
Financial Services
Privately / Publicly Owned: Public
Employees: 4,500
Challenges
- Mitigating risks from attackers
- Avoiding reverse engineering
- Keeping intellectual property safe
Solutions
- DexGuard
The Company
As one of the 50 largest U.S. banks by asset size, this financial institution provides a full range of banking, investment, and insurance services to businesses and individuals all over Texas. The bank prides itself on consistently providing its customers with fair deals and keeping its assets safe and sound. Its belief that every customer is significant has been guiding its practices since its founding in 1868.
The Challenge
The bank has about 15 developers working on their Android and iOS mobile applications. With the need to keep the company’s intellectual property protected, secure app development is a crucial priority. Specifically, the team wanted to protect against malicious actors attempting to tamper with their Android app, repackage it, or insert malicious code.
“We have been using Guardsquare for five or six years, and it’s really about what we’re not seeing. We don’t see any repackaging attacks where we’re finding unauthorized versions of our app on third-party stores. Because of Guardsquare, we can rest easy knowing that our app is not being tampered with.”
— Software Development Team Lead at financial institution
“Our main concerns were the security of Android apps. They are easy to root, making it possible for attackers to install APKs from anywhere. We needed to protect our intellectual property,” said Senior Software Engineer at the financial institution.
With the need to ensure that the bank’s Android app was fully protected, Guardsquare was the first choice for security. The bank was already using ProGuard, the open source app optimizer created and maintained by Guardsquare. The bank’s previous use of ProGuard supported their choice of using DexGuard to harden their mobile application.
“Right from when the Android app was available for development, the development team knew we wanted Guardsquare to protect the app’s security.”
— Senior Software Engineer at financial institution
The Solution
The bank uses DexGuard’s advanced code hardening and runtime application self-protection (RASP) to protect its Android app. DexGuard is a command-line tool that processes, optimizes, and protects Android applications and libraries. It enables users to protect applications or SDKs without requiring them to share or alter the source code. DexGuard is also backward compatible with ProGuard, making it simple for existing users like this financial institution to reuse their ProGuard configuration and implement DexGuard’s additional layers of protection.
The main priority for the development team was to obfuscate the code, making it challenging for someone to inspect or tamper with the code. The development team also wanted more visibility into how their application security measures would work on rooted devices.
“If we didn’t have Guardsquare in place, it would be easier for an attacker to get into the app, inspect it, and reverse engineer it, potentially putting our customer data and intellectual property at risk,” said the Senior Software Engineer.
The primary users of Guardsquare at the financial institution are the software development team lead and the Android developers. If a developer imports new libraries, Guardsquare updates the configuration to make sure DexGuard is updated, helping to avoid potential IP theft, credential harvesting, tampering, and cloning. With its seamless protection, it’s easy for the developers to forget that it’s even there.
“With its ease of use, most people don’t even notice Guardsquare is involved in our app security. It just works; we never have to worry about it.”
— Senior Software Engineer at financial institution
The Result
For this bank, the results are all about what the development team is not seeing. The team doesn’t see repackaging attacks, where their app would be found on third-party app stores. An added benefit is that Guardsquare’s security protections help meet compliance requirements for mobile payments, including PCI Mobile Payment Acceptance Security Guidelines.
In the banking industry, companies are hyper-aware of reverse engineering. The bank has areas of code in which it writes custom security routines; with DexGuard, the team can now apply encryption, adding another layer of security to increase the difficulty of reverse engineering. To validate their protection, the bank attempted to reverse engineer the Android binary while using DexGuard.
The development team used third-party tools to inspect the contents of the binary, including the source code. The team’s attempts proved unsuccessful against DexGuard’s security features.
“When reaching out for support, the Guardsquare support team is always consistently successful in working through any challenges our development team may encounter,” explained the Senior Software Engineer.
The Guardsquare team has personally reached out to the development team to check in on the bank’s use of DexGuard, offering to analyze current configurations and make recommendations on improvements.
“The support team at Guardsquare is always quick to respond and extremely helpful in working through whatever issues I’m encountering. Overall, it has been really great working with the team,” said the Senior Software Engineer.
Developer friendly mobile app sec tools that:
Guardsquare offers the most complete approach to mobile application security on the market. Built on the open source ProGuard® technology, Guardsquare’s software integrates seamlessly across the development cycle. From app security testing to code hardening to real-time visibility into the threat landscape, Guardsquare solutions provide enhanced mobile application security from early in the development process through publication.
More than 900 customers worldwide across all major industries rely on Guardsquare to help them identify security risks and protect their mobile applications against reverse engineering and tampering.
The creators of ProGuard® | www.guardsquare.com