
    Prestigious Brazilian Bank Keeps Customer Data Safe with Guardsquare

    Prestigious Brazilian Bank Leverages Guardsquare to Keep Customer Data Safe
    COMPANY DETAILS
    Industry

    Financial Services

    Privately / Publicly Owned

    Public

    Employees

    700+

    Challenges

    • Mobile app development team identified security risks raised by pen tests
    • Addressing stringent security regulations within the financial services industry
    • Desire to keep customers' information safe and secure
    • Compliance with data protection and privacy regulations

    Solutions

    DexGuard | iXGuard | ThreatCast

    The Company

    From conducting instant payment transfers via QR codes (PIX) to enabling customer access to low-interest credit rates through payroll-deductible loans, this Brazil-based financial services organization is a leader in digital solutions.

    The organization provides various digital services, including insurance, digital credit cards, and loan requests, and has more than 100 people on its mobile app development team to keep its myriad of apps safe and secure for its almost 6 million active clients.

    "With DexGuard and ThreatCast, we can defend our applications against a myriad of threats and compromises, like cloning attempts and data theft, to keep our customers' data safe and secure."

    — Cybersecurity Coordinator, Brazil-based financial services company

    The Challenge

    In the financial services industry, secure mobile app development is crucial to ensure brand trust and loyalty from customers. Due to the financial transactions mobile banking apps perform and the information they hold (personally identifiable information (PII), payment card information, payment history), mobile banking apps are, in many ways, at the forefront of most security protection requirements.

    “Our goal as a company is to create and provide easily accessible banking solutions so that everyone feels confident about joining our bank and certainly thinking about user safety.”

    — Cybersecurity Coordinator of the financial services organization

    “Obviously secure app development is a critical part of what we do, so we need to start with all the necessary security controls and mechanisms, especially with so much of our business being conducted through mobile apps,” said the cybersecurity coordinator of the financial services organization.

    In an effort to ensure the mobile app is secure, the Red Team performs penetration tests to find any vulnerabilities that could put their apps, and the bank itself, at risk. The Red Team also utilizes a threat modeling methodology throughout their projects.

    Additionally, in one of their security tests, the security team identified exposed credentials, data, and API paths that were visible to anyone who had access to the code or to any malicious individual who could use the application. This discovery led the team to look for a tool that would provide faster, more secure, and more comprehensive protection for mobile apps, including robust code obfuscation techniques to keep their customers' data safe.

    The Solution

    Through a combination of research and some employees' previous experience with the tool, the financial services company selected Guardsquare's comprehensive mobile app protection solutions: DexGuard for Android apps and iXGuard for iOS apps. These solutions apply code protection and automatically inject runtime application self-protection (RASP) checks, allowing the enterprise to defend its mobile applications against various types of attacks and potential compromises, such as cloning attempts and data theft.

    “After seeing the results of our pentest, security testing with other tools, and talking to team members who have previously used Guardsquare solutions, we determined that Guardsquare would provide us with the most comprehensive mobile app protection possible,” said the cybersecurity coordinator.

    The company also utilizes ThreatCast, Guardsquare’s real-time threat monitoring solution, to gain deeper visibility into vulnerabilities and suspicious activity post-app launch. Doing so allows the team to adjust its security configuration to effectively mitigate the constantly evolving threats against mobile banking apps.

    The Result

    By leveraging Guardsquare's protection and monitoring solutions, the financial services organization was able to increase the security of its mobile applications. In fact, the company identified emulators and hooking as specific threats that Guardsquare helped protect against.

    “Mobile app attack methods are constantly evolving, with advanced emulators and connection attempts only growing over time. Many hackers reverse-engineer the application to study business rules, find loopholes, and ultimately, break into the system and compromise all security,” said the cybersecurity coordinator.

    “DexGuard's layered integrity check includes code hook prevention, statement substitution, data tampering, system library patches, real-time monitoring/user behavior analysis, usage identification with 'root-level users' device', and much more. This prevents threat actors from tampering with our mobile apps, attempts to circumvent our app's security mechanisms/controls, use methods against Frida attacks, hooking, cloning, exposing sensitive data, and recompiling the app.”

    In addition to protecting its apps from evolving threats, Guardsquare also helps the financial services firm achieve compliance with local government regulations, specifically Brazil’s data protection law, Lei Geral de Proteção de Dados (LGPD).

    In short, the LGPD is a statutory law on data protection and privacy in the Federative Republic of Brazil. The primary goal of LGPD is to unify the 40 different Brazilian laws that regulate how personal consumer data is processed by businesses. With Guardsquare continuously protecting the company’s mobile apps from attacks and keeping its customers' personal information safe, the financial services company satisfies this compliance requirement.


    Guardsquare offers the most complete approach to mobile application security on the market. Built on the open source ProGuard® technology, Guardsquare’s software integrates seamlessly across the development cycle. From app security testing to code hardening to real-time visibility into the threat landscape, Guardsquare solutions provide enhanced mobile application security from early in the development process through publication.

    More than 900 customers worldwide across all major industries rely on Guardsquare to help them identify security risks and protect their mobile applications against reverse engineering and tampering.

    The creators of ProGuard® www.guardsquare.com
