When the University of Birmingham publicly called out several mobile banking apps for Man-In-the-Middle (MiTM) security flaws earlier this year, Appdome saw it as a call-to-action.
The researchers at the University of Birmingham looked at the MiTM implementations across hundreds of apps. They observed that many mobile banking providers had already augmented their mobile apps with SSL pinning but several failed to do complete implementations – for example, they either failed to include hostname verification or worse allowed for self-signed certs or any cert from any public CA. This left the apps vulnerable, and in most cases in the worst state imaginable.
As a prolific mobile banking user myself, my mobile banking app is critical to how I manage my money, pay bills and create a nest egg for my family. I can’t remember the last time I walked into the local branch office of my bank. The mobile app from my bank is the primary relationship platform they have with me. Not only do I use my mobile banking app everywhere, I expect to do so. Judging by what I see online, I’m not alone. Mobile banking is banking in the modern world. For me, the analysis is very simple. As a provider of a mobile banking app, there are three elements you need to protect – the data, the app and its use.
Mobile app use is a multi-dimensional concept. At a minimum, adding advanced MiTM protections to your mobile banking app enables secure use of the app from anywhere, on any network. I’m very proud that Appdome provides a complete, best-practice implementation for MiTM Protection for mobile banking apps. The Appdome solution requires no-code or coding and covers the critical use cases to protect mobile banking apps and their users.
Appdome’s MITM feature set has always verified hostnames as part of the SSL validation process. Earlier this year, we added the ability for mobile app providers to specify the cert used in the validation process. This allowed admins on Appdome to add specific, known, trusted certificates to a whitelist. Attempts to connect to sites with certs not on the whitelist are denied.
Then, Appdome decided the market needed a major step forward in mobile app MiTM Protection. We released a new feature called Trust Session Inspection, the capability offers an advanced MiTM solution for Android and iOS apps that does SSL Certificate Validation on the go. The key element of Trusted Session Inspection is the ability to keep track of the SSL session and validated the CA authenticity as it is being sent.
Trusted Session Inspection goes beyond where other MiTM protections leave off. It is stateful, with zero performance impact. It allows for malicious proxy detection regardless if the proxy is internal or external to the mobile device. And SSL Certificate Validation prevent an app from resuming unauthorized SSL sessions it did not initiate. With Trusted Session Inspection, Android and iOS apps are protected against all types of attacks such as malicious proxy, ARP spoofing or any other session hijacking techniques.
I’m happy to say that Trusted Session Inspection is amazing. Many of Appdome’s financial services customers, and a growing number of prospects, are making Appdome’s MITM features a core part of their mobile apps. Universally, people are amazed that they can implement these capabilities without writing one single line of code. One of the biggest extra benefits we hear from these financial customers is how liberating it is to use Appdome within agile development processes. With Appdome, a security release is completely independent from feature development cycles, giving each organization the peace of mind that they can satisfy security requirements on demand without any impact to their product roadmaps.
Of course, Appdome provides security features to protect the data and the app itself too. We offer a comprehensive mobile security suite to ensure data at rest protection, string and preference encryption and more. Through our ONEShield™ and TOTALCode™ Obfuscation, we also protect the app itself from hacking and hackers. ONEShield provides Appdome’s app hardening features, among them anti-tampering, anti-debugging and anti-reversing protections, with the power of TOTALCode Obfuscation, encrypted strings and preferences, and other features — making Appdome the single most comprehensive solution to protect mobile apps.
Drop me a line to learn more about how you can get out of coding security features and free your mobile app roadmap with Appdome.
Chris Roeckl is VP of sales at Appdome.