By Andrew Whaley, VP engineering UK, Arxan
Mobile banking and mobile payments have experienced a meteoric rise in popularity over the last year. A recent report by the BBA [The Way We Bank Now Report, 2016] points to a 54% growth in UK mobile banking usage, with an astonishing 11 million mobile app banking transactions per day in 2015.
Mobile payments are equally experiencing a dramatic uptick in use, with an e-marketer report revealing that almost three quarters of mobile banking app users use a mobile payment app to settle a bill.
The convenience and ubiquity of mobile devices are the key factors driving this adoption. For example, mobile banking allows the phone itself to serve as the second authentication channel alongside the passcode, whereas online banking typically requires a separate code-generating device. However, while many of us enjoy the convenience and simplicity of using mobile devices to pay for our underground tickets or to call and pay for an Uber, users still harbour doubts over security.
Concerned about security
In many respects, mobile banking is a lot more secure than web banking. In the first place, the app runs as native code inside the mobile platform's own sandbox rather than as a web page inside a general-purpose browser, which removes a large class of browser-based attacks. However, poor device hygiene can undermine that protection: jailbroken or rooted devices, for example, have weakened platform protections and are far more susceptible to attack.
Fraudsters are only too aware of the potential rewards from hacking mobile payment or banking apps, so there is no room for complacency either by banks or consumers. As consumers increasingly move from web to mobile banking, cybercriminals will follow the money and find ways to exploit vulnerabilities.
It’s my experience that banks take security very seriously indeed and huge sums of time and money are invested in tackling the perennial issue of fraud. UK payment card fraud cost UK banks £567.5 million in 2015, an 18% increase on the previous year according to Financial Fraud Action UK [Fraud The Facts 2016 Report]. A total of £843.6 million of attempted card fraud was prevented by banks and card companies, equivalent to £6 out of every £10 of fraud being stopped. In 2015 £2.8 million was lost to mobile banking fraud in the UK.
However, Arxan's 2015 State of Application Security Report, which tested the UK's most popular financial apps, found that 92% of those apps failed to address at least two of the Open Web Application Security Project's (OWASP) Mobile Top 10 risks, and that 96% were susceptible to reverse engineering.
Hidden financial threats
Financial apps face attack on three fronts: the banking backend servers; the application programming interfaces (APIs) through which the apps talk to those servers; and the apps themselves. Mobile operating systems are generally quite secure, with the sandboxes on Android and iOS designed to isolate apps from one another. The sandbox, however, does nothing to protect an app's own code from a skilled attacker who has the binary in hand, so the apps themselves need protection.
App hardening solutions wrap the app in a full metal jacket, so that even if the mobile device itself is compromised, the attacker still cannot readily get inside the application code. One element is code obfuscation, which transforms the code and data so that a disassembler or decompiler yields nothing an attacker can easily make sense of. Others are integrity checks that detect when the binary or its running code has been modified, so that an attacker cannot reverse engineer or change it, for example to insert malware, without the app noticing and refusing to run. No single measure of this kind is unbreakable; the aim is to raise the attacker's cost and to make tampering detectable.
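As an added illustration of the two building blocks just described (example code written for this article, not Arxan's product code or any bank's app), the C program below stores a sensitive string XOR-encoded so that it is not visible to `strings`, decodes it only at the point of use, and records an integrity hash over a protected region that it re-checks before a sensitive operation; a patched byte makes the check fail. The host name, the `max_pin_attempts` setting, the single-byte XOR key and the FNV-1a hash are assumptions chosen for readability. A shipped product uses far stronger transforms, embeds the reference hash after the build rather than taking it at start-up, covers code pages as well as data, and hides many interleaved checks, none of which this single visible check does.

```c
/* Added example (not Arxan's code): two app-hardening building blocks in
 * portable C so it runs anywhere.
 *  1. String obfuscation: a sensitive literal is stored XOR-encoded and is
 *     decoded into the caller's buffer only when needed.
 *  2. Tamper detection: an integrity hash over a protected region is
 *     recorded at initialisation and re-checked before a sensitive
 *     operation. (Assumption for self-containment: real products embed the
 *     reference hash post-build and also cover code, not just data.)
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define OBF_KEY 0x5Au
/* Folded at compile time, so the plaintext never lands in the binary. */
#define O(c) ((uint8_t)((c) ^ OBF_KEY))

/* Hypothetical protected configuration (host name and lockout threshold
 * are assumed values for the example). */
struct protected_cfg {
    uint8_t  api_host_enc[32];
    uint32_t max_pin_attempts;
};

static struct protected_cfg cfg = {
    { O('a'), O('p'), O('i'), O('.'),
      O('e'), O('x'), O('a'), O('m'), O('p'), O('l'), O('e'), O('-'),
      O('b'), O('a'), O('n'), O('k'), O('.'), O('c'), O('o'), O('m'), O(0) },
    3
};

/* FNV-1a 32-bit: fast, non-cryptographic. Adequate to catch naive patches;
 * an attacker who finds this check can forge it, hence layered hidden checks
 * in real products. */
static uint32_t fnv1a32(const uint8_t *p, size_t n) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

static uint32_t reference_hash;

/* Record the integrity baseline over the protected region. */
void harden_init(void) {
    reference_hash = fnv1a32((const uint8_t *)&cfg, sizeof cfg);
}

/* 1 if the protected region is intact, 0 if it has been modified. */
int harden_verify(void) {
    return fnv1a32((const uint8_t *)&cfg, sizeof cfg) == reference_hash;
}

/* Decode the obfuscated host name into out; returns its length, or -1 if
 * no terminator fits in the buffer. Caller wipes out after use. */
int get_api_host(char *out, size_t outlen) {
    for (size_t i = 0; i < sizeof cfg.api_host_enc && i + 1 < outlen; i++) {
        out[i] = (char)(cfg.api_host_enc[i] ^ OBF_KEY);
        if (out[i] == '\0') return (int)i;
    }
    return -1;
}

/* Sensitive operation gated on integrity: 1 if another PIN attempt may
 * proceed, 0 if the attempt limit is reached or tampering was detected. */
int pin_attempt_allowed(uint32_t attempts_so_far) {
    if (!harden_verify()) return 0;
    return attempts_so_far < cfg.max_pin_attempts;
}

/* Simulates what a binary patch or a runtime memory write would do:
 * raise the lockout threshold. Present only so the check can be exercised. */
void simulate_patch_max_attempts(uint32_t v) { cfg.max_pin_attempts = v; }

int main(void) {
    char host[64];
    harden_init();
    get_api_host(host, sizeof host);
    printf("host=%s allowed(2)=%d\n", host, pin_attempt_allowed(2));
    simulate_patch_max_attempts(1000000u);
    printf("after patch: allowed(2)=%d (0 means tamper detected)\n",
           pin_attempt_allowed(2));
    memset(host, 0, sizeof host); /* wipe the decoded secret */
    return 0;
}
```

The pattern worth copying is the shape, not the primitives: secrets are decoded at the moment of use and wiped, and every sensitive code path asks "is my protected region still what I shipped?" before acting, so a modified binary fails closed instead of running with attacker-chosen limits.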
So what of the future? Mobile operating systems are getting more secure, but vulnerabilities still exist and the situation is constantly in flux, with hackers and security professionals locked in a cat and mouse pursuit. Devices are also adding extra security through new hardware capabilities such as the Secure Enclave in recent Apple devices.
However, fraudsters are catching up, and new exploits are constantly being created that endanger devices, operating systems and apps. So a multi-layered approach to security is the only way to stay ahead of the game. App providers need to ensure they have their own built-in defences, over and above those offered by the operating system and the device manufacturers, to protect both their own code and their users from the constant drumbeat of attacks that threatens mobile users every day.
Arxan provides a comprehensive enterprise solution for application protection, specialising in mobile apps and IoT.