January 5, 2020

    Why Mobile Financial Apps Should Practice Obfuscation

    There are 57 million mobile banking users in the U.S. alone. Globally, about 59% of consumers use mobile banking applications. However, many report that they are wary of mobile banking, mobile payments, and other financial mobile applications due to security concerns.

    Financial mobile app growth is on an impressive trajectory. Yet with the amount and nature of sensitive data being stored and processed in mobile financial apps, consumers need reassurance that security and privacy concerns are being taken seriously by app developers.

    Less Than Half of Mobile Financial Apps Practice Obfuscation

    As you may know, we recently conducted research into the nature and level of application shielding in use by more than 3,000 of the world’s leading financial services apps on the Android marketplace.

    We discovered that less than half of these apps are using proper mobile application security—including obfuscation—to prevent reverse engineering, malicious app clones, sensitive data loss, and other potential negative outcomes.

    What is Code Obfuscation?

    One valuable form of application shielding that all mobile financial apps should be using is code obfuscation.

    Code obfuscation is the process of making applications more difficult to decompile or disassemble, and the retrieved application code more difficult for humans to parse. Obfuscation is part of a broader application shielding strategy.

    The goal of code obfuscation is to prevent any unauthorized party from accessing and gaining insight into the logic of an application, which prevents them from extracting data, tampering with code, exploiting vulnerabilities, and more.

    Code obfuscation strategies include:

    • Renaming classes, fields, methods, libraries etc.
    • Altering the structure of the code
    • Transforming arithmetic and logical expressions
    • Encryption of strings, classes etc.
    • Removing certain metadata
    • Hiding calls to sensitive APIs, and more

    All of this is undertaken without altering the function of the code or the end user experience.
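The transforms in the list above are language-independent, so the following constructed Python example (added here; it is not code from the original post or from Guardsquare's products) shows three of them side by side: string encryption, arithmetic expression rewriting, and identifier renaming. The host name, XOR key, and Java-like snippet are constructed placeholders. Each "clear" and "obf" pair returns the same result, which is the property the preceding sentence describes, while the obfuscated version no longer exposes the literal or the obvious expression to a decompiler.

```python
"""Constructed illustration (not Guardsquare's code) of three transforms from
the list above: string encryption, arithmetic/logical expression
transformation, and identifier renaming. Each pair of functions behaves the
same; only what an analyst sees after decompilation changes."""
import re

# --- 1. String encryption ---------------------------------------------------
# In the clear version the endpoint literal sits in the constant pool of the
# compiled code, where any string dump or decompiler shows it at once.

def api_host_clear() -> str:
    return "api.examplebank.test"      # constructed placeholder host

# The obfuscated version ships only the encrypted bytes plus a tiny decryptor.
# A real tool encrypts at build time; _S below is the single-byte XOR of the
# same host with _K, written out as a literal so the plaintext never appears
# in this function's constants. XOR here is an obfuscation device, not
# confidentiality: the key is in the binary too, which is why obfuscation
# raises the cost of analysis rather than ruling it out.
_K = 0x5A
_S = b"\x3b\x2a\x33\x74\x3f\x22\x3b\x37\x2a\x36\x3f\x38\x3b\x34\x31\x74\x2e\x3f\x29\x2e"

def xor_bytes(data: bytes, key: int) -> bytes:
    """Symmetric single-byte XOR, used both at 'build time' and at runtime."""
    return bytes(b ^ key for b in data)

def api_host_obf() -> str:
    return xor_bytes(_S, _K).decode()

def literal_visible(func, literal: str) -> bool:
    """True if `literal` is stored verbatim in the function's constant pool,
    which is what a strings-style scan of the shipped code would find."""
    return literal in func.__code__.co_consts

# --- 2. Arithmetic / logical expression transformation ----------------------
# Mixed boolean-arithmetic rewriting replaces a + b with the equivalent
# (a ^ b) + 2*(a & b); the identity holds for all integers, so behaviour is
# unchanged while the intent of the expression is no longer obvious.

def checksum_clear(a: int, b: int) -> int:
    return (a + b) & 0xFFFF

def checksum_obf(a: int, b: int) -> int:
    return ((a ^ b) + ((a & b) << 1)) & 0xFFFF

# --- 3. Renaming ------------------------------------------------------------
# Names carry meaning for humans only. An obfuscator rewrites them to short,
# meaningless tokens and keeps the mapping file privately so the developer can
# still read production crash traces.
RENAME_MAP = {"TransactionValidator": "a", "validatePin": "b", "pin": "c"}

def rename_identifiers(source: str, mapping: dict) -> str:
    """Whole-word substitution of each identifier in `mapping` (constructed
    stand-in for the symbol-table rewrite a real obfuscator performs)."""
    out = source
    for original, replacement in mapping.items():
        out = re.sub(r"\b" + re.escape(original) + r"\b", replacement, out)
    return out

# Constructed Java-like snippet standing in for decompiled app code.
SNIPPET = ("class TransactionValidator { boolean validatePin(String pin) "
           "{ return pin.length() == 4; } }")

def demo() -> dict:
    """Collect the before/after comparison so it can be inspected or asserted."""
    host = api_host_clear()
    return {
        "same_host": host == api_host_obf(),
        "literal_in_clear": literal_visible(api_host_clear, host),
        "literal_in_obf": literal_visible(api_host_obf, host),
        "checksum_equal": all(checksum_clear(a, b) == checksum_obf(a, b)
                              for a in range(0, 70000, 997)
                              for b in range(0, 70000, 991)),
        "renamed": rename_identifiers(SNIPPET, RENAME_MAP),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block prints that both host functions agree, that the literal is visible only in the clear function's constants, that the two checksum forms match on every sampled input, and the renamed snippet `class a { boolean b(String c) { return c.length() == 4; } }`. The renaming step is what makes the mapping file matter in practice: without it, the same crash trace that is now unreadable to an attacker is unreadable to the developer too.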

    Cover Your Top 10 Bases

    Developers of mobile banking and financial applications should be sure to fully understand the top ten most common security risks for mobile applications, as defined by OWASP. Reverse engineering and tampering rank as the eighth and ninth most prevalent security risks according to this list, and both of these can be dramatically curtailed by using sophisticated obfuscation techniques. Application shielding techniques, including obfuscation, can help protect apps against many of the risks on this list.

    Adhere to Compliance Mandates

    While compliance mandates are often less strict than security best practices, a financial institution is plainly bound by regulation. Meeting compliance mandates, such as PCI DSS for payment processors, SOC 2 for any SaaS-related business, and new international regulations, among others, is a good place to start when up-leveling your security and privacy practices.

    Achieve Consumer Trust

    The reality today is that consumers have many options to choose from. It has never been easier to research everything from credit card choices to bank reputations to payment providers’ compliance practices. Savvy consumers can easily walk away from one mobile financial app and choose another one (or stay away from apps altogether). So, if you operate in the mobile financial application space, it’s key to use security best practices to both protect your apps and to provide consumers with the peace of mind they need to do business with you.

    Guardsquare

    Learn more about Security for Mobile Financial Applications and how we can help protect your customer data.
