An Overview of Cybersecurity for Mobile Banking Applications
Agile development processes and 4G networks have enabled mobile technology to automate, quickly and portably, hundreds of processes that until a few years ago were unthinkable. In recent years the financial sector has benefited from this type of technology focusing on improving the experience of its customers; most banks provide all kinds of advice, transactions and procedures through their mobile applications. However, cybercriminals, who are people or entities with high technical knowledge, can take advantage of weaknesses in the development of technological solutions in order to defraud the bank or the clients themselves. This article analyzes from a technical point of view the implementation of mobile applications from four banks in Colombia, in order to verify how much security they offer to users and how protected their digital money.
The mobile application (app) development sector has grown in recent years. The number of apps, and the principal app stores, Play Store for Android and App Store for iOS, have shown a considerable increase in downloads in recent years. This increase is due to the global growth in internet coverage, network speeds, and agile development processes.
The implementation of 4G technology has significantly improved data upload and download speeds for mobile devices, while the prices of plans offered by mobile internet providers have fallen and data limits have increased. Furthermore, the governments of developing countries have found that investments in technological and telecommunications infrastructure offer an opportunity to reduce social inequality (Fernández, 2011).
Similarly, the height of agile software development methods has provided short device delivery times, which accelerates the software development process for both major developers and for entrepreneurs that seek to make a living from their apps. Emerging hybrid development technologies have also sped up the coding process and open a wide range of opportunities for developers that no longer need to learn native coding languages to develop their apps. There are now hundreds of thousands of apps that were developed using hybrid frameworks such as Angular, Native Script, jquery Mobile, Cordova, Ionic and Xamarin, and the percentage of apps developed this way has steadily increased, as it reduces the complexity of hardware interactions and rendering times.
Today, a user with access to a mobile phone and an internet connection has, on average, more than 20 apps on their device, which automate their interactions with information, communication, entertainment, shopping, interpersonal connections, and the financial sector. The last of these has seen a fruitful relationship with mobile technology, offering their customers technological solutions, literally at a touch.
The financial services sector has a great interest in making commercial use of this technology, thanks to the ability to reduce personnel costs and improve the customer experience. It has been estimated that the use of banking apps is increasing at 50% per year. One of Colombia’s largest banks has stated that “68.8% of the bank’s customers use digital channels to access financial services and products” (Jáuregui, 2017).
Nevertheless, this technology comes with a price, which is that the increase in virtual channels for all types of financial transactions creates a new tool for fraud, committed against the bank and its customers. Many mobile antivirus providers have highlighted the increase in malware aimed at these devices, and 18% of Android mobile devices with banking apps are infected with some kind of malware (Hispasec, 2018).
That is why developers of financial apps include security in the development cycle, and why banks must lead campaigns to increase their customers’ awareness of this type of fraud.
A Guide to Security Verification
The MASVS provides a practical guide to analyzing the security vulnerabilities of banking-related mobile apps.
The Mobile Application Security Verification Standard (MASVS) is a security verification guide developed by the OWASP, comprised of 75 requirements to be evaluated for the mobile client, communication channel, and its backend. The current version of MASVS is 1.1, which includes three verification levels (Standard Security, Defense-in-Depth, and Resiliency Against Reverse Engineering and Tampering).
Level 1 offers a solid baseline for the development of any app, with basic requirements such as the existence of an acceptable security policy in the mobile device to the implementation of a secure communication channel.
Level 2 offers requirements to evaluate the security of sensitive data in the app. Specifically, it addresses requirements for secure storage, secure communication, session management, biometric authentication, and error management, among others.
Finally, Level 3, perhaps the most complex in terms of the coding phase, is resiliency against reverse engineering (OWASP, 2018). This level includes requirements at the level of obfuscated code, app virtualization, installation for teams with super-user permissions, and client manipulation.
The recommended level of verification depends on the app and the services it provides. For banking apps, for example, Level 2 and Level 3 (L2+R) should be analyzed.
Conducting the Audit
We tested mobile apps including validation of the 75 requirements suggested in the MASVS. Applications were audited in the production environment, downloaded directly from official app stores, using real credentials belonging to audit team members. It was not possible to fully validate some requirements due to limited access to functions for the accounts.
Commercial and free tools were used to conduct the audit, including intercepting proxies, decompilers, static analyzers, and dynamic analyzers.
The MASVS methodology does not include a risk metric, so we applied an internal criterion to quantify each vulnerability. The factors used were:
· Threat agents: estimates the likelihood of success of an attack based on level of skill required, motive, opportunity, and scope.
· Vulnerability: quantified based on the ease of discovery, exploitation, knowledge of the vulnerability, and its detection.
· Impact: measured according to the direct impact on the cornerstones of information security: confidentiality, integrity, availability.
Finally, this scoring allowed us to create a maturity chart, for the app, based on OWASP and MASVS criteria: identity management, access validation, authentication, session management, authorization, error management, information recompiling, client, business logic, configuration, and encryption.
Here, we present the results of the audit. First, we found that all of the mobile apps audited had a security SDK that provided certain requirements, such as virtualization detection, super-user premises, and certificate replacement. However, in some apps it was possible to evade the SDK.
Bank 1 achieved the highest maturity rating among the four apps audited. We identified weaknesses in its communications channel and in sharing information with customers; this corresponds to the finding lines of code with comments, following a reverse-engineering attack.
Bank 4, in contrast, was found to be the least secure, with weaknesses at the level of client manipulation, information recompilation, and authentication.
As shown in Figure 4, information sharing (49%) and client manipulation (52%) are the most common vulnerabilities among mobile clients, both of which are a result of the reverse engineering done on installers.
In contrast, control for identity management, session management, and treatment of errors were all satisfactory.
One of our most important findings relates to biometric control, because the apps that use biometrics are based on the smartphone’s operating system as the principal security mechanism, which means the banking app’s account can be accessed using different fingerprints.
Reverse engineering is the predominant threat among mobile apps; client manipulation permits social engineering attacks on bank customers that are not familiar with information technology security.
It is extremely important for the financial services sector to lead awareness campaigns on information security for their customers and the broader public. Users must be taught not to download and install applications from sources other than the official Android and iOS stores, because they may be manipulated and contain malware.
Hybrid applications are known to be less expensive, and to contain intrinsic vulnerabilities; however, the financial company, as part of its information security policy, should require software developers to implement secure software development guidelines that cover the entire process.
Finally, we found that the mobile apps offered by the financial services sector in Colombia offer an acceptable level of security. The vulnerabilities we identified do not affect the business or transactions; rather, they impact users that lack awareness of information security.
Fernández, M. (Octubre de 2011). Crónica ONU. Obtenido de https://unchronicle.un.org/es/article/las-comunicaciones-m-viles-y-el-desarrollo-socioecon-mico-una-perspectiva-latinoamericana
Hispasec. (18 de 05 de 2018).hispasec.com. Obtenido de unaaldia.hispasec.com: https://unaaldia.hispasec.com/2018/05/el-18-de-los-moviles-android-con.html
Jáuregui, D. (03 de 2017). larepublica.co. Obtenido de El uso de apps móviles bancarias crece más de 50% al año: https://www.larepublica.co/finanzas/el-uso-de-apps-moviles-bancarias-crece-mas-de-50-al-ano-2489011
OWASP. (27 de Febrero de 2018). OWASP. Obtenido de MASVS: https://github.com/OWASP/owasp-masvs/blob/master/Document-es/0x15-V8-Resiliency_Against_Reverse_Engineering_Requirements.md