Natalie Monko Lead Project Manager

    Mobile Banking App Security Issues: Main Threats And How To Avoid Them

    Since we at Surf are working with clients from various industries, we know how important it is to dive deep into the specificities and certain requirements of each sphere to deliver a reliable and effective mobile app. Our experience shows that it’s not enough to simply build a fintech app with an extensive list of features and intuitive UI/UX design – this is the case when app’s security should be put at the forefront. 

    Why so? The more customers access their banks through their gadgets – the more mobile banking app security issues arise. Banking apps are highly prone to breaches and data theft, as they serve as a place where users store and manage sensitive data. Moreover, mobile operating systems themselves are vulnerable to bugs, viruses, and malware. All these open wide doors before cybercriminals. In this article, we’ll look into the main factors that can put at risk your app’s security and also share our experience on how to make your mobile banking app resistant to any type of fraud. 

    Why is security a cornerstone of a mobile banking app?

    To answer the question “How secure are mobile banking apps?”, it’s necessary to figure out what is the difference between an app that enables m-banking and other types of applications that do not require linking with a bank account. 

    A mobile banking app is a piece of software connected to the bank’s backend system via open-source Application Programming Interfaces (APIs). On the one hand, the usage of open-source APIs significantly accelerates the development process. However, this implies a higher risk of security breaches that cannot be eliminated with a standard set of security measures. 

    When we are talking about mobile banking app security, there are three so-called “layers of protection” or levels, where the danger can come from: 

    • Device. Cyberattackers can get access to sensitive records on a smartphone, which is often happening with poorly coded apps. As a result, card data and personal info can be stolen and used for stealing money or blackmailing. 
    • Transit. At this stage, intruders can intercept sensitive information during data transfer. A mobile banking app constantly contacts the bank server to make a payment or update the current balance. If an unprotected protocol is used for data transfer, users’ private information ends up being easy prey for malicious actors. 
    • Server. In this case, flaws can lead to the situation when unauthorized users gain access to the information on the app server. They can do it through backend APIs with security vulnerabilities. 
    Levels of cybersecurity issues: device, transit, server

    If you look at the ultimate trends in fintech and mobile banking, you’ll see that although there is a buzz around such cutting-edge features as AI-based chatbots, voice recognition, and cardless ATMs, at least half of booming features deal with enhanced security technologies. Another reason why security issues should be prioritized even before the start of the development process is that even a minor breach of users’ data puts your company’s reputation at enormous risk. 

    Common types of fintech cyberattacks

    Attackers take advantage of mobile banking app security flaws in different ways, but some intrusions occur more frequently. We recommend paying particular attention to the following 5 types of attacks while developing an m-banking app:

    • Man-in-the-middle (MiTM) attacks. Malicious actors attempt to intercept vital information during its transfer between a bank and an app to use the stolen data later for hacking a user’s account.  
    • Infrastructure breaches. These attacks often target servers. Their primary aim is to steal credentials (usernames, passwords, and other personal information).
    • Pirate apps. In this case, hackers reverse engineer a mobile banking app to later distribute their “infected” version and gain access to the data of users who installed the pirated version. 
    • Mobile malware. Although malware is common for desktop systems, today there are plenty of mobile malware that is aimed at smartphones. 
    • Clickjacking. A technique that encourages users to click on a button or element that eventually triggers a malicious response (for example, downloading malware or gathering confidential data)

    It’s important to understand that these attacks don’t always happen because of loopholes in mobile development: sometimes the reasons are system issues or the unsafe behavior of mobile users. 

    Key risk factors & strategies to resolve

    The first step to build the most secure mobile banking app is to figure out points of focus during the preparatory phase before development. We recommend getting familiar with the list of possible mobile security flaws mentioned in the OWASP mobile vulnerabilities report. OWASP (Open Web Application Security Project) is a community of developers that creates software security guidelines and promotes best coding practices for engineers worldwide. 
    OWASP Mobile Top 10 is a list that identifies types of security risks faced by mobile apps globally. Getting familiar with this list is a must for all developers working on fintech apps. According to some estimations, about 85% of mobile apps worldwide were affected by at least one of the OWASP Top 10.

    Top 10 security issues according to OWASP mobile vulnerabilities report

    So, let’s look at each of them in detail: 

    1. Improper platform usage 

    One of the most common reasons behind mobile banking app security issues is caused by mistakes in the development process. This risk arises as a result of misuse of an operating system’s features, or a failure to use iOS or Android’s own unique security features (for example, TouchID or permissions systems). If you fail to comply with platform security requirements, the data of your app’s users could be exposed and corrupted. 

    Strategy to avoid: Thoroughly examine the documentation for Android and iOS to learn what security practices should be applied for the mobile interface and server-side operations in each case and stick to them. 

    1. Insecure data storage 

    Another common problem that could be easily prevented at the development stage. Many freely available software allows malicious actors to access third-party application directories and the personal data stored there. If your internal data storage is not protected enough, confidential data can be corrupted and used for illegal activities. 

    Strategy to avoid: For the iOS platform, it’s recommended to use purposefully vulnerable mobile apps (for example, iGoat) to threat model an app and development frameworks. Thus, developers can figure out how certain APIs deal with information assets and app processes, including data storage. 

