I recently had the pleasure – along with our Head of Shielding Sales, Jouni Welander – of participating in a think tank with leading security experts from banks, payment schemes and governments around Europe.
The topic of discussion was mobile app security. For most of the participating banks, mobile is now the primary interaction channel with their customers. This has made mobile banking security a huge topic.
It was interesting to hear how practice has changed over recent years, with cybersecurity’s involvement in mobile app development “shifting left”. This means, for our experts at least, the days of being reactive have gone. They are now proactively involved in the specification of new apps and features – making sure security is considered early in the process. This makes sense as they are seeing an increase in fraud through the mobile channel as feature-sets expand.
Our experts self-selected as being interested in mobile app security. It would be interesting to know if this proactive approach is standard practice. Research data from iSMG suggests this best practice isn’t yet the norm.
The iSMG research also identified that 50% of banks outsource their mobile app development, while a further 19% buy in a white-label solution. iSMG highlighted that this led to a loss of visibility around security control implementation. In the Think Tank, it was felt that this did not have to be the case. A proactive approach to security, with the bank’s security experts involved in specifying outsourcing requirements, gives the bank flexibility to make in-house vs outsource business decisions without impacting security.
With the majority of participants highly concerned about API Security and how the mobile app can become a vehicle into the wider ecosystem, the conversation turned to reverse engineering of the apps.
There was a lot of good mobile security practice in evidence among the participants and their teams: for example, network connections were being pinned (certificate pinning) to prevent man-in-the-middle attacks, and the apps underwent Static and Dynamic Application Security Testing (SAST/DAST) before being published. SAST/DAST validates the perimeter of the application, checking that its interfaces are sensibly defined so as not to open up unnecessary security risk. This kind of testing typically does not evaluate how easy it is to get inside the app perimeter and analyse the app’s code – a form of attack called reverse engineering.
Reverse engineering can reveal secrets about how the app connects to the rest of the ecosystem, such as API endpoints, keys and tokens embedded in the app’s code. By extracting those secrets, an attacker gains the knowledge required to attack the rest of the ecosystem. That is why defending mobile apps against reverse engineering is important for API Security.
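As an added illustration (not code from the original post or from Verimatrix), the following pre-release check scans the string table pulled from an app build (the output of a decompiler or `strings`) for embedded credentials, the kind of secret reverse engineering exposes and SAST/DAST perimeter testing tends not to look for. The sample strings and key formats are constructed for this example; extend the patterns for the providers your app actually uses.

```python
import math
import re

# Constructed sample of what a decompiler or `strings` pulls from an
# unprotected app binary. Every value here is made up for this example.
EXTRACTED_STRINGS = [
    "https://api.example-bank.invalid/v1/transfer",
    "Content-Type: application/json",
    "X-Api-Key",
    "AKIA7Z3Q9W1X8V6T2R4P",                          # shaped like a cloud access key id
    "sk_live_9Xb2Qv7Lm4Tz8Ra1Pq6Ws3Ke5Nh0Jd",         # shaped like a payment-provider key
    "Please enter your PIN",
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ0ZXN0In0.abc",  # JWT-shaped
    "x7Kq2Zp9Lw4Rt1Vn8Bm3Cj6Hs5Df0Gy",                # random-looking, no known shape
]

# Known shapes of embedded credentials (illustrative, not exhaustive).
KEY_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "stripe_like_secret": re.compile(r"\bsk_(live|test)_[0-9A-Za-z]{24,}\b"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{4,}\.[A-Za-z0-9_-]*"),
}

# Fallback: a bare token of key/base64 characters with no spaces or URL punctuation.
TOKEN = re.compile(r"[A-Za-z0-9_+/=-]{20,}")


def shannon_entropy(s):
    """Bits per character: random tokens score high, prose and URLs score lower."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_embedded_secrets(strings, min_entropy=3.8):
    """Return (string, reason) pairs that match a known key shape or look random."""
    findings = []
    for s in strings:
        reason = next((name for name, pat in KEY_PATTERNS.items() if pat.search(s)), None)
        if reason is None and TOKEN.fullmatch(s) and shannon_entropy(s) >= min_entropy:
            reason = "high_entropy"  # worth a manual look before the build ships
        if reason:
            findings.append((s, reason))
    return findings


if __name__ == "__main__":
    for value, why in find_embedded_secrets(EXTRACTED_STRINGS):
        print(f"{why:20} {value}")
```

Run it against your own build output before publishing; anything flagged should live server-side or behind a per-device credential rather than in the app.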
After illustrating how quickly secrets can be extracted from an app’s code, the majority of participants vowed to investigate their own app security further.
If you’d like to learn more about how to prevent reverse engineering of mobile apps, check out Verimatrix’s Application Shielding solutions.