Mobile Banking Security: Challenges, Solutions



With the proliferation of online mobile banking services, security is a key issue. We offer a primer on the security challenges and the applicable controls and remedies, including solutions such as Trusteer Mobile SDK, Arxan's EnsureIT and Dexguard.



Cognizant 20-20 Insights | July 2014

To offer the best feature-packed online banking mobile applications that can be delivered, organizations need to carefully consider both the functional and the security implications, to ensure that customers and assets are protected from malware and wrongdoers.

Executive Summary

There are over 1.2 billion smartphone users worldwide.[1] Individuals adopt smartphones not only to surf the Internet but to download and use entertainment, information, social, shopping, travel and banking apps, among other things. This has led to numerous opportunities for organizations to roll out mobile applications that not only engage customers and drive loyalty but also garner additional revenue. Organizations are substantially increasing spend on mobile application development to help employees and customers increase their productivity while delivering a more intuitive user experience.[2] Moreover, an increasing number of individuals use mobile applications rather than traditional desktop/Web-based applications. A research report from ComScore shows that apps account for a majority of consumers’ mobile minutes: 80% of their media time is spent on apps compared with only 20% on Web browsers.[3]

Recently published data from MQA Research shows that consumer interest in mobile banking and payment services in the U.S. has increased significantly in the past two years. Roughly 75% of those surveyed say they would consider using mobile banking services if offered, compared with only 49% who expressed willingness to try mobile banking services in a similar survey conducted in 2006.[4] Globally, banks offer a variety of mobile banking services, and those that do not currently provide m-banking services say they plan to do so in the near future to remain relevant, according to a recent survey by the Aite Group.[5] According to a study from the University of Hamburg, Germany, m-banking mobile applications are growing exponentially; roughly 69% of banks already offer such services.[6]

However, there is a downside to this market momentum. The MQA survey revealed that security remains a major concern in adopting m-banking: approximately 72% of respondents said they worry about the security of accessing financial data on a mobile device. Nevertheless, 79% of respondents said they would sign up for account balance alerts by mobile. Our research on consumer segments reinforces the importance of security features when choosing banks that offer mobile banking.[7]

Addressing Mobile Security

Mobile device productivity comes at a price: increased security risks. Mobile applications create yet another path into enterprise networks,
allowing criminals, fraudsters and hackers to propagate malicious code. Sensitive data stored on a mobile device could be lost or stolen, leading to data breaches, compliance violations and expensive, embarrassing public disclosures. Large organizations recognize mobile device threats and vulnerabilities and understand that they need proper security protection. Just what types of security controls are needed? Figure 1 lists the top security requirements and suggested remedies.

Figure 1: Analysis and Recommendations

Authentication
  Description: Strong authentication mechanism.
  Recommendations: Multistep authentication on secured XML-based Web services for user ID plus password and secure ID/SMS is recommended. An additional recommendation is to check the user’s location using GPS during authentication.

Authorization
  Description: Allow authenticated users access only to the business functionality to which they are entitled.
  Recommendations: After a user has authenticated, the application checks with the back-end services whether the user has the required access to the application data (i.e., whether the user is mobile-enabled). The client displays a secure navigation menu based on the user’s entitlements/access rights. The entitlements/access rights are checked at the back end for each request before business functions are called.

Data Confidentiality
  Description: Sensitive data should be kept in memory (never on disk) and only while it is needed.
  Recommendations: The application must not store any sensitive data on the file system. Sensitive information must not leak through logs and error messages. The application cache manager should clear the data when the application goes to the background. If sensitive data needs to be handled on iOS, use C rather than Objective-C. Logs and error messages should be suppressed using a tool like Dexguard [8] for Android and Arxan’s EnsureIT [9] for iOS.

Secure Data Cleanup
  Description: All secure objects in the system (data requests, account data, user-related information, etc.) must be securely wiped when a log-off is triggered.
  Recommendations: Secure objects and data structures should be cleaned when a log-off is triggered. If application tampering is detected, the application should be forced to shut down; the Dexguard library can be used to check whether the application has been tampered with. If a WebView API is used, it should be cleared during log-off.

Local Data Transfer Prevention
  Description: The application should prevent any data from being transferred locally outside the application (e.g., copied or sent to an unauthorized external application).
  Recommendations: Remove the data from the clipboard when the app goes to the background so it cannot be transferred outside the application. Disable long press on sensitive fields.

Connection Encryption
  Description: All network traffic is encrypted.
  Recommendations: HTTPS should be used to connect to the back-end applications. An additional white list of IP addresses and domain names should be maintained on the client side to prevent the app from talking to domains not on the white list.

OS Security Check
  Description: Detect whether the application is running on a jail-broken, rooted or malware-infected device.
  Recommendations: Trusteer Mobile SDK [10] is recommended. Trusteer provides a score covering OS security updates and malware detection. Based on the score, the application can decide to close, or the score can be passed to the back-end systems over a secured channel for further investigation and action.

Jail-Break/Rooted Device Check
  Description: The application must prevent hackers from accessing the app when the device is rooted or jail-broken.
  Recommendations: Trusteer Mobile SDK is recommended to check whether the device is rooted; Trusteer provides a score if it is. Based on the score, the application can decide to close, or the score can be passed to back-end systems over a secured channel for further investigation and action. Root Tools is another open source API that can be used to conduct a rooted-device check.[11]

Preprocessing/String Obfuscating/Symbol Stripping
  Description: Eliminate any plain-text resources from the application’s bundle. This prevents malicious attackers from gathering insights into the application internals. The symbol table should be stripped, leaving only unresolved symbols and forcing an attacker to trawl for data in the runtime code, decrypt the binary or use more complex debugger tactics to obtain a map of the application symbols for class names, methods and function names.
  Recommendations: Dexguard/EnsureIT is recommended for this purpose. Dexguard/EnsureIT is used to preprocess the application code and encrypt the classes, methods and string constants. Dexguard is also used to obfuscate plain-text files and static content.

Root Certificate Check
  Description: To secure communications with the back-end server, a certificate check should be created on the client side to ensure that the certificate is signed by the organization.
  Recommendations: The SSL certificate should be bundled with the application and encrypted using a tool like Dexguard/EnsureIT. The SSL certificate should be checked to see whether it is signed by the respective authority. If it is not, the app should be closed.

Anti-Debugging Mechanism
  Description: The application must prevent debuggers from attaching to it (e.g., to read sensitive data from memory in use by another running application).
  Recommendations: In the Android manifest, the debuggable property can be set to false. A tool like Dexguard/EnsureIT supports removal of logging, debug or test code for the production release.

Tamper Checking
  Description: The application should check whether it is being tampered with. For example, debug flags can be checked to determine whether the application is being debugged.
  Recommendations: A tool like Dexguard/EnsureIT is recommended; a tamper check can be conducted using the Dexguard library. The application should be checked for tampering at launch and closed if tampering is found.

Blacklisting Older Versions of the App
  Description: It should be possible to block certain older versions of the app on the back-end server if there is a security breach.
  Recommendations: A server-side filter can check for blacklisted application versions. If an app version is blacklisted, the user receives an error message and is asked to upgrade the app.

Security Logging
  Description: All security events that happen inside the application should be logged and sent to the back-end server.
  Recommendations: This is achievable using a secured Web service provided at the back end. All security events are temporarily stored on the device and sent to the server periodically. During log-off, the device data is sent to the server to ensure no confidential data remains on the device.

Anti-pharming [12] Protection
  Description: The app should prevent the redirection of its traffic to a malicious server by checking that the DNS host-name lookup resolves to a white-listed IP.
  Recommendations: Trusteer Mobile SDK provides a feature to protect the application from pharming. A custom implementation is also possible: verify the URL against a preconfigured white list for every outgoing service call.

Encrypt Assets
  Description: Hide important data, such as property files.
  Recommendations: A tool like Dexguard/EnsureIT can encrypt asset files transparently, so hackers cannot abscond with them.

Looking Forward

Given existing competitive market dynamics, even small banks now offer mobile solutions to their customers. Online banking, or for that matter any important financial mobile application rollout, takes on increased strategic importance, since success there is critical to moving forward. Securing any and all feature-packed mobile apps is therefore exceedingly critical. New threats are always emerging, so security architects need to be forewarned and forearmed about trends and vulnerabilities to ensure their organizations’ mobile apps are safe and hard to hack, if not impenetrable, before they are implemented. Mobile applications and related security breaches receive much media attention and can undermine a company’s reputation. The above guidelines offer a comprehensive approach and tangible recommendations for defending mobile apps from security breaches. By building comprehensive security features into strategic, feature-rich mobile apps from the start, organizations can keep sensitive transactional and interactional data from the prying eyes of those who wish to do them harm over the near and long term.

Footnotes

[1] “There Will Soon Be One Smartphone For Every Five People In The World,” Will-Soon-Be-One-Smartphone-For-Every-Five-People-In-The-World/articleshow/21375608.cms.
[2] “Why Your Enterprise Must Rethink Mobile App Development,” enterprise-must-rethink-mobile-app-development/.
[3] “Mobile Marketing Statistics 2014,” ics/mobile-marketing-statistics/.
[4] “Security: a major concern for the adoption of m-banking.”
[5] “Corporate Mobile Banking: A Look at J.P. Morgan ACCESS Mobile,” access/doc/Corporate_Mobile_Banking_A_Look_at_JP_Morgan_ACCESS_Mobile.pdf.
[6] “The Mobile Commerce Prospects: A Strategic Analysis of Opportunities in the Banking Sector.”
[7] “Segment-based Strategies for Mobile Banking,” Based-Strategies-for-Mobile-Banking.pdf.
[8] Dexguard.
[9] Arxan EnsureIT.
[10] Trusteer Mobile SDK.
[11] Root Tools.
[12] Anti-Pharming.
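The Connection Encryption and Anti-pharming rows of Figure 1 both rely on a client-side white list of back-end hosts and the addresses they are expected to resolve to. The following Python is an added example of that check, not code from the paper or from Trusteer; the hosts and addresses are constructed, and the resolver is injectable so the logic can be exercised offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit
# Constructed allow list (hypothetical hosts and addresses, not from the paper):
# the only back-end hosts the app may call and the addresses each is expected
# to resolve to; both would ship inside the app bundle.
ALLOWED_IPS = {
    "mobile.examplebank.com": {"198.51.100.10", "198.51.100.11"},
    "api.examplebank.com": {"198.51.100.20"},
}

def resolve_ipv4(host):
    """Default resolver: every IPv4 address the OS resolver returns for host."""
    return {info[4][0] for info in socket.getaddrinfo(host, 443, socket.AF_INET)}

def check_outgoing_url(url, resolver=resolve_ipv4):
    """Return (allowed, reason) for one outgoing service call.

    Rejects non-HTTPS URLs, user-info tricks ('https://api.examplebank.com@evil.example/'),
    look-alike hosts ('api.examplebank.com.evil.example'), raw IP literals, odd ports,
    and any DNS answer containing an address outside the allow list (the pharming case).
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, "scheme must be https"
    if parts.username is not None or parts.password is not None:
        return False, "user-info is not allowed in service URLs"
    try:
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return False, "malformed port"
    if port not in (None, 443):
        return False, "unexpected port"
    host = (parts.hostname or "").lower().rstrip(".")
    try:
        ipaddress.ip_address(host)
        return False, "IP literals are not allowed"
    except ValueError:
        pass  # a host name (or empty), as expected
    if host not in ALLOWED_IPS:
        return False, f"host {host!r} not on allow list"
    try:
        resolved = set(resolver(host))
    except OSError as exc:
        return False, f"DNS lookup failed: {exc}"
    unexpected = resolved - ALLOWED_IPS[host]
    if not resolved or unexpected:
        return False, f"{host} resolved to unexpected address(es): {sorted(unexpected)}"
    return True, "ok"
```

A rejected call should be logged as a security event (Figure 1, Security Logging) rather than silently retried, since a failed check is exactly the signal the back end needs.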
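The Blacklisting Older Versions row of Figure 1 describes a server-side filter that refuses withdrawn app versions and tells the user to upgrade. This Python is an added example of such a filter, not code from the paper; the header name X-App-Version, the version numbers and the policy are constructed, and a missing or malformed version is treated as untrusted rather than as current.

```python
import re

# Constructed policy (hypothetical values, not from the paper): versions with a
# known security problem that must be refused, and the oldest version still
# accepted. Both are enforced on the server, so a modified client cannot skip them.
BLACKLISTED_VERSIONS = {(2, 1, 0), (2, 1, 1)}
MINIMUM_VERSION = (2, 0, 0)
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")

def parse_version(value):
    """Parse 'major.minor.patch' into a comparable tuple; None if malformed."""
    match = VERSION_RE.match(value.strip()) if isinstance(value, str) else None
    return tuple(int(part) for part in match.groups()) if match else None

def version_filter(headers):
    """Server-side filter applied before any business function is dispatched.

    headers: dict of request headers; the app reports its version in the
    constructed 'X-App-Version' header. Returns (status, body): 200 when the
    request may proceed, 426 (Upgrade Required) when the version is blacklisted
    or older than the minimum, 400 when the header is missing or malformed.
    """
    version = parse_version(headers.get("X-App-Version"))
    if version is None:
        return 400, {"error": "missing or malformed X-App-Version header"}
    if version in BLACKLISTED_VERSIONS:
        return 426, {"error": "this app version has been withdrawn for security reasons; please upgrade"}
    if version < MINIMUM_VERSION:
        return 426, {"error": "this app version is no longer supported; please upgrade"}
    return 200, {"status": "ok"}
```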
About Cognizant

Cognizant (NASDAQ: CTSH) is a leading provider of information technology, consulting, and business process outsourcing services, dedicated to helping the world’s leading companies build stronger businesses. Headquartered in Teaneck, New Jersey (U.S.), Cognizant combines a passion for client satisfaction, technology innovation, deep industry and business process expertise, and a global, collaborative workforce that embodies the future of work. With over 75 development and delivery centers worldwide and approximately 178,600 employees as of March 31, 2014, Cognizant is a member of the NASDAQ-100, the S&P 500, the Forbes Global 2000, and the Fortune 500 and is ranked among the top performing and fastest growing companies in the world. Visit us online at or follow us on Twitter: Cognizant.

World Headquarters
500 Frank W. Burr Blvd., Teaneck, NJ 07666 USA
Phone: +1 201 801 0233 | Fax: +1 201 801 0243 | Toll Free: +1 888 937 3277
Email:

European Headquarters
1 Kingdom Street, Paddington Central, London W2 6BD
Phone: +44 (0) 20 7297 7600 | Fax: +44 (0) 20 7121 0102
Email:

India Operations Headquarters
#5/535, Old Mahabalipuram Road, Okkiyam Pettai, Thoraipakkam, Chennai, 600 096 India
Phone: +91 (0) 44 4209 6000 | Fax: +91 (0) 44 4209 6060
Email:

© Copyright 2014, Cognizant. All rights reserved. No part of this document may be reproduced, stored in a retrieval system, transmitted in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the express written permission from Cognizant. The information contained herein is subject to change without notice. All other trademarks mentioned herein are the property of their respective owners.

About the Authors

Amit Tank is a Solutions Architect within Cognizant’s Banking and Financial Services Business Unit. He has over 12 years of industry experience across several industry sectors including (but not limited to) software product development, professional services, research and development, manufacturing engineering and software applications. Amit has architected, designed and developed critical business-centric enterprise applications for companies in the insurance, mortgage, banking and financial services industries. He earned his bachelor’s degree in engineering from NIT Durgapur, India and is a TOGAF 9 certified enterprise architect. Amit can be reached at

Chintan Desai is a Project Manager within Cognizant’s Banking and Financial Services Business Unit. He has 10-plus years of experience leading all phases of diverse technology projects, and more than seven years of computer programming experience using C and Java in projects involving mobility (Android), enterprise content management and portals. He received a bachelor of engineering degree in computer science from DDIT, Nadiad. Chintan can be reached at