COVID-19 has brought with it a truly unprecedented time for the digital economy. To safeguard ourselves and stem the spread of the Coronavirus, we’re all being asked to do things virtually. To comply with health officials’ mandates, many of us are already required to work from home, attend classes remotely, and complete our transactions online.
Many of us turned to mobile apps for work, transactions, communication and comforting distractions. At the same time, about every brand I transact with has issued COVID-19 advisories. I’ve been collecting these advisories, because they tell me something about the way the world’s largest businesses are adapting to the COVID-19 pandemic.
Mobile Banking and COVID-19
To comply with COVID-19 mandates, most banks and financial institutions are actively encouraging customers not to come to branches. Instead, these banks are sending advisories via email or posting the same on websites, telling customers to use the mobile banking app to save, deposit checks, send money, handle transactions and communicate with the bank. The largest banks out there, like Wells Fargo, Chase and others, are telling customers to bank virtually, listing the mobile banking app before the same bank’s online alternative. And it’s not just the large banks that are following this trend. For example, People’s United Bank reminds its customers that their mobile banking app offers a secure and convenient way to bank during the age of COVID-19. Literally every advisory I’ve received from brands and banks I follow and transact with encourages me to use the mobile banking app first, before any other alternative.
And collectively, we have all adapted to this new banking reality. AppAnnie, a mobile app economy analytics firm, published a very interesting report on the impact of COVID-19 on the mobile economy in the first half of 2020. It found that banking customers worldwide dramatically increased their use of mobile banking apps. In the United States, mobile banking app use went up by 65% in less than 6 months (from Q4 2019 to Q2 2020).
It’s also interesting to note that, in the same communications regarding COVID-19, major banks and financial institutions are warning customers to stay alert for cyber criminals, fraudulent activities, phishing activities and other scams. This makes sense to me. I read elsewhere that a Coronavirus tracking app has been found to lock Android phones up for ransom. Criminals, it seems, are also on high alert, looking for unsuspecting consumers and unprotected apps.
FBI Warns Against Mobile Banking App Exploits
On June 10, 2020, the FBI said that increased use of mobile banking apps could lead to exploitation. US financial technology providers estimate more than 75 percent of Americans used mobile banking in some form in 2019. And studies of US financial data indicate a 50 percent surge in mobile banking since the beginning of 2020. The FBI expects cyber actors to attempt to exploit new mobile banking customers using a variety of techniques, including app-based banking trojans and fake banking apps.
EventBot Malware Trojan Targets FinServ Apps
EventBot is a malicious program (malware) hidden within a seemingly valid app that harvests unprotected data from victim apps on the same Android device. TechCrunch reports that EventBot often masquerades as a legitimate Android app, like Adobe Flash or Microsoft Word for Android. Once installed, EventBot goes to work, harvesting unprotected data, expanding permissions and gaining access to the accessibility options in the Android operating system. And ZDNet warns that EventBot is specifically targeting mobile banking, mobile apps and cryptocurrency wallets across Europe and the United States, looking for user credentials, one-time passwords (OTPs) and account details. Appdome makes protecting mobile banking apps from EventBot malware easy.
COVID-19 Bill of Rights
We blogged earlier this year about the work of OWASP, which publishes its Mobile Top 10 Risks. This is a good place to start for security professionals to assess the vulnerability state of their mobile apps. But what about the consumer user? As a consumer user of mobile banking and other apps, the list should be augmented with the basic protections we all expect from our mobile banking app. If, in the age of COVID-19, we want more people to turn to and use mobile apps as the trusted medium of commerce, we should consider the following COVID-19 bill of rights for mobile banking apps:
- Secure Data Storage (OWASP M2). Simply put, secure the user’s data at rest, i.e., stored locally by the mobile app.
- Sufficient Cryptography (OWASP M5). Use AES 256 or higher on all data elements in the app, including strings, preferences and resources.
- Secure Communication (OWASP M3). Protect against man-in-the-middle (MiTM) attacks. There should be no reason hackers and thieves should see data that passes between my app and the backend.
- Encrypted Username and Passwords. Surprisingly, many apps don’t do this inside the app itself.
- Protect Users Against Fake Apps. Most apps on the app stores don’t protect against tampering, reversing and similar threats, allowing malicious actors to create and distribute fake apps to prey on unsuspecting consumers.
- Protect Users against Keylogging. This is an add-on to protecting usernames and passwords, as malicious third-party apps can track and store user credentials as they are entered into apps.
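As an added example (not Appdome’s code or tooling), here is a stdlib-only Python audit that checks an app’s stored preferences and string resources for the weaknesses the list above names: credentials kept in cleartext (M2), cleartext http:// endpoints (M3) and weak ciphers or modes (M5). The two sample files, their key names and the detection heuristics are constructed assumptions, not taken from any real app.

```python
"""Audit app resource XML for cleartext credentials, http:// endpoints and weak crypto."""
import re
import xml.etree.ElementTree as ET

# Constructed sample: an Android shared_prefs file that stores a password in the clear
SAMPLE_PREFS = """<map>
    <string name="username">alice</string>
    <string name="password">hunter2</string>
    <string name="api_base">http://api.example-bank.test/v1</string>
    <string name="session_token">Zm9vYmFyYmF6cXV4MTIzNDU2Nzg5MA==</string>
</map>"""

# Constructed sample: an Android strings.xml with a legacy cleartext URL and AES in ECB mode
SAMPLE_STRINGS = """<resources>
    <string name="app_name">ExampleBank</string>
    <string name="backend_url">https://api.example-bank.test/v1</string>
    <string name="legacy_url">http://legacy.example-bank.test/login</string>
    <string name="cipher">AES/ECB/PKCS5Padding</string>
</resources>"""

# Key names that should never hold a readable value once stored on the device
SENSITIVE_KEYS = re.compile(r"(pass(word)?|pwd|secret|token|pin|otp|api[_-]?key)", re.I)
# Algorithms and modes that do not meet the "sufficient cryptography" bar
WEAK_CIPHERS = re.compile(r"\b(DES|3DES|RC4|RC2)\b|/ECB/|MD5|SHA-?1\b", re.I)
CLEARTEXT_URL = re.compile(r"\bhttp://\S+", re.I)


def looks_encrypted(value):
    """Heuristic: treat base64-like text of 24+ chars as opaque ciphertext (assumption)."""
    return bool(re.fullmatch(r"[A-Za-z0-9+/=]{24,}", value))


def audit_xml(xml_text, source):
    """Return (source, key, finding) tuples for each weakness found in one XML file."""
    findings = []
    for elem in ET.fromstring(xml_text):
        name = elem.get("name", "")
        value = (elem.text or "").strip()
        if SENSITIVE_KEYS.search(name) and value and not looks_encrypted(value):
            findings.append((source, name, "sensitive value stored in cleartext (OWASP M2)"))
        if CLEARTEXT_URL.search(value):
            findings.append((source, name, "cleartext http:// endpoint (OWASP M3)"))
        if WEAK_CIPHERS.search(value):
            findings.append((source, name, "weak cipher or mode (OWASP M5)"))
    return findings


if __name__ == "__main__":
    for f in audit_xml(SAMPLE_PREFS, "shared_prefs") + audit_xml(SAMPLE_STRINGS, "strings.xml"):
        print("%s: %s -> %s" % f)
```

Run against a real app’s extracted shared_prefs and res/values files, the same checks flag the storage and transport issues a release review should catch before shipping.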
At this point, you may be asking, how do you know mobile apps don’t protect against these threats today? Well, at Appdome, we’re in the mobile app security business. Every day, we see unencrypted databases, unencrypted strings and resources, weak encryption, use of HTTP, no app shielding, no obfuscation and more. This allows any hacker using dynamic and static analysis tools to learn very important financial information of users of the app, steal usernames, passwords, server URLs and use a compromised app to attack the backend banking servers.
What’s more, a malicious entity could compromise several apps, expose user information and inflict lasting damage on the trust and reputation of the institution. This is a big issue, underscored by the Verizon Mobile Security Index which found that 95% of banks and financial services organizations said their customers expect a reliable service, and that any less could have a lasting impact on their reputation.
With the sudden big push towards mobile banking, it is paramount that banks take control of the security of their mobile banking apps, before their customers have to deal with the stress of compromised banking information, in addition to the stress caused by the coronavirus outbreak.
Appdome Provides Instant Protection
Luckily there is the Appdome Mobile Security Suite. With a single click, banks can fully protect their apps against attempts by a hacker or malicious entity to break into their mobile apps. Appdome is a Mobile Solutions and Security Platform that uses AI to automatically build security into mobile apps, without the need for coding. In fact, there are no dependencies on roadmaps or engineering and development resources. Anybody in the security organization of the bank can fully secure their mobile banking app, using Appdome’s simple to use, point and click UI. With Appdome, banks can protect their apps against all 10 of the OWASP Mobile Security risks. Appdome also enables PSD2 Compliance for Mobile Apps.
The Appdome Mobile Security Suite includes the following security components:
- TOTALData Encryption provides data-at-rest, data-in-use and data-in-transit encryption.
- TOTALCode Obfuscation obfuscates the binary code, native and non-native libraries, and the app’s flow control and logic.
- Secure Communications protects data at all points that are ‘in-transit’ and ensures the validity of all end points and any intermediate systems in between an app and its backend.
- OS Integrity protects the app from operating in unsafe environments, such as on Jailbroken/Rooted devices.
- ONEShield by Appdome hardens the app to protect your IP from attempts to tamper with or reverse engineer the app.
By protecting their mobile apps with the Appdome Mobile Security Suite, mobile app developers and non-developers alike gain a non-cascading, multi-layered defense against the security threats their apps can be faced with.
Recommendations for Mobile Developers
Protect your mobile apps now. As the Coronavirus pandemic forces regions all over the world to lock down and shelter in place, more and more of your customers will have to start mobile banking. Hackers know this and are looking to take advantage of the situation. By waiting until they suffer a mobile breach, banks are putting their customers and reputation at risk.