Prague
Securing Mobile
Banking Apps
You Are Only as Strong as
Your Weakest Link
10-20%
rise in digital banking use across Europe
in April 2020
Facts & Numbers
40%
of Android users have phones that no longer receive security updates
"The digital banking leaders also happen to be the leaders in security."
PIN/Password Policy
Secure Networking
App Shielding (RASP)
Malwarelytics
malware protection on Android
Transaction Signing (SCA)
Security Advisor
PSD2
Strong Customer Authentication
Secure Standards for Communications
Detecting Signs of Malware Infection
Mobile Secure Execution Environment
Transaction Risk Analysis
Fraud Detection Systems
Auditing and Documentation
Money Heist
The same thing as always, but digital…
Current Mobile Threats
Weak Activation | After-Theft Attack | Weak Runtime | Mobile Malware
1.2M+ App Samples
0.04% Malware
0.17% Highly Dangerous
1900+ Accessibility
22k+ Screen Override
5k+ SMS Access
Mobile Malware
QRecorder (Q4/2018)
StrandHogg: https://www.youtube.com/watch?v=XtabRTVQT6Q
StrandHogg: https://www.youtube.com/watch?v=C7IB62jYf4o
Real App | Fake App
Mobile Malware
4 major malware attacks in Q1
€100k highest single client loss
€500k total cost impact estimates in Q1
Mobile Malware
Czech Republic, Q1/2019
Mobile Malware
Cerberus Banker Trojan (1/3)
Cerberus Banker Trojan (2/3)
Cerberus Banker Trojan (3/3)
Mobile Malware
EventBot targets users of over 200 different financial applications, including banking,
money transfer services, and crypto-currency wallets.
Malwarelytics
Weak Activation
Using an SMS OTP during mobile app enrollment.
Attackers use social engineering to trick users into confirming a new mobile banking activation on their own devices.
After an attacker activates mobile banking, the bank account and the user's identity are fully compromised.
Mobile app authentication is only as strong as the elements that were used during the activation process.
Weak Activation
How to improve activation security?
"Slow Channels" | "Identity Aging" | HW OTP
After-Theft Attack
Weak PIN codes and passwords.
4-digit PIN = 10 000 combinations
11% of users choose "1234"
Top 20 PIN codes can open over 25% of all devices.
https://www.datagenetics.com/blog/september32012/
→ Enforce strong PIN codes!
After-Theft Attack
What is a strong PIN code?
1234, 1111, 2222, 3333, …
2468, 1357, 1212, 1313, …
1984, 2000, 1968, 1989, …
After-Theft Attack
What is a strong PIN code?
Keypad layout:
1 2 3
4 5 6
7 8 9
  0
2580 (one straight line down the middle column)
3719, 1379, 9713, 1937 (the four corner keys)
6428, 4628, 6842, 2846 (the four middle-edge keys)
Patterns everywhere!
After-Theft Attack
What is a strong PIN code?
The last safe PIN code!
8068
Open-Source Freebie!
https://github.com/wultra/passphrase-meter
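As an added example (not from the deck and not the passphrase-meter library's own code), a checker that rejects the weak 4-digit PIN classes the slides walk through: repeated digits, arithmetic digit sequences, alternating pairs, plausible years, and the keypad shapes (middle column, four corners, four middle-edge keys). The accepted year range and the reason strings are assumptions of this example.

```python
"""Reject 4-digit PINs that fall into the weak classes listed on the slides."""
from typing import List, Optional

# Standard phone keypad, digit -> (row, col); constructed for this example.
KEYPAD = {
    "1": (0, 0), "2": (0, 1), "3": (0, 2),
    "4": (1, 0), "5": (1, 1), "6": (1, 2),
    "7": (2, 0), "8": (2, 1), "9": (2, 2),
    "0": (3, 1),
}
YEAR_RANGE = range(1900, 2031)          # assumption: memorable birth/event years
CORNER_KEYS = {"1", "3", "7", "9"}      # 3719, 1379, 9713, 1937, ...
EDGE_KEYS = {"2", "4", "6", "8"}        # 6428, 4628, 6842, 2846, ...


def _is_arithmetic(digits: List[int]) -> bool:
    """Constant non-zero step between digits: 1234, 2468, 1357, 9876."""
    steps = {b - a for a, b in zip(digits, digits[1:])}
    return len(steps) == 1 and steps != {0}


def _is_keypad_line(pin: str) -> bool:
    """All four keys lie on one straight line of the keypad, e.g. 2580."""
    pts = [KEYPAD[c] for c in pin]
    dr, dc = pts[1][0] - pts[0][0], pts[1][1] - pts[0][1]
    if (dr, dc) == (0, 0):
        return False
    return all(pts[i + 1] == (pts[i][0] + dr, pts[i][1] + dc) for i in range(3))


def weak_pin_reason(pin: str) -> Optional[str]:
    """Return why the PIN is weak, or None if it passes every check."""
    if len(pin) != 4 or not pin.isdigit():
        return "PIN must be exactly four digits"
    digits = [int(c) for c in pin]
    if len(set(pin)) == 1:
        return "repeated digit"
    if _is_arithmetic(digits):
        return "digit sequence"
    if pin[0] == pin[2] and pin[1] == pin[3]:
        return "alternating pair"
    if int(pin) in YEAR_RANGE:
        return "looks like a year"
    if _is_keypad_line(pin):
        return "straight line on the keypad"
    if set(pin) in (CORNER_KEYS, EDGE_KEYS):
        return "keypad corner/edge pattern"
    return None


def is_strong_pin(pin: str) -> bool:
    return weak_pin_reason(pin) is None
```

Run against the slides' own examples: every listed weak PIN is rejected with a reason, and 8068 passes.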
After-Theft Attack
Forensic cryptographic data extraction.
Built-in security measures in the mobile OS can be bypassed.
The PIN code or cryptographic keys can leak from memory.
Implement cryptography as a low-level C/C++ module with strict memory management.
Use HW-backed key storage (Secure Enclave, StrongBox).
Weak Runtime
Nothing is guaranteed on a jailbroken/rooted device…
To mitigate risks related to compromised devices,
implement RASP / App Shielding technology.
Your app could have been:
→ modified by repackaging ("at rest")
→ modified after connecting a debugger ("at runtime")
→ modified by a fake system library (framework or native library injection)
A ticking time bomb…
"Xposed is a framework for modules that can change the behavior of the system and apps without touching any APKs. That's great because it means that modules can work for different versions and even ROMs without any changes…"
Weak Runtime
On the system level, iOS and Android are equally secure…
Dispelling The "Sufficiently Secure iOS" Myth and the Importance of App Shielding on iOS
— by Tomáš Kypta
https://bit.ly/3gan7V1
Current Mobile Threats
Weak Activation | After-Theft Attack | Weak Runtime | Mobile Malware
Consulting document: "Principles of a Secure Mobile Banking on iOS and Android"
— by Petr Dvořák
Thank You
Petr Dvořák
petr@wultra.com
Any questions?
Tereza Gagnon
tereza.gagnon@wultra.com

Webinar: Securing Mobile Banking Apps