With the proliferation of online mobile banking services, security is a key issue. We offer a primer on security challenges and applicable controls/remedies. This includes solutions such as Trusteer Mobile SDK, Arxan's EnsureIT and Dexguard.
Mobile Banking Security: Challenges, Solutions
To offer the best feature-packed online banking mobile applications that can be delivered, organizations need to carefully consider both functional and security implications to ensure that customers and assets are protected from malware and wrongdoers.
Executive Summary

There are over 1.2 billion smartphone users worldwide.[1] Individuals adopt smartphones not only to surf the Internet but to download and use entertainment, information, social sites, shopping, travel and banking apps, among other things. This has led to numerous opportunities for organizations to roll out mobile applications that not only engage and drive loyalty but also garner additional revenue. Organizations are substantially increasing spend on mobile application development to help employees/customers increase their productivity while delivering a more intuitive user experience.[2]

Moreover, an increasing number of individuals are using mobile applications compared with traditional desktop/Web-based applications. A research report from ComScore shows that apps account for a majority of consumers’ mobile minutes, and 80% of their media time is spent on app usage compared with only 20% on Web browsers.[3]

Recently published data from MQA Research shows that consumer interest in mobile banking and payments services in the U.S. has increased significantly in the past two years. Roughly 75% of those surveyed say they would consider using mobile banking services if offered, compared with only 49% who expressed their willingness to try mobile banking services in a similar survey conducted in 2006.[4]

Globally, banks offer a variety of mobile banking services, and those banks that do not currently provide m-banking services say they plan to do so in the near future to remain relevant, according to a recent survey conducted by the Aite Group.[5] And according to a study from the University of Hamburg, Germany, m-banking mobile applications are growing exponentially; roughly 69% of banks already offer such services.[6]

However, there is a downside to this market momentum. The MQA survey revealed that security remains a major concern in adopting m-banking. Approximately 72% of respondents said they worry about the security of accessing financial data on a mobile device. Nevertheless, 79% of respondents said they would sign up for account balance alerts by mobile. Our research on consumer segments reinforces the importance of security features for choosing banks that offer mobile banking.[7]
Addressing Mobile Security

Mobile device productivity comes at a price: increased security risks. Mobile applications create yet another path into enterprise networks, allowing criminals, fraudsters and hackers to propagate malicious code. Sensitive data stored on a mobile device could be lost or stolen, leading to data breaches, compliance violations and expensive/embarrassing public disclosures. Large organizations recognize mobile device threats and vulnerabilities and understand that they need proper security protection. Just what types of security controls are needed? Figure 1 provides a list of top security requirements and suggested remedies.

Cognizant 20-20 Insights | July 2014

Figure 1: Analysis and Recommendations

Authentication
Description: Strong authentication mechanism.
Recommendations: Multistep authentication on secured XML-based Web services for user ID plus password and secure ID/SMS is recommended. An additional recommendation is to check the user's location using GPS during authentication.

Authorization
Description: Allow authenticated users access only to business functionality to which they are entitled.
Recommendations: After a user has authenticated, the application can check with the back-end services to determine whether the user has the required access to the application data (i.e., whether the user is mobile-enabled or not). The client displays a secure navigation menu based on the entitlements/access rights of the user. The entitlements/access rights are checked at the back end for each request before business functions are called.

Data Confidentiality
Description: Sensitive data should be kept in memory (and not on disk) only while it's needed. The application must not store any sensitive data on the file system. Sensitive information should not be leaked through logs and error messages.
Recommendations: The application cache manager should clear the data when the application operates in the background. If sensitive data needs to be handled on iOS, use C and not Objective-C. Logs and error messages should be suppressed using a tool like Dexguard[8] for the Android platform and Arxan's EnsureIT[9] for iOS.

Secure Data Cleanup
Description: All secure objects in the system (data requests, account data, user-related information, etc.) must be securely wiped when a log-off is triggered.
Recommendations: Secure objects and data structures should be cleaned when a log-off is triggered. If application tampering is detected, the application should be forced shut. The Dexguard library can be used to check whether the application has been tampered with. If a WebView API is used, it should be cleared during log-off.

Local Data Transfer Prevention
Description: The application should prevent any data from being locally transferred outside the application (e.g., copying it or sending it to an unauthorized external application).
Recommendations: Remove the data from the clipboard when the app operates in the background so it cannot be transferred outside the application. Disable long press for sensitive fields.

Connection Encryption
Description: All network traffic is encrypted.
Recommendations: HTTPS should be used to connect to the back-end applications. An additional white list of IP addresses and domain names should be maintained on the client side to prevent the app from talking to domains not specified on the white list.

OS Security Check
Description: Detect whether the application is running on a jail-broken/rooted/malware-infected device.
Recommendations: Trusteer Mobile SDK[10] is recommended. Trusteer provides a score on OS security updates and malware detection. Based on the score, the application can decide to close the app, or the score can be passed to the back-end systems over a secured channel for further investigation/action.

Jail-Break/Rooted Device Check
Description: The application must prevent hackers from accessing the app when the device is rooted or jail-broken.
Recommendations: Trusteer Mobile SDK is recommended to check whether the device is rooted; Trusteer provides a score indicating whether the device is rooted. Based on the score, the application can decide to close the app, or the score can be passed to back-end systems over a secured channel for further investigation/action. RootTools[11] is another open source API that can be used to conduct a rooted-device check.

Preprocessing/String Obfuscating/Symbol Stripping
Description: Eliminate any plain-text resources from the application's bundle. This prevents malicious attackers from gathering insights into the application internals. The symbol table should be stripped, leaving only unresolved symbols and forcing an attacker to trawl for data in the runtime code, decrypt the binary or use more complex debugger tactics to obtain a map of the application symbols for class names, methods and function names.
Recommendations: Dexguard/EnsureIT is recommended for this purpose. Dexguard/EnsureIT is used to preprocess the application code and encrypt the classes, methods and string constants. Dexguard is also used to obfuscate the plain-text files and static content.

Root Certificate Check
Description: To secure communications with the back-end server, a certificate check should be implemented on the client side to ensure that the server certificate is signed by the organization.
Recommendations: The SSL certificate should be bundled with the application and encrypted using a tool like Dexguard/EnsureIT. The SSL certificate should be checked to see whether it is signed by the respective authority. If the certificate is not so signed, the app should be closed.

Anti-Debugging Mechanism
Description: The application must prevent debuggers from attaching to it (e.g., to read sensitive data from memory in use by another running application).
Recommendations: In the Android manifest, the debuggable property can be set to false. A tool like Dexguard/EnsureIT supports removal of logging, debug or test code for the production release.

Tamper Checking
Description: The application should check whether it is being tampered with. For example, debug flags can be checked to determine whether the application is being debugged.
Recommendations: A tool like Dexguard/EnsureIT is recommended. A tamper check can be conducted using the Dexguard library. The application should be checked for tampering during launch and closed if it is found to have been tampered with.

Blacklisting Older Versions of the App
Description: It should be possible to block certain older versions of the app on the back-end server if there is a security breach.
Recommendations: A server-side filter can be used to check for blacklisted application versions. If an app version is blacklisted, the user receives an error message and is asked to upgrade the app.

Security Logging
Description: All security events that happen inside the application should be logged and sent to the back-end server.
Recommendations: This is achievable using a secured Web service provided at the back end. All security events are temporarily stored on the device and sent to the server periodically. During log-off, the device data is sent to the server to ensure no confidential data remains on the device.

Anti-pharming[12] Protection
Description: The app should prevent the redirection of its traffic to a malicious server by checking that the host-name look-up with DNS resolves to a white-listed IP.
Recommendations: Trusteer Mobile SDK provides a feature to protect the application from pharming. A custom implementation is also possible: verify the URL against a preconfigured white list for every outgoing service call.

Encrypt Assets
Description: Hide important data, like property files.
Recommendations: A tool like Dexguard/EnsureIT can encrypt asset files transparently, so hackers won't be able to abscond with them.
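The Connection Encryption and Anti-pharming rows above both describe a client-side allow list applied to every outgoing service call. The following is an added illustration (not Trusteer's or the paper's code) of that guard in platform-neutral Python: HTTPS only, host allow list, then a check that the name resolves exclusively to expected addresses. The host names, address ranges and `resolver` parameter are constructed assumptions for the example; a real app would call its platform resolver.

```python
"""Outgoing-call guard combining the two Figure 1 controls: HTTPS only,
a client-side host allow list, and an anti-pharming check that the name
resolves only to addresses the bank expects.

Added illustration, not Trusteer's or the paper's code. Host names and
address ranges below are constructed sample values (RFC 5737 test ranges)."""
import ipaddress
import socket
from typing import Callable, List
from urllib.parse import urlsplit

# Constructed allow lists; a real app ships its own, protected like any
# other bundled asset.
ALLOWED_HOSTS = {"mbank.example.com", "api.mbank.example.com"}
ALLOWED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

Resolver = Callable[[str], List[str]]


def system_resolver(host: str) -> List[str]:
    """Resolve with the platform resolver, returning every address."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, 443)})


def check_outgoing_call(url: str, resolver: Resolver = system_resolver) -> str:
    """Return "ok" if the call may proceed, otherwise "blocked: <reason>".

    The cheap local checks (scheme, host) run first; the DNS check runs
    last and fails the call if *any* returned address lies outside the
    expected networks, so a poisoned answer mixed with a genuine one is
    still refused rather than silently accepted.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return "blocked: scheme is not https"
    host = parts.hostname or ""
    if host not in ALLOWED_HOSTS:
        return f"blocked: host {host!r} is not on the allow list"
    try:
        addrs = resolver(host)
    except OSError as exc:
        return f"blocked: name resolution failed ({exc})"
    if not addrs:
        return "blocked: name resolution returned no addresses"
    for addr in addrs:
        if not any(ipaddress.ip_address(addr) in net for net in ALLOWED_NETWORKS):
            return f"blocked: {host} resolved to unexpected address {addr}"
    return "ok"
```

Passing a stub resolver, as the tests below do, lets the check be exercised offline; in production the default platform resolver is used.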
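The "Blacklisting Older Versions of the App" row calls for a server-side filter that rejects blacklisted builds with an upgrade message. Below is an added example of such a filter (not the paper's or any vendor's code); the `X-App-Version` header name, the version numbers and the HTTP statuses are constructed assumptions.

```python
"""Server-side filter for blacklisted app versions (the "Blacklisting Older
Versions of the App" row of Figure 1).

Added illustration, not the paper's or any vendor's code. The header name
'X-App-Version', the version numbers and the HTTP statuses chosen are
constructed assumptions for the example."""
from typing import Dict, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'2.1.0' -> (2, 1, 0). Rejects anything that is not dotted integers,
    so a crafted header cannot be coerced into passing."""
    parts = text.strip().split(".")
    if not all(part.isdigit() for part in parts):
        raise ValueError(f"malformed version {text!r}")
    return tuple(int(part) for part in parts)


# Constructed policy: builds with a known flaw are listed explicitly, and
# anything older than the floor is refused even if it is not listed.
BLACKLISTED_VERSIONS = {parse_version(v) for v in ("2.1.0", "2.1.1")}
MINIMUM_VERSION = parse_version("2.0.0")

UPGRADE_MESSAGE = "This version of the app is no longer supported. Please upgrade."


def version_filter(headers: Dict[str, str]) -> Tuple[int, str]:
    """Return (status, body) as a request filter in front of the API would.

    426 Upgrade Required carries the message the user sees; 400 covers a
    missing or malformed header so that an old client cannot bypass the
    filter simply by omitting its version.
    """
    raw = headers.get("X-App-Version")
    if raw is None:
        return 400, "missing X-App-Version header"
    try:
        version = parse_version(raw)
    except ValueError:
        return 400, "malformed X-App-Version header"
    if version in BLACKLISTED_VERSIONS or version < MINIMUM_VERSION:
        return 426, UPGRADE_MESSAGE
    return 200, "ok"
```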
Looking Forward

Given existing competitive market dynamics, even small banks now offer mobile solutions to their customers. Online banking, or for that matter any important financial mobile application rollout, takes on increased strategic importance since success there is critical to moving forward. Securing any and all feature-packed mobile apps is therefore exceedingly critical.

New threats are always emerging, so security architects need to be forewarned and forearmed on the trends and vulnerabilities to ensure their organizations’ mobile apps are safe and hard to hack, if not impenetrable, before they are implemented.

Mobile applications and related security breaches receive much media attention and can undermine a company’s reputation. The above guidelines offer a comprehensive approach and tangible recommendations for defending mobile apps from security breaches. By building comprehensive security features into strategic, feature-rich mobile apps from the get-go, organizations can keep sensitive transactional and interactional data from the prying eyes of those who wish to do them harm over the near and long term.
Footnotes

[1] “There Will Soon Be One Smartphone For Every Five People In The World,” www.businessinsider.in/There-Will-Soon-Be-One-Smartphone-For-Every-Five-People-In-The-World/articleshow/21375608.cms.
[2] “Why Your Enterprise Must Rethink Mobile App Development,” www.wired.com/2013/02/why-your-enterprise-must-rethink-mobile-app-development/.
[3] “Mobile Marketing Statistics 2014,” www.smartinsights.com/mobile-marketing/mobile-marketing-analytics/mobile-marketing-statistics/.
[4] “Security: a major concern for the adoption of m-banking,” www.vasco.com/Images/Mobile_Banking_Security_VASCO.pdf.
[5] “Corporate Mobile Banking: A Look at J.P. Morgan ACCESS Mobile,” www.jpmorgan.com/treasury/jpm_access/doc/Corporate_Mobile_Banking_A_Look_at_JP_Morgan_ACCESS_Mobile.pdf.
[6] “The Mobile Commerce Prospects: A Strategic Analysis of Opportunities in the Banking Sector,” www.postbank.de/postbank/docs/HamburgUP_Tiwari_Commerce.pdf.
[7] “Segment-based Strategies for Mobile Banking,” www.cognizant.com/InsightsWhitepapers/Segment-Based-Strategies-for-Mobile-Banking.pdf.
[8] Dexguard, www.saikoa.com/dexguard.
[9] Arxan EnsureIT, www.arxan.com/products/mobile/ensureit-for-apple-ios/.
[10] Trusteer Mobile SDK, www.trusteer.com/products/trusteer-mobile-sdk.
[11] RootTools, https://github.com/Stericson/RootTools.
[12] Anti-Pharming, http://en.wikipedia.org/wiki/Anti-pharming.