At the beginning of 2021, the mobile banking app security requirements most financial services organizations were looking to implement were a variation of the following:
- TOTALCode Obfuscation
- TOTALData Encryption
- iOS jailbreak prevention and Android root prevention
- Secure Communications
Evolving Threat Landscape for Mobile Banking and Fintech Apps in 2022
Going into 2022, we’ve seen a clear evolution in the complexity of the threat landscape. This evolution has major implications for the mobile banking app security requirements financial services and fintech companies are looking at. Leading up to 2022, we’ve seen the following threats emerge:
Mobile Banking Trojans
Malware in general, and Mobile Banking Trojans specifically, have emerged as one of the biggest threats to mobile banking. Mobile Banking Trojans take many different forms, but they all share two things: their purpose is to defraud mobile banking customers by stealing money from their accounts, and every Android banking trojan starts with a permission escalation attack that abuses the Android Accessibility Service.
App Overlay Attacks / Screen Overlay Attacks
A Screen Overlay Attack (sometimes also called Clickjacking) is an attack method that uses multiple transparent or opaque layers to trick users into interacting with malicious or hidden content or malware. The trickery is accomplished with the help of malware on the user’s device, which either imitates, hijacks, or covers a portion of the legitimate app.
Overlay attacks can be used to harvest or steal data, typically usernames, passwords, account numbers, and other valuable information. Other overlay attacks trick users into enabling specific developer features that allow a fraudster to install malware on the device or to take remote control of it. Finally, overlay attacks can also be a way for bad actors to elevate administrative privileges, enable Accessibility Services, or grant permission requests to a malicious app running in the background.
In most cases, the unassuming end-user has no idea an app overlay attack is happening until they experience the negative effects of the attack.
Abuse of Android Debug Bridge
Android Debug Bridge (ADB) is a very powerful and versatile Android command-line utility that enables developers to communicate with and manage an Android device or app. The same capabilities can be misused by people acting with bad intent for purposes ADB was never meant for. We wrote extensively about the top 10 ways ADB can be misused.
Abuse of Magisk
Magisk is a “systemless” rooting tool that is used to elevate privileges to gain system-level access (root access) to the Android OS and underlying file system. Magisk does not make changes to the Android bootloader or require flashing a custom ROM. Instead, it stores its modifications in the boot partition rather than modifying the real system files. Since the original system files remain unchanged, the modifications can go undetected by Google SafetyNet and most root detection methods, which makes Magisk Manager an incredibly powerful and popular tool for compromising Android apps. We’ve documented in detail the top 7 ways Magisk is abused to attack Android apps.
Abuse of Frida
Frida is a dynamic instrumentation / binary instrumentation toolkit intended for developers, pen-testers, and security researchers. However, it is also used by fraudsters, cybercriminals, black hats, and other malicious actors to compromise mobile apps, inject malicious code, and/or change a mobile app’s logic or behavior in unintended and malicious ways. Learn how to block Frida and other dynamic instrumentation, hooking, code injection, and app manipulation toolkits in Android and iOS apps. We’ve documented in detail the top 7 ways cyber criminals abuse Frida to attack Android and iOS apps.
Banking Cybersecurity Checklist – The Top 10 Security Requirements Every Bank Should Consider in 2022
As one of the product specialists for Appdome, one of the top questions I get from Financial Services organizations is what my recommended solution is to protect their mobile banking and fintech app. The solution I recommend is a variation of the following 10 protections.
The top 10 mobile banking app security requirements for 2022 are:
- ONEShield – Appdome’s RASP solution, which adds debugging, tampering, iOS reverse engineering and Android reverse engineering protections to the app. It also prevents the app from running on emulators and simulators.
- TOTALCode Obfuscation – to obfuscate all binary code and all non-native coding elements, including 3rd party libraries and SDKs.
- TOTALData Encryption – AES-256 encryption of all data stored in the application sandbox as well as throughout the code of the app (preferences, strings and resources, including the strings.xml and Java class .dex files of Android apps).
- OS Security – adds iOS jailbreak prevention and Android root prevention to banking and fintech apps.
- Secure Communications – protects any mobile banking and fintech app against Man-in-the-Middle (MitM) and other network-based threats. It also adds secure certificate pinning and bot defense to the apps to further protect the connection between the app and the mobile back end.
- Detect Accessibility Abuse – Detects any application installed on the device that has too many accessibility services permissions. This privilege escalation is common with all Trojans and RATs.
- Block Overlay Attacks – detect and prevent screen overlay attacks such as Anubis, BankBot, StrandHogg, BlackRock, Cloak&Dagger, Ghimob, Ginp, and MazarBot from displaying a fake screen on top of the app screen.
- Block Android Debug Bridge – prevent the use of ADB for malicious reverse engineering and debugging of your apps
- Block Magisk Manager – Identifies and blocks the use of Magisk Manager, an advanced root bypass and root hiding app.
- Block Frida Toolkits – Automatically detect and block Frida based toolkits from reverse-engineering and instrumenting of the app UI and logical flow.
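The two checks behind “Detect Accessibility Abuse” and “Block Overlay Attacks” can be illustrated with the platform APIs an app has available on its own. The following Kotlin is an added example, not Appdome’s code: it enumerates enabled accessibility services that can read the screen or inject gestures (the privilege a banking trojan needs), and it drops touches that arrive through a window belonging to another app (the signal of a tapjacking overlay). The `TRUSTED_SERVICE_IDS` allowlist value is a constructed placeholder.

```kotlin
import android.accessibilityservice.AccessibilityServiceInfo
import android.content.Context
import android.os.Build
import android.view.MotionEvent
import android.view.View
import android.view.accessibility.AccessibilityManager

// Constructed allowlist of accessibility service ids ("package/class") that the
// app trusts, e.g. the platform screen reader. Placeholder value, not a real id.
private val TRUSTED_SERVICE_IDS = setOf("com.example.trusted/.ScreenReaderService")

data class RiskyService(val id: String, val canReadScreen: Boolean, val canPerformGestures: Boolean)

/** Returns enabled accessibility services, not on the allowlist, that can read
 *  window content or perform gestures: the capabilities overlay/RAT malware
 *  relies on after tricking the user into granting accessibility access. */
fun findRiskyAccessibilityServices(context: Context): List<RiskyService> {
    val am = context.getSystemService(Context.ACCESSIBILITY_SERVICE) as AccessibilityManager
    return am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)
        .filter { it.id !in TRUSTED_SERVICE_IDS }
        .map { info ->
            val caps = info.capabilities
            RiskyService(
                id = info.id,
                canReadScreen = (caps and AccessibilityServiceInfo.CAPABILITY_CAN_RETRIEVE_WINDOW_CONTENT) != 0,
                // Gesture injection capability only exists from API 24 (Android 7.0) on.
                canPerformGestures = Build.VERSION.SDK_INT >= Build.VERSION_CODES.N &&
                    (caps and AccessibilityServiceInfo.CAPABILITY_CAN_PERFORM_GESTURES) != 0
            )
        }
        .filter { it.canReadScreen || it.canPerformGestures }
}

/** Installs a touch filter on a sensitive view (login button, amount field).
 *  The system sets FLAG_WINDOW_IS_OBSCURED on a touch that passed through a
 *  visible window of another app before reaching this view; such a touch is
 *  consumed (dropped) and reported instead of being acted on. */
fun View.guardAgainstOverlay(onObscuredTouch: (MotionEvent) -> Unit) {
    setOnTouchListener { _, event ->
        val fullyObscured = (event.flags and MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0
        // Partial-obscure flag was added in API 29 (Android 10).
        val partlyObscured = Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q &&
            (event.flags and MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0
        val obscured = fullyObscured || partlyObscured
        if (obscured) onObscuredTouch(event)
        obscured // true = consume the suspicious touch, false = deliver it normally
    }
}
```

The touch filter only catches overlays that let touches pass through to the real app; a phishing overlay that captures the credentials itself never delivers a touch to the view, which is why the accessibility check (the permission such malware needs to time and draw its overlay) complements it.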
Appdome is by far the best mobile app security solution for banks and fintech available in the industry today. But don’t take our word for it. Cyrus Daruwala, Managing Director of Financial Services and FinTech at IDC, says:
“To cater to today’s new world, where everyone is living, working, and playing through mobile apps, banks have figured out the art of ecosystems, the magic of APIs and the success of cloud. They have addressed everything – but one key aspect – app-based Security and Fraud prevention! This was usually left to the network folks in the bank, or worse still, left to the users’ good judgement.
When I started evaluating the various end-to-end app security solutions for my banking customers, I found Appdome to be the leader of the pack. Not only are they unique (and complete) in their app protection solution, but they are amongst the very few in the world who can let you build runtime app self-protection (or RASP) with No code, No SDK and No Gateways needed. Highly recommended for any bank or institution creating a super-app ecosystem.”