, is a mobile application capable of securely storing and managing digital assets. While initially focused on payments, digital wallets have expanded, as usage has grown, to encompass a broader range of use cases such as commerce, identity management, ticket management, and banking.
Digital wallets have become the preferred payment method globally, driven by the widespread adoption of mobile devices. For instance, over 53% of Americans favor digital wallets, according to Forbes. While European adoption is lower at 32% for exclusive use, 72% engage with digital wallets. In Asia-Pacific, digital wallets dominate in-store payments, with a remarkable 50% market share, and a peak of 66% in China.
This trend is accelerating due to several factors:
- Convenience: consumers increasingly opt for smartphones over physical wallets, making digital wallets readily accessible.
- Ease of use: contactless payment technology simplifies transactions compared to traditional payment methods.
- Security: unlike physical wallets, mobile devices can be locked remotely, protecting digital wallets and personal information from theft. Furthermore, payment data is usually protected by biometric authentication and authorization, such as fingerprint or face recognition.
Despite their advantages, digital wallets remain attractive targets for fraudsters who employ various tactics to steal sensitive financial and user data. These attacks include:
- Fake app creation: Malicious apps disguised as legitimate digital wallets can steal sensitive information during transactions.
- App tampering: Attackers may modify existing digital wallet apps to extract card details or introduce malicious code.
- Man-in-the-middle attacks: Threat actors intercept communications between the digital wallet app and payment processors to steal data.
To counter these threats, developers must implement robust app protection measures to deter attackers and safeguard financial data.
The Digital Markets Act: A game changer
The Digital Markets Act (DMA) is a recently implemented European Union regulation aimed at promoting fair competition in digital markets. It primarily targets large tech companies that dominate specific online sectors and have been designated as "gatekeepers". Apple falls into this category because of its position in the mobile operating system market with iOS.
With reference to mobile payments, here's how the DMA is changing the game regarding digital wallets on iOS.
Before the DMA
iPhones and iPads are equipped with Near Field Communication (NFC) chips, enabling contactless payments through digital wallets. Apple Pay was the only app allowed to use the NFC chip for payments, and it came pre-installed on iOS devices, giving users immediate access to a digital wallet without any additional download. This exclusive arrangement presented significant challenges for competing digital wallet providers such as mobile banking wallets. Not only did they depend on Apple Pay (by provisioning their cards into it) to offer contactless payments at all, but they also lacked the advantage of being the default wallet on iPhones and iPads.
After the DMA
The DMA prohibits large tech companies from unfairly favoring their own services within their platforms. This has compelled Apple to open up access to the iPhone's NFC chip, previously exclusive to Apple Pay.
As a result, developers can now create their own digital wallet apps for iOS. Furthermore, users gain the freedom to choose their preferred wallet as the default payment method on their iOS devices. This increased competition is expected to stimulate innovation and the development of new digital wallet solutions.
DMA implications on security of mobile payment on iOS
The recent decision to let developers bypass Apple Pay presents both exciting opportunities and added responsibilities for developers. As highlighted earlier, this openness allows developers to create their own digital wallets on iOS. But with it, developers now carry the primary responsibility for securing the payment process inside their mobile app. In practice, this means digital wallet apps need to comply with the established security standards for mobile and digital payments, such as PCI DSS and the EMVCo requirements, to be accepted by the major card networks.
Ensuring compliance with security standards
As Apple's developer documentation states, apps that bypass Apple Pay in the European Economic Area (EEA) for contactless transactions must adhere to stringent security and privacy standards. These include PCI DSS, the EMVCo requirements, GDPR, and other relevant regulations governing the handling of sensitive financial and personal data.
Threat actors commonly target digital wallet apps to access sensitive financial information such as card PINs (Personal Identification Numbers) and PANs (Primary Account Numbers). To mitigate these risks, developers are required to implement robust mobile application protection techniques.
These techniques should hinder static and dynamic analysis attacks. Specifically:
- Code obfuscation and data encryption: Employ application protection techniques, including name and control-flow obfuscation, to deter reverse engineering through static analysis. Encrypt all sensitive data (including strings and embedded resources) within the app, so that a decompiled binary does not hand the attacker keys, endpoints, or card data in the clear.
- Runtime application self-protection: Implement environment, application, and code integrity checks to detect and respond to attacks performed at runtime with dynamic analysis. This includes identifying compromised devices (e.g., jailbroken iPhones), attached debuggers, the iOS Simulator, binary patching attempts, and code tampering through library hooking (e.g., Frida or Substrate-style tweak injection) or re-signing of the app bundle.
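To make the runtime checks listed above concrete, here is an added example (not code from the original post, and not Guardsquare's implementation) of a small self-contained set of integrity checks for an iOS app, written in Swift. It demonstrates three of the classes named in the list: debugger detection through the kernel's P_TRACED flag, jailbreak indicators (well-known filesystem paths and a sandbox-escape write probe), and hooking or injection detection via DYLD_INSERT_LIBRARIES and the names of loaded Mach-O images. The function names, the list of suspicious paths and the substring markers for hooking frameworks are illustrative assumptions; real jailbreaks and tools vary, and these lists are neither complete nor authoritative.

```swift
import Foundation
import MachO  // _dyld_image_count / _dyld_get_image_name

/// One runtime finding. Name and shape are assumptions for this example.
struct IntegrityFinding {
    let check: String
    let detail: String
}

/// Debugger detection: query the kernel for our own process entry and test P_TRACED.
/// This is the classic sysctl(KERN_PROC) technique; a real product would spread
/// and obfuscate such checks, since a single function is easy to hook or patch.
func isDebuggerAttached() -> Bool {
    var info = kinfo_proc()
    var size = MemoryLayout<kinfo_proc>.stride
    var mib: [Int32] = [CTL_KERN, KERN_PROC, KERN_PROC_PID, getpid()]
    guard sysctl(&mib, UInt32(mib.count), &info, &size, nil, 0) == 0 else {
        // A failed query is "unknown". A hardened wallet might choose to fail closed here.
        return false
    }
    return (info.kp_proc.p_flag & P_TRACED) != 0
}

/// Simulator detection: compile-time when possible, with a runtime environment fallback.
func isRunningInSimulator() -> Bool {
    #if targetEnvironment(simulator)
    return true
    #else
    return ProcessInfo.processInfo.environment["SIMULATOR_DEVICE_NAME"] != nil
    #endif
}

/// Jailbreak indicators. The path list is illustrative; jailbreaks change and
/// hiding tools exist, so treat a hit as a signal, not proof.
func jailbreakIndicators() -> [String] {
    var hits: [String] = []
    let suspiciousPaths = [
        "/Applications/Cydia.app", "/Applications/Sileo.app",
        "/Library/MobileSubstrate/MobileSubstrate.dylib",
        "/usr/sbin/sshd", "/bin/bash", "/private/var/lib/apt", "/etc/apt",
    ]
    for path in suspiciousPaths where FileManager.default.fileExists(atPath: path) {
        hits.append("file present: \(path)")
    }
    // A sandboxed app must not be able to write outside its own container.
    let probe = "/private/jailbreak_probe_\(getpid()).txt"
    if (try? "x".write(toFile: probe, atomically: true, encoding: .utf8)) != nil {
        hits.append("sandbox escape: wrote \(probe)")
        try? FileManager.default.removeItem(atPath: probe)
    }
    return hits
}

/// Hooking / injection indicators: DYLD_INSERT_LIBRARIES and loaded image names.
/// The marker list is an assumption and only catches tools that keep their names.
func injectedLibraries() -> [String] {
    var hits: [String] = []
    if let inserted = getenv("DYLD_INSERT_LIBRARIES") {
        hits.append("DYLD_INSERT_LIBRARIES=\(String(cString: inserted))")
    }
    let markers = ["frida", "cycript", "substrate", "substitute", "libhooker", "tweakinject", "ellekit"]
    for i in 0..<_dyld_image_count() {
        guard let cName = _dyld_get_image_name(i) else { continue }
        let name = String(cString: cName).lowercased()
        if markers.contains(where: { name.contains($0) }) {
            hits.append("image loaded: \(name)")
        }
    }
    return hits
}

/// Aggregate all checks. The caller decides the response (refuse to provision a card,
/// degrade to a non-payment mode, report to the backend, and so on).
func runtimeIntegrityFindings() -> [IntegrityFinding] {
    var findings: [IntegrityFinding] = []
    if isDebuggerAttached() {
        findings.append(IntegrityFinding(check: "debugger", detail: "P_TRACED is set on this process"))
    }
    if isRunningInSimulator() {
        findings.append(IntegrityFinding(check: "simulator", detail: "running in the iOS Simulator"))
    }
    for hit in jailbreakIndicators() {
        findings.append(IntegrityFinding(check: "jailbreak", detail: hit))
    }
    for hit in injectedLibraries() {
        findings.append(IntegrityFinding(check: "hooking", detail: hit))
    }
    return findings
}
```

Two caveats a practitioner would want. First, the example deliberately omits the fourth class from the list, binary patching detection: that requires hashing the executable's __TEXT segment (or the whole bundle) at runtime against a reference computed at build time, and a reference embedded in plain form is itself a target. Second, every check above is one function call and one conditional branch, which is exactly what an attacker with Frida or a patched binary removes first; such checks only hold up when they are obfuscated, duplicated across the app, varied per build, and when the response is delayed or indirect rather than an immediate, easily located exit. That is the gap between a hand-written snippet like this one and the layered, polymorphic protection the rest of the post describes.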
These security measures are essential for safeguarding digital wallets and protecting sensitive financial data. To ensure the highest level of security, major credit card networks mandate that digital app publishers adhere to strict security standards established by PCI and EMVCo.
Conclusion
Guardsquare provides robust mobile app protection for iOS applications and SDKs, facilitating compliance with the PCI DSS and EMVCo security standards for digital wallets.
Guardsquare's multi-layered, polymorphic approach significantly hinders attack attempts by forcing threat actors to overcome multiple security barriers. This defense strategy demands extensive knowledge and resources from attackers. Additionally, the polymorphic nature, which dynamically changes security configurations with each app build, makes it exceptionally difficult to scale attacks. Consequently, reverse engineering and tampering with digital wallets become significantly more challenging for malicious actors.
Connect with an expert to learn more about how to safeguard your digital wallet solutions.