Industry: Commercial Banking
Privately / Publicly Owned: Public
Employees: 5000+
Customer Since: 2019
This publicly traded, Pakistan-based commercial bank offers corporate and commercial investment services, international banking assistance, cash management services, and agricultural banking. It employs 5,000+ people across nearly 700 branches and sub-branches, serving millions of customers across the country. Since 1991, the organization has continued to provide the best banking experience for its customers while giving back to the wider community.
The organization gives customers access to its banking services through its iOS and Android apps, including its main banking apps, a digital wallet, and ID verification apps. It is committed to providing customers with a convenient, reliable, and secure banking experience through these applications. In 2022, the organization saw an approximately 40% YoY increase in net revenues across all of its businesses, partly thanks to its high digital banking adoption rate.
“Prior to working with Guardsquare, I had heard a lot of good things about Guardsquare from my industry peers in and outside of Pakistan. So when we decided we needed to improve our mobile app security posture, Guardsquare was the obvious choice.”
— CISO, Top 10 Pakistani commercial & retail bank
In 2019, a study revealed that South Asia accounted for 33.2% of global mobile phone users who use their phones as the primary channel for banking activities. By 2022, the State Bank of Pakistan reported that 12.3 million registered mobile phone users performed 387.5 million mobile banking transactions, with a staggering 141.1% YoY increase in transaction value. As the number of customers using its mobile banking apps continued to grow, the bank quickly noticed that threat actors were increasingly targeting its apps with different kinds of attacks.
“One of the first things I did when I joined the company was to evaluate the security posture of our digital channels. I quickly found that our mobile applications were not secure and were vulnerable to different kinds of exploitations. Left unchanged, these issues could cause us to lose regulatory compliance, and ultimately, our operating license.”
— CISO, Top 10 Pakistani commercial & retail bank
One notable risk the bank saw was the presence of dozens of cloned, modded, and repackaged versions of its apps being distributed on the internet.
So when the apps failed internal pentesting, the organization’s then-new CISO knew they had to move fast. Without sufficient protection against tampering and reverse engineering, attackers could harm the business by stealing and selling sensitive assets and data inside the apps, committing fraud (e.g., brand abuse, transaction fraud, account takeover (ATO)), and even launching malware attacks against the apps. Most importantly, the bank needed to maintain compliance with the State Bank’s regulatory requirements and achieve other industry compliance (e.g., PCI-DSS). Failing to comply with these requirements could result in hefty fines and ultimately lead to the revocation of the bank’s operating license in the country.
The bank approached Guardsquare in 2019 to inquire about implementing DexGuard and iXGuard to protect their Android and iOS applications. They quickly chose to work with Guardsquare due to the company’s good reputation in the South Asian banking industry. The company’s CISO, who spearheaded the push for greater mobile app security, was impressed with the breadth and depth of security features offered by Guardsquare’s products.
He found the advanced static and dynamic protection features offered by DexGuard and iXGuard to be exactly what was needed to mitigate all the identified security risks. The protection features include, among others, name obfuscation, control-flow obfuscation, certificate pinning, jailbreak/root detection, and hooking detection. This feature set is complemented by polymorphic protection, which ensures that no two releases ever share the same protection configuration.
Additionally, to maintain continuous visibility of its mobile applications in production, the bank also implemented ThreatCast to monitor client-side threats. The user-friendly dashboard gives the organization real-time information on dynamic attack attempts, such as when the apps are run on rooted or jailbroken devices, when hooking or debugging tools are attached to the device, and when users attempt to repackage the apps. These insights can then inform future app development to further strengthen the bank’s security posture, and can be fed into existing SIEM and anti-fraud systems, allowing for more accurate fraud detection.
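To make the last point concrete, the following is an added example (not Guardsquare or ThreatCast code, and not the bank's own pipeline) of how client-side threat signals like the ones listed above can be correlated with transaction events once they reach a SIEM or anti-fraud system. The event fields (`ts`, `device`, `signal`, `app_hash`), the signal names, the weights, the 300-second window and the sample data are all constructed for illustration; they are assumptions, not ThreatCast's schema.

```python
"""Correlate client-side tamper/runtime signals with transactions to score fraud risk.

Added illustration only; field names, signal names and weights are assumptions,
not ThreatCast's real schema or the bank's real rules.
"""
from collections import defaultdict

# Constructed sample telemetry as it might arrive from the apps (one event per signal).
THREAT_EVENTS = [
    {"ts": 100, "device": "dev-A", "signal": "rooted_device"},
    {"ts": 105, "device": "dev-A", "signal": "hooking_tool_detected"},
    {"ts": 110, "device": "dev-B", "signal": "repackaged_app",
     "app_hash": "sha256:constructed-example-hash"},
    {"ts": 200, "device": "dev-C", "signal": "debugger_attached"},
]

# Constructed sample transactions from the core banking / anti-fraud feed.
TRANSACTIONS = [
    {"ts": 120, "device": "dev-A", "account": "acct-1", "amount": 250000},
    {"ts": 130, "device": "dev-B", "account": "acct-2", "amount": 1500},
    {"ts": 140, "device": "dev-D", "account": "acct-3", "amount": 90000},
    {"ts": 1000, "device": "dev-C", "account": "acct-4", "amount": 500},
]

# Assumed weights: a tampered build or an attached hooking tool is worse than root alone.
SIGNAL_WEIGHTS = {
    "rooted_device": 20,
    "debugger_attached": 40,
    "hooking_tool_detected": 50,
    "repackaged_app": 70,
}
WINDOW_SECONDS = 300   # a signal only counts if seen shortly before the transaction
ALERT_THRESHOLD = 50   # score at or above this raises an alert


def index_signals(events):
    """Group threat events by device id, each list sorted by timestamp."""
    by_device = defaultdict(list)
    for event in events:
        by_device[event["device"]].append((event["ts"], event["signal"]))
    for signals in by_device.values():
        signals.sort()
    return by_device


def risk_score(tx, signals_by_device, window=WINDOW_SECONDS):
    """Sum the weights of distinct signals seen on the device within `window`
    seconds before the transaction. Stale signals are ignored so an old
    debugger session does not taint every later transaction."""
    seen = set()
    for ts, signal in signals_by_device.get(tx["device"], []):
        if 0 <= tx["ts"] - ts <= window:
            seen.add(signal)
    return sum(SIGNAL_WEIGHTS.get(s, 0) for s in seen), sorted(seen)


def score_transactions(transactions, events, window=WINDOW_SECONDS,
                       threshold=ALERT_THRESHOLD):
    """Annotate every transaction with its score, the reasons, and a flag."""
    signals = index_signals(events)
    results = []
    for tx in transactions:
        score, reasons = risk_score(tx, signals, window)
        results.append({**tx, "score": score, "reasons": reasons,
                        "flagged": score >= threshold})
    return results


def repackaged_app_hashes(events):
    """Distinct hashes of tampered builds reported by clients, e.g. for a
    blocklist or a takedown request list."""
    return sorted({e["app_hash"] for e in events
                   if e["signal"] == "repackaged_app" and "app_hash" in e})


def to_siem_lines(results):
    """Render flagged transactions as key=value lines a SIEM can ingest."""
    return [
        "alert=mobile_tamper_risk account={account} device={device} "
        "score={score} reasons={reasons}".format(
            account=r["account"], device=r["device"], score=r["score"],
            reasons=",".join(r["reasons"]))
        for r in results if r["flagged"]
    ]


if __name__ == "__main__":
    for line in to_siem_lines(score_transactions(TRANSACTIONS, THREAT_EVENTS)):
        print(line)
    print("tampered builds:", repackaged_app_hashes(THREAT_EVENTS))
```

With the constructed data, the transactions from the rooted-and-hooked device and from the repackaged build are flagged, while the one preceded by a debugger signal 800 seconds earlier is not, which is the point of the time window: runtime signals are most meaningful when they coincide with the money movement they are meant to explain.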
With its mobile apps fully protected, the security team was no longer able to find any cloned, modded, or repackaged versions of the apps. The bank passed internal and external penetration testing without any issues and maintained compliance with the State Bank of Pakistan’s requirements. To further demonstrate its commitment to maintaining the best security posture, it was able to seamlessly meet the Mobile Applications (Apps) Security Guidelines issued by the country’s Payment Systems Policy & Oversight Department as well as the PCI-DSS compliance requirements.
“The protection report Guardsquare offers allows us to easily and continuously evaluate, improve, and validate the protection configurations of our applications early in the development lifecycle.”
— CISO, Top 10 Pakistani commercial & retail bank
With ThreatCast, the security team now has full visibility into how its applications are being used in production, allowing it to make more informed decisions about future app development strategies. Additionally, as part of the CISO’s security improvement strategy, the bank also practices regular Red vs. Blue team exercises to keep improving the organization’s mobile app cyber defenses, building the security skills of each team member along the way.
Moving forward, the company will continue using Guardsquare products to meet and maintain external compliance requirements and protect its apps from existing and developing threats. The bank’s CISO is also considering other applications for Guardsquare products, such as incorporating ThreatCast into their existing SIEM and exploring the use of AppSweep in their iOS and Android apps. AppSweep enables companies to seamlessly integrate mobile application security testing (MAST) throughout the application lifecycle, find and fix security vulnerabilities, and map those vulnerabilities to industry standards like OWASP.
“Working with Guardsquare has been a delight. From the product quality to the after-sales support we received, you can tell that they are called ‘the best in the market’ for a reason.”
— CISO, Top 10 Pakistani commercial & retail bank
Developer-friendly mobile app security tools:
Guardsquare offers the most complete approach to mobile application security on the market. Built on the open source ProGuard® technology, Guardsquare’s software integrates seamlessly across the development cycle. From app security testing to code hardening to real-time visibility into the threat landscape, Guardsquare solutions provide enhanced mobile application security from early in the development process through publication.
More than 900 customers worldwide across all major industries rely on Guardsquare to help them identify security risks and protect their mobile applications against reverse engineering and tampering.