Mobile app security must be able to detect and block devices that criminals use and abuse to commit fraud.
Written by Karen Hsu
The global COVID-19 pandemic has forced consumers to find contactless ways to shop, bank and conduct other transactions, and many have turned to mobile apps, a new way of doing things that seems to have caught on. According to the Appdome 2021 Global Mobile Security Survey, nearly 60 percent of mobile consumers said that since the beginning of 2020 they have been using and downloading more mobile apps and using them to purchase more goods and services. Payment apps like Venmo, Zelle, Apple Pay, and other fintech or mobile-based peer-to-peer consumer apps are growing exponentially.
Regulators took note. Rules and guidance have been issued to establish standards that financial application developers must meet to ensure that consumers are adequately protected.
In the United States, the Federal Financial Institutions Examination Council (FFIEC) and the Federal Bureau of Investigation have issued detailed regulations on which mobile financial applications should be protected and how. Banks that publish financial applications should be aware of these rules and have plans in place to ensure they comply with the Bank Secrecy Act (BSA) and pass FFIEC examinations.
Compliance with the BSA
The May 2019 FinCEN guidance further detailed the regulatory requirements for mobile wallets and other applications with similar functionality. Failure to comply with the rules can be extremely costly and in some cases can result in prison terms, so financial app publishers should definitely take these rules seriously.
The BSA/AML regulation defines the primary requirements that organizations must meet:
- Effective Know Your Customer (KYC) and AML programs.
- File a Currency Transaction Report (CTR) for all currency transactions over $10,000.
- Report suspicious activity if your organization suspects or knows that a transaction may involve money laundering or an attempt to evade BSA requirements.
Mobile Apps: Ensure BSA Compliance and Pass FFIEC Exams
The purpose of the “FFIEC IT Audit Manual” published by the FFIEC is to assist technology providers, financial institutions and examiners in identifying and controlling risks in retail payment systems and related banking activities.
In 2016, the FFIEC added a new appendix that specifically addresses mobile apps and details the main risks they carry. They broadly include:
- Consumers and other end users may download applications from app stores that are not authorized by the manufacturer and that may contain malicious code.
- Applications that act as vectors to deliver malware.
- End users running financial applications on rooted (Android) or jailbroken (iOS) devices, which gives them root privileges and removes the manufacturer's device controls. This may result in the user downloading applications from untrusted sources that install malware on the device.
- Unencrypted storage of personal data on the device or in the application, such as email addresses, passwords and usernames.
- Insecure secrets, tokens, and URLs that can give hackers unauthorized access to back-end databases.
To comply with FFIEC and BSA regulations, mobile app publishers must incorporate fraud prevention and cybersecurity protections into their development, security, and operations processes to ensure that they can regularly add new security protections to their new and updated Android and iOS apps. Combined with the right automation, DevSecOps allows organizations to avoid having to make terrible decisions about whether to delay an application, cut new features, or release applications with unaddressed vulnerabilities. It can do this because operations, security and development are synchronized and coordinated into a continuous workflow.
Security measures to enable compliance
Compliance requires a number of basic protections built into the application. For starters, mobile app security must be able to recognize and block devices that criminals use and reuse to commit fraud. Fraudsters most often abuse common development tools that allow dynamic instrumentation, code injection, script injection, accessibility abuse, and method binding—all of which allow them to disrupt or modify your application. By blocking these capabilities, developers can deprive fraudsters of the tools of their trade and stop fraud before it starts.
In addition, in-app security must prevent anyone from copying, modifying, repackaging, and deprecating the app. This helps protect against many exploits, including app weaponization, in which a trojan app that looks like the original and usually mimics its user experience carries malicious code that allows criminals to take over financial accounts and steal sensitive information.
Another tactic hackers use is to escalate their privileges by rooting (Android) or jailbreaking (iOS) the device, which allows them to manipulate the financial applications running on it. When an app is running in a rooted or jailbroken environment, the app’s defenses must be able to detect the threat and shut the app down to protect itself.
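The detect-and-shut-down behaviour described above, as an added example that is not Appdome's or the page's own code: a minimal Android root check that fails closed. It assumes an Android app; the class name is hypothetical and the heuristics are deliberately simple.

```java
// Added example, not Appdome's or the page's own code: an Android root check that
// fails closed, so the app stops instead of handling account data on a rooted device.
// Assumes an Android app; the heuristics are deliberately simple and should be paired
// with server-side risk checks, since any single heuristic can be hidden from.
import android.app.Activity;
import android.os.Build;
import java.io.File;

public final class RootCheck {
    // Well-known locations of the "su" binary on rooted Android devices.
    private static final String[] SU_PATHS = {
        "/system/bin/su", "/system/xbin/su", "/sbin/su", "/system/sd/xbin/su",
        "/data/local/xbin/su", "/data/local/bin/su", "/data/local/su", "/su/bin/su"
    };

    private RootCheck() {}

    // Heuristic 1: custom or developer builds are signed with "test-keys".
    static boolean hasTestKeys() {
        String tags = Build.TAGS;
        return tags != null && tags.contains("test-keys");
    }

    // Heuristic 2: an "su" binary exists at one of the usual paths.
    static boolean hasSuBinary() {
        for (String path : SU_PATHS) {
            if (new File(path).exists()) return true;
        }
        return false;
    }

    public static boolean isRooted() {
        return hasTestKeys() || hasSuBinary();
    }

    // Fail closed: call from the launcher Activity's onCreate() before loading any account data.
    public static void enforce(Activity activity) {
        if (isRooted()) {
            activity.finishAffinity(); // close every Activity of this task
            System.exit(0);            // and end the process
        }
    }
}
```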
Another essential protection for financial applications is strong encryption, which usually means AES-256. Financial app security often encrypts data only when it’s in the app’s sandbox, the protected area inside the mobile device where the app runs. However, this is not enough to protect data in financial applications. There are many other places where hackers can extract data if it is stored in the clear, especially in the application code. The app needs to encrypt data in strings, settings, resources, in-app secrets, and more.
Data in application code is particularly sensitive because it includes login credentials, security certificates, backend URLs, and keys that allow the application to connect to other services. With this data, hackers can launch devastating attacks against the core systems of a financial institution. This data, too, must be protected with strong cryptography.
However, protecting data in code is particularly difficult to implement without negatively impacting the application, and incorporating the other protections listed above is very complex and requires manual coding. Software development kits can reduce the amount of manual work compared to starting from scratch, but they are far from plug-and-play solutions. They can require a lot of manual coding, which can be beyond the skills and resources of many development teams. In addition, these tools can contain vulnerabilities themselves, as they often depend on many layers of libraries and other code that can compromise compliance.
However, there are now AI-based, no-code platforms that can integrate security into the application, saving time and increasing accuracy and protection. By integrating into the development organization’s DevSecOps process, organizations can build strong security without compromising their release schedule or application functionality.
Whatever decisions are made in terms of security implementation and fraud protection, banks cannot skimp on these areas. The costs of fraud and non-compliance are simply too great.
Karen Hsu is Appdome’s Chief Operating Officer. She previously served as the CEO of BlockchainIntel, which she co-founded. She was also a co-founder of the non-profit organization Blockchain By Women.