By Jodi Wadhwa, Vice President Marketing at Arxan Technologies
Today, smart phones and devices are increasingly gaining popularity with many consumers preferring to now conduct their financial transactions on the go. This can include anything from remote deposits, balance inquiries and easy money transfers to mobile peer-to-peer transactions, digital wallet transactions, mCommerce, or mobile payments. In fact, analyst house Gartner forecasted that the volume of mobile payment transactions worldwide will be at £140 billion this year and will grow to £429 billion by 2017; it is easy to understand why hackers would target this lucrative sector.
However, as mobile banking advances, unfortunately so does cyber criminal activity. Hackers come up with new ways every day to break into smart devices and steal sensitive information for their own financial gain. According to the June 2014 McAfee Labs Threat Report, new mobile malware (short for malicious software) has increased for five straight quarters, with a total mobile malware growth of 167 % in the past year alone.
It is clear to see that the ever-increasing adoption rate for mobile financial transactions, coupled with cyber criminals making it a target, makes digital banking and payment protection more of a necessity than ever. Banks are under immense pressure to keep their mobile banking apps safe and up to date, and in order to stay one step ahead of cyber criminals, mobile app developers must deploy critical code – such as jailbreak/route detection, security certificates, sensitive intellectual property, etc. – into “the wild,” to reside in distributed and untrustworthy environments for digital banking or payment apps. Many are doing so without application protection.
Malicious mobile apps
We recently conducted research into the top 100 paid Android and iOS apps, the top free apps on these operating systems, as well as the most used financial services and banking applications. The analysis revealed there is widespread and unfettered hacking of mobile applications on both Android and iOS, with financial apps proving a particularly attractive target for hackers.
As part of Arxan’s research we specifically focused on the 40 most popular financial apps to analyse and understand how pervasive application hacking is and the findings revealed that these apps are deeply insecure. Financial applications are an attractive target for attackers, given the high value associated with the data that they contain. Over half (53%) of Android apps had hacked or cracked versions that were available for download, with 23% on iOS.
As malware is a form of unauthorised code modification or tampering, hackers use specialised tools to target the mobile banking application itself and attack sensitive areas within the application code. They completely reverse-engineer the app back to the original source code and plant their malicious code, and before you can say “HEY PRESTO” the app has been repackaged and redistributed unto the app stores – now with embedded malware and unbeknownst to not only the app creators, but also users downloading the “new” (and not improved!) app.
Financial services app owners also will commonly deploy their products on multiple platforms to ensure their mobile services reach the majority of their total customer base. These high-risk apps, especially with regards to mobile banking and payment applications, require a much more diligent effort in order to protect the overall application from hacking and malware threats. In addition to the potential financial losses, a compromised payment app can have a major impact on consumer loyalty and confidence, and can ultimately have an impact on the share value of these companies.
Infected mobile banking apps
Unfortunately, it is safe to assume that there are already numerous cases of infected apps on countless devices, while a large scale advanced mobile malware attack is lying in lurk somewhere waiting to be activated. Given the magnanimous potential of affecting banking or payment transactions on millions of devices, business to consumer applications are undergoing standardisation on application hardening with run-time protection practices before they are deployed.
With that in mind, our research also revealed that critical exposures in the application’s code can progress code tampering or malware attacks. From customised Mobile App Assessments of financial services apps, we found binary risks in the tune of 100% for authentication exposure, 50% of apps had jailbreak detection code and crypto exposure, and 50% had payment exposure. None of the apps were yet deployed with application hardening protection.
Further, “rich apps” provide more functionality and user experience and hence these apps need to access sensitive data, include access policies for privileged users or enable the processing of valuable transactions. For example, in some banking applications there is jail-break detection, which provides a critical decision point that would prevent users from proceeding with certain high value transactions of the application on a device that has been compromised. However, once an attacker has been able to leverage hacker tools to analyse and reverse engineer the app to locate the jail-break detection code in source code, no matter how sophisticated its logic may be, it can usually be defeated by changing a few bytes in the code.
Ultimately, financial organisations bear an onus of protecting their assets, users and sensitive data against fraud, privacy and financial loss. As the proliferation of mobile devices continues and more financial services are available through dedicated applications, there is an increasing need for mobile application security to be considered and implemented in the development process. This protection is needed to secure the application at rest and runtime. Many organisations rush to get apps into the hands of consumers, and upgrade them to offer the new functionalities and other content driven by consumer demand. The unfortunate side-effect of this is that security often becomes an afterthought.
Developers need to start implementing “application hardening” techniques at the beginning of the app building process. Security processes need to be inserted within the app that will yield self-aware, self-defending and tamper-resistant applications to ensure that the application is highly resilient against hacker attacks and can independently be capable of detecting whether its own state has been compromised, and take remedial actions as needed. Basically security innovation must be kept in-step with the innovation in mobile financial services.