By Mark Noctor, Director of Sales EMEA at Arxan Technologies
The rate of mobile consumer adoption continues to rise steeply. Statista predicts that mobile app downloads are set to rise to almost 270 billion by 2017. The subject of mobile banking and payments in particular has recently been hitting the headlines, as market scrutiny has been stirred by the launch of Apple Pay and the renewed popular interest it has brought to mobile payment services via Near Field Communication (NFC) on mobile devices, including wearables. In addition to Apple Pay, Android devices offer a similar capability and have a larger consumer footprint.
There is plenty at stake for the banking and financial institutions launching these innovative financial services via mobile applications, especially on the larger Android market base, which tends to host more malware. One critical question that needs to be addressed in this new mobile landscape is security. As financial brands race to compete on the latest and greatest apps, either to gain new consumers or to maintain existing loyalty, there is a risk that security will fall by the wayside in favour of aggressive time-to-market deadlines. Yet this need not and should not be the case, as the stakes are high in terms of revenue loss and reputational damage.
The recent European-wide Data Protection Day brought to the forefront the need for both banks and end users to question whether the mobile banking and payment apps available have the correct security measures in place to ensure that the sensitive data held within them remains secure. We predict security risks in the financial sector will be a key threat area in 2015. With this in mind, it is vital that mobile application security is a top priority as banks, payment providers and customers continue to do more on the mobile platform.
How big is the threat?
With mobile now a mainstay in the financial sector, the threat to banking and payment applications is high, with hackers keen to gain access to the valuable data held within them for nefarious gains. We recently conducted in-depth research into the State of Mobile App Security, which revealed that 95% of the top 100 Android financial apps and 70% of iOS apps have been subject to hacking in the past year. Supporting this alarming statistic is research conducted by RiskIQ® showing that more than 40,000 (or 11 percent) of the 350,000 apps which reference banking in the world’s top 90 app stores contain malware or suspicious binaries.
These research findings clearly highlight how critical it is for application security to be a top priority and an integral component of upholding consumer data privacy. With this in mind, banking and payment customers can be better informed about what steps or questions they should be considering in their use of a mobile financial application. Such considerations can help to ensure increased security and protection of their data.
Asking the Right Questions
For customers who are using or considering banking or financial applications, the following four considerations should be undertaken to increase the level of security surrounding mobile financial transactions.
- Rule number one is to only download banking and payment applications from official app stores. To some this may sound obvious, but it is amazing how easy it can be to be duped into downloading an app from an illegitimate site that has been engineered to look like the real thing. To safeguard against this risk, ensure that your phone settings are set to prevent any app downloads from unofficial stores.
- Has the bank or financial institution built in protection to ensure the app cannot be reverse engineered? Don’t be afraid to ask your provider the question and put the app under the scrutiny it deserves. After all, these apps will hold valuable and private information relating to your individual service, payments and transaction history. Typically, reverse engineering is the first step used by app hackers to infiltrate an app ecosystem. This is easily achieved by leveraging simple hacker tools found on the internet that decompile the app into something close to its original source code. In doing so, hackers can analyse the app and understand its critical parts in order to tamper with app functionality or insert malware that will give them unauthorised access or send sensitive information where it shouldn’t be going. If there are no safeguards in place to stop hackers from reverse engineering the app, it can leave you and your data wide open.
- Again this may sound basic, but don’t connect to your banking app, or any other sensitive app or account, over public and unsecured Wi-Fi. We are all guilty sometimes of trying to get something done in a rush, and with mobile apps designed to make our lives easier when we are on the go, it is possible to forget the basics. But think of it like this: would you say your PIN out loud when making an in-store payment? No, you wouldn’t, because then everybody in the vicinity could hear it. Public Wi-Fi works the same way. If the network is unsecured, anybody could either inadvertently or maliciously gain access to the app and possibly gain full access to your banking or payment details and, potentially, information stored in other apps on your phone. If public Wi-Fi is unavoidable, perhaps because you travel and spend a lot of time in cafes, hotels or airports, then pay for access to a Virtual Private Network (VPN), which will significantly improve your privacy on these networks.
- Another question for your bank is whether they have deployed application self-protections for their apps. You can’t wholly rely on the mobile anti-virus, anti-spam or enterprise-wide device security solutions already residing on your phone. In particular, these solutions do not provide sufficient protection against app hacking attacks, as clearly evidenced by recent app attacks such as WireLurker and Masque. For the greatest security available, many of the leading mobile app developers of financial services are building self-protections into the application development process for both runtime and ‘at-rest’ defence against hacker attacks. Does your financial institution deploy application self-protections to prevent or mitigate these app risks?
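The second and fourth considerations above describe, at a high level, what a runtime self-protection looks like: the app checks, when it starts, that it is still the build the bank shipped and that it is not being inspected. The following is an added illustration written for this article, not Arxan's product code or any bank's app. It assumes an Android app, a release signing certificate whose SHA-256 fingerprint was recorded at build time (the `EXPECTED_CERT_SHA256` value is a placeholder), and a class name `RuntimeSelfCheck` that is entirely hypothetical.

```java
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Debug;

import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/** Minimal start-up integrity check for an Android banking app (illustrative only). */
public final class RuntimeSelfCheck {

    // Placeholder, not a real fingerprint: hex SHA-256 of the DER-encoded release
    // signing certificate, computed at build time and baked into the release build.
    private static final String EXPECTED_CERT_SHA256 = "PLACEHOLDER_RELEASE_CERT_SHA256_HEX";

    private RuntimeSelfCheck() {}

    /** What the check found, so the caller can decide how to react. */
    public static final class Verdict {
        public final boolean signatureMatches;
        public final boolean debuggable;
        public final boolean debuggerAttached;

        Verdict(boolean signatureMatches, boolean debuggable, boolean debuggerAttached) {
            this.signatureMatches = signatureMatches;
            this.debuggable = debuggable;
            this.debuggerAttached = debuggerAttached;
        }

        /** True only when the APK is the signed release and nothing is inspecting it. */
        public boolean isTrusted() {
            return signatureMatches && !debuggable && !debuggerAttached;
        }
    }

    /** Run all checks; call this from Application.onCreate() before touching credentials. */
    public static Verdict run(Context ctx) {
        return new Verdict(isSignedByReleaseKey(ctx), isDebuggable(ctx), Debug.isDebuggerConnected());
    }

    /** A repackaged APK is re-signed with the attacker's key, so its certificate hash changes. */
    static boolean isSignedByReleaseKey(Context ctx) {
        try {
            // GET_SIGNATURES is deprecated from API 28 in favour of GET_SIGNING_CERTIFICATES,
            // but still returns the signing certificates on current devices.
            @SuppressWarnings("deprecation")
            PackageInfo info = ctx.getPackageManager()
                    .getPackageInfo(ctx.getPackageName(), PackageManager.GET_SIGNATURES);
            Signature[] sigs = info.signatures;
            if (sigs == null || sigs.length != 1) {
                return false; // release build is signed by exactly one certificate
            }
            return EXPECTED_CERT_SHA256.equalsIgnoreCase(sha256Hex(sigs[0].toByteArray()));
        } catch (PackageManager.NameNotFoundException | NoSuchAlgorithmException e) {
            return false; // fail closed: an unverifiable app is treated as untrusted
        }
    }

    /** A release build should never carry the debuggable flag. */
    static boolean isDebuggable(Context ctx) {
        return (ctx.getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0;
    }

    static String sha256Hex(byte[] data) throws NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(data);
        StringBuilder sb = new StringBuilder(digest.length * 2);
        for (byte b : digest) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }
}
```

A check like this is itself compiled into the app, so an attacker who can decompile the app can also find and patch it out; that is exactly why the article pairs runtime self-protection with anti-reverse-engineering measures such as obfuscation and code hardening. The check is one layer, and an untrusted verdict is normally used to refuse to load credentials and to report the event to the bank's fraud monitoring rather than simply to crash.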
Don’t Compromise on Security
The need to prioritise the protection of sensitive and highly valuable data is more important than ever, with the app ecosystem in the financial sector rapidly expanding and everything from payment transactions to brokering now occurring on the mobile platform. With mobile banking and payments becoming a main fixture in the financial sector, it is important for application security to be a top priority so that data privacy protections are continuously upheld.