Digital Payment Security: When Mobile Security Matters

Implementing robust security measures on the mobile channel is essential as digital customers are the number one attack surface today, and mobile is their preferred digital payment method for online transactions. The number of consumers making mobile payments before the pandemic was about 900 million, which rose to roughly 1.48 billion users for online payments in 2020. Mobile applications are constantly at risk, and it is challenging to keep end-users safe. Identifying fake and infected applications is challenging even for app stores with large testing labs, such as Apple and Google. Recently, apps infected by Joker, a malware specialized in SMS fraud used for stealing text messages and device information, were removed from the Google Play Store. Even after that, the affected apps were still available on alternative, less-protected stores. In fact, there are over 300 app stores worldwide today creating plenty of opportunities for fraudsters, hackers, and cybercriminals to trick unsuspecting, unprotected customers into downloading malicious apps onto their mobile devices. 

According to HelpNet Security, 77% of the financial mobile apps have at least one serious vulnerability that could lead to a data breach, 81% of finance apps leak data, and 49% of payment apps are vulnerable to encryption key extraction. 

Meanwhile earlier this year, The United States Senate Committee on the Judiciary approved bill S.2710 the Open App Markets Act. The catalyst for this bill is the iOS and Android app stores’ steep commission rates of up to 30 percent on in-app purchases in combination with the constraints they apply to either prevent or discourage installing apps outside their stores. The Open App Markets Act’s goal is to allow developers to reach their customers without the control of the big players who own the propriety app stores and the underlying operating systems. The legislation would allow users to download and run apps coming from alternative app stores.  

In Europe, large tech platforms that act as “gatekeepers” in the digital sector, will be forced by a newly published document from the European Commission, the European Union's Digital Markets Act (DMA), to allow end-users to use third-party app stores and payment systems. 

Of course, all these regulatory initiatives bring serious unintended security concerns as they will make it easier for customers to download fake or repackaged applications from third-party, less-protected app stores.  

What Do Changing Regulations and Payment Security Mean for App Developers? 

If your application operates with sensitive data such as Personal Identifiable Information (PII), payment, smart contract, metadata, business, or other confidential information like credit card information or a payment card number, you need to make sure you put in place reliable cybersecurity such as application shielding. Especially, if you allow apps to run on jailbroken or rooted devices. In such a case you need to ensure sensitive data is securely stored on the device.  

Important Mistakes to Avoid When Building a Mobile Payments App 

A common mistake we see is many applications on the market that carry sensitive information, either use inefficient code hardening techniques or do not use these techniques at all. 

  • For example, the obfuscation technique that is often used is a simple variable label renaming. Meanwhile, more effective methods to prevent static analysis, such as namespace flattening and code shuffling, are not considered. Using simple obfuscation techniques leads to apps that can be backward-engineered and leave the app open to a repackaging attack.  
  • Or sensitive data and API keys in the application are not encrypted but stored in plain text. Data that is left unprotected can be easily stolen.  
  • Another mistake is that data is encrypted, but the crypto keys are stored in plain text/hardcoded in the source code or the application assets. If you leave the key to your house under the doormat, the door will no longer provide protection once the doormat is lifted.  
  • The communication channel to and from the app is not secure. In such cases, transaction details, such as the beneficiary account number and the transfer amount of the payment, can be tampered with. 

Another important element is the runtime protection of the application. If static protection is often misunderstood and poorly implemented, in many cases, this layer is not even considered and is entirely missing.  

  • Often, developers have little to no in-house expertise in the detection of runtime attacks on the device and the application. 
  • Only known attacks are tracked, and no methods to detect unknown threats are used. 
  • Even if an attack is identified in the app, there could simply be nothing to effectively react to it or customize the reaction.  

How OneSpan Can Help You with Mobile App and Digital Payment Security

With OneSpan Mobile Security Suite and App Shielding, you can protect your mobile apps and the digital transactions they will conduct even before being uploaded to the app store.  

  • If your mobile app deals with sensitive data (e.g., processing digital agreements, P2P payments, or banking transfers), then you should implement effective protection for its business logic, secrets, and API keys. We enable the protection of secrets and personal information through Secure storage. If your application stores sensitive data on the device, Secure Storage combines software and hardware security elements to ensure data safety. To increase resistance to reverse engineering, we can obfuscate your app with advanced techniques. In addition to obfuscation, we can effectively protect your app from tampering and repackaging.  
  • App shielding is a component that seamlessly integrates into existing apps to detect, mitigate, and protect against runtime attacks, such as code injection, debugging, emulation, screen mirroring, app hooking, and more. The application stays protected even on compromised devices and by unknown attacks. This protection is also bound to your app, so if it ends up in an unknown store, the protection will follow. We can also dynamically change the screen of the mobile app depending on the risk or even stop the application from running.  
  • Our secure channel ensures data integrity, freshness, authenticity, and confidentiality for every communication between the server and the device. 
  • OneSpan provides a variety of strong authentication methods with dynamic linking and What You See Is What You Sign (WYSIWYS) to prevent ATO. Even successful authentications are analyzed by machine learning algorithms to further ensure interaction authenticity.  
  • We orchestrate the available authentication methods, depending on the level of risk or the requirements of the local regulators (e.g., PSD2). This is to increase security and user experience through user-friendly methods, such as biometrics, behavior, Cronto graphical cryptogram, FIDO, and more.  

Take the Next Step for Mobile Security in Financial Services 

As the business world continues to embrace digital transformation and secure payments, the need for robust, reliable mobile app security only becomes more important. Customers expect secure digital processes and trusted agreements, and that is reflected in both the consumer behavior, initiatives by financial institutions, and the regulations aimed at facilitating digital payments and payment solutions. 

Mobile App Shielding
White Paper

Mobile App Shielding: How to Reduce Fraud, Save Money, and Protect Revenue

Discover how app shielding with runtime-protection is key to developing a secure, resilient mobile banking app.

Download Now

Ralitsa Miteva is a fraud detection and prevention solutions manager at OneSpan where she advises financial institutions and other organizations about the evolving fraud landscape and helps them to overcome the new prevention challenges during their digital transformation.