    For Android apps, developers often use Android Debug Bridge (ADB) shell to check file permissions, database management system, and database encryption. 

    1. Insecure communication 

    Another risk to mobile banking app security. Mobile banking app’s functionality depends on the communication with external data sources, like NFC, Bluetooth devices, servers. If the security of this communication is not ensured, this endangers the whole app and causes data leaks and man-in-the-middle attacks. 

    Strategy to avoid: Encrypt all communications using SSL (Secure Sockets Layer) protocol, in addition to quality authentication or strong encryption algorithms.

    1. Insecure authentication

    Occurs when a smartphone fails to recognize the user correctly and allows a malicious actor to log into the app with default credentials. User ID, passwords, PINs, fingerprint scanning can be mixed in one app to make sure that authentication cannot be bypassed. 

    Strategy to avoid: Here are two tips. First, include the server-side authentication option, as the local one is more vulnerable. Second, make sure that the app does not store the user’s password on the device. Also, warn users about the possible risks of agreeing to the “Remember me” option. 

    1. Insufficient cryptography

    Developers of the most secure mobile banking apps prioritize cryptography when it comes to security technologies. Encrypted data is useless for intruders, as it almost cannot be read while breaching the encryption usually requires too much time and processing power for attackers to succeed. 

    Strategy to avoid: Weak encryption can lead to the leakage of users’ data, so it’s recommended to use only those algorithms that have been thoroughly tested and proved their resilience. 

    1. Insecure authorization

    The difference between authentication and authorization is that authentication is a method for identifying logged-in individuals, while authorization determines which parts of the application are accessible to a given user, based on their role (such as an administrator or end-user). The well-architectured authorization allows you to be certain that every user will receive just the data they have been granted access to.

    Strategy to avoid: Insecure authorization is the mobile banking app security issue that can be prevented if you avoid relying on roles and permissions enforced on the mobile device. Remember that each role within the app should be based only on server data.

    1. Poor code quality 

    A quite frequent situation, when all developers within a team follow different development practices, which causes inconsistencies in the final code. This problem leads to vulnerable mobile banking app security, as its maintenance becomes complicated and associated with bugs and security breaches.

    Strategy to avoid: Establish common practices for all members of the development team and keep all documentation to make the adaptation process for newcomers easier. 

    1. Code tampering

    In general, mobile code is prone to code tampering, which means that attackers can possibly change some parts of the app’s binary code, create copies of them and distribute malicious (tampered) versions of these fragments through third-party app stores. The prevalence of tampered apps is very common, and companies make every effort to detect and remove duplicated apps from app stores and inform users about possible data breaches in such cases. 

    Strategy to avoid: It’s crucial to include a runtime detection option at the stage of development so that the app could detect additions or changes, based on what the app itself knows about its integrity during compilation. Another tip here to ensure maximum mobile banking app security is to set up automatic erasure of app code and data once a tampering attempt is detected. 

    1. Reverse engineering

    Reverse engineering is often the first stage of any malicious cyberattack: intruders access an app’s source code from a compiled file and use it to learn the app’s business logic. 

    Strategy to avoid: There are three things you can do to avoid reverse engineering attempts:

    1. Use tools similar to those attackers use for reverse engineering. If these tools appear to be effective in analyzing confidential data about the app, your existing code will likely be compromised. 
    1. Apply code obfuscation. This will make it more difficult to detect logical connections between different parts of the code. 
    1. Think about using C and C++ languages, which can help to make the app resilient to reverse engineering tools.
    1.  Extraneous functionality

    Once the app development is finished, developers often keep code, which has no use for the end-user but serves as a backdoor to have easy access to the backend server, creating logs to analyze errors. Although it makes development work easier, these hidden functionalities can put users’ sensitive data at risk.

    Strategy to avoid: Attentively test your app to make sure that all the unnecessary code has been removed from the final version.

    Bottom line 

    So, building a mobile banking app comes along with numerous security risks. Let’s summarize the main of discussed insights on mobile banking app security: 

    • Mobile architecture is prone to cyberattacks and breaches itself, as it deals with the use of open-source APIs. This configuration requires security measures beyond the standard set;
    • Mobile banking app security has three layers of protection or levels, where the danger can come from: device, transit and server;
    • There are thousands of different types of attacks on fintech apps, but the most common for mobile banking apps are: man-in-the-middle attacks, infrastructure breaches, pirate apps, mobile malware and clickjacking; 
    • About 85% of mobile apps worldwide were affected by at least one security risk of the OWASP Top 10
    • Each of 10 OWASP security risks can be avoided by certain adjustments and additions to the development process, as well as thorough testing. 

    Surf possesses extensive expertise in developing fintech apps using native and cross-platform technologies. We know that security is the cornerstone of this type of apps, so we always pay particular attention to the best mobile banking app security practices to safeguard the vulnerable data of end-users. 

    Among our latest fintech projects are the development of a smart-bank app for Rosbank corporate clients and ​​cryptocurrency trading platform Twim. For Rosbank, Surf team built the app on Flutter, ensuring seamless user migration from an old app and intuitive UI/UX design. In case with Twim, the main task was to build a fast and stable app for both power traders and enthusiasts, and we succeeded in achieving this goal.

    If you are looking for a reliable partner in developing a fintech app – fill in the form and we will return shortly with estimations regarding your project!