Skip to main content

Mobile Payment and Banking App Security

Protecting Mobile Banking and Payment Apps from the Inside Out

The Vulnerability Epidemic in Financial Services Mobile Apps

New research from Aite Group reveals systemic security deficiencies among mobile payment apps and other consumer mobile financial apps. The cause of these protection failures may surprise you. Findings from the study include:

  • 97% of the apps tested suffered from lack of binary protection, making it possible to decompile them and see the source code. Decompiling an app allows a bad actor to understand how it detects jailbroken mobile devices. Once vulnerabilities (such as API keys, private keys and credentials) are found in the source code, this paves the way for money theft through banking trojans, username/password theft or account takeover using overlay screens. It also enables theft of confidential data.
  • 83% of apps tested stored data insecurely. Unfortunately, storing data in an insecure area allows users to access sensitive data that the app could have stored in temporary files or logs, leaving much to be desired for mobile payment app security.
  • 90% of apps tested during the study shared services with other apps on the device. With this set-up, data from the financial institution’s (FI’s) app is accessible to any other application on the device. This then allows hackers to potentially leak data from the FI’s app to an app within their control.

Maintain Customer Trust & App Adoption

Mobile banking and mobile payment app security needs to be at the center of every financial institution's development and deployment strategy. Gaining and keeping customer trust is key to maintaining growth rates and protecting brand image. The whitepaper, “A New Approach to Secure Mobile Banking,” explains a new approach to addressing mobile banking app security issues at the binary and source code level. The paper provides executive-level context on what financial institutions are doing to address mobile banking security issues, and how improving those efforts can boost consumer confidence in mobile banking security.

Tips for addressing mobile banking security concerns include:

  • Prevent reverse-engineering and tampering—which can lead to breaches and app data theft—by hardening mobile apps with a system of embedded safeguards after code is complete.
  • Stop API compromises and theft of intellectual property (IP) or personally identifiable information (PII) with comprehensive data and key encryption using white-box cryptography.
  • Stay ahead of app threats and vulnerabilities by integrating the ability for protected apps to send real-time threat visibility and analytics data back to the financial institution.

Today's Zero Trust World

The FFIEC and ENISA detail threats to the mobile channel resulting from unsecured applications, as well as their potential impacts on customers and institutions. The threats from reverse engineering and app tampering include:

  • Personally Identifiable Information and password compromises
  • Risks from rooted or jailbroken devices
  • Exfiltration of confidential back-end data

The common threat to mobile banking, payment apps and mobile wallets is the vulnerability to reverse engineering. Once a mobile device app is reverse-engineered, bad actors can gain an understanding of how it operates in order to insert malware, identify hardcoded passwords and keys, or steal intellectual property. Next steps can include:

  • Repackaging the app for upload back to the app store to capture login details
  • Fraudulent use of decoded keys and data for user account attacks
  • Back office attacks utilizing keys, data and API knowledge to exfiltrate data

Protect Against App Hacking & Reverse Engineering

Application protection shields apps from reverse-engineering, tampering, data exfiltration and API exploits at the application endpoint. Proper application protection also detects and counters threats in real time to protect businesses from brand damage, financial loss, intellectual property theft, data loss and resulting government penalties. Mobile app hacking can be prevented by actions including:

  • Binary level code obfuscation to secure code functionality
  • Data and key obfuscation and encryption to protect critical data and keys
  • App integrity checks to verify code status
  • Notifications to alert business of real-time app attacks
  • Detection of rooted or jailbroken devices to alert on OS level threat

Arxan protects apps for 30 of the largest banks in EMEA and North America.

Innovation in Mobile Banking Security

Global banks are using Apperian App Management to securely distribute enterprise apps to their corporate employees and banking associates to make them more efficient, engaged, and productive. Apperian App Management maintains mobile banking security for enterprise apps while doing the following, plus much more: 

  • Deploying both custom and public apps to any device, including all mobile BYOD devices
  • Managing and updating any app—both custom and public   
  • Ensuring app security and governance

Additional Resources

Mobile Payment and Banking App Security

Customer Spotlight: TD Bank Mobile Strategy

With more than 80,000 employees around the world,

Revised Payment Services Directive (PSD2)

Protect Critical Payment Apps and Achieve PSD2 Compliance

A New Approach to Secure Mobile Banking

Best practices for protecting mobile banking apps

Mobile banking applications present financial institutions with an opportunity for trem

The Vulnerability Epidemic in Financial Services Mobile Apps

Despite the growing cybersecurity threat targeting mobile financial services applications, many financial institutions are failing when it comes to

Infographic: In Plain Sight

 

Arxan-protected apps have been securely deployed 5+ billion times

The Arxan Enterprise Solution

Comprehensive and designed to deliver real, sustained value

Multi-Layered Application Protection

Adaptive app and data protection prevents tampering, IP theft and reverse engineering — Learn More

Visibility & Intelligence

Real-time analytics and predictive intelligence against potential threats — Learn More

Advanced Threat Team

Industry-recognized security thought-leaders with more than 50 years of experience — Learn More

Enterprise Customer Success

Comprehensive suite of services, tailored to each enterprise’s singular needs — Learn More