CoDi Compliance, No coding required – The Fastest Way to Secure Mexico’s Mobile Banking Apps

What is CoDi? 

CoDi is a digital/mobile payment system developed and sponsored by the Bank of Mexico (aka: Banxico), Mexico’s central bank. Banxico launched the first phase of CoDi in September 2019, with the lofty goals of moving Mexico to a ‘cashless’ economy, significantly increasing the country’s tax base, as well as to bring the vast majority of ‘unbanked’ Mexican’s into the financial system. 

CoDi enables mobile users to pay for ‘everyday goods and services’ from any participating merchant using a mobile banking app that they download from an app store or their bank’s website. CoDi will cover everything from groceries, public transit, electronics, household goods and more – Basically anything the average Mexican would normally purchase using cash. CoDi is free and settlements are instantaneous between merchants, consumers and banks. 

How Does CoDi Work? 

Consumers initiate transactions by scanning a QR code or via NFC, using their bank’s mobile app. Merchants request payments using Banxico’s mobile app, which sends the consumer a confirmation message over the public Internet. Transaction are processed and cleared through SPEI, Mexico’s existing interbank financial network. Once cleared, the consumer’s bank will process the payment directly to the merchant. 

There are several obstacles that Banxico is working through in order to achieve mass-market adoption. In Mexico, cash is still king. On the technical side, the biggest challenges have to do with ensuring the security, fidelity and authenticity of all transactions, as well as making sure that the network is always available to process transactions when consumers need it. Careful implementation is required to ensure that all 50 member banks can connect to SPEI using encrypted transport with a high enough key strength to protect mobile user data. Also, the reliance and widespread use of QR codes and NFC technology could be inviting to cybercriminals. In practice, QR codes often contain data for a locator or identifier that points to a website or application. They make use of mobile app permissions to certain OS functions such as the camera and GPS, but if users are not vigilant, some apps may seek greater permissions than actually needed and open the device up for attack. QR codes can also be attacked through Javascript injection or XSS vulnerabilities existing on the server-side.  

Security Challenges With CoDi

Chief among the security challenges is mobile fraud. According to Mercator’s recent review of the LATAM market, mobile fraud rates in Mexico are among the highest in the world. Chargeback rates (a byproduct of mobile fraud) are approx 3x the global average. And Mexican financial and e-commerce institutions have been victims of multiple high profile attacks on Mexican payment systems, where millions of records containing PII have reportedly been exposed. 

Such breaches are thought to be one of the reasons why identity theft in Mexico is among the highest in the world, reaching as high as 7800 occurrences in a single year. 

Regulation Changes and Compliance Initiatives

Over the past few years, the Bank of Mexico and other regulatory agencies have introduced compliance initiatives and changes to regulations in an effort to deal with the security incidents which have plagued Mexico’s banks and consumers.  For example, in Dec 2019, the  Ministry of Economy published changes to the Federal Consumer Protection Law. The changes are designed to give consumers more control and rights when it comes to their privacy. These changes will place more responsibility on banks and other financial institutions to protect and safeguard user data. 

As a means of addressing security concerns head-on, Banxico is requiring that all CoDi member banks follow the same guidelines that it publishes for SPEI (the inter-banking payment network). It makes sense to extend any CoDi compliance requirements to mobile app as the implementation and use of CoDi is entirely inside the mobile app.

Banxico’s requirements are a good start because they establish a high-level framework that makes it clear to member banks that they need to protect mobile users and data, and they reference encryption and secure communications channels as primary ways to protect data. That’s good. However, the requirements are mainly written from a ‘server-side’ or network-centric perspective and they do not provide enough detail for mobile app makers to establish a baseline for data security and compliance. 

For instance, they specify the acceptable encryption algorithms and protocols and key derivation for digital certificates inside the SPEI interbank network. But what about the data BEFORE it gets to SPEI – ie: data stored inside the 50+ mobile banking apps, as well as the communication links and intermediate points in between the mobile app/user and the SPEI network?    

Specifically, mobile apps create, process and store a lot of data about users, transactions, network information, and this information often includes personally identifiable information (PII) about mobile users. Developers have a lot of flexibility and choice when it comes to how and where sensitive mobile data is stored, persisted, and transmitted: such as App preferences, resource files, strings, or external storage media. 

To make apps easy to use, user info and authentication artifacts are often persisted for lengthy periods of time. And developers also have significant flexibility in deciding how to externalize data or grant permissions to other systems or apps. 

What does all this mean? It means that there for every mobile banking app, there are many ways hackers can get their hands on sensitive and valuable data at every part of the transaction. So in order to achieve CoDi compliance and protect mobile data and users, the data needs to be protected end-to-end.  

Best Practices for CoDi Compliance and Mobile App Security

Here are some best practices for mobile app security that Banxico and all member banks who participate in CoDi can use to build secure versions of their mobile apps that process CoDi transactions. 

CODI COMPLIANCE AND SECURITY MATRIX

Best Practice Specific ProtectionsCoDi Compliance & Security Benefit 
Standardize and Automate App Security No-code Mobile Security

Security Templates 

-Ensures a common baseline and minimum security standard for any app that connects to Banxico and SPEI

-Enables mobile app security within the app lifecycle and continuous delivery process 

App Hardening Anti-Tampering

Anti-Reversing 

Anti-Debugging 

-Prevents clones/mods/ fakes of mobile banking apps

-Prevents static/dynamic code analysis

-Prevents malicious debugging 

Obfuscation Binary code obfuscation 

Non-native obfuscation 

Control flow relocation 

Strip debug info 

-Prevents hackers from learning how a mobile banking app functions

-Prevents static and dynamic reverse engineering 

-Prevents decompiling app to obtain source code 

Data Protection  Data at Rest Encryption

Encrypt app preferences

Encrypt strings/secrets

Encrypt app resources 

Data in Use Encryption 

-Protects all data stored inside the mobile app 

-Protects PII and user data stored within app preferences, app resource folders, and text-based XML strings

-Protects transient data stored in memory 

-Protects user privacy 

-Protects data in all 3 states (at rest, in transit, in use)

Secure TransportMiTM attack Protection 

Certificate Pinning 

CA Validation 

Certificate validation 

-Prevents session hijacking, screen overlay, phishing, malicious proxies 

 -Verifies the authenticity and validity of the chain of trust

-Prevents certificate forgery, prevents unauthorized certificate signing

OS Protection Jailbreak/Root prevention

Advanced Root hiding detection 

Detect Unknown sources 

Detect Developer options

-Prevents mobile banking apps from running in a compromised environment 

-Prevents hackers from installing malware, such as mobile banking trojans 

-Prevents drive-by downloads 

Secure Authentication Secure In-App Pincode, and Biometrics, FaceID

Secure Enclaves 

Adaptive MFA

-Provides additional means to verify identity while preserving the user experience

-In-app biometrics/pincodes provide better app security than device pincodes

-Enables contextual and environmental considerations to trigger step-up authentication challenges

Following the above best practices will enable banks to build security into their mobile apps without any coding, making their apps self-defending in the wild, and protecting all mobile data that their app processes as part of CoDi. 

The risks of not following mobile security best practices are numerous and extensive, including theft of sensitive user data (PII), transaction data, mobile fraud, identity theft, ransomware attacks, session hijacking, and more. Of course, with the ease of Appdome, we hope you’ll choose to secure your app and users. My advice would be to protect the people that use your mobile app. It’s best practice and just good business